amadey | 35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed

Virtualization/Sandbox Evasion

Processes:

explortu.exeaxplont.exeexplortu.exeaxplont.exeaxplont.exeexplortu.exe5ce025e2d2.exe7dda573139.exeaxplont.exe35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exeexplortu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5ce025e2d2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7dda573139.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

explortu.exe7dda573139.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeexplortu.exe35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exeaxplont.exeaxplont.exe5ce025e2d2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7dda573139.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7dda573139.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5ce025e2d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5ce025e2d2.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

Processes:

35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exeexplortu.exe5ce025e2d2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explortu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	5ce025e2d2.exe

Executes dropped EXE 10 IoCs

Processes:

explortu.exe5ce025e2d2.exeaxplont.exe7dda573139.exeaxplont.exeexplortu.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exe

pid	process
5040	explortu.exe
2148	5ce025e2d2.exe
4532	axplont.exe
4812	7dda573139.exe
1224	axplont.exe
3504	explortu.exe
4776	explortu.exe
2440	axplont.exe
3708	explortu.exe
1932	axplont.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

5ce025e2d2.exeaxplont.exeaxplont.exeexplortu.exe35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exeexplortu.exeexplortu.exeexplortu.exeaxplont.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	5ce025e2d2.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	axplont.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000005001\7dda573139.exe	themida
behavioral1/memory/4812-72-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida
behavioral1/memory/4812-73-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida
behavioral1/memory/4812-74-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida
behavioral1/memory/4812-78-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida
behavioral1/memory/4812-76-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida
behavioral1/memory/4812-79-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida
behavioral1/memory/4812-77-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida
behavioral1/memory/4812-75-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida
behavioral1/memory/4812-82-0x00000000008A0000-0x0000000000EFF000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explortu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7dda573139.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\7dda573139.exe"	explortu.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7dda573139.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7dda573139.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7dda573139.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exeexplortu.exe5ce025e2d2.exeaxplont.exeaxplont.exeexplortu.exeexplortu.exeaxplont.exeaxplont.exeexplortu.exe

pid	process
1604	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
5040	explortu.exe
2148	5ce025e2d2.exe
4532	axplont.exe
1224	axplont.exe
3504	explortu.exe
4776	explortu.exe
2440	axplont.exe
1932	axplont.exe
3708	explortu.exe

Drops file in Windows directory 2 IoCs

Processes:

35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe5ce025e2d2.exe

description	ioc	process
File created	C:\Windows\Tasks\explortu.job	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
File created	C:\Windows\Tasks\axplont.job	5ce025e2d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exeexplortu.exe5ce025e2d2.exeaxplont.exeaxplont.exeexplortu.exeexplortu.exeaxplont.exeaxplont.exeexplortu.exe

pid	process
1604	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
1604	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
5040	explortu.exe
5040	explortu.exe
2148	5ce025e2d2.exe
2148	5ce025e2d2.exe
4532	axplont.exe
4532	axplont.exe
1224	axplont.exe
1224	axplont.exe
3504	explortu.exe
3504	explortu.exe
4776	explortu.exe
4776	explortu.exe
2440	axplont.exe
2440	axplont.exe
1932	axplont.exe
1932	axplont.exe
3708	explortu.exe
3708	explortu.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exeexplortu.exe5ce025e2d2.exe

description	pid	process	target process
PID 1604 wrote to memory of 5040	1604	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe	explortu.exe
PID 1604 wrote to memory of 5040	1604	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe	explortu.exe
PID 1604 wrote to memory of 5040	1604	35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe	explortu.exe
PID 5040 wrote to memory of 2324	5040	explortu.exe	explortu.exe
PID 5040 wrote to memory of 2324	5040	explortu.exe	explortu.exe
PID 5040 wrote to memory of 2324	5040	explortu.exe	explortu.exe
PID 5040 wrote to memory of 2148	5040	explortu.exe	5ce025e2d2.exe
PID 5040 wrote to memory of 2148	5040	explortu.exe	5ce025e2d2.exe
PID 5040 wrote to memory of 2148	5040	explortu.exe	5ce025e2d2.exe
PID 2148 wrote to memory of 4532	2148	5ce025e2d2.exe	axplont.exe
PID 2148 wrote to memory of 4532	2148	5ce025e2d2.exe	axplont.exe
PID 2148 wrote to memory of 4532	2148	5ce025e2d2.exe	axplont.exe
PID 5040 wrote to memory of 4812	5040	explortu.exe	7dda573139.exe
PID 5040 wrote to memory of 4812	5040	explortu.exe	7dda573139.exe
PID 5040 wrote to memory of 4812	5040	explortu.exe	7dda573139.exe

C:\Users\Admin\AppData\Local\Temp\35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe
"C:\Users\Admin\AppData\Local\Temp\35980f6a49e79c4ab06db58c1dd166a8705787b85878edf72824e6dc7cd296ed.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
3⤵
PID:2324

C:\Users\Admin\1000004002\5ce025e2d2.exe
"C:\Users\Admin\1000004002\5ce025e2d2.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Users\Admin\AppData\Local\Temp\1000005001\7dda573139.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\7dda573139.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4812

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3504

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

2

Modify Registry

T1112

Credential Access

Discovery

Query Registry

4

Virtualization/Sandbox Evasion

2