amadey | 8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	153edcbbda.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	chrosha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
66	640	rundll32.exe
121	5988	rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 16 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrosha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	153edcbbda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	153edcbbda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	explorha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	36f296e9dd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	chrosha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 9 IoCs

pid	Process
116	explorha.exe
4956	36f296e9dd.exe
5260	explorha.exe
5800	153edcbbda.exe
1896	explorha.exe
1400	amert.exe
5752	explorha.exe
3396	chrosha.exe
5204	dirtquire.exe

Identifies Wine through registry keys 2 TTPs 8 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	153edcbbda.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	chrosha.exe

Loads dropped DLL 3 IoCs

pid	Process
4516	rundll32.exe
640	rundll32.exe
5988	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\36f296e9dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000055001\\36f296e9dd.exe"	explorha.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\153edcbbda.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000056001\\153edcbbda.exe"	explorha.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
264	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000023440-76.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
3144	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
116	explorha.exe
5260	explorha.exe
5800	153edcbbda.exe
1896	explorha.exe
1400	amert.exe
5752	explorha.exe
3396	chrosha.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 116 set thread context of 1896	116	explorha.exe	137
PID 5204 set thread context of 316	5204	dirtquire.exe	150

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorha.job	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
File created	C:\Windows\Tasks\chrosha.job	amert.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133581194261033409"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-259785868-298165991-4178590326-1000\{D2AA1026-20FA-4934-82CE-E0A7571214FF}	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3144	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
3144	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
116	explorha.exe
116	explorha.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
1908	powershell.exe
1908	powershell.exe
1908	powershell.exe
4372	chrome.exe
4372	chrome.exe
5260	explorha.exe
5260	explorha.exe
5800	153edcbbda.exe
5800	153edcbbda.exe
1896	explorha.exe
1896	explorha.exe
4372	chrome.exe
4372	chrome.exe
1400	amert.exe
1400	amert.exe
5752	explorha.exe
5752	explorha.exe
3396	chrosha.exe
3396	chrosha.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
316	RegAsm.exe
5692	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe
Token: SeCreatePagefilePrivilege	4372	chrome.exe
Token: SeShutdownPrivilege	4372	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3144	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4956	36f296e9dd.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4372	chrome.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4956	36f296e9dd.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4372	chrome.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe
4956	36f296e9dd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 116	3144	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe	90
PID 3144 wrote to memory of 116	3144	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe	90
PID 3144 wrote to memory of 116	3144	8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe	90
PID 116 wrote to memory of 4516	116	explorha.exe	98
PID 116 wrote to memory of 4516	116	explorha.exe	98
PID 116 wrote to memory of 4516	116	explorha.exe	98
PID 4516 wrote to memory of 640	4516	rundll32.exe	99
PID 4516 wrote to memory of 640	4516	rundll32.exe	99
PID 640 wrote to memory of 1336	640	rundll32.exe	100
PID 640 wrote to memory of 1336	640	rundll32.exe	100
PID 640 wrote to memory of 1908	640	rundll32.exe	103
PID 640 wrote to memory of 1908	640	rundll32.exe	103
PID 116 wrote to memory of 4956	116	explorha.exe	105
PID 116 wrote to memory of 4956	116	explorha.exe	105
PID 116 wrote to memory of 4956	116	explorha.exe	105
PID 4956 wrote to memory of 4372	4956	36f296e9dd.exe	106
PID 4956 wrote to memory of 4372	4956	36f296e9dd.exe	106
PID 4372 wrote to memory of 3708	4372	chrome.exe	108
PID 4372 wrote to memory of 3708	4372	chrome.exe	108
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 3756	4372	chrome.exe	110
PID 4372 wrote to memory of 768	4372	chrome.exe	111
PID 4372 wrote to memory of 768	4372	chrome.exe	111
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112
PID 4372 wrote to memory of 4948	4372	chrome.exe	112

C:\Users\Admin\AppData\Local\Temp\8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe
"C:\Users\Admin\AppData\Local\Temp\8d10ea1db46deb842f9baae002fc6345a7fc7f405aa50f9facd98204b9ef325b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
  "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:1336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\597858682981_Desktop.zip' -CompressionLevel Optimal
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
- - C:\Users\Admin\AppData\Local\Temp\1000055001\36f296e9dd.exe
    "C:\Users\Admin\AppData\Local\Temp\1000055001\36f296e9dd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff93c45ab58,0x7ff93c45ab68,0x7ff93c45ab78
        5⤵
        
        PID:3708
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:2
        5⤵
        
        PID:3756
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1984 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2276 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:4948
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:1
        5⤵
        
        PID:2940
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:1
        5⤵
        
        PID:540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:1
        5⤵
        
        PID:3572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4532 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:1
        5⤵
        
        PID:5308
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4100 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:5424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:5432
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:5704
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:5768
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:5804
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:5816
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:5824
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=2016,i,8521022860606404074,16889117654576369110,131072 /prefetch:8
        5⤵
        
        PID:912
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:5988
- - C:\Users\Admin\AppData\Local\Temp\1000056001\153edcbbda.exe
    "C:\Users\Admin\AppData\Local\Temp\1000056001\153edcbbda.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:5800
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe
    "C:\Users\Admin\AppData\Local\Temp\1000059001\amert.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5260

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3396
- C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe
  "C:\Users\Admin\AppData\Local\Temp\1000193001\dirtquire.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\Admin\AppData\Roaming\RB48SMHJES.exe'"
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:5692

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion