b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/s8Sj4vA.exe
Size

5.4MB
MD5

1be0e0db93388bd4ac29fc850a122a2e
SHA1

91532349e2c23400b0ec0f2987713d49b8f3af24
SHA256

d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe
SHA512

e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681
SSDEEP

98304:q6RUAPvIw0NUBy6EzhQzCWyLt6Tike/E4pCOqn9VdsWAF1t1XqsVUzy:q6NPvIPU/CWGt6+keNpCOqn9A3lhv

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5932	exp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4144164418-4152157973-2926181071-1000\Software\Microsoft\Windows\CurrentVersion\Run\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\vbpk2hb902SX\\exp.exe"	s8Sj4vA.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3992 set thread context of 3468	3992	s8Sj4vA.exe	82
PID 5932 set thread context of 4876	5932	exp.exe	93

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3992	s8Sj4vA.exe
3992	s8Sj4vA.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	s8Sj4vA.exe
Token: SeDebugPrivilege	5932	exp.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 5888	3992	s8Sj4vA.exe	78
PID 3992 wrote to memory of 5888	3992	s8Sj4vA.exe	78
PID 5888 wrote to memory of 5804	5888	csc.exe	80
PID 5888 wrote to memory of 5804	5888	csc.exe	80
PID 3992 wrote to memory of 1148	3992	s8Sj4vA.exe	81
PID 3992 wrote to memory of 1148	3992	s8Sj4vA.exe	81
PID 3992 wrote to memory of 1148	3992	s8Sj4vA.exe	81
PID 3992 wrote to memory of 3468	3992	s8Sj4vA.exe	82
PID 3992 wrote to memory of 3468	3992	s8Sj4vA.exe	82
PID 3992 wrote to memory of 3468	3992	s8Sj4vA.exe	82
PID 3992 wrote to memory of 3468	3992	s8Sj4vA.exe	82
PID 3992 wrote to memory of 3468	3992	s8Sj4vA.exe	82
PID 3992 wrote to memory of 3468	3992	s8Sj4vA.exe	82
PID 3992 wrote to memory of 3468	3992	s8Sj4vA.exe	82
PID 3992 wrote to memory of 3468	3992	s8Sj4vA.exe	82
PID 1748 wrote to memory of 5520	1748	cmd.exe	85
PID 1748 wrote to memory of 5520	1748	cmd.exe	85
PID 5492 wrote to memory of 5932	5492	explorer.exe	87
PID 5492 wrote to memory of 5932	5492	explorer.exe	87
PID 5932 wrote to memory of 4704	5932	exp.exe	90
PID 5932 wrote to memory of 4704	5932	exp.exe	90
PID 4704 wrote to memory of 4972	4704	csc.exe	92
PID 4704 wrote to memory of 4972	4704	csc.exe	92
PID 5932 wrote to memory of 4876	5932	exp.exe	93
PID 5932 wrote to memory of 4876	5932	exp.exe	93
PID 5932 wrote to memory of 4876	5932	exp.exe	93
PID 5932 wrote to memory of 4876	5932	exp.exe	93
PID 5932 wrote to memory of 4876	5932	exp.exe	93
PID 5932 wrote to memory of 4876	5932	exp.exe	93
PID 5932 wrote to memory of 4876	5932	exp.exe	93
PID 5932 wrote to memory of 4876	5932	exp.exe	93

C:\Users\Admin\AppData\Local\Temp\quarantine\s8Sj4vA.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\s8Sj4vA.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fr1hthh1\fr1hthh1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA21C.tmp" "c:\Users\Admin\AppData\Local\Temp\fr1hthh1\CSCBC3536CE840C4E4CB54A4FEBBFA085.TMP"
    3⤵
    PID:5804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c explorer.exe C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\explorer.exe
  explorer.exe C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
  2⤵
  PID:5520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5492
- C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe
  "C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5932
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tx3pprfn\tx3pprfn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA671.tmp" "c:\Users\Admin\AppData\Local\Temp\tx3pprfn\CSCE28AF4A33CBE4FB3B464CC216522A24.TMP"
      4⤵
      PID:4972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA21C.tmp

Filesize
1KB

MD5
da95fab4a93ce19b1b2a9bc927626c90

SHA1
d89b12ed572761c80fb850d1410a7081324a3193

SHA256
a6f5fb6a2e062562af32472d3cbd87dbd21499a138e7cf771455d3232f1e09cb

SHA512
ad458d47d6d37728b7b42e0d8bc0cb8fa5ddebc99b85865350902fc933e8bb945fdb29721ed282e6f172ad1ff27c66ca3365533b799a051f21a897fd201579b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA671.tmp

Filesize
1KB

MD5
6aaa1006e1fd2e34b0217a514d1506d1

SHA1
30d7223b12c040f398fbc20b0304177da1dfe53e

SHA256
6b76fd4a1aef2b15d181c9ca2e666cfbaabeb3356cdccb26c6634cad4ef9b031

SHA512
46e0e5826a0ec869dbcc7c6213ee3a5f05e843c4c98bfaf43dccbf0c0962435e1bea73a9394151a73228de739d91df6083a8d1fb278d8b6775dea4cf7cc53a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fr1hthh1\fr1hthh1.dll

Filesize
8KB

MD5
5698672292b1414fc1517ee3864a2832

SHA1
83441623167073f1bb85b146d82d3521d0507716

SHA256
e592cf14ccb6c445309f96db8e3dc9798122ce01ab9ecbc0f9f9131ded15f3c8

SHA512
88ee82ad06db1ff0d5cedd5c10a4b75d8be8beab94bfcdc6443fb322b3fcee432f12b1cbf95b9f657d7c9c2294f2b5126c4994ee2500a94ec97d77b968a148be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tx3pprfn\tx3pprfn.dll

Filesize
8KB

MD5
cdf542e019761095d0c5d816dd341e3f

SHA1
592408d7f97b91b647485e9b29c4210d8e2b4fd1

SHA256
b3d7160291baf0641a5374493d50a6f0ca48eb0ec5cd797068021ea07cf27108

SHA512
7afcc68775a2ec3935b78ef1af6d4124c52e484cef5a48212f878d46e10fa1fe68e2277552be1c20662618d7961a8617d3d19b62dc47963e2a3dd6fcb90f5511

Download Submit
C:\Users\Admin\AppData\Roaming\vbpk2hb902SX\exp.exe

Filesize
5.4MB

MD5
1be0e0db93388bd4ac29fc850a122a2e

SHA1
91532349e2c23400b0ec0f2987713d49b8f3af24

SHA256
d1ff00cc1a4fefafcc75abd174864a332f94ee52b4fa463be5a4e71369edcefe

SHA512
e19a532302dfc4a9a0d84dd08d0407d2533c5cc66a15401b7c39779b8eb08554ff83edcbb332812366e9827776dfa36f843917f35cfb9ccbf55c31a5b6ac7681

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fr1hthh1\CSCBC3536CE840C4E4CB54A4FEBBFA085.TMP

Filesize
652B

MD5
a5e456bb9e0853facaf85e37699bc15c

SHA1
8ddb11d467451000cf5d00e8fed883aa040010c2

SHA256
43803706f837d3f2feb14cd8234a9f5a0268361d629d1c66b514782d4a02ed82

SHA512
a27fe22d5230bce1053d7193852d600d132419c8612701929e1ffc8aa514467a955d6c07b0ee6ad6555f4ea362266fcc1e37a68999fffe4fd6e95f1dae371d23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fr1hthh1\fr1hthh1.0.cs

Filesize
8KB

MD5
58b10ef6ba0da88788f1aac56ce7e2db

SHA1
48221936b98aac14ead7c4589513d074365414ec

SHA256
ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

SHA512
19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fr1hthh1\fr1hthh1.cmdline

Filesize
204B

MD5
e267d891891f13a6fb37a8c477c0e120

SHA1
fd02187cc1acafe2c531d9f7741a5fa6272136a8

SHA256
b667769df5e57b7d494ed6f26a032170edbf187ab0b63b0cfe0af0d76e1cce7e

SHA512
7c0d65237b81d136d7b22cbee3e582901aa5ee5da6348a2454479b1df1e54a88d845f943e6b43265885b18087472e616da087be4ba6b8c5e8c963e971b99223c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tx3pprfn\CSCE28AF4A33CBE4FB3B464CC216522A24.TMP

Filesize
652B

MD5
792b44d766b22d9ae42e2e1054a7d556

SHA1
56d1808e6df2eaec53ed3be738dd97e47c7f8939

SHA256
54010777b4b4e0ff3ada60dd178af96b67baab3cb9c93020f64c33021e5ea0e7

SHA512
5c5eb777cd40d5b1d6e1b77511a87dc4525318b1f2071af83a58dbca5e611c703ffbbe8d5cad3f12862f330dc5cf3354e81d367cad4ba16a67ebab61275bfd93

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tx3pprfn\tx3pprfn.cmdline

Filesize
204B

MD5
5e6ad7009fafc14be447fc3e5e66fe55

SHA1
e1dae9860709d90c639feec23140abe93c6d2be5

SHA256
a03afb6673fcb6abbc539138846674e290c619aefc56774178eaa01b7b8959e8

SHA512
94fe1ac7d8aa14bb0bb1f0fb98984df19350a119e78636c4ed40af5f474d756295c9b8c3530d0fabd0ad392b0bfbf5a6e28b72573de25fd8a00c4721af468ea1

Download Submit
memory/3468-19-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3468-24-0x00000000032A0000-0x00000000032AA000-memory.dmp

Filesize
40KB

Download
memory/3992-4-0x00007FF9253F0000-0x00007FF925EB2000-memory.dmp

Filesize
10.8MB

Download
memory/3992-17-0x000002BC57A70000-0x000002BC57A78000-memory.dmp

Filesize
32KB

Download
memory/3992-3-0x00007FF9253F0000-0x00007FF925EB2000-memory.dmp

Filesize
10.8MB

Download
memory/3992-0-0x00007FF9253F3000-0x00007FF9253F5000-memory.dmp

Filesize
8KB

Download
memory/3992-2-0x00007FF9253F0000-0x00007FF925EB2000-memory.dmp

Filesize
10.8MB

Download
memory/3992-1-0x000002BC712A0000-0x000002BC717D4000-memory.dmp

Filesize
5.2MB

Download
memory/3992-22-0x00007FF9253F0000-0x00007FF925EB2000-memory.dmp

Filesize
10.8MB

Download
memory/5932-38-0x000002B298A80000-0x000002B298A88000-memory.dmp

Filesize
32KB

Download