Analysis Overview
SHA256
3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27
Threat Level: Known bad
The file 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Windows security bypass
RedLine payload
Stealc
Lumma Stealer
Amadey
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Identifies Wine through registry keys
Drops startup file
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Executes dropped EXE
Windows security modification
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
Checks whether UAC is enabled
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-29 14:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 14:03
Reported
2024-05-29 14:05
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdAjehylZBmQ9gZIWT5rFX93.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrQev5tverS7hAjCdjMVHWo7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2ecbtAZIrGHeAsTHkke2ouES.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe | N/A |
Reads data files stored by FTP clients
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2956 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3824 set thread context of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1664 set thread context of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3232 set thread context of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
"C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3824 -ip 3824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 272
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe
"C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe" /s
C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe
"C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| BE | 2.17.196.83:443 | www.bing.com | tcp |
| BE | 2.17.196.96:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 96.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 185.215.113.67:40960 | tcp | |
| US | 8.8.8.8:53 | roomabolishsnifftwk.shop | udp |
| US | 172.67.146.92:443 | roomabolishsnifftwk.shop | tcp |
| US | 8.8.8.8:53 | museumtespaceorsp.shop | udp |
| US | 104.21.32.80:443 | museumtespaceorsp.shop | tcp |
| US | 8.8.8.8:53 | buttockdecarderwiso.shop | udp |
| US | 8.8.8.8:53 | 92.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.32.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | detailbaconroollyws.shop | udp |
| US | 172.67.193.11:443 | detailbaconroollyws.shop | tcp |
| US | 172.67.218.187:443 | buttockdecarderwiso.shop | tcp |
| US | 8.8.8.8:53 | horsedwollfedrwos.shop | udp |
| US | 172.67.157.243:443 | horsedwollfedrwos.shop | tcp |
| US | 8.8.8.8:53 | averageaattractiionsl.shop | udp |
| US | 172.67.220.163:443 | averageaattractiionsl.shop | tcp |
| US | 8.8.8.8:53 | patternapplauderw.shop | udp |
| US | 8.8.8.8:53 | femininiespywageg.shop | udp |
| US | 172.67.141.63:443 | femininiespywageg.shop | tcp |
| US | 104.21.55.248:443 | patternapplauderw.shop | tcp |
| US | 8.8.8.8:53 | 11.193.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.157.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.220.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | employhabragaomlsp.shop | udp |
| US | 8.8.8.8:53 | understanndtytonyguw.shop | udp |
| US | 104.21.85.81:443 | employhabragaomlsp.shop | tcp |
| US | 104.21.22.94:443 | understanndtytonyguw.shop | tcp |
| US | 8.8.8.8:53 | considerrycurrentyws.shop | udp |
| US | 8.8.8.8:53 | stalfbaclcalorieeis.shop | udp |
| DE | 23.88.106.134:80 | 23.88.106.134 | tcp |
| US | 188.114.97.2:443 | stalfbaclcalorieeis.shop | tcp |
| US | 8.8.8.8:53 | 63.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 248.55.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.85.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.22.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.106.88.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | civilianurinedtsraov.shop | udp |
| US | 104.21.49.245:443 | civilianurinedtsraov.shop | tcp |
| US | 8.8.8.8:53 | 245.49.21.104.in-addr.arpa | udp |
| RU | 185.215.113.67:40960 | tcp | |
| US | 104.21.28.32:443 | considerrycurrentyws.shop | tcp |
| US | 8.8.8.8:53 | 32.28.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 188.114.96.2:443 | yip.su | tcp |
| DE | 185.172.128.82:80 | 185.172.128.82 | tcp |
| US | 8.8.8.8:53 | gigapub.ma | udp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 8.8.8.8:53 | free.360totalsecurity.com | udp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| FR | 51.75.247.100:443 | gigapub.ma | tcp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| US | 8.8.8.8:53 | 82.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.247.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.127.236.151.in-addr.arpa | udp |
| RU | 185.215.113.67:40960 | tcp | |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| IE | 54.76.174.118:80 | tr.p.360safe.com | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.42.77.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.29.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.174.76.54.in-addr.arpa | udp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | int.down.360safe.com | udp |
| US | 8.8.8.8:53 | sd.p.360safe.com | udp |
| FR | 18.164.55.159:80 | sd.p.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | 159.55.164.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.108.192.104.in-addr.arpa | udp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | 20.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.108.192.104.in-addr.arpa | udp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| RU | 185.215.113.67:40960 | tcp | |
| US | 104.21.28.32:443 | considerrycurrentyws.shop | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| RU | 185.215.113.67:40960 | tcp | |
| US | 8.8.8.8:53 | messtimetabledkolvk.shop | udp |
| US | 104.21.8.238:443 | messtimetabledkolvk.shop | tcp |
| US | 8.8.8.8:53 | deprivedrinkyfaiir.shop | udp |
| US | 104.21.25.251:443 | deprivedrinkyfaiir.shop | tcp |
| US | 8.8.8.8:53 | 238.8.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.25.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | relaxtionflouwerwi.shop | udp |
| US | 104.21.76.64:443 | relaxtionflouwerwi.shop | tcp |
| US | 8.8.8.8:53 | 64.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iili.io | udp |
Files
memory/4960-0-0x0000000000340000-0x0000000000800000-memory.dmp
memory/4960-1-0x0000000076FA4000-0x0000000076FA6000-memory.dmp
memory/4960-2-0x0000000000341000-0x000000000036F000-memory.dmp
memory/4960-3-0x0000000000340000-0x0000000000800000-memory.dmp
memory/4960-5-0x0000000000340000-0x0000000000800000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
| MD5 | e427f7e972e458acca51c043839c9c04 |
| SHA1 | 800cb9174a2afeb2a1402d7bd8deee4f97e36a4d |
| SHA256 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27 |
| SHA512 | a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70 |
memory/5016-16-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/4960-18-0x0000000000340000-0x0000000000800000-memory.dmp
memory/5016-19-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-20-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-21-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-22-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-23-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-24-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-25-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-26-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-27-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/64-29-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/64-30-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/64-31-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/64-32-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-33-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-34-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-35-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-36-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-37-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-38-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/4072-40-0x00000000001D0000-0x0000000000690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
| MD5 | 3f15c7460a1853a849d281ec3ad2ada6 |
| SHA1 | 108eab5f7164c8fde1de9bda2abb23e76e0fed68 |
| SHA256 | cf1f966f816ac904e42a09facd04b3f9aebd3bfa7cfa667a8b01ed78c9f986f4 |
| SHA512 | dba985eac586ab1da07e71d3b6c05d44bcb993b3923878bf38184061965a924fbe2bc88620e51c8c8eff62a53e601d4bdca2199c5e607d71833b730eb1756725 |
memory/4072-50-0x00000000001D0000-0x0000000000690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
| MD5 | 84bf36993bdd61d216e83fe391fcc7fd |
| SHA1 | e023212e847a54328aaea05fbe41eb4828855ce6 |
| SHA256 | 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa |
| SHA512 | bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf |
memory/4288-75-0x00000000005D0000-0x0000000000622000-memory.dmp
memory/4288-76-0x0000000005670000-0x0000000005C14000-memory.dmp
memory/4288-77-0x0000000005010000-0x00000000050A2000-memory.dmp
memory/4288-78-0x00000000051E0000-0x00000000051EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpBBD9.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/4288-95-0x0000000005CA0000-0x0000000005D16000-memory.dmp
memory/4288-96-0x00000000066B0000-0x00000000066CE000-memory.dmp
memory/4288-99-0x0000000006CF0000-0x0000000007308000-memory.dmp
memory/4288-100-0x0000000006840000-0x000000000694A000-memory.dmp
memory/4288-101-0x0000000006780000-0x0000000006792000-memory.dmp
memory/4288-102-0x00000000067E0000-0x000000000681C000-memory.dmp
memory/4288-103-0x0000000006950000-0x000000000699C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
| MD5 | c4ffab152141150528716daa608d5b92 |
| SHA1 | a48d3aecc0e986b6c4369b9d4cfffb08b53aed89 |
| SHA256 | c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475 |
| SHA512 | a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9 |
memory/2956-119-0x0000000001250000-0x0000000001251000-memory.dmp
memory/2992-120-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2956-121-0x0000000001250000-0x0000000001251000-memory.dmp
memory/2992-122-0x0000000000400000-0x0000000000455000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000008001\gold.exe
| MD5 | 0b7e08a8268a6d413a322ff62d389bf9 |
| SHA1 | e04b849cc01779fe256744ad31562aca833a82c1 |
| SHA256 | d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65 |
| SHA512 | 3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4 |
memory/4768-139-0x0000000000400000-0x0000000000459000-memory.dmp
memory/3824-140-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
memory/4768-141-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000009001\swizzzz.exe
| MD5 | 05b11e7b711b4aaa512029ffcb529b5a |
| SHA1 | a8074cf8a13f21617632951e008cdfdace73bb83 |
| SHA256 | 2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa |
| SHA512 | dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff |
memory/960-158-0x0000000000400000-0x000000000063B000-memory.dmp
memory/960-160-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1664-159-0x0000000000CF0000-0x0000000000CF1000-memory.dmp
memory/5016-161-0x00000000001D0000-0x0000000000690000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000020001\file300un.exe
| MD5 | a991da123f34074f2ee8ea0d798990f9 |
| SHA1 | 3988195503348626e8f9185747a216c8e7839130 |
| SHA256 | fd42e618223f510d694c5fb2f8ecbc1a88cabf003bcf20da6227da30a1352a0f |
| SHA512 | 1f958cacb820833ea8b5ac2d9ca7f596625e688f8f6b6e3ab6f27aa3b25b8c9e5b57e1eed532a8d2519da6c1b41492eb8ac930fc25eaf2be2f344c2f32e81a49 |
memory/3232-180-0x0000019D98A70000-0x0000019D98AAC000-memory.dmp
memory/3232-181-0x0000019D98EC0000-0x0000019D98EC6000-memory.dmp
memory/3232-182-0x0000019D9A7E0000-0x0000019D9A83C000-memory.dmp
memory/4620-183-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2n2pxlsb.sdq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/900-190-0x0000016FBAFD0000-0x0000016FBAFF2000-memory.dmp
C:\Users\Admin\Pictures\RyRId3CKdLYgL2rr2pnoiIHK.exe
| MD5 | 77f762f953163d7639dff697104e1470 |
| SHA1 | ade9fff9ffc2d587d50c636c28e4cd8dd99548d3 |
| SHA256 | d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea |
| SHA512 | d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499 |
memory/5016-207-0x00000000001D0000-0x0000000000690000-memory.dmp
C:\Users\Admin\Pictures\XB8anui8GSbW2JEB2EPgdwl7.exe
| MD5 | cd4acedefa9ab5c7dccac667f91cef13 |
| SHA1 | bff5ce910f75aeae37583a63828a00ae5f02c4e7 |
| SHA256 | dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c |
| SHA512 | 06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1 |
C:\Users\Admin\AppData\Local\Temp\{0EA9332C-D1CE-4b87-BFAD-718E6BF3C8B5}.tmp\360P2SP.dll
| MD5 | fc1796add9491ee757e74e65cedd6ae7 |
| SHA1 | 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812 |
| SHA256 | bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60 |
| SHA512 | 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d |
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | e6edb41c03bce3f822020878bde4e246 |
| SHA1 | 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9 |
| SHA256 | 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454 |
| SHA512 | 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 184a117024f3789681894c67b36ce990 |
| SHA1 | c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e |
| SHA256 | b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e |
| SHA512 | 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7 |
memory/5016-253-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-254-0x00000000001D0000-0x0000000000690000-memory.dmp
memory/5016-255-0x00000000001D0000-0x0000000000690000-memory.dmp
C:\Users\Admin\Pictures\jT9TY3q0ITgF8Vn3VcS9WO6B.exe
| MD5 | ef65292d26c79999f9cd88fc202e257e |
| SHA1 | bb1022e9d3d345f14db1f7e431d4d63259fa3ac2 |
| SHA256 | 4bd44fc79eff569312def70fb850c7f168e84d039f4d1d23b7a4927338476222 |
| SHA512 | 7df62adbecb10d5894741e85ee99df64949eb8a8300e352a5e9d8253b65ea58971f10d10a1f7a8dc0b99bfc87ab8ee511499a6b740cc996f8ec64e312209d02a |
memory/4392-269-0x00000000003E0000-0x000000000044A000-memory.dmp
memory/4392-270-0x0000000005830000-0x00000000058CC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 14:03
Reported
2024-05-29 14:05
Platform
win11-20240508-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Amadey
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3896 set thread context of 344 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplont.job | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe
"C:\Users\Admin\AppData\Local\Temp\3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.215.113.67:40960 | tcp | |
| US | 104.21.55.87:443 | roomabolishsnifftwk.shop | tcp |
| US | 172.67.184.107:443 | museumtespaceorsp.shop | tcp |
| US | 104.21.45.202:443 | buttockdecarderwiso.shop | tcp |
| US | 8.8.8.8:53 | 107.184.67.172.in-addr.arpa | udp |
| US | 172.67.220.163:443 | averageaattractiionsl.shop | tcp |
| US | 172.67.141.63:443 | femininiespywageg.shop | tcp |
| US | 172.67.141.63:443 | femininiespywageg.shop | tcp |
| US | 8.8.8.8:53 | employhabragaomlsp.shop | udp |
| US | 104.21.85.81:443 | employhabragaomlsp.shop | tcp |
| US | 188.114.96.2:443 | stalfbaclcalorieeis.shop | tcp |
| US | 172.67.197.146:443 | civilianurinedtsraov.shop | tcp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| RU | 185.215.113.67:40960 | tcp | |
| RU | 185.215.113.67:40960 | tcp | |
| RU | 185.215.113.67:40960 | tcp |
Files
memory/1736-0-0x00000000000D0000-0x0000000000590000-memory.dmp
memory/1736-1-0x0000000077BF6000-0x0000000077BF8000-memory.dmp
memory/1736-2-0x00000000000D1000-0x00000000000FF000-memory.dmp
memory/1736-3-0x00000000000D0000-0x0000000000590000-memory.dmp
memory/1736-5-0x00000000000D0000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
| MD5 | e427f7e972e458acca51c043839c9c04 |
| SHA1 | 800cb9174a2afeb2a1402d7bd8deee4f97e36a4d |
| SHA256 | 3887d22396ae2b2b85469cad11cbcd6dfc015fd41fe10c60a215f421c21bfd27 |
| SHA512 | a5e978064f24b9c19fd4ea39e833804479088a1843e18b9801e812589cef9262434757ac9950821a6abf0e321e73c2b96dd3087dcf62fcba39b36ae8c8671f70 |
memory/1736-15-0x00000000000D0000-0x0000000000590000-memory.dmp
memory/2196-18-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-19-0x0000000000901000-0x000000000092F000-memory.dmp
memory/2196-20-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-21-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-22-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-23-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-24-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-25-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-26-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/3892-28-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/3892-29-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/3892-30-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/3892-31-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-32-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-33-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-34-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-35-0x0000000000900000-0x0000000000DC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000004001\33333.exe
| MD5 | 7cea595dbd1fdd056b616f7fa6c68dee |
| SHA1 | c7962d3a9e57f838e8d86709ff6a72bf9046d22e |
| SHA256 | 4a34a915c77f67ee89df3be2c286cf3c135da8ee38c8590151de6b6f75f1412f |
| SHA512 | 04e77c27a55bd1a665c540d902ad161758be4c479ceec1f82a7196b93a6a77d7d600c1cc2b5765be447f7cd33caac21a25cc7253e4727f14557ff5a469e63a4d |
memory/2196-50-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-51-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/1100-53-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/1100-55-0x0000000000900000-0x0000000000DC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000005001\fileosn.exe
| MD5 | 84bf36993bdd61d216e83fe391fcc7fd |
| SHA1 | e023212e847a54328aaea05fbe41eb4828855ce6 |
| SHA256 | 8e6d8b5a004c8f21bee1bbe4213c6d78cf80e439b38f587e963e9bb4569aaffa |
| SHA512 | bb3241949618ad2d39057e085e150f43b4d41d74efc4658d9c27f8c0ec80420191517a2c0b6b7e225c4e50e02cd031cdfd178e05b9a869847a3c27b210d09caf |
memory/1524-74-0x0000000000B50000-0x0000000000BA2000-memory.dmp
memory/1524-75-0x0000000005C80000-0x0000000006226000-memory.dmp
memory/1524-76-0x00000000056D0000-0x0000000005762000-memory.dmp
memory/1524-77-0x0000000005660000-0x000000000566A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpE29B.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/1524-92-0x0000000005BC0000-0x0000000005C36000-memory.dmp
memory/1524-93-0x0000000006AD0000-0x0000000006AEE000-memory.dmp
memory/1524-96-0x0000000007210000-0x0000000007828000-memory.dmp
memory/1524-97-0x0000000006D60000-0x0000000006E6A000-memory.dmp
memory/1524-98-0x0000000006CA0000-0x0000000006CB2000-memory.dmp
memory/1524-99-0x0000000006D00000-0x0000000006D3C000-memory.dmp
memory/1524-100-0x0000000006E70000-0x0000000006EBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\lumma1234.exe
| MD5 | c4ffab152141150528716daa608d5b92 |
| SHA1 | a48d3aecc0e986b6c4369b9d4cfffb08b53aed89 |
| SHA256 | c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475 |
| SHA512 | a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9 |
memory/3896-116-0x00000000011A0000-0x00000000011A1000-memory.dmp
memory/3896-118-0x00000000011A0000-0x00000000011A1000-memory.dmp
memory/344-117-0x0000000000400000-0x0000000000455000-memory.dmp
memory/344-119-0x0000000000400000-0x0000000000455000-memory.dmp
memory/2196-120-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-121-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-122-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-123-0x0000000000900000-0x0000000000DC0000-memory.dmp
memory/2196-124-0x0000000000900000-0x0000000000DC0000-memory.dmp