amadey | 0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734

Virtualization/Sandbox Evasion

Processes:

0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exeexplorgu.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

84 5080 rundll32.exe
99 3536 rundll32.exe
Downloads MZ/PE file

flow	pid	process
84	5080	rundll32.exe
99	3536	rundll32.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

explorgu.exerandom.exe0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

RegAsm.exeboom8.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	boom8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	explorgu.exe

Executes dropped EXE 14 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exerandom.exeTeamFour.exealex1234.exeTraffic.exepropro.exe987123.exelummalg.exechckik.exemk.exefile300un.exeboom8.exe

pid	process
4760	explorgu.exe
4980	osminog.exe
4932	goldprimeldlldf.exe
2828	random.exe
932	TeamFour.exe
2644	alex1234.exe
568	Traffic.exe
2652	propro.exe
4984	987123.exe
940	lummalg.exe
4204	chckik.exe
4476	mk.exe
3716	file300un.exe
804	boom8.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exeexplorgu.exerandom.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine	0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
Key opened	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Wine	random.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeregsvr32.exe

pid process

3460 rundll32.exe
5080 rundll32.exe
3536 rundll32.exe
3700 regsvr32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3460	rundll32.exe
5080	rundll32.exe
3536	rundll32.exe
3700	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u1qw.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u1qw.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u1qw.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u1to.1.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorgu.exefile300un.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe"	explorgu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\.BLRVzdv\\svchost.exe\""	file300un.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

138 pastebin.com
136 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exeexplorgu.exe

pid process

2012 0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
4760 explorgu.exe

flow	ioc
138	pastebin.com
136	pastebin.com

Suspicious use of SetThreadContext 5 IoCs

Processes:

osminog.exegoldprimeldlldf.exealex1234.exelummalg.exefile300un.exe

description	pid	process	target process
PID 4980 set thread context of 4480	4980	osminog.exe	RegAsm.exe
PID 4932 set thread context of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 2644 set thread context of 5080	2644	alex1234.exe	RegAsm.exe
PID 940 set thread context of 2640	940	lummalg.exe	RegAsm.exe
PID 3716 set thread context of 548	3716	file300un.exe	CasPol.exe

Drops file in Windows directory 2 IoCs

Processes:

0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exechckik.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
File created	C:\Windows\Tasks\chrosha.job	chckik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3284	4480	WerFault.exe	RegAsm.exe
2924	2640	WerFault.exe	RegAsm.exe
184	5092	WerFault.exe	5DD7.exe
5248	4252	WerFault.exe	RegAsm.exe
5320	4252	WerFault.exe	RegAsm.exe
5436	2264	WerFault.exe	iaP4Oo2Wc3CcnqyqORQJGdx4.exe
6104	2364	WerFault.exe	c7UCXRdXxBBHYMXeIi9aKnxz.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

987123.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1684 schtasks.exe
5956 schtasks.exe
5528 schtasks.exe
1800 schtasks.exe

pid	process
1684	schtasks.exe
5956	schtasks.exe
5528	schtasks.exe
1800	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exeexplorgu.exerundll32.exepowershell.exeRegAsm.exeTeamFour.exe987123.exeTraffic.exe

pid	process
2012	0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
2012	0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
4760	explorgu.exe
4760	explorgu.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
492	powershell.exe
492	powershell.exe
492	powershell.exe
3188	RegAsm.exe
3188	RegAsm.exe
3188	RegAsm.exe
3188	RegAsm.exe
932	TeamFour.exe
932	TeamFour.exe
4984	987123.exe
4984	987123.exe
568	Traffic.exe
568	Traffic.exe
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464
3464

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

987123.exe

pid process

4984 987123.exe

pid	process
4984	987123.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

osminog.exepowershell.exeTeamFour.exeTraffic.exeCasPol.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4980	osminog.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	932	TeamFour.exe
Token: SeBackupPrivilege	932	TeamFour.exe
Token: SeSecurityPrivilege	932	TeamFour.exe
Token: SeSecurityPrivilege	932	TeamFour.exe
Token: SeSecurityPrivilege	932	TeamFour.exe
Token: SeSecurityPrivilege	932	TeamFour.exe
Token: SeDebugPrivilege	568	Traffic.exe
Token: SeBackupPrivilege	568	Traffic.exe
Token: SeSecurityPrivilege	568	Traffic.exe
Token: SeSecurityPrivilege	568	Traffic.exe
Token: SeSecurityPrivilege	568	Traffic.exe
Token: SeSecurityPrivilege	568	Traffic.exe
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeShutdownPrivilege	3464
Token: SeCreatePagefilePrivilege	3464
Token: SeDebugPrivilege	548	CasPol.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe

pid process

2012 0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3464

pid	process
3464

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exerundll32.exerundll32.exealex1234.exeRegAsm.exelummalg.exe

description	pid	process	target process
PID 4760 wrote to memory of 4980	4760	explorgu.exe	osminog.exe
PID 4760 wrote to memory of 4980	4760	explorgu.exe	osminog.exe
PID 4760 wrote to memory of 4980	4760	explorgu.exe	osminog.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4980 wrote to memory of 4480	4980	osminog.exe	RegAsm.exe
PID 4760 wrote to memory of 4932	4760	explorgu.exe	goldprimeldlldf.exe
PID 4760 wrote to memory of 4932	4760	explorgu.exe	goldprimeldlldf.exe
PID 4760 wrote to memory of 4932	4760	explorgu.exe	goldprimeldlldf.exe
PID 4932 wrote to memory of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 4932 wrote to memory of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 4932 wrote to memory of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 4932 wrote to memory of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 4932 wrote to memory of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 4932 wrote to memory of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 4932 wrote to memory of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 4932 wrote to memory of 3188	4932	goldprimeldlldf.exe	RegAsm.exe
PID 4760 wrote to memory of 3460	4760	explorgu.exe	rundll32.exe
PID 4760 wrote to memory of 3460	4760	explorgu.exe	rundll32.exe
PID 4760 wrote to memory of 3460	4760	explorgu.exe	rundll32.exe
PID 3460 wrote to memory of 5080	3460	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 5080	3460	rundll32.exe	rundll32.exe
PID 5080 wrote to memory of 496	5080	rundll32.exe	netsh.exe
PID 5080 wrote to memory of 496	5080	rundll32.exe	netsh.exe
PID 5080 wrote to memory of 492	5080	rundll32.exe	powershell.exe
PID 5080 wrote to memory of 492	5080	rundll32.exe	powershell.exe
PID 4760 wrote to memory of 3536	4760	explorgu.exe	rundll32.exe
PID 4760 wrote to memory of 3536	4760	explorgu.exe	rundll32.exe
PID 4760 wrote to memory of 3536	4760	explorgu.exe	rundll32.exe
PID 4760 wrote to memory of 2828	4760	explorgu.exe	random.exe
PID 4760 wrote to memory of 2828	4760	explorgu.exe	random.exe
PID 4760 wrote to memory of 2828	4760	explorgu.exe	random.exe
PID 4760 wrote to memory of 932	4760	explorgu.exe	TeamFour.exe
PID 4760 wrote to memory of 932	4760	explorgu.exe	TeamFour.exe
PID 4760 wrote to memory of 2644	4760	explorgu.exe	alex1234.exe
PID 4760 wrote to memory of 2644	4760	explorgu.exe	alex1234.exe
PID 4760 wrote to memory of 2644	4760	explorgu.exe	alex1234.exe
PID 2644 wrote to memory of 5080	2644	alex1234.exe	RegAsm.exe
PID 2644 wrote to memory of 5080	2644	alex1234.exe	RegAsm.exe
PID 2644 wrote to memory of 5080	2644	alex1234.exe	RegAsm.exe
PID 2644 wrote to memory of 5080	2644	alex1234.exe	RegAsm.exe
PID 2644 wrote to memory of 5080	2644	alex1234.exe	RegAsm.exe
PID 2644 wrote to memory of 5080	2644	alex1234.exe	RegAsm.exe
PID 2644 wrote to memory of 5080	2644	alex1234.exe	RegAsm.exe
PID 2644 wrote to memory of 5080	2644	alex1234.exe	RegAsm.exe
PID 5080 wrote to memory of 568	5080	RegAsm.exe	Traffic.exe
PID 5080 wrote to memory of 568	5080	RegAsm.exe	Traffic.exe
PID 5080 wrote to memory of 2652	5080	RegAsm.exe	propro.exe
PID 5080 wrote to memory of 2652	5080	RegAsm.exe	propro.exe
PID 5080 wrote to memory of 2652	5080	RegAsm.exe	propro.exe
PID 4760 wrote to memory of 4984	4760	explorgu.exe	987123.exe
PID 4760 wrote to memory of 4984	4760	explorgu.exe	987123.exe
PID 4760 wrote to memory of 4984	4760	explorgu.exe	987123.exe
PID 4760 wrote to memory of 940	4760	explorgu.exe	lummalg.exe
PID 4760 wrote to memory of 940	4760	explorgu.exe	lummalg.exe
PID 4760 wrote to memory of 940	4760	explorgu.exe	lummalg.exe
PID 940 wrote to memory of 2640	940	lummalg.exe	RegAsm.exe
PID 940 wrote to memory of 2640	940	lummalg.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe
"C:\Users\Admin\AppData\Local\Temp\0930c8275f5bea0c5de51e96d27ade98486d2b1c33a9aac5dfdc3297aa83f734.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2012

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
  "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1216
      4⤵
      Program crash
      PID:3284
- C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3188
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\134859772495_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:492
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3536
- C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe
  "C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
  "C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:568
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2652
- C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 1264
      4⤵
      Program crash
      PID:2924
- C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
  "C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe
  "C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe"
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:3716
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit
    3⤵
    PID:1508
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:548
  - - C:\Users\Admin\Pictures\c7UCXRdXxBBHYMXeIi9aKnxz.exe
      "C:\Users\Admin\Pictures\c7UCXRdXxBBHYMXeIi9aKnxz.exe"
      4⤵
      PID:2364
    - - C:\Users\Admin\AppData\Local\Temp\u1to.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1to.0.exe"
        5⤵
        
        PID:5580
    - - C:\Users\Admin\AppData\Local\Temp\u1to.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1to.1.exe"
        5⤵
        
        PID:6048
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5528
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1640
        5⤵
        Program crash
        
        PID:6104
  - - C:\Users\Admin\Pictures\q3SbAByB915LvV75lXk5bD7C.exe
      "C:\Users\Admin\Pictures\q3SbAByB915LvV75lXk5bD7C.exe"
      4⤵
      PID:1232
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4252
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 620
        6⤵
        Program crash
        
        PID:5248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 616
        6⤵
        Program crash
        
        PID:5320
  - - C:\Users\Admin\Pictures\iaP4Oo2Wc3CcnqyqORQJGdx4.exe
      "C:\Users\Admin\Pictures\iaP4Oo2Wc3CcnqyqORQJGdx4.exe"
      4⤵
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\u1qw.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1qw.0.exe"
        5⤵
        
        PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\u1qw.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1qw.1.exe"
        5⤵
        
        PID:5380
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 624
        5⤵
        Program crash
        
        PID:5436
  - - C:\Users\Admin\Pictures\39vckUM3E0zDvJwrt88jWRVl.exe
      "C:\Users\Admin\Pictures\39vckUM3E0zDvJwrt88jWRVl.exe"
      4⤵
      PID:4448
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4312
    - - C:\Users\Admin\Pictures\39vckUM3E0zDvJwrt88jWRVl.exe
        
        "C:\Users\Admin\Pictures\39vckUM3E0zDvJwrt88jWRVl.exe"
        5⤵
        
        PID:6064
  - - C:\Users\Admin\Pictures\dpazPQobfe6cxiyoEp1Zes22.exe
      "C:\Users\Admin\Pictures\dpazPQobfe6cxiyoEp1Zes22.exe"
      4⤵
      PID:3320
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2928
    - - C:\Users\Admin\Pictures\dpazPQobfe6cxiyoEp1Zes22.exe
        
        "C:\Users\Admin\Pictures\dpazPQobfe6cxiyoEp1Zes22.exe"
        5⤵
        
        PID:6056
  - - C:\Users\Admin\Pictures\Se4db6jjvZP1JUS1rawPOljC.exe
      "C:\Users\Admin\Pictures\Se4db6jjvZP1JUS1rawPOljC.exe"
      4⤵
      PID:3368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6000
- C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:804
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4480 -ip 4480
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2640 -ip 2640
1⤵
PID:4904

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3483.dll
1⤵
PID:1040
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\3483.dll
  2⤵
  - Loads dropped DLL
  PID:3700

C:\Users\Admin\AppData\Local\Temp\5DD7.exe
C:\Users\Admin\AppData\Local\Temp\5DD7.exe
1⤵
PID:5092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 808
  2⤵
  - Program crash
  PID:184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5092 -ip 5092
1⤵
PID:2656

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4252 -ip 4252
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4252 -ip 4252
1⤵
PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2264 -ip 2264
1⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
PID:5620

C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe
C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe
1⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2364 -ip 2364
1⤵
PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion