Malware Analysis Report

2025-03-15 03:57

Sample ID 240519-2bgjjadf46
Target 6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510
SHA256 6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510
Tags
themida amadey 18befc evasion trojan c767c0
Score
10/10

Analysis Overview

Score
10/10

SHA256

6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510

Threat Level: Known bad

The file 6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510 was found to be: Known bad.

Malicious Activity Summary

themida amadey 18befc evasion trojan c767c0

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 22:24

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 22:24

Reported

2024-05-19 22:27

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe

"C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
BE 88.221.83.208:443 www.bing.com tcp
US 8.8.8.8:53 208.83.221.88.in-addr.arpa udp
RU 5.42.96.141:80 5.42.96.141 tcp
BE 88.221.83.208:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3032-1-0x0000000000EE0000-0x0000000001434000-memory.dmp

memory/3032-0-0x0000000000EE0000-0x0000000001434000-memory.dmp

memory/3032-2-0x0000000000EE0000-0x0000000001434000-memory.dmp

memory/3032-3-0x0000000000EE0000-0x0000000001434000-memory.dmp

memory/3032-6-0x0000000000EE0000-0x0000000001434000-memory.dmp

memory/3032-5-0x0000000000EE0000-0x0000000001434000-memory.dmp

memory/3032-7-0x0000000000EE0000-0x0000000001434000-memory.dmp

memory/3032-4-0x0000000000EE0000-0x0000000001434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 7286229961d535787946498abd94284b
SHA1 3a36e020bd2b5727db8e6afbdbe98e31d374a617
SHA256 6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510
SHA512 ac3da38b9ce83fc85755e7c9de4b8118420feb71fb728167598eed953165c8f5f13708f8dc4300acf5ecbc23b92cb81b587cc5f8495cdb07d5991592ed5745c8

memory/3032-20-0x0000000000EE0000-0x0000000001434000-memory.dmp

memory/1536-27-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/1536-28-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/1536-26-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/1536-23-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/1536-25-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/1536-24-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/1536-21-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/1536-29-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-34-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-35-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-39-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-33-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-38-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-37-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-36-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-32-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4528-40-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-48-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-51-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-54-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-53-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-52-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-49-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-50-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-55-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/4580-56-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-65-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-66-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-69-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-71-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-70-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-67-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-68-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-64-0x0000000000490000-0x00000000009E4000-memory.dmp

memory/3932-73-0x0000000000490000-0x00000000009E4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 22:24

Reported

2024-05-19 22:27

Platform

win11-20240419-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\1000017002\7f8dd64666.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\1000017002\7f8dd64666.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\1000017002\7f8dd64666.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine C:\Users\Admin\1000017002\7f8dd64666.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2700 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2700 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3760 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3760 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3760 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3760 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 3760 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 3760 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 396 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 396 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 396 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3760 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\7f8dd64666.exe
PID 3760 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\7f8dd64666.exe
PID 3760 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\1000017002\7f8dd64666.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe

"C:\Users\Admin\AppData\Local\Temp\6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\1000017002\7f8dd64666.exe

"C:\Users\Admin\1000017002\7f8dd64666.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
RU 5.42.96.7:80 5.42.96.7 tcp

Files

memory/2700-2-0x0000000000970000-0x0000000000EC4000-memory.dmp

memory/2700-3-0x0000000000970000-0x0000000000EC4000-memory.dmp

memory/2700-1-0x0000000000970000-0x0000000000EC4000-memory.dmp

memory/2700-0-0x0000000000970000-0x0000000000EC4000-memory.dmp

memory/2700-6-0x0000000000970000-0x0000000000EC4000-memory.dmp

memory/2700-5-0x0000000000970000-0x0000000000EC4000-memory.dmp

memory/2700-4-0x0000000000970000-0x0000000000EC4000-memory.dmp

memory/2700-7-0x0000000000970000-0x0000000000EC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 7286229961d535787946498abd94284b
SHA1 3a36e020bd2b5727db8e6afbdbe98e31d374a617
SHA256 6ce92c9d73465e722da2ec046acb54a9137c13642fcb5538ead9661391952510
SHA512 ac3da38b9ce83fc85755e7c9de4b8118420feb71fb728167598eed953165c8f5f13708f8dc4300acf5ecbc23b92cb81b587cc5f8495cdb07d5991592ed5745c8

memory/2700-19-0x0000000000970000-0x0000000000EC4000-memory.dmp

memory/3760-27-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3760-28-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3760-26-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3760-24-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3760-23-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3760-21-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3760-22-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3760-25-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3760-31-0x0000000000B00000-0x0000000001054000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 c61f6e3515579f99188f4d0b4f2c12d6
SHA1 46a891fac99328048a975a118eb3aeedf273051d
SHA256 a586477edf84307bf28879ffd305173ab03fb2647158b9fcedc6a49d813d95cf
SHA512 764337de929e6273a231cae7c0a097b808841e34d768a60be5ff99046ed064dc26a026531103ede5996aefe34fa8e8470eedd78cba7fdb2a8061101e95210b01

memory/396-47-0x00000000003F0000-0x000000000089A000-memory.dmp

memory/396-48-0x0000000077C46000-0x0000000077C48000-memory.dmp

memory/4396-53-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/4396-57-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/4396-55-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/4396-54-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/4396-56-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/4396-52-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/4396-51-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/4396-50-0x0000000000B00000-0x0000000001054000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\dc11072123.exe

MD5 29f3745b79c8d1a4db5b2c85a1db135b
SHA1 deb086c291c4bde3472a602df64ea53cb4ad7fdc
SHA256 f60269ed927b2a51d0b14a61efb368fa02011ad2b14ffb8e4f99ee495862ae1e
SHA512 c6fc851c31ae718d3cfd4354d52571033a01b500b910edf186e9d85dd155b46712d7d140fa118026cad5527d96897857273a803337723c3daedfe04015e040e9

memory/2384-85-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/4396-87-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/396-82-0x00000000003F0000-0x000000000089A000-memory.dmp

C:\Users\Admin\1000017002\7f8dd64666.exe

MD5 d0d9b758764ced5f38eddd0f9c765b79
SHA1 037f9f517d2599305a667e965734e24d96875aa2
SHA256 2fd0034392e25580745b0828a3c9d295f09cf2d561254bf6b5fa92e76818efb1
SHA512 58ea14f2a265215c98a916a3b1bbf37a6777f62ac66c5399fa68d1993a363e31e04821efe78558f569d6be727beba01a93995289e5990d74ca122afc5d480429

memory/4900-104-0x0000000000850000-0x0000000000CFA000-memory.dmp

memory/3760-103-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/4900-105-0x0000000000850000-0x0000000000CFA000-memory.dmp

memory/3760-106-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/2384-107-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-109-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-111-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-113-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-115-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2104-118-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/1664-120-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1664-121-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1664-122-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1664-125-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1664-124-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1664-123-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1664-126-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/2104-127-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/1664-128-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/2384-129-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-131-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-133-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-135-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-137-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/2384-139-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/1464-142-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1464-148-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1464-147-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3352-151-0x0000000000330000-0x00000000007DA000-memory.dmp

memory/1464-145-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1464-143-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1464-146-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1464-144-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/1464-154-0x0000000000B00000-0x0000000001054000-memory.dmp

memory/3352-156-0x0000000000330000-0x00000000007DA000-memory.dmp