amadey | 193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb

Resubmissions

29-05-2024 00:25

240529-aqvwxsbf53 10

27-05-2024 20:39

240527-zfmj8sae79 10

Analysis

max time kernel
1203s
max time network
1203s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Size

1.8MB
MD5

8dad2aa0711b0336db7003675e6e98d0
SHA1

e273d85776cf0c70e2f881b70dcbe887cdc1f63d
SHA256

193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb
SHA512

be4fac217bd3fe7cbfb7a1d1dc0f9c1820e7b9b6cb5db733746b0c63a843bf0b379449c0c15943b84c9277b068788193e14cb6a407fa759ee036c7a352e6ebd4
SSDEEP

49152:2WMfJwB30J3SZskZvisVBqqUQWC+7xqb/ehVj:cRwx3ZviwYqUQWftqO

Score

10^/10

amadey 49e482 evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

49e482

http://147.45.47.70

Attributes

install_dir
1b29d73536
install_file
axplont.exe
strings_key
4d31dd1a190d9879c21fac6d87dc0043
url_paths
/tr8nomy/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 23 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplont.exe

Checks BIOS information in registry 2 TTPs 46 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

axplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exeaxplont.exeaxplont.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplont.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplont.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe

Executes dropped EXE 21 IoCs

Processes:

axplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe

pid	process
3056	axplont.exe
3840	axplont.exe
4628	axplont.exe
2376	axplont.exe
2472	axplont.exe
2476	axplont.exe
904	axplont.exe
4004	axplont.exe
2808	axplont.exe
2252	axplont.exe
4152	axplont.exe
1912	axplont.exe
3540	axplont.exe
4648	axplont.exe
1572	axplont.exe
1432	axplont.exe
4140	axplont.exe
2684	axplont.exe
1680	axplont.exe
3796	axplont.exe
2532	axplont.exe

Identifies Wine through registry keys 2 TTPs 23 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	axplont.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 23 IoCs

Processes:

193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exeaxplont.exeaxplont.exe193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exeaxplont.exe

pid	process
956	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
3056	axplont.exe
3840	axplont.exe
3452	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
4628	axplont.exe
2376	axplont.exe
2472	axplont.exe
2476	axplont.exe
904	axplont.exe
4004	axplont.exe
2808	axplont.exe
2252	axplont.exe
4152	axplont.exe
1912	axplont.exe
3540	axplont.exe
4648	axplont.exe
1572	axplont.exe
1432	axplont.exe
4140	axplont.exe
2684	axplont.exe
1680	axplont.exe
3796	axplont.exe
2532	axplont.exe

Drops file in Windows directory 1 IoCs

Processes:

193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe

description ioc process

File created C:\Windows\Tasks\axplont.job 193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\axplont.job	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

pid	process
956	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
956	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
3056	axplont.exe
3056	axplont.exe
3840	axplont.exe
3840	axplont.exe
3452	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
3452	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
4628	axplont.exe
4628	axplont.exe
2376	axplont.exe
2376	axplont.exe
2472	axplont.exe
2472	axplont.exe
2476	axplont.exe
2476	axplont.exe
904	axplont.exe
904	axplont.exe
4004	axplont.exe
4004	axplont.exe
2808	axplont.exe
2808	axplont.exe
2252	axplont.exe
2252	axplont.exe
4152	axplont.exe
4152	axplont.exe
1912	axplont.exe
1912	axplont.exe
3540	axplont.exe
3540	axplont.exe
4648	axplont.exe
4648	axplont.exe
1572	axplont.exe
1572	axplont.exe
1432	axplont.exe
1432	axplont.exe
4140	axplont.exe
4140	axplont.exe
2684	axplont.exe
2684	axplont.exe
1680	axplont.exe
1680	axplont.exe
3796	axplont.exe
3796	axplont.exe
2532	axplont.exe
2532	axplont.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe

pid process

956 193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe

description	pid	process	target process
PID 956 wrote to memory of 3056	956	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe	axplont.exe
PID 956 wrote to memory of 3056	956	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe	axplont.exe
PID 956 wrote to memory of 3056	956	193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe	axplont.exe

C:\Users\Admin\AppData\Local\Temp\193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
"C:\Users\Admin\AppData\Local\Temp\193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3860 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1632

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3840

C:\Users\Admin\AppData\Local\Temp\193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe
"C:\Users\Admin\AppData\Local\Temp\193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3452

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4140

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe

Filesize
1.8MB

MD5
8dad2aa0711b0336db7003675e6e98d0

SHA1
e273d85776cf0c70e2f881b70dcbe887cdc1f63d

SHA256
193815b722572ee1a7a4b6f22a4f4563736102664a95425204e87244c1585bdb

SHA512
be4fac217bd3fe7cbfb7a1d1dc0f9c1820e7b9b6cb5db733746b0c63a843bf0b379449c0c15943b84c9277b068788193e14cb6a407fa759ee036c7a352e6ebd4

Download Submit
memory/904-76-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/956-6-0x0000000000F90000-0x0000000001451000-memory.dmp

Filesize
4.8MB

Download
memory/956-4-0x0000000000F90000-0x0000000001451000-memory.dmp

Filesize
4.8MB

Download
memory/956-0-0x0000000000F90000-0x0000000001451000-memory.dmp

Filesize
4.8MB

Download
memory/956-2-0x0000000000F91000-0x0000000000FBF000-memory.dmp

Filesize
184KB

Download
memory/956-1-0x00000000779F4000-0x00000000779F6000-memory.dmp

Filesize
8KB

Download
memory/956-19-0x0000000000F90000-0x0000000001451000-memory.dmp

Filesize
4.8MB

Download
memory/956-3-0x0000000000F90000-0x0000000001451000-memory.dmp

Filesize
4.8MB

Download
memory/1432-154-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/1572-145-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/1680-181-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/1912-118-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2252-100-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2376-50-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2376-49-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2472-59-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2472-58-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2476-68-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2684-172-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/2808-92-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-35-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-73-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-33-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-36-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-37-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-38-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-18-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-20-0x0000000000261000-0x000000000028F000-memory.dmp

Filesize
184KB

Download
memory/3056-42-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-43-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-44-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-45-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-46-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-47-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-32-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-21-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-51-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-52-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-53-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-54-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-55-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-56-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-22-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-28-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-60-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-61-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-62-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-63-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-64-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-65-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-27-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-69-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-70-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-71-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-72-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-23-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-74-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-26-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-77-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-78-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-79-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-80-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-81-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-82-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-101-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-85-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-86-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-87-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-88-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-89-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-90-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-25-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-93-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-94-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-95-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-96-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-97-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-98-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3056-24-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3452-34-0x0000000000F90000-0x0000000001451000-memory.dmp

Filesize
4.8MB

Download
memory/3540-127-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3840-30-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/3840-31-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/4004-84-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/4140-163-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/4152-109-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/4628-41-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/4628-40-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download
memory/4648-136-0x0000000000260000-0x0000000000721000-memory.dmp

Filesize
4.8MB

Download