b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/s8Sj4vA.exe
Size

5.4MB
MD5

1be0e0db93388bd4ac29fc850a122a2e
SHA1

91532349e2c23400b0ec0f2987713d49b8f3af24
SHA256

d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe
SHA512

e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681
SSDEEP

98304:q6RUAPvIw0NUBy6EzhQzCWyLt6Tike/E4pCOqn9VdsWAF1t1XqsVUzy:q6NPvIPU/CWGt6+keNpCOqn9A3lhv

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5420	exp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\vbpk2hb902SX\\exp.exe"	s8Sj4vA.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1336 set thread context of 4596	1336	s8Sj4vA.exe	91
PID 5420 set thread context of 4848	5420	exp.exe	101

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	s8Sj4vA.exe
Token: SeDebugPrivilege	5420	exp.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 448	1336	s8Sj4vA.exe	87
PID 1336 wrote to memory of 448	1336	s8Sj4vA.exe	87
PID 448 wrote to memory of 3052	448	csc.exe	90
PID 448 wrote to memory of 3052	448	csc.exe	90
PID 1336 wrote to memory of 4596	1336	s8Sj4vA.exe	91
PID 1336 wrote to memory of 4596	1336	s8Sj4vA.exe	91
PID 1336 wrote to memory of 4596	1336	s8Sj4vA.exe	91
PID 1336 wrote to memory of 4596	1336	s8Sj4vA.exe	91
PID 1336 wrote to memory of 4596	1336	s8Sj4vA.exe	91
PID 1336 wrote to memory of 4596	1336	s8Sj4vA.exe	91
PID 1336 wrote to memory of 4596	1336	s8Sj4vA.exe	91
PID 1336 wrote to memory of 4596	1336	s8Sj4vA.exe	91
PID 4576 wrote to memory of 4900	4576	cmd.exe	94
PID 4576 wrote to memory of 4900	4576	cmd.exe	94
PID 4468 wrote to memory of 5420	4468	explorer.exe	96
PID 4468 wrote to memory of 5420	4468	explorer.exe	96
PID 5420 wrote to memory of 2516	5420	exp.exe	98
PID 5420 wrote to memory of 2516	5420	exp.exe	98
PID 2516 wrote to memory of 4868	2516	csc.exe	100
PID 2516 wrote to memory of 4868	2516	csc.exe	100
PID 5420 wrote to memory of 4848	5420	exp.exe	101
PID 5420 wrote to memory of 4848	5420	exp.exe	101
PID 5420 wrote to memory of 4848	5420	exp.exe	101
PID 5420 wrote to memory of 4848	5420	exp.exe	101
PID 5420 wrote to memory of 4848	5420	exp.exe	101
PID 5420 wrote to memory of 4848	5420	exp.exe	101
PID 5420 wrote to memory of 4848	5420	exp.exe	101
PID 5420 wrote to memory of 4848	5420	exp.exe	101

C:\Users\Admin\AppData\Local\Temp\quarantine\s8Sj4vA.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\s8Sj4vA.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yh5pg0vi\yh5pg0vi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B27.tmp" "c:\Users\Admin\AppData\Local\Temp\yh5pg0vi\CSC135BA43FC844E45AECC30F1181272E2.TMP"
    3⤵
    PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
  2⤵
  PID:4900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
  "C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5420
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bzktb2it\bzktb2it.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2C8.tmp" "c:\Users\Admin\AppData\Local\Temp\bzktb2it\CSC8ED9F08ED9814C71A7179258C02B9AE2.TMP"
      4⤵
      PID:4868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4848

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9B27.tmp

Filesize
1KB

MD5
03593df5aabd8227260f1862fb709f20

SHA1
7ea1816e709e9435db9d19220ca17ea115aad7f8

SHA256
17e48b75d9452fa92535dc44d0b28ed7f37e6db4d7a442da732316a4b20367ae

SHA512
06dc318e3d5b3134e46881293bd05f750840ed93d79b7f906492fa22b3bdfae636269ebe2a23d588c504404d956104be6ee9dc04e9088eafcc1a25ff85e678c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2C8.tmp

Filesize
1KB

MD5
5123894e0e3d0e7dd73a59581cd7c817

SHA1
61b85a53f023c92badb28493b913ce88a55860b3

SHA256
e94f895bcd32c6813ee3c5e62851fd52150516b1b4f275d66a5487c9ef5d9f72

SHA512
be15482b09093bd1ee1113dbcf4449b5524af70fcdd415215027ac343124071250e035c14403b0678a8bf6693988e8f3f7fd2f1d6ace5ffbef93904113413970

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzktb2it\bzktb2it.dll

Filesize
8KB

MD5
a7335f725063c2d276674f4cb3bc2fda

SHA1
dced4d669cceab5c66ecc2dad36825561bd1efa7

SHA256
79ebfd713a6ee4c0c9018152d40dd849d6ab316f04fb18dcee45e80aa5bfd859

SHA512
453466e6465b90781e724407dab7fda1db03f9560641f21b2e6faecc4d8e476471aa9d99bebcfd05108cf6eb6826579373e0953dcc5d04e2ac983aa7f0493584

Download Submit
C:\Users\Admin\AppData\Local\Temp\yh5pg0vi\yh5pg0vi.dll

Filesize
8KB

MD5
7cf1e97cf5d8557b36a032e73712d309

SHA1
475dbeba4c485ec0cfd19ef6e64711283f8aa917

SHA256
302200e4552974f70de3cd0282f250d0d19f721a2e2791f1dc1371db4153d35a

SHA512
37df13bbe9c549a02b4da2744b1213a7d4aade5a40f6b8276627e89a1ef836365819031d94952b23c10efba8a2192810125aa5d86de32f5cb7a0146314725912

Download Submit
C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe

Filesize
5.4MB

MD5
1be0e0db93388bd4ac29fc850a122a2e

SHA1
91532349e2c23400b0ec0f2987713d49b8f3af24

SHA256
d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe

SHA512
e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bzktb2it\CSC8ED9F08ED9814C71A7179258C02B9AE2.TMP

Filesize
652B

MD5
7c88818ae685470ae8db4ad1d55a78fd

SHA1
8e8297c76634950a63bb8b44db104183bb2e82c5

SHA256
838d1ea0d4d4453f37c347b06cc9a6318182274548976858526d0b350bfbc044

SHA512
f66350c824cb64f29bee09a969251274987e00545e5aa59da4cae1015a867080ef8235d2e247f41e3c4454a4701eee0a19b729fea84257b7ef1e6f535e2c85ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bzktb2it\bzktb2it.cmdline

Filesize
204B

MD5
894509b8000a7681c5223784ea3257c1

SHA1
cec70e3c73f4b6ffc3aaa3fba7b51086aa5e2ac9

SHA256
71945f4c1a33abcd1f9513641b8634245b790a749b0b025e3951af9077366196

SHA512
82a6e11ac5805fc02b0cc524ce59ac1f9430fb59a6b0074b5feb3b9c0ffe0ee761a71ba51830621df5f8ae442680c36028885f78f648f62e8b2ce90fa72d2e76

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yh5pg0vi\CSC135BA43FC844E45AECC30F1181272E2.TMP

Filesize
652B

MD5
c982ce95bab6ed910c967b1dc37ddfd7

SHA1
a672c651d86f241d252899d624ef7a2e48ed7672

SHA256
0101bc237c9f493e5f042cea9fe38b84edee65775c19b6126048c8e409d82cc9

SHA512
1843f12c3c8aece5750a39a53fb92229351b01daf0fab248ea54c8b53b3b3b7f16509f73caf54c9eb944b7117c7fef29dfd215ef2011cca176201e1ed991393c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yh5pg0vi\yh5pg0vi.0.cs

Filesize
8KB

MD5
58b10ef6ba0da88788f1aac56ce7e2db

SHA1
48221936b98aac14ead7c4589513d074365414ec

SHA256
ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

SHA512
19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yh5pg0vi\yh5pg0vi.cmdline

Filesize
204B

MD5
32b5799e3e5540830058f8d3b513075a

SHA1
23080bcb73ebc8894618ad44b28b59243b9150d6

SHA256
1d4dddca274c6a02671fd270de3dbc4cb0e620b43fc05884296cbe248c24e9f0

SHA512
318e2115004ac9de2ff0c04650393b6e0cd77bdd34c620cca213aac60f1dec5d7986775adba808fbabfebe0e04ffe4ba0989a2e6b19383600cb923eccaf9adb6

Download Submit
memory/1336-3-0x00007FF825100000-0x00007FF825BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1336-4-0x00007FF825100000-0x00007FF825BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1336-22-0x00007FF825100000-0x00007FF825BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1336-1-0x0000026A60200000-0x0000026A60734000-memory.dmp

Filesize
5.2MB

Download
memory/1336-0-0x00007FF825103000-0x00007FF825105000-memory.dmp

Filesize
8KB

Download
memory/1336-2-0x00007FF825100000-0x00007FF825BC1000-memory.dmp

Filesize
10.8MB

Download
memory/1336-17-0x0000026A46F50000-0x0000026A46F58000-memory.dmp

Filesize
32KB

Download
memory/4596-19-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4596-26-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/4596-25-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/4596-23-0x00000000746BE000-0x00000000746BF000-memory.dmp

Filesize
4KB

Download
memory/4596-45-0x00000000746BE000-0x00000000746BF000-memory.dmp

Filesize
4KB

Download
memory/4596-46-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/5420-40-0x000002CBD7390000-0x000002CBD7398000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads