Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
05-05-2024 17:39
General
-
Target
b57f0f54d65712e116d7fdbd77a6c2bf1c6f871df16453571b8499c0312604ca.exe
-
Size
1.8MB
-
MD5
9d7e95b132835b099f4b00cae7863e2d
-
SHA1
9e59088cfaa673241a49dbdfbb7f1b0462cb5da7
-
SHA256
b57f0f54d65712e116d7fdbd77a6c2bf1c6f871df16453571b8499c0312604ca
-
SHA512
ddfe237647bf44ef7a925de439eb55385696fdb5b15dde539f3cfe18122305149f9dc2b6a463f5948934e0d852c29706b74fac5781d125e0ccba30a3b1b490fe
-
SSDEEP
24576:fU0Hb8WCzvwyS2LzpLQNUbz/xkTbl37a5qFXM5s4GplYx2uqYVKEsX/B/q:fVQwyS2L+NUfJUGqVM542xC/q
Malware Config
Extracted
amadey
4.20
http://193.233.132.139
-
install_dir
5454e6f062
-
install_file
explorta.exe
-
strings_key
c7a869c5ba1d72480093ec207994e2bf
-
url_paths
/sev56rkm/index.php
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Extracted
risepro
147.45.47.93:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 3 IoCs
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 22 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 45 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 55 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b57f0f54d65712e116d7fdbd77a6c2bf1c6f871df16453571b8499c0312604ca.exe"C:\Users\Admin\AppData\Local\Temp\b57f0f54d65712e116d7fdbd77a6c2bf1c6f871df16453571b8499c0312604ca.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"C:\Users\Admin\AppData\Local\Temp\1000019001\amert.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\1000238001\ISetup8.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\ud4.0.exe"C:\Users\Admin\AppData\Local\Temp\ud4.0.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 22888⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\ud4.1.exe"C:\Users\Admin\AppData\Local\Temp\ud4.1.exe"7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD18⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 15127⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\toolspub1.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 3847⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"C:\Users\Admin\AppData\Local\Temp\1000240001\4767d2e713f2021e8fe856e3ea638b58.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"8⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes9⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile8⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe8⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f9⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile9⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll9⤵
- Executes dropped EXE
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F9⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)11⤵
- Launches sc.exe
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\netsh.exenetsh wlan show profiles7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\230210488309_Desktop.zip' -CompressionLevel Optimal7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000020001\62fa75c398.exe"C:\Users\Admin\AppData\Local\Temp\1000020001\62fa75c398.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
C:\Users\Admin\1000021002\22806c8add.exe"C:\Users\Admin\1000021002\22806c8add.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa9709ab58,0x7ffa9709ab68,0x7ffa9709ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2148 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3300 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1752,i,13479157654934174423,6344033403058095006,131072 /prefetch:25⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 472 -ip 4721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3624 -ip 36241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1704 -ip 17041⤵
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exeC:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exeC:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exeC:\Users\Admin\AppData\Local\Temp\1000088001\NewB.exe1⤵
- Executes dropped EXE
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Virtualization/Sandbox Evasion
2Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.1MB
MD532ab440296dc6cf4c1fb3225455193b5
SHA13303070666889e955de30fdf1dd87dff635fbada
SHA256f3581a978c12debc01d7afc4601e2a3c82171896c893da133eb19d75c74cba06
SHA51213fd4db1269c37c0d2b5614d75ac82ecd4316123e73c6306ccca36748c010539042987cd0650bcbe0f56e5f953deb0c628514b5430cd09c05d03b4bb4859ba4b
-
Filesize
240B
MD570fdd7069c60df526a069cad83e1a0a1
SHA1957113fd2990bb6fed4f9bedb9f9a5763c62c21b
SHA256a8652c76717b04b42ed96071ef1c76ed25032ce89f2afcf5685c34838827262b
SHA512c169703da8c56d12c643fecc3397e3b67f07626221be64b8231081a0fdf122b926abb86f91c7d84471b6bc03d97ff3eb08478ca767342763ad02474910ff3088
-
Filesize
152KB
MD5222c50e321af234fed0246b9eb9c7bad
SHA12acee73a9d81e4851c0bda82b3bada5bb46c6fb5
SHA256c5fe7916103f478d546501339b8a9aba77fc32bcdd679fc01acbaa04c2af9d09
SHA512d4ea938922e3004e6a6eae6e99b8a0561446aa824e7a1fe0bff644b5f0842d170ebe9af42e5c906a7e1d0f453e6bee6811a9054b09d4fd111d70e484636132f0
-
Filesize
20KB
MD579e2c6bd3a036b20b0bcad89ea316b7e
SHA10ef35e704b5b6050366ee1f1f2d60db69979a064
SHA2565e0a380b87225b93cbc935de6d129e270ccf111a71f9f3f2baa0382dbf98ab3e
SHA5129863698230794b5ca2d3fe980973316d135d09d59c14140acbddaaea6f09b22052aa6350caf5883cbb96d8e6df6af2d1d686974dcd07a61497c4c68c3afe4209
-
Filesize
2KB
MD58dd8efc065765620261431a7eb1eea3d
SHA144267654da5f940c3ac571179a812a878dd12770
SHA25660a81bac1472d4b0e1ad8ffdbc46c60a13290985546b6ca0d58981df4415d31a
SHA51229de833e82f54bcb3efbd0e63bba138106c32ad4e0635a910221017d59ff8aee98a9e81611ca1b5fb1a1a2bf1082bc450f4de8bd52fe4a4a34baee2e125a2422
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5f1969df50b4534fde755bfb1208b1450
SHA15cc982753406da46aecd4c210dbcdc4bee969a56
SHA256d92774a5d090f5cf90b981730a9e8911dc9eb9012ebbf11180a7e1b88d3290e3
SHA51224f9cc9cb5ef622fb80d1c59346b8ba248d1b9732366dd859b77eaea50e6f87e9f317620e2bc7f4be299d76b0eb33a0bc82d9f2accddb2cabb9f574d532b7a21
-
Filesize
7KB
MD5a6a9561e6c1a185f5e10557e7183a2d1
SHA199c48104d073b684aa84c495ee5359c130607b99
SHA2568db28fbc44546b8040f1cd5c4767360daf9cea4c7606f15fbc1a2aaac077025b
SHA512c4e55dd52b9132c59ab1f24f6f69fe170cfff0c8e9499bd9eb7df1eb0058daa3d21340a4e3c7fc602b7a81e35e86de37e6c1960c5736bd0c99d8dcf83c208c1a
-
Filesize
16KB
MD5e7de056c45ced6a825e3103463a22074
SHA1f5ce4d4cab916315a1885c35618fcc1b8c5fca36
SHA2562d737834deaa6ced0e69338d277c2da954bdb4a5751bdb2d830c67ea3fde0044
SHA512f0ade7b3e66651a1c6396d934459309a745c1532794065e0ac1fceb901b8fdc2d5fa22115e6abe1e83b20c95a5435a2a620e520cdf2f8b9011c595f053a49647
-
Filesize
255KB
MD54c497bcf8ee1f111171504d919a56755
SHA11b9fc824b105dc3b5b6d6d57b673fcb0dcc764af
SHA256b8b03f510d5842b5d5c38ccc8d082666173125d54c4efb6c38cebfcb4e548d62
SHA5123b1c4c3612953394ab284192b334457519c8ff87db9fc4c990f99599330958194ce57196972732a51292bd54c64f84f85374a199f71d52a96f61c2fc7c80fa9e
-
Filesize
1.8MB
MD51b4beb207b9755c5ccd02b6d90e5dc43
SHA1d3d79d432e40c5863f1a3f0369ee03a76f0d5b1e
SHA256db6d324db3cab13f7325d7e64de470b2b10a6932ee0e75b35fab279ea042ed08
SHA51213df414d3e078562393b65e3b9dc56e533ea4067f81a12d6fcbd4321269973e84c14c2d67e6ad6a0ea38e990c765aa1c35916047658ddcecb3a1f4216b207dd1
-
Filesize
2.2MB
MD5a3fbdcd77e5f53ce812e36b5c180f50b
SHA16658412ff76c6ecbbf410780c778364f16245e00
SHA2565374c5fed1ccff19c612321900c6b3723f5497b5ec6d62478bd4b814fe2cd0be
SHA51286b873b8158e736abee42ac1edefd37419e9de71118e7514087e2993c0e899b21e70b742603fe4481279a72b10f2ff775bf099c7d72f27913bfcadb1ba856079
-
Filesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
Filesize
406KB
MD58c119343e6bf0180eebef7023c6dd30a
SHA1edd4dbb9fe569cdf6bd427c4397005876ccca575
SHA256f000cf9df04caf982a587f04d727fad5be0716146827a46e9e3cdc299952829d
SHA5124e890229827cf489b0fbc917a688bba239e635e6a53f05b3c55186bd564f06d0e71bde53311be312056fb4382c7c623cc0eb0326aa66f579a68aecf46c2c6c8d
-
Filesize
245KB
MD5eab8a9b818ef4e23bd92d7420ee33b77
SHA1f4751ca6ff4d24c3bfada9ad043835a27f04d2f5
SHA256130ef444d7e6cd446c98932ce64ec44b56653258965cea4180baba5b570e4b75
SHA512ce77e817741e460aa813d4efe1750f24f149bb4f7df23a06b7986c4ef09dc5303d0e0585928b78bf2b12dfa76a93f5bc8873fa03c8febe82b9c960ad41d1ff9f
-
Filesize
4.2MB
MD57ed0b5eeaf34416b080419f50f9bdf72
SHA1734fe1331117f6ffa209e82b54eaa6e56f98594c
SHA256f795392cec75639bd25fc5a9b536e837a056dd68ab476c664208cd2cd1b93f38
SHA512ac573ebf859d70a075b91ecf863275dc18f15aeb2d75b20d6ec33ff070fe612215647cbe96c527b2a3c054a23bbde206fb57e786c64ff799a00dc6319049ac96
-
Filesize
1.8MB
MD59d7e95b132835b099f4b00cae7863e2d
SHA19e59088cfaa673241a49dbdfbb7f1b0462cb5da7
SHA256b57f0f54d65712e116d7fdbd77a6c2bf1c6f871df16453571b8499c0312604ca
SHA512ddfe237647bf44ef7a925de439eb55385696fdb5b15dde539f3cfe18122305149f9dc2b6a463f5948934e0d852c29706b74fac5781d125e0ccba30a3b1b490fe
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
2KB
MD5f3c3d86da12da80641e09bc9af326b79
SHA1614b44fca3befdee321f2859a9ef652b7eb9606a
SHA2567211e8f3ae15fadf3bdf47798dc45327edfdd147e28020652278ffd50fb30205
SHA512bd54099e73e99136b6af7889a50853629486371bb705bb4f3f29c8fe982364c5ee68748181c175981e07b373591de79d3949fc83facc0be08f974116d03c4519
-
Filesize
275KB
MD5741f4fea03733d88a053a34f5f99f85f
SHA1e7bece4b05fcd0df660ba0a043c3bd57dde078a3
SHA256d1b502639e81960fb96040c544be3f66fa19f0a7ff4cfff874f7375ab851f6bc
SHA512371070b856d0377c8d09eef20166376b9ac6bdd58b976882ed81e2d84609fa54f896e896b8dfe7434eba399af0a8a32d6290523e466d55eb2651517049dcc298
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
Filesize
19KB
MD50c42220ccc0f6f2aca6f6a5285739011
SHA1ec2d299a4792c0fdf00669cdfced0cde011914c5
SHA256ce1764ea054fff9a12c0be5ac41e340fb9e0218ca55ccb78b81bd9dd43a59962
SHA5124bf8b3aabf52eb60e55d2fa7e97edac081e5e96de3a80e9c504529e994a5f74779141b318c267bc6bb195ce107d882c10094935f3f82cc2fd8c9bdeb41fe3f73
-
Filesize
19KB
MD5e1c558388ccd1f5d5085a4c8b556febf
SHA1de3206f8de0531a51819f2f2137597ebddb27742
SHA25689692a52544cbc15021048861994a90ec060d8c419aab6c652c58b44d2fc0f5e
SHA5126eaa8991c996bc11e9b4bdbd27dc8b5d75135573fc9cb9cd3072bc38a975a9e14f6d05e7e7ef8b8a00e543c1aac348f8d7fd74f0a59033f6b62c4c9540126e4b
-
Filesize
19KB
MD514213df935c28e82634f7ffd5e5d8be3
SHA1b44d43d3013487012f710854d3c4f4f3b8b886e5
SHA25650fe522a5fa0a17f2f8921d46c0b92065378ec3880b260a754aea9d537ccc3c3
SHA512124392a235882d87bf1c4afdbfc66c2a713a77ec11c3c1116562b19058d09adbbd27ef8ccb424a1e6efa57f39bb7541e78a22bb7a4151424069352defbb2364e
-
Filesize
19KB
MD5a8fd4b30a0774c633ceb134c5291abfc
SHA10bc608eccd4f5ca075d543ddb9e35cb51ce1bb90
SHA2569186f46adf0191da0cbdfde9e8a819cf089166b68df2784a4b20027bb4ec2436
SHA5129c6a1aa2e39eea20efc90016b36033a2bbcbeb5d42efb084a7ae82bc75daea44c00852f049c8b361a62ab18b764216f9a7090b24fcea9c19e3172b87bda89160
-
Filesize
19KB
MD5dca924e952a2fcd4c6166aeddf053673
SHA1db81e9a182a4238c9615c17309459d95f6527f22
SHA2569647fe60660c42837d6c7a788d06f4c963283cade94eda546945cd2fc95954bb
SHA5129981861236857dc9dc10d6eecabb44da21168a0263443450716009db017f80ccaebc05ce4191a7e75bee06d0f77b37f4550a769cbc6e42b8ada6b776aac42954
-
Filesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
Filesize
39.1MB
-
Filesize
39.1MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
972KB
-
Filesize
42.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
208KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
84KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
280KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
656KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
712KB
-
Filesize
392KB
-
Filesize
168KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
3.0MB
-
Filesize
32KB
-
Filesize
224KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
488KB
-
Filesize
48KB
-
Filesize
320KB
-
Filesize
120KB
-
Filesize
57.0MB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
144KB
-
Filesize
80KB
-
Filesize
1.1MB
-
Filesize
39.0MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
304KB
-
Filesize
84KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
656KB
-
Filesize
68KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB