Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25/03/2024, 01:50
Static task
static1
Behavioral task
behavioral1
Sample
c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe
Resource
win10v2004-20240226-en
General
-
Target
c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe
-
Size
1.8MB
-
MD5
2bb882f05824de9a479e3b8351cdf58d
-
SHA1
153c24fd281341558e3c307a3c13fcf78a30071b
-
SHA256
c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee
-
SHA512
3742e1d6919e2f4c68f34bcebb43d189e7f28323a5a8fd4d081f12957fc319842c2592d191f99f4f28997ad566c67d7d4b75e42e657ce4ab4bca6ad89bc9001c
-
SSDEEP
49152:dMpkyAxbCDuZJfaJqYvdL3bRHhfJi2K1GFlE:+tAxbCqZCqYVL3b1RJv0GE
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Signatures
-
Detect ZGRat V1 13 IoCs
resource yara_rule behavioral1/memory/4392-212-0x0000000005A00000-0x0000000005C4E000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-217-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-218-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-221-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-223-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-225-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-227-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-229-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-232-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-235-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-240-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-244-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 behavioral1/memory/4392-246-0x0000000005A00000-0x0000000005C48000-memory.dmp family_zgrat_v1 -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4392 created 2724 4392 amadycry.exe 77 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 97d2443fb7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 52 4468 rundll32.exe 73 4516 rundll32.exe 150 5156 rundll32.exe 164 5156 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 97d2443fb7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 97d2443fb7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation explorgu.exe Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation amadka.exe Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation explorha.exe -
Executes dropped EXE 11 IoCs
pid Process 1244 explorgu.exe 2748 amadka.exe 4940 explorha.exe 3876 explorgu.exe 3220 97d2443fb7.exe 4392 amadycry.exe 2040 explorha.exe 2512 lumma21.exe 5544 explorha.exe 5556 chrosha.exe 5872 amadycry.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine 97d2443fb7.exe Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine amadka.exe Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine explorgu.exe -
Loads dropped DLL 6 IoCs
pid Process 1280 rundll32.exe 4468 rundll32.exe 4516 rundll32.exe 6132 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\97d2443fb7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\97d2443fb7.exe" explorha.exe Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wtoldkft = "C:\\Users\\Admin\\AppData\\Roaming\\Wtoldkft.exe" amadycry.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 2068 c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe 1244 explorgu.exe 2748 amadka.exe 4940 explorha.exe 2040 explorha.exe 5544 explorha.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1244 set thread context of 3876 1244 explorgu.exe 112 PID 4392 set thread context of 5872 4392 amadycry.exe 129 -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Tasks\explorgu.job c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe File created C:\Windows\Tasks\explorha.job amadka.exe File created C:\Windows\Tasks\chrosha.job lumma21.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
pid Process 2068 c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe 2068 c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe 1244 explorgu.exe 1244 explorgu.exe 4468 rundll32.exe 4468 rundll32.exe 4468 rundll32.exe 4468 rundll32.exe 4468 rundll32.exe 4468 rundll32.exe 4468 rundll32.exe 4468 rundll32.exe 4468 rundll32.exe 4468 rundll32.exe 220 powershell.exe 220 powershell.exe 220 powershell.exe 2748 amadka.exe 2748 amadka.exe 4940 explorha.exe 4940 explorha.exe 2040 explorha.exe 2040 explorha.exe 5156 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe 5156 rundll32.exe 5416 powershell.exe 5416 powershell.exe 5416 powershell.exe 5544 explorha.exe 5544 explorha.exe 4392 amadycry.exe 4392 amadycry.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 220 powershell.exe Token: SeDebugPrivilege 4392 amadycry.exe Token: SeDebugPrivilege 5416 powershell.exe Token: SeDebugPrivilege 4392 amadycry.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2068 c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe 2748 amadka.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1244 wrote to memory of 1280 1244 explorgu.exe 97 PID 1244 wrote to memory of 1280 1244 explorgu.exe 97 PID 1244 wrote to memory of 1280 1244 explorgu.exe 97 PID 1280 wrote to memory of 4468 1280 rundll32.exe 98 PID 1280 wrote to memory of 4468 1280 rundll32.exe 98 PID 4468 wrote to memory of 3176 4468 rundll32.exe 99 PID 4468 wrote to memory of 3176 4468 rundll32.exe 99 PID 4468 wrote to memory of 220 4468 rundll32.exe 102 PID 4468 wrote to memory of 220 4468 rundll32.exe 102 PID 1244 wrote to memory of 4516 1244 explorgu.exe 104 PID 1244 wrote to memory of 4516 1244 explorgu.exe 104 PID 1244 wrote to memory of 4516 1244 explorgu.exe 104 PID 1244 wrote to memory of 2748 1244 explorgu.exe 105 PID 1244 wrote to memory of 2748 1244 explorgu.exe 105 PID 1244 wrote to memory of 2748 1244 explorgu.exe 105 PID 2748 wrote to memory of 4940 2748 amadka.exe 108 PID 2748 wrote to memory of 4940 2748 amadka.exe 108 PID 2748 wrote to memory of 4940 2748 amadka.exe 108 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 1244 wrote to memory of 3876 1244 explorgu.exe 112 PID 4940 wrote to memory of 3220 4940 explorha.exe 113 PID 4940 wrote to memory of 3220 4940 explorha.exe 113 PID 4940 wrote to memory of 3220 4940 explorha.exe 113 PID 1244 wrote to memory of 4392 1244 explorgu.exe 114 PID 1244 wrote to memory of 4392 1244 explorgu.exe 114 PID 1244 wrote to memory of 4392 1244 explorgu.exe 114 PID 4940 wrote to memory of 6132 4940 explorha.exe 116 PID 4940 wrote to memory of 6132 4940 explorha.exe 116 PID 4940 wrote to memory of 6132 4940 explorha.exe 116 PID 6132 wrote to memory of 5156 6132 rundll32.exe 118 PID 6132 wrote to memory of 5156 6132 rundll32.exe 118 PID 4940 wrote to memory of 3580 4940 explorha.exe 117 PID 4940 wrote to memory of 3580 4940 explorha.exe 117 PID 4940 wrote to memory of 3580 4940 explorha.exe 117 PID 5156 wrote to memory of 5220 5156 rundll32.exe 119 PID 5156 wrote to memory of 5220 5156 rundll32.exe 119 PID 5156 wrote to memory of 5416 5156 rundll32.exe 121 PID 5156 wrote to memory of 5416 5156 rundll32.exe 121 PID 4940 wrote to memory of 2512 4940 explorha.exe 123 PID 4940 wrote to memory of 2512 4940 explorha.exe 123 PID 4940 wrote to memory of 2512 4940 explorha.exe 123 PID 4940 wrote to memory of 5156 4940 explorha.exe 125 PID 4940 wrote to memory of 5156 4940 explorha.exe 125 PID 4940 wrote to memory of 5156 4940 explorha.exe 125 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129 PID 4392 wrote to memory of 5872 4392 amadycry.exe 129
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe"C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe"2⤵
- Executes dropped EXE
PID:5872
-
-
C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe"C:\Users\Admin\AppData\Local\Temp\c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2068
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵PID:3176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4516
-
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe"C:\Users\Admin\AppData\Local\Temp\1000022001\97d2443fb7.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3220
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:6132 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5156 -
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵PID:5220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5416
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵PID:3580
-
-
C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2512
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5156
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3876
-
-
C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe"C:\Users\Admin\AppData\Local\Temp\1001033001\amadycry.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2040
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Executes dropped EXE
PID:5556
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5544
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58358e35f7233f23485f5bebfdd94ac45
SHA1b055602516d07926b0bd13860887294482e2b24d
SHA256e43a3c5a6279c3fe669b46fe4acd681c5f4c58afb06efe6a8aefffc9bc1ccf42
SHA512984ff47aa9c00c4d13d53772f3c92c8b64e26fc2b8af5aca9df443eecf68dc238f29ad01d177c88458f8f2f5409522e59186d8205f4b8bec6926fcfec7f7f55d
-
Filesize
1KB
MD5cef374ab8fe4fe51d97d2615a88b076f
SHA1eed2f61fe466be489411a713ba4c6944dc576ced
SHA2561774d41c6d8f1ebb264433d11f66f3972243abed4f6f54e085cf5e6cbd498baa
SHA5126b89f9a6688b530629312e084c1e5551c07139554440044c9df54b833b01cc9a020fba02c79dd0190a2cd65275fa37dfc86b077ce95821d22127503fff15b4f2
-
Filesize
1.8MB
MD52bb882f05824de9a479e3b8351cdf58d
SHA1153c24fd281341558e3c307a3c13fcf78a30071b
SHA256c328805ce084493a7d4d761e65dc1820a5626c2da1622be93a7f095c67a7cbee
SHA5123742e1d6919e2f4c68f34bcebb43d189e7f28323a5a8fd4d081f12957fc319842c2592d191f99f4f28997ad566c67d7d4b75e42e657ce4ab4bca6ad89bc9001c
-
Filesize
3.0MB
MD52763d20c2151f640cabffc4ae240c33f
SHA1efa706682ada938daea3dd675fb303136b2e2310
SHA25644e14f844afcc6aa16effc6c090efa62be7491bcfcec572b260199e31845da5b
SHA512b29583c52db36be8dc45a745918f3a592978c15992ab1895806571ff28f1a574fd388207fd653f18a4b75fb4ccd597a27e7fc13d16fff59e43d771ad26395e81
-
Filesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
Filesize
1.8MB
MD50f1f137ec50935756eb506a1e7a24796
SHA1163426991cd993b8590e3739cbaa500ddb258806
SHA2566e22f3016206414917351ea4221b4167318e48442b3d17a0b33546930ed0e4d2
SHA512c88e472e4c6942665a11f15e4f2e3a2ff00492eeee443a8c392a48b3b1c175ae87d1b8e0c29b63a669d23b522a2cc17bbff74bdd6767a56cfe9b75ab3e74865d
-
Filesize
2.3MB
MD590c738cebe2f8dda5d53e777ad286a43
SHA158daf4a99c9c148f38b3e6173d5f7ac01bcfaf16
SHA256d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
SHA5127b77c041a5e1548403db8f749c90209a5bb4a8c1c178003d7af2641f94e1745b6e89abadfed441dd41c492cd134863afb57353a918d94ce308b2884cfdf29620
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
Filesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444