Analysis
-
max time kernel
148s -
max time network
161s -
platform
windows11-21h2_x64 -
resource
win11-20240319-en -
resource tags
arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system -
submitted
31-03-2024 12:54
Static task
static1
Behavioral task
behavioral1
Sample
a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe
Resource
win11-20240319-en
General
-
Target
a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe
-
Size
1.8MB
-
MD5
3b19df097f80d5ab3b3bf72705d8ad7f
-
SHA1
1d39f6e092d0d85f9d56f518c84361e100028082
-
SHA256
a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701
-
SHA512
df53a139eac88b7cbbb0b86a0dd0c266ef3a003e9ed670411c1076678c51926f6b9eec90226abab63a91d062810317e53f7e7c85ac189009a42e5f16f0b25e02
-
SSDEEP
24576:LdpKg87IG1k8VcUZgG/gtk0qsOR6OCFE17C23C4GWct4VBB/3WdniLdIjhYVxG2k:mzVpZh/Uk0qs269T235ckJsi+Ad5b
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
redline
Jok123
185.215.113.67:26260
Extracted
redline
LiveTraffic
4.185.137.132:1632
Signatures
-
Detect ZGRat V1 4 IoCs
resource yara_rule behavioral2/files/0x000100000002a795-53.dat family_zgrat_v1 behavioral2/memory/4020-68-0x0000000000CA0000-0x0000000000E5C000-memory.dmp family_zgrat_v1 behavioral2/files/0x000100000002a7a9-213.dat family_zgrat_v1 behavioral2/files/0x000100000002a7ae-251.dat family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
resource yara_rule behavioral2/files/0x000100000002a79c-87.dat family_redline behavioral2/files/0x000100000002a79d-93.dat family_redline behavioral2/memory/3260-102-0x0000000000030000-0x0000000000082000-memory.dmp family_redline behavioral2/memory/2460-125-0x0000000000E60000-0x0000000000EEC000-memory.dmp family_redline behavioral2/files/0x000100000002a7a2-161.dat family_redline behavioral2/memory/2736-184-0x0000000000800000-0x0000000000850000-memory.dmp family_redline behavioral2/files/0x000100000002a7a9-213.dat family_redline behavioral2/memory/1876-294-0x0000000000400000-0x0000000000450000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ random.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amadka.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 12 2144 rundll32.exe 17 1336 rundll32.exe 22 3956 rundll32.exe 24 3100 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion amadka.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorgu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion random.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion amadka.exe -
Executes dropped EXE 16 IoCs
pid Process 692 explorgu.exe 416 random.exe 4020 alex1234.exe 2460 Traffic.exe 3260 propro.exe 4080 amadka.exe 2736 redlinepanel.exe 4060 explorha.exe 4408 32456.exe 1368 goldprimeldlldf.exe 3532 NewB.exe 4276 swiiiii.exe 2780 explorha.exe 3260 NewB.exe 1868 explorha.exe 4740 NewB.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine explorgu.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine random.exe Key opened \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Wine amadka.exe -
Loads dropped DLL 6 IoCs
pid Process 4164 rundll32.exe 2144 rundll32.exe 1336 rundll32.exe 540 rundll32.exe 3956 rundll32.exe 3100 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\random.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000873001\\random.exe" explorgu.exe Set value (str) \REGISTRY\USER\S-1-5-21-1233663403-1277323514-675434005-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1001031001\\amadka.exe" explorgu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid Process 1732 a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe 692 explorgu.exe 4080 amadka.exe 4060 explorha.exe 2780 explorha.exe 1868 explorha.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4020 set thread context of 2096 4020 alex1234.exe 81 PID 1368 set thread context of 1876 1368 goldprimeldlldf.exe 99 PID 4276 set thread context of 2120 4276 swiiiii.exe 109 -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\explorgu.job a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe File created C:\Windows\Tasks\explorha.job amadka.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1368 4276 WerFault.exe 106 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3404 schtasks.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 propro.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 propro.exe -
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 1732 a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe 1732 a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe 692 explorgu.exe 692 explorgu.exe 4080 amadka.exe 4080 amadka.exe 2144 rundll32.exe 2144 rundll32.exe 2144 rundll32.exe 2144 rundll32.exe 2144 rundll32.exe 2144 rundll32.exe 4060 explorha.exe 4060 explorha.exe 2144 rundll32.exe 2144 rundll32.exe 2144 rundll32.exe 2144 rundll32.exe 2460 Traffic.exe 2460 Traffic.exe 4288 powershell.exe 4288 powershell.exe 4288 powershell.exe 2736 redlinepanel.exe 2736 redlinepanel.exe 4408 32456.exe 4408 32456.exe 1876 RegAsm.exe 1876 RegAsm.exe 3956 rundll32.exe 3956 rundll32.exe 3956 rundll32.exe 3956 rundll32.exe 3956 rundll32.exe 3956 rundll32.exe 2120 RegAsm.exe 2120 RegAsm.exe 2120 RegAsm.exe 2120 RegAsm.exe 3260 propro.exe 3260 propro.exe 3260 propro.exe 3260 propro.exe 3956 rundll32.exe 3956 rundll32.exe 3956 rundll32.exe 3956 rundll32.exe 4500 powershell.exe 4500 powershell.exe 4500 powershell.exe 1876 RegAsm.exe 1876 RegAsm.exe 2736 redlinepanel.exe 2736 redlinepanel.exe 2780 explorha.exe 2780 explorha.exe 1868 explorha.exe 1868 explorha.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeDebugPrivilege 2460 Traffic.exe Token: SeBackupPrivilege 2460 Traffic.exe Token: SeSecurityPrivilege 2460 Traffic.exe Token: SeSecurityPrivilege 2460 Traffic.exe Token: SeSecurityPrivilege 2460 Traffic.exe Token: SeSecurityPrivilege 2460 Traffic.exe Token: SeDebugPrivilege 4408 32456.exe Token: SeBackupPrivilege 4408 32456.exe Token: SeSecurityPrivilege 4408 32456.exe Token: SeSecurityPrivilege 4408 32456.exe Token: SeSecurityPrivilege 4408 32456.exe Token: SeSecurityPrivilege 4408 32456.exe Token: SeDebugPrivilege 4288 powershell.exe Token: SeDebugPrivilege 2736 redlinepanel.exe Token: SeDebugPrivilege 3260 propro.exe Token: SeDebugPrivilege 4500 powershell.exe Token: SeDebugPrivilege 1876 RegAsm.exe Token: SeDebugPrivilege 2096 RegAsm.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1732 a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe 4080 amadka.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 692 wrote to memory of 416 692 explorgu.exe 78 PID 692 wrote to memory of 416 692 explorgu.exe 78 PID 692 wrote to memory of 416 692 explorgu.exe 78 PID 692 wrote to memory of 4020 692 explorgu.exe 79 PID 692 wrote to memory of 4020 692 explorgu.exe 79 PID 692 wrote to memory of 4020 692 explorgu.exe 79 PID 4020 wrote to memory of 2096 4020 alex1234.exe 81 PID 4020 wrote to memory of 2096 4020 alex1234.exe 81 PID 4020 wrote to memory of 2096 4020 alex1234.exe 81 PID 4020 wrote to memory of 2096 4020 alex1234.exe 81 PID 4020 wrote to memory of 2096 4020 alex1234.exe 81 PID 4020 wrote to memory of 2096 4020 alex1234.exe 81 PID 4020 wrote to memory of 2096 4020 alex1234.exe 81 PID 4020 wrote to memory of 2096 4020 alex1234.exe 81 PID 2096 wrote to memory of 2460 2096 RegAsm.exe 82 PID 2096 wrote to memory of 2460 2096 RegAsm.exe 82 PID 2096 wrote to memory of 3260 2096 RegAsm.exe 84 PID 2096 wrote to memory of 3260 2096 RegAsm.exe 84 PID 2096 wrote to memory of 3260 2096 RegAsm.exe 84 PID 692 wrote to memory of 4080 692 explorgu.exe 85 PID 692 wrote to memory of 4080 692 explorgu.exe 85 PID 692 wrote to memory of 4080 692 explorgu.exe 85 PID 692 wrote to memory of 2736 692 explorgu.exe 87 PID 692 wrote to memory of 2736 692 explorgu.exe 87 PID 692 wrote to memory of 2736 692 explorgu.exe 87 PID 692 wrote to memory of 4164 692 explorgu.exe 88 PID 692 wrote to memory of 4164 692 explorgu.exe 88 PID 692 wrote to memory of 4164 692 explorgu.exe 88 PID 4164 wrote to memory of 2144 4164 rundll32.exe 89 PID 4164 wrote to memory of 2144 4164 rundll32.exe 89 PID 4080 wrote to memory of 4060 4080 amadka.exe 90 PID 4080 wrote to memory of 4060 4080 amadka.exe 90 PID 4080 wrote to memory of 4060 4080 amadka.exe 90 PID 2144 wrote to memory of 1472 2144 rundll32.exe 91 PID 2144 wrote to memory of 1472 2144 rundll32.exe 91 PID 692 wrote to memory of 4408 692 explorgu.exe 92 PID 692 wrote to memory of 4408 692 explorgu.exe 92 PID 692 wrote to memory of 1368 692 explorgu.exe 112 PID 692 wrote to memory of 1368 692 explorgu.exe 112 PID 692 wrote to memory of 1368 692 explorgu.exe 112 PID 1368 wrote to memory of 3780 1368 goldprimeldlldf.exe 98 PID 1368 wrote to memory of 3780 1368 goldprimeldlldf.exe 98 PID 1368 wrote to memory of 3780 1368 goldprimeldlldf.exe 98 PID 1368 wrote to memory of 1876 1368 goldprimeldlldf.exe 99 PID 1368 wrote to memory of 1876 1368 goldprimeldlldf.exe 99 PID 1368 wrote to memory of 1876 1368 goldprimeldlldf.exe 99 PID 692 wrote to memory of 3532 692 explorgu.exe 100 PID 692 wrote to memory of 3532 692 explorgu.exe 100 PID 692 wrote to memory of 3532 692 explorgu.exe 100 PID 1368 wrote to memory of 1876 1368 goldprimeldlldf.exe 99 PID 1368 wrote to memory of 1876 1368 goldprimeldlldf.exe 99 PID 1368 wrote to memory of 1876 1368 goldprimeldlldf.exe 99 PID 1368 wrote to memory of 1876 1368 goldprimeldlldf.exe 99 PID 1368 wrote to memory of 1876 1368 goldprimeldlldf.exe 99 PID 3532 wrote to memory of 3404 3532 NewB.exe 101 PID 3532 wrote to memory of 3404 3532 NewB.exe 101 PID 3532 wrote to memory of 3404 3532 NewB.exe 101 PID 2144 wrote to memory of 4288 2144 rundll32.exe 103 PID 2144 wrote to memory of 4288 2144 rundll32.exe 103 PID 692 wrote to memory of 4276 692 explorgu.exe 106 PID 692 wrote to memory of 4276 692 explorgu.exe 106 PID 692 wrote to memory of 4276 692 explorgu.exe 106 PID 4276 wrote to memory of 2616 4276 swiiiii.exe 108 PID 4276 wrote to memory of 2616 4276 swiiiii.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe"C:\Users\Admin\AppData\Local\Temp\a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1732
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"C:\Users\Admin\AppData\Local\Temp\1000873001\random.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:416
-
-
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵PID:1108
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵PID:2660
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1001031001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4060 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
PID:540 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3956 -
C:\Windows\system32\netsh.exenetsh wlan show profiles6⤵PID:3992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\233663403127_Desktop.zip' -CompressionLevel Optimal6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3100
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\1001039001\redlinepanel.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵PID:1472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\233663403127_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"C:\Users\Admin\AppData\Local\Temp\1001040001\32456.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408
-
-
C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"C:\Users\Admin\AppData\Local\Temp\1001053001\goldprimeldlldf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3780
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe" /F3⤵
- Creates scheduled task(s)
PID:3404
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\1001073001\swiiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:2616
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 9163⤵
- Program crash
PID:1368
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1336
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4276 -ip 42761⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2780
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
PID:3260
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1868
-
C:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1001059001\NewB.exe1⤵
- Executes dropped EXE
PID:4740
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5ae626d9a72417b14570daa8fcd5d34a4
SHA1c103ebaf4d760df722d620df87e6f07c0486439f
SHA25652cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a
SHA512a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14
-
Filesize
1KB
MD5070ab1be93ef965ef5ce97f088557cdf
SHA11735a7dfc291bb614d677a32b249dc49059c2c4d
SHA2569bcadc4a8e6a5d6b11095dbbbe6f8a342b70a267773ebb1b4e8851bb25e0fe5a
SHA512b48a6ff7e4e8416e4054f10df61ed0d01dfe5ae603704e7d1df44fe2c4efdd4e06d7cb05956a9dea81aee3867bebed9450ce99568ff5f6c8845301100baa7b68
-
Filesize
1.8MB
MD53b19df097f80d5ab3b3bf72705d8ad7f
SHA11d39f6e092d0d85f9d56f518c84361e100028082
SHA256a7f717a5b8396936e4647b106ba3e355e018077b7a98846e7e89f01c0b0f6701
SHA512df53a139eac88b7cbbb0b86a0dd0c266ef3a003e9ed670411c1076678c51926f6b9eec90226abab63a91d062810317e53f7e7c85ac189009a42e5f16f0b25e02
-
Filesize
3.0MB
MD5da65163d6993c8207ab414fd65cdc164
SHA1db762fca49df614a96abf98505a0a470732c549a
SHA256c9c36d89661e79a5e7cb01eacdb7f5ba6ca6d729ac9dbb13ec1c7418d57f4839
SHA51216caa01ee4e553c03096eac0c1f33f85a1cee18f7bc908629982e24b321307a5533e57c8816ff534f6b4fd8e16b61c4ebe4c8306635ef69d70d46355e9cc1b72
-
Filesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
Filesize
1.8MB
MD536cdd421bca18b892a7b9acbf8ddae22
SHA17304ee9320fa859d3996603621722b5b4d1af44b
SHA25697af1cd8f14c81dc532c69899d8f6efde30e3da17340d0a18cb785ac63eb58f8
SHA512db73b4c5fe2cab6220122969594215a292950ccaa028887bfc8d3dd6de8c83d0e0c0495e81250ee33d3e3c718bae663d0eb5aa954cb4b8545b08c32d2cc97855
-
Filesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
Filesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
Filesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
46KB
MD514ccc9293153deacbb9a20ee8f6ff1b7
SHA146b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3
SHA2563195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511
SHA512916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765
-
Filesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
Filesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1233663403-1277323514-675434005-1000\76b53b3ec448f7ccdda2063b15d2bfc3_51f76018-0820-469a-b12d-f27f55f8b028
Filesize2KB
MD5e13cda0804eedb7c12fd5c1f17ce8749
SHA135e97131f7991a7e2fcef7c5b6dfc0064b23291e
SHA256e8cf9ab25268f4af3f482cf305a5ce9c60eda371abc6470f86597de9f335bc9e
SHA5123b6283778c674290c4584937e2139f5d130da2f48f5370e4362ef3a19c44578f0ca2e123627422237ba05d32c58e0c52fcc171d79dbe9abd4f13c51a285c6a3a
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
Filesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
Filesize
2KB
MD561ec96f533bcab8f6bfce11178fef9d2
SHA170a6aebf59a63ec21f23504f3675145b9c43bf40
SHA25697fddb6603381e1406a646f1342f9ca485d8d0aaf7353eaa5bc0fd7ca78a2a04
SHA5126439acce90dc94ce6e196011dea7e26187a64c7c51d254ec23c88530d107b21d9b1659c5e17eaa7564f12d46b4f85e40a640eb2f2bcd4280e91d2e427768591e
-
Filesize
2KB
MD54638e4d5380391c8012ef3448ccdf1d0
SHA11f42302d0ace00e0f06d26b29e72f0e418f60d72
SHA256d184a7f6075fa5bb566e85f5055302755097965d53b51444bf2fa4def43d7f6a
SHA51259b5c786a86bf648e4a84a7b8fac9f472513d987edeaae856b611f47f787b89c6e0879826215aa01b19713ef93a12cea9768c08e0336a9cfce2afc4aca25d2bd