Analysis
max time kernel: 38s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 22:58
Static task: static1
Behavioral task: behavioral1
Sample: 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe
Resource: win7-20240221-en
General
Target: 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe
Size: 1.8MB
MD5: 7f40d98b2ba64348358fd75b5f0bdcfb
SHA1: e9f33ceeac6b2de2f63f9e73902b2926ba61364c
SHA256: 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40
SHA512: c275ae0f9199f7fc024565e55afdbd952ad46ebcb890018acd22893e6e063a1db0e995fae77fc6e3a2ccb0971666e7ca5b920f4e8fc75b39f830bc0f45799abd
SSDEEP: 24576:zbBE9EkzS56PSpOhed47Vm49wmFNaC0GL3bJN7xWiJ3HA7blfGPOo/2GVgUNPJ9D:zbBMETUqpO8deNNPT0HGZ+UNga
Malware Config
Two Amadey configurations were extracted from this run. The 4.18 config (install_dir 09fd851a4f, install_file explorha.exe) matches the explorha.exe path and the C:\Windows\Tasks\explorha.job seen in the process tree; the 4.17 config (install_file explorgu.exe) matches the explorgu.job that amert.exe drops, so the sample chains two Amadey builds that each report to their own C2 host.
Extracted: amadey 4.18
C2: http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php
Extracted: amadey 4.17
C2: http://185.215.113.32
install_dir: 00c07260dc
install_file: explorgu.exe
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php
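As an added example (not part of the Triage report and not Amadey's own code), the Python below turns the two configs above into network and host IoCs and runs them over a constructed proxy log. The C2 hosts, url_paths, install_dir and install_file values are the ones extracted above, and the install-path layout (%LOCALAPPDATA%\Temp\<install_dir>\<install_file> plus C:\Windows\Tasks\<name>.job) follows this report's process tree; the log format, client IP and the non-beacon request path are made up for the demonstration.

```python
"""Derive network and host IoCs from the two Amadey configs above and match
them against constructed proxy log lines (added example, not report output)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AmadeyConfig:
    version: str
    c2: str
    install_dir: str
    install_file: str
    url_path: str


# Field values copied from the report's Malware Config section.
CONFIGS = [
    AmadeyConfig("4.18", "http://193.233.132.56", "09fd851a4f", "explorha.exe", "/Pneh2sXQk0/index.php"),
    AmadeyConfig("4.17", "http://185.215.113.32", "00c07260dc", "explorgu.exe", "/yandex/index.php"),
]


def network_iocs(cfg):
    """C2 host plus the full beacon URL (C2 + url_path)."""
    return {"host": urlsplit(cfg.c2).hostname, "beacon": cfg.c2.rstrip("/") + cfg.url_path}


def host_iocs(cfg, user="Admin"):
    """Where this config installs: %LOCALAPPDATA%\\Temp\\<install_dir>\\<install_file>
    plus the C:\\Windows\\Tasks\\<name>.job scheduler file the loader drops
    (layout as seen in this report's process tree and file-drop signature)."""
    stem = cfg.install_file.rsplit(".", 1)[0]
    return {
        "exe": rf"C:\Users\{user}\AppData\Local\Temp\{cfg.install_dir}\{cfg.install_file}",
        "job": rf"C:\Windows\Tasks\{stem}.job",
    }


def match_proxy_log(log_text, configs):
    """Scan 'timestamp client method url status' lines (hypothetical format);
    flag exact beacon URLs as 'beacon' and any other request to a C2 host as 'host'."""
    by_host = {network_iocs(c)["host"]: network_iocs(c) for c in configs}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at them
        ts, client, method, url, status = parts
        ioc = by_host.get(urlsplit(url).hostname)
        if ioc is None:
            continue
        level = "beacon" if url.split("?", 1)[0] == ioc["beacon"] else "host"
        hits.append({"ts": ts, "client": client, "method": method, "url": url, "level": level})
    return hits


# Constructed proxy log: two beacons, one request to a C2 host with a made-up path,
# and one benign line (the Chrome launch to youtube.com seen in the process tree).
PROXY_LOG = """\
2024-04-07T22:59:01Z 10.0.0.5 POST http://193.233.132.56/Pneh2sXQk0/index.php 200
2024-04-07T22:59:04Z 10.0.0.5 GET http://193.233.132.56/Pneh2sXQk0/other.bin 200
2024-04-07T22:59:10Z 10.0.0.5 GET https://www.youtube.com/account 200
2024-04-07T23:00:12Z 10.0.0.5 POST http://185.215.113.32/yandex/index.php?id=1 200
"""

if __name__ == "__main__":
    for cfg in CONFIGS:
        print(cfg.version, network_iocs(cfg), host_iocs(cfg))
    for hit in match_proxy_log(PROXY_LOG, CONFIGS):
        print(hit["level"], hit["client"], hit["url"])
```

Matching on the host as well as the exact beacon URL matters here: the plugin DLLs (cred64.dll, clip64.dll) and the secondary payloads seen later in the run arrive over the same infrastructure, so a rule keyed only on /index.php would miss them.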
Signatures
Detects executables packed with Themida (10 IoCs)
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe | INDICATOR_EXE_Packed_Themida
- behavioral1/memory/2892-N-0x00000000009A0000-0x0000000001141000-memory.dmp for N in 61, 62, 63, 64, 65, 66, 67, 68, 173 (nine dumps of PID 2892, same region) | INDICATOR_EXE_Packed_Themida
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | adc0011383.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amert.exe
Blocklisted process makes network request (2 IoCs)
Processes (flow | pid | process):
- 39 | 2236 | rundll32.exe
- 44 | 1648 | rundll32.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | adc0011383.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | adc0011383.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amert.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amert.exe
Executes dropped EXE (4 IoCs)
Processes (pid | process):
- 2680 | explorha.exe
- 2892 | adc0011383.exe
- 2436 | amert.exe
- 2832 | f770f38967.exe
Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe
- Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | explorha.exe
- Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | amert.exe
Loads dropped DLL (18 IoCs)
Processes (pid | process | entries):
- 2320 | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | 1
- 2680 | explorha.exe | 5
- 1248 | rundll32.exe | 4
- 2236 | rundll32.exe | 4
- 1648 | rundll32.exe | 4
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Themida packer (10 IoCs)
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe | themida
- behavioral1/memory/2892-N-0x00000000009A0000-0x0000000001141000-memory.dmp for N in 61, 62, 63, 64, 65, 66, 67, 68, 173 (the same nine dumps of PID 2892 as above) | themida
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\adc0011383.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\adc0011383.exe" | explorha.exe
Checks whether UAC is enabled (1 IoCs)
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | adc0011383.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe | autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes (pid | process):
- 2320 | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe
- 2680 | explorha.exe
- 2436 | amert.exe
Drops file in Windows directory (2 IoCs)
Processes (description | ioc | process):
- File created | C:\Windows\Tasks\explorha.job | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe
- File created | C:\Windows\Tasks\explorgu.job | amert.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes (pid | process | entries):
- 2320 | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | 1
- 2680 | explorha.exe | 1
- 2436 | amert.exe | 1
- 1132 | chrome.exe | 2
- 2236 | rundll32.exe | 5
- 2228 | powershell.exe | 1
Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes (token | pid | process | entries):
- SeShutdownPrivilege | 1132 | chrome.exe | 50
- SeDebugPrivilege | 2228 | powershell.exe | 1
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid | process):
- 2320 | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe (1 entry)
- 2436 | amert.exe (1 entry)
- 2832 | f770f38967.exe and 1132 | chrome.exe (the remaining 62 entries, interleaved)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid | process):
- 2832 | f770f38967.exe and 1132 | chrome.exe (all 64 entries, interleaved)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid | process | target pid | target process | entries):
- 2320 | 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe | 2680 | explorha.exe | 4
- 2680 | explorha.exe | 2892 | adc0011383.exe | 4
- 2680 | explorha.exe | 2212 | explorha.exe | 4
- 2680 | explorha.exe | 2436 | amert.exe | 4
- 2680 | explorha.exe | 2832 | f770f38967.exe | 4
- 2832 | f770f38967.exe | 1132 | chrome.exe | 4
- 1132 | chrome.exe | 1080 | chrome.exe | 3
- 1132 | chrome.exe | 1336 | chrome.exe | 37 (list capped at 64 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe (PID 2320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe"
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Identifies Wine through registry keys; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (PID 2680)
    Command line: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Loads dropped DLL; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe (PID 2892)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe"
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Checks whether UAC is enabled
    - [3] C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe (PID 2212)
      Command line: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    - [3] C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe (PID 2436)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000049001\amert.exe"
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow
    - [3] C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe (PID 2832)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000051001\f770f38967.exe"
      Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1132)
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
        Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1080)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6689758,0x7fef6689768,0x7fef6689778
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1336)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:2
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1396)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:8
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 468)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:8
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2148)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:1
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2836)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:1
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2416)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3212 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:1
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1180)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1548 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:2
        - [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1764)
          Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=1312,i,6868605695981445345,2628037694563505978,131072 /prefetch:8
    - [3] C:\Windows\SysWOW64\rundll32.exe (PID 1248)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      Signatures: Loads dropped DLL
      - [4] C:\Windows\system32\rundll32.exe (PID 2236)
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
        - [5] C:\Windows\system32\netsh.exe (PID 1548)
          Command line: netsh wlan show profiles
        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2228)
          Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\452737119395_Desktop.zip' -CompressionLevel Optimal
          Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\rundll32.exe (PID 1648)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL
- [1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2728)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
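The Signatures and process tree above describe three behaviours worth detecting independently of file hashes. Each Amadey loader stage (the sample, explorha.exe, amert.exe) opens HARDWARE\ACPI\DSDT\VBOX__, reads SystemBiosVersion/VideoBiosVersion and opens Software\Wine before doing anything else; explorha.exe persists a dropped payload through a Run value pointing into %LOCALAPPDATA%\Temp; and the credential plugin runs as rundll32 loading cred64.dll from a random directory under AppData\Roaming, then spawns `netsh wlan show profiles` and a PowerShell Compress-Archive of the collected files (the SysWOW64 rundll32 that was launched as "System32\rundll32.exe" is WoW64 file-system redirection at work: the 32-bit parent could not load a 64-bit DLL, so it relaunched the native rundll32). The Python below is an added example, not Triage's detection logic: it implements those three rules over a constructed list of Sysmon-style process and registry events whose paths, PIDs and command lines are copied from this report. The event schema and the rule names are my own.

```python
"""Three behavioural rules for the Amadey chain in this report, run over a
constructed stream of Sysmon-style events (added example, not Triage logic)."""
import re
from collections import defaultdict

# Registry paths from the report's Signatures section (compared case-insensitively).
VBOX_ACPI = r"\hardware\acpi\dsdt\vbox__"
BIOS_KEYS = (r"\description\system\systembiosversion", r"\description\system\videobiosversion")
WINE_KEY = r"\software\wine"
RUN_KEY = r"\software\microsoft\windows\currentversion\run" + "\\"
TEMP_DIR = r"\appdata\local\temp" + "\\"
# rundll32 loading a DLL from %APPDATA%\<random dir>\ (cred64.dll / clip64.dll in this run).
ROAMING_DLL = re.compile(r"\\appdata\\roaming\\[^\\\s]+\\[^\s,]+\.dll", re.I)
# Children the credential plugin spawned in this run.
RECON_CMDS = ("wlan show profiles", "compress-archive")


def proc(pid, ppid, image, cmdline):
    """Process-creation event (Sysmon EID 1 style; hypothetical schema)."""
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def reg(pid, image, key, op="open", data=""):
    """Registry event (Sysmon EID 12/13 style; hypothetical schema)."""
    return {"type": "registry", "pid": pid, "image": image, "key": key, "op": op, "data": data}


def detect(events):
    """Return (rule, subject, detail) tuples for every rule that fires."""
    findings = []
    keys_by_proc = defaultdict(set)
    for e in events:
        if e["type"] != "registry":
            continue
        key = e["key"].lower()
        keys_by_proc[(e["pid"], e["image"])].add(key)
        # Rule 1: Run value whose target lives under %LOCALAPPDATA%\Temp.
        if e["op"] == "set" and RUN_KEY in key and TEMP_DIR in e["data"].lower():
            findings.append(("run_key_to_temp", e["image"], e["data"]))
    # Rule 2: one process checks the VirtualBox ACPI table, BIOS strings and Wine.
    for (pid, image), keys in keys_by_proc.items():
        vbox = any(k.endswith(VBOX_ACPI) for k in keys)
        bios = any(k.endswith(b) for k in keys for b in BIOS_KEYS)
        wine = any(k.endswith(WINE_KEY) for k in keys)
        if vbox and bios and wine:
            findings.append(("sandbox_evasion_triad", image, pid))
    # Rule 3: rundll32 hosting a Roaming DLL spawns the Wi-Fi profile dump or the archiver.
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith("rundll32.exe"):
            continue
        if ROAMING_DLL.search(parent["cmdline"]) and any(c in e["cmdline"].lower() for c in RECON_CMDS):
            findings.append(("rundll32_roaming_dll_recon", parent["cmdline"], e["cmdline"]))
    return findings


# Constructed events; paths, PIDs and command lines are copied from this report.
HIVE = r"\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40.exe"
EXPLORHA = r"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
ADC = r"C:\Users\Admin\AppData\Local\Temp\1000042001\adc0011383.exe"
CRED64 = r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'
EVENTS = [
    reg(2320, LOADER, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    reg(2320, LOADER, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "query"),
    reg(2320, LOADER, HIVE + r"\Software\Wine"),
    reg(2892, ADC, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),  # no Wine check: rule 2 stays quiet
    reg(2892, ADC, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "query"),
    reg(2680, EXPLORHA, HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\adc0011383.exe", "set", ADC),
    proc(1248, 2680, r"C:\Windows\SysWOW64\rundll32.exe", CRED64),
    proc(2236, 1248, r"C:\Windows\system32\rundll32.exe", CRED64),
    proc(1548, 2236, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    proc(2228, 2236, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' "
         r"-DestinationPath 'C:\Users\Admin\AppData\Local\Temp\452737119395_Desktop.zip' -CompressionLevel Optimal"),
    proc(1132, 2832, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account'),
]

if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule}: {subject} -> {detail}")
```

Rule 2 deliberately requires all three checks from one process: adc0011383.exe, which queries VBOX__ and the BIOS strings but not Software\Wine, is the Themida-packed secondary payload rather than an Amadey stage, and the constructed events show the rule staying quiet for it. Rule 3 keys on the parent's command line rather than the child's image, so the second rundll32 (PID 2236, itself spawned by the SysWOW64 rundll32) is not flagged until it launches netsh or powershell.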
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (T1547): 1
    - Registry Run Keys / Startup Folder (T1547.001): 1
- Credential Access
  - Unsecured Credentials (T1552): 3
    - Credentials In Files (T1552.001): 2
    - Credentials in Registry (T1552.002): 1
Downloads
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize: 16B
  MD5: aefd77f47fb84fae5ea194496b44c67a
  SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
  SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
  SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3
- Filesize: 1KB
  MD5: ef61562c2d2fc1bb55c319611e9f6f01
  SHA1: 29beb784232fabd146b76ed2bb592aa64364d5f6
  SHA256: 7be3218d5edd9169dccaabbb1f988094dbd9bd7159ffbda9132561bb6d89ce78
  SHA512: 3654bc7e8d52e92dae200eb1006ede2c9dc65db8b17323993543620fe609426cc75f3d063d94ff8646156d5fce6ddb94b338d03c05998ef886a58ea4948b2f01
- Filesize: 6KB
  MD5: c4961780eb61c7839d1ca21859d725c1
  SHA1: 3b418052ae19f62cb6d432da4f7fc67737c7504c
  SHA256: 304cb937eafa81f255a24dc7dfc4af7f9e4eee65151c1df795e30e6e14be8e74
  SHA512: 4cec58bec51ed32cfc1b4aa4e6bae6a37f960a84f0372bafad5f04bdf9be9751da953d3ad39d774f2c22e6acc51f4cd562325750557ec2b7e6b5c00acdfbf686
- Filesize: 6KB
  MD5: 89568b34294355d476f540f23bc0c621
  SHA1: a735296c8f31e3e8f6680be897d0fcff3254aa1f
  SHA256: 8a6f9a1060403dfd0984c6405bf024cd0baa90387e27f0b426f5fcf6228f3ecb
  SHA512: 7ad9052eda3dbbd02f1ca4adc8416d3e8f1b4435d854a9f1b3b77ce892ffb3727958021d24dabc7cdf920cc340ef8e22df663c6010a1c3fcebc8fa426b6952cc
- Filesize: 16B
  MD5: 18e723571b00fb1694a3bad6c78e4054
  SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
- Filesize: 1.8MB (the submitted sample; hashes match the General section)
  MD5: 7f40d98b2ba64348358fd75b5f0bdcfb
  SHA1: e9f33ceeac6b2de2f63f9e73902b2926ba61364c
  SHA256: 85c0ca2627afecbe9b4c8758ebe0c3922717dc364993e6f7aad1168b95d41a40
  SHA512: c275ae0f9199f7fc024565e55afdbd952ad46ebcb890018acd22893e6e063a1db0e995fae77fc6e3a2ccb0971666e7ca5b920f4e8fc75b39f830bc0f45799abd
- Filesize: 3.0MB
  MD5: 3edac80b993a482f7112524ab56c8ab0
  SHA1: e9aca74db0ddbbc6eccf8039a7c7a892fe3f746c
  SHA256: 5af1635dd01cd83fc6c9bb03f52f066ff9fd2c8e6e5a9260f71288fba4fe438d
  SHA512: e7afb65176dcc69c8af46da866a4ba762ee1fe039a94089a1ed6f61d6ee4845c1fdd32f9cfbf343399db3cffc8bbb5a5ef81d0f78face4d1262e5e736c64b45b
- Filesize: 1.8MB
  MD5: 5c1591069b7d16c4e1c354e8589e3e29
  SHA1: 0822e58e1d4674a3ae29351a4eea38012616efd4
  SHA256: fe04a0fbd786f1f69cb8716383383149a910de26bfed62ea9611f2ff357cb869
  SHA512: 82bd3a6343ab833702b327652f45cbd92b53f41e9e4caa25b1b589041f6c9963057e378ff5cf48880e6f63c3c588379d693da57dff858abe822ce8bf034e1253
- Filesize: 1.1MB
  MD5: c1a04495bca429962b8b3344fa8684a2
  SHA1: b6f77a13ad98d5cdd56152fe0ff1fca62aeb286c
  SHA256: 4896377dfe62c7180cc960702291f7467ec7a2209b207cbfd63ccf27f29af524
  SHA512: 1cbb5fa5a027898dff3bf12c7c2428f56243b21b5f99101f235ae0dc2283a8421f68667f95e7ab1b6c8ec32d62f2f5d41a2f736dcbf5b0bce087ae317406afd4
- Filesize: 109KB
  MD5: 726cd06231883a159ec1ce28dd538699
  SHA1: 404897e6a133d255ad5a9c26ac6414d7134285a2
  SHA256: 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
  SHA512: 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
- Filesize: 1.2MB
  MD5: 15a42d3e4579da615a384c717ab2109b
  SHA1: 22aeedeb2307b1370cdab70d6a6b6d2c13ad2301
  SHA256: 3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
  SHA512: 1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
- Filesize: 0B (these are the hashes of an empty file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e