Analysis
-
max time kernel
150s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
29-05-2024 14:03
Static task
static1
General
-
Target
3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
-
Size
1.8MB
-
MD5
e427f7e972e458acca51c043839c9c04
-
SHA1
800cb9174a2afeb2a1402d7bd8deee4f97e36a4d
-
SHA256
3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27
-
SHA512
a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70
-
SSDEEP
49152:BKLAvkPPHS++crkFwOnxAvpmcTajVMNqq:qAvkXxrkbneBmcuZeqq
Malware Config
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
redline
1
185.215.113.67:40960
Extracted
stealc
zzvv
http://23.88.106.134
-
url_path
/c73eed764cc59dcb.php
Extracted
lumma
https://roomabolishsnifftwk.shop/api
https://museumtespaceorsp.shop/api
https://detailbaconroollyws.shop/api
https://buttockdecarderwiso.shop/api
https://horsedwollfedrwos.shop/api
https://averageaattractiionsl.shop/api
https://femininiespywageg.shop/api
https://patternapplauderw.shop/api
https://employhabragaomlsp.shop/api
https://understanndtytonyguw.shop/api
https://stalfbaclcalorieeis.shop/api
https://civilianurinedtsraov.shop/api
https://considerrycurrentyws.shop/api
https://messtimetabledkolvk.shop/api
https://deprivedrinkyfaiir.shop/api
https://relaxtionflouwerwi.shop/api
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | family_redline
behavioral1/memory/4288-75-0x00000000005D0000-0x0000000000622000-memory.dmp | family_redline
-
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe
-
Windows security bypass
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | file300un.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" | file300un.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplont.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplont.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | axplont.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | file300un.exe
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdAjehylZBmQ9gZIWT5rFX93.bat | CasPol.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrQev5tverS7hAjCdjMVHWo7.bat | CasPol.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ecbtAZIrGHeAsTHkke2ouES.bat | CasPol.exe
-
Executes dropped EXE 10 IoCs
Processes:
pid | process
5016 | axplont.exe
64 | axplont.exe
4072 | axplont.exe
4288 | fileosn.exe
2956 | lumma1234.exe
3824 | gold.exe
1664 | swizzzz.exe
3232 | file300un.exe
1588 | XB8anui8GSbW2JEB2EPgdwl7.exe
4392 | jT9TY3q0ITgF8Vn3VcS9WO6B.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | axplont.exe
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | axplont.exe
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | axplont.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1588 | XB8anui8GSbW2JEB2EPgdwl7.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Windows security modification
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | file300un.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | file300un.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" | file300un.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file300un.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | XB8anui8GSbW2JEB2EPgdwl7.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | process
4960 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
5016 | axplont.exe
64 | axplont.exe
4072 | axplont.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 2956 set thread context of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 3824 set thread context of 4768 | 3824 | gold.exe | RegAsm.exe
PID 1664 set thread context of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 3232 set thread context of 4620 | 3232 | file300un.exe | CasPol.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Tasks\axplont.job | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3532 | 3824 | WerFault.exe | gold.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
4628 | timeout.exe
-
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | fileosn.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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 | fileosn.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes:
pid | process
4960 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
4960 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
5016 | axplont.exe
5016 | axplont.exe
64 | axplont.exe
64 | axplont.exe
4072 | axplont.exe
4072 | axplont.exe
960 | RegAsm.exe
960 | RegAsm.exe
900 | powershell.exe
900 | powershell.exe
900 | powershell.exe
1588 | XB8anui8GSbW2JEB2EPgdwl7.exe
1588 | XB8anui8GSbW2JEB2EPgdwl7.exe
1588 | XB8anui8GSbW2JEB2EPgdwl7.exe
1588 | XB8anui8GSbW2JEB2EPgdwl7.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3232 | file300un.exe
Token: SeDebugPrivilege | 4620 | CasPol.exe
Token: SeDebugPrivilege | 900 | powershell.exe
Token: SeManageVolumePrivilege | 1588 | XB8anui8GSbW2JEB2EPgdwl7.exe
Token: SeDebugPrivilege | 4392 | jT9TY3q0ITgF8Vn3VcS9WO6B.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
4960 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4960 wrote to memory of 5016 | 4960 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | axplont.exe
PID 4960 wrote to memory of 5016 | 4960 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | axplont.exe
PID 4960 wrote to memory of 5016 | 4960 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | axplont.exe
PID 5016 wrote to memory of 4288 | 5016 | axplont.exe | fileosn.exe
PID 5016 wrote to memory of 4288 | 5016 | axplont.exe | fileosn.exe
PID 5016 wrote to memory of 4288 | 5016 | axplont.exe | fileosn.exe
PID 5016 wrote to memory of 2956 | 5016 | axplont.exe | lumma1234.exe
PID 5016 wrote to memory of 2956 | 5016 | axplont.exe | lumma1234.exe
PID 5016 wrote to memory of 2956 | 5016 | axplont.exe | lumma1234.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 2956 wrote to memory of 2992 | 2956 | lumma1234.exe | RegAsm.exe
PID 5016 wrote to memory of 3824 | 5016 | axplont.exe | gold.exe
PID 5016 wrote to memory of 3824 | 5016 | axplont.exe | gold.exe
PID 5016 wrote to memory of 3824 | 5016 | axplont.exe | gold.exe
PID 3824 wrote to memory of 2720 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 2720 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 2720 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 3824 wrote to memory of 4768 | 3824 | gold.exe | RegAsm.exe
PID 5016 wrote to memory of 1664 | 5016 | axplont.exe | swizzzz.exe
PID 5016 wrote to memory of 1664 | 5016 | axplont.exe | swizzzz.exe
PID 5016 wrote to memory of 1664 | 5016 | axplont.exe | swizzzz.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 1664 wrote to memory of 960 | 1664 | swizzzz.exe | RegAsm.exe
PID 960 wrote to memory of 4516 | 960 | RegAsm.exe | cmd.exe
PID 960 wrote to memory of 4516 | 960 | RegAsm.exe | cmd.exe
PID 960 wrote to memory of 4516 | 960 | RegAsm.exe | cmd.exe
PID 4516 wrote to memory of 4628 | 4516 | cmd.exe | timeout.exe
PID 4516 wrote to memory of 4628 | 4516 | cmd.exe | timeout.exe
PID 4516 wrote to memory of 4628 | 4516 | cmd.exe | timeout.exe
PID 5016 wrote to memory of 3232 | 5016 | axplont.exe | file300un.exe
PID 5016 wrote to memory of 3232 | 5016 | axplont.exe | file300un.exe
PID 3232 wrote to memory of 900 | 3232 | file300un.exe | powershell.exe
PID 3232 wrote to memory of 900 | 3232 | file300un.exe | powershell.exe
PID 3232 wrote to memory of 4620 | 3232 | file300un.exe | CasPol.exe
PID 3232 wrote to memory of 4620 | 3232 | file300un.exe | CasPol.exe
PID 3232 wrote to memory of 4620 | 3232 | file300un.exe | CasPol.exe
PID 3232 wrote to memory of 4620 | 3232 | file300un.exe | CasPol.exe
PID 3232 wrote to memory of 4620 | 3232 | file300un.exe | CasPol.exe
PID 3232 wrote to memory of 4620 | 3232 | file300un.exe | CasPol.exe
PID 3232 wrote to memory of 4620 | 3232 | file300un.exe | CasPol.exe
PID 3232 wrote to memory of 4620 | 3232 | file300un.exe | CasPol.exe
PID 3232 wrote to memory of 680 | 3232 | file300un.exe | CasPol.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | file300un.exe
Processes
(tree depth in brackets; each entry gives the image path, the command line, and the signatures it triggered)
-
[1] C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
-
  [2] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
        - Executes dropped EXE
        - Modifies system certificate store
-
    [3] C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
-
    [3] C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
-
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
-
      [4] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 272
          - Program crash
-
    [3] C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Checks computer location settings
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
-
        [5] C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
            - Suspicious use of WriteProcessMemory
-
          [6] C:\Windows\SysWOW64\timeout.exe
              command line: timeout /t 5
              - Delays execution with timeout.exe
-
    [3] C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
        - UAC bypass
        - Windows security bypass
        - Checks computer location settings
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
-
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
-
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          - Drops startup file
          - Suspicious use of AdjustPrivilegeToken
-
        [5] C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe
            command line: "C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe" /s
            - Executes dropped EXE
            - Loads dropped DLL
            - Writes to the Master Boot Record (MBR)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
-
        [5] C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe
            command line: "C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
-
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
-
[1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
-
[1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
-
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3824 -ip 3824
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
  Virtualization/Sandbox Evasion (2)
  Pre-OS Boot (1)
    Bootkit (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize: 656B
MD5: 184a117024f3789681894c67b36ce990
SHA1: c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e
SHA256: b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e
SHA512: 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7
-
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize: 830B
MD5: e6edb41c03bce3f822020878bde4e246
SHA1: 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9
SHA256: 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454
SHA512: 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1
-
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
Filesize: 608KB
MD5: 3f15c7460a1853a849d281ec3ad2ada6
SHA1: 108eab5f7164c8fde1de9bda2abb23e76e0fed68
SHA256: cf1f966f816ac904e42a09facd04b3f9aebd3bfa7cfa667a8b01ed78c9f986f4
SHA512: dba985eac586ab1da07e71d3b6c05d44bcb993b3923878bf38184061965a924fbe2bc88620e51c8c8eff62a53e601d4bdca2199c5e607d71833b730eb1756725
-
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
Filesize: 304KB
MD5: 84bf36993bdd61d216e83fe391fcc7fd
SHA1: e023212e847a54328aaea05fbe41eb4828855ce6
SHA256: 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa
SHA512: bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf
-
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
Filesize: 518KB
MD5: c4ffab152141150528716daa608d5b92
SHA1: a48d3aecc0e986b6c4369b9d4cfffb08b53aed89
SHA256: c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475
SHA512: a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9
-
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
Filesize: 1.2MB
MD5: 0b7e08a8268a6d413a322ff62d389bf9
SHA1: e04b849cc01779fe256744ad31562aca833a82c1
SHA256: d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65
SHA512: 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4
-
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
Filesize: 778KB
MD5: 05b11e7b711b4aaa512029ffcb529b5a
SHA1: a8074cf8a13f21617632951e008cdfdace73bb83
SHA256: 2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa
SHA512: dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff
-
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
Filesize: 579KB
MD5: a991da123f34074f2ee8ea0d798990f9
SHA1: 3988195503348626e8f9185747a216c8e7839130
SHA256: fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f
SHA512: 1f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
Filesize: 1.8MB
MD5: e427f7e972e458acca51c043839c9c04
SHA1: 800cb9174a2afeb2a1402d7bd8deee4f97e36a4d
SHA256: 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27
SHA512: a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70
-
C:\Users\Admin\AppData\Local\Temp\TmpBBD9.tmp
Filesize: 2KB
MD5: 1420d30f964eac2c85b2ccfe968eebce
SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2n2pxlsb.sdq.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\{0EA9332C-D1CE-4b87-BFAD-718E6BF3C8B5}.tmp\360P2SP.dll
Filesize: 824KB
MD5: fc1796add9491ee757e74e65cedd6ae7
SHA1: 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812
SHA256: bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60
SHA512: 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d
-
C:\Users\Admin\Pictures\RyRId3CKdLYgL2rr2pnoiIHK.exe
Filesize: 7KB
MD5: 77f762f953163d7639dff697104e1470
SHA1: ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256: d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512: d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499
-
C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe
Filesize: 1.5MB
MD5: cd4acedefa9ab5c7dccac667f91cef13
SHA1: bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256: dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA512: 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
-
C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe
Filesize: 405KB
MD5: ef65292d26c79999f9cd88fc202e257e
SHA1: bb1022e9d3d345f14db1f7e431d4d63259fa3ac2
SHA256: 4bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222
SHA512: 7df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a
-
memory/64-30-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/64-29-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/64-31-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/64-32-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/900-190-0x0000016FBAFD0000-0x0000016FBAFF2000-memory.dmp
Filesize: 136KB
-
memory/960-158-0x0000000000400000-0x000000000063B000-memory.dmp
Filesize: 2.2MB
-
memory/960-160-0x0000000000400000-0x000000000063B000-memory.dmp
Filesize: 2.2MB
-
memory/1664-159-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
Filesize: 4KB
-
memory/2956-121-0x0000000001250000-0x0000000001251000-memory.dmp
Filesize: 4KB
-
memory/2956-119-0x0000000001250000-0x0000000001251000-memory.dmp
Filesize: 4KB
-
memory/2992-122-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize: 340KB
-
memory/2992-120-0x0000000000400000-0x0000000000455000-memory.dmp
Filesize: 340KB
-
memory/3232-180-0x0000019D98A70000-0x0000019D98AAC000-memory.dmp
Filesize: 240KB
-
memory/3232-181-0x0000019D98EC0000-0x0000019D98EC6000-memory.dmp
Filesize: 24KB
-
memory/3232-182-0x0000019D9A7E0000-0x0000019D9A83C000-memory.dmp
Filesize: 368KB
-
memory/3824-140-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
Filesize: 4KB
-
memory/4072-40-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/4072-50-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/4288-77-0x0000000005010000-0x00000000050A2000-memory.dmp
Filesize: 584KB
-
memory/4288-101-0x0000000006780000-0x0000000006792000-memory.dmp
Filesize: 72KB
-
memory/4288-75-0x00000000005D0000-0x0000000000622000-memory.dmp
Filesize: 328KB
-
memory/4288-95-0x0000000005CA0000-0x0000000005D16000-memory.dmp
Filesize: 472KB
-
memory/4288-96-0x00000000066B0000-0x00000000066CE000-memory.dmp
Filesize: 120KB
-
memory/4288-99-0x0000000006CF0000-0x0000000007308000-memory.dmp
Filesize: 6.1MB
-
memory/4288-100-0x0000000006840000-0x000000000694A000-memory.dmp
Filesize: 1.0MB
-
memory/4288-78-0x00000000051E0000-0x00000000051EA000-memory.dmp
Filesize: 40KB
-
memory/4288-102-0x00000000067E0000-0x000000000681C000-memory.dmp
Filesize: 240KB
-
memory/4288-103-0x0000000006950000-0x000000000699C000-memory.dmp
Filesize: 304KB
-
memory/4288-76-0x0000000005670000-0x0000000005C14000-memory.dmp
Filesize: 5.6MB
-
memory/4392-269-0x00000000003E0000-0x000000000044A000-memory.dmp
Filesize: 424KB
-
memory/4392-270-0x0000000005830000-0x00000000058CC000-memory.dmp
Filesize: 624KB
-
memory/4620-183-0x0000000000400000-0x0000000000408000-memory.dmp
Filesize: 32KB
-
memory/4768-139-0x0000000000400000-0x0000000000459000-memory.dmp
Filesize: 356KB
-
memory/4768-141-0x0000000000400000-0x0000000000459000-memory.dmp
Filesize: 356KB
-
memory/4960-18-0x0000000000340000-0x0000000000800000-memory.dmp
Filesize: 4.8MB
-
memory/4960-0-0x0000000000340000-0x0000000000800000-memory.dmp
Filesize: 4.8MB
-
memory/4960-1-0x0000000076FA4000-0x0000000076FA6000-memory.dmp
Filesize: 8KB
-
memory/4960-2-0x0000000000341000-0x000000000036F000-memory.dmp
Filesize: 184KB
-
memory/4960-3-0x0000000000340000-0x0000000000800000-memory.dmp
Filesize: 4.8MB
-
memory/4960-5-0x0000000000340000-0x0000000000800000-memory.dmp
Filesize: 4.8MB
-
memory/5016-161-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-16-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-21-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-22-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-33-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-34-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-35-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-20-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-19-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-36-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-207-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-26-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-23-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-24-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-25-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-253-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-254-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-255-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-27-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-37-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB
-
memory/5016-38-0x00000000001D0000-0x0000000000690000-memory.dmp
Filesize: 4.8MB