Analysis
max time kernel: 1043s
max time network: 971s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30-05-2024 17:47
Static task: static1
General
-
Target
d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe
-
Size
1.8MB
-
MD5
7ed56e09edb6badc89bf9c17c5ffeb75
-
SHA1
d4b80e6c219a63aaaf7f9d3dc3e216944cc2b7c7
-
SHA256
d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2
-
SHA512
6f3a3c3555a05ad68479134ddeba61dff98767c0a9598501112fed553e84a0c4a1db66d709da64f5ca52af59acaf390949d94ebf9b136a97a941770db6e7e7c2
-
SSDEEP
49152:0rGPIoQ0PRkiMh85QpeAS4jo5yc7H0PsggZncxCehr5:0rjoaPh8ipeAS4jo/7H0PsRkR5
Malware Config
Extracted
Family: amadey
Version: 4.21
Botnet: 49e482
C2: http://147.45.47.70
install_dir: 1b29d73536
install_file: axplont.exe
strings_key: 4d31dd1a190d9879c21fac6d87dc0043
url_paths: /tr8nomy/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 19 IoCs)
Processes: d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe (1 instance), axplont.exe (18 instances)
description / ioc / process (the 19 listed IoCs, aggregated by process):
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe  (1 occurrence)
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  axplont.exe  (18 occurrences)
Checks BIOS information in registry (2 TTPs, 38 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: axplont.exe (18 instances), d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe (1 instance)
description / ioc / process (the 38 listed IoCs, aggregated by process):
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  axplont.exe  (18 occurrences)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe  (1 occurrence)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  axplont.exe  (18 occurrences)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe  (1 occurrence)
Executes dropped EXE (18 IoCs)
Processes: axplont.exe (18 instances)
pid / process:
3120 axplont.exe
4440 axplont.exe
3484 axplont.exe
1096 axplont.exe
2260 axplont.exe
3548 axplont.exe
3916 axplont.exe
2112 axplont.exe
240 axplont.exe
5064 axplont.exe
1412 axplont.exe
4344 axplont.exe
5024 axplont.exe
5060 axplont.exe
3376 axplont.exe
940 axplont.exe
2588 axplont.exe
4584 axplont.exe
Identifies Wine through registry keys (2 TTPs, 19 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: axplont.exe (18 instances), d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe (1 instance)
description / ioc / process (the 19 listed IoCs, aggregated by process):
Key opened  \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine  axplont.exe  (18 occurrences)
Key opened  \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Wine  d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe  (1 occurrence)
Suspicious use of NtSetInformationThreadHideFromDebugger (19 IoCs)
Processes: d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe (1 instance), axplont.exe (18 instances)
pid / process:
828 d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe
3120 axplont.exe
4440 axplont.exe
3484 axplont.exe
1096 axplont.exe
2260 axplont.exe
3548 axplont.exe
3916 axplont.exe
2112 axplont.exe
240 axplont.exe
5064 axplont.exe
1412 axplont.exe
4344 axplont.exe
5024 axplont.exe
5060 axplont.exe
3376 axplont.exe
940 axplont.exe
2588 axplont.exe
4584 axplont.exe
Drops file in Windows directory (1 IoC)
Processes: d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe
description / ioc / process:
File created  C:\Windows\Tasks\axplont.job  d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (38 IoCs)
Processes: d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe (1 instance), axplont.exe (18 instances)
pid / process (each pid is listed twice in the report, 38 entries in total):
828 d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe (x2)
3120 axplont.exe (x2)
4440 axplont.exe (x2)
3484 axplont.exe (x2)
1096 axplont.exe (x2)
2260 axplont.exe (x2)
3548 axplont.exe (x2)
3916 axplont.exe (x2)
2112 axplont.exe (x2)
240 axplont.exe (x2)
5064 axplont.exe (x2)
1412 axplont.exe (x2)
4344 axplont.exe (x2)
5024 axplont.exe (x2)
5060 axplont.exe (x2)
3376 axplont.exe (x2)
940 axplont.exe (x2)
2588 axplont.exe (x2)
4584 axplont.exe (x2)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe
description / pid / process / target process (listed three times in the report):
PID 828 wrote to memory of 3120  828  d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe  axplont.exe
PID 828 wrote to memory of 3120  828  d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe  axplont.exe
PID 828 wrote to memory of 3120  828  d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe  axplont.exe
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe
command line: "C:\Users\Admin\AppData\Local\Temp\d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
command line: C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
Filesize: 1.8MB
MD5: 7ed56e09edb6badc89bf9c17c5ffeb75
SHA1: d4b80e6c219a63aaaf7f9d3dc3e216944cc2b7c7
SHA256: d1f7cc65d685c009d8b679aa59907745f83985187d9b7d8e7153d8df15f516a2
SHA512: 6f3a3c3555a05ad68479134ddeba61dff98767c0a9598501112fed553e84a0c4a1db66d709da64f5ca52af59acaf390949d94ebf9b136a97a941770db6e7e7c2
Memory dumps (dump / Filesize):
memory/240-92-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/240-93-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/828-5-0x0000000000EF0000-0x00000000013B7000-memory.dmp  4.8MB
memory/828-2-0x0000000000EF1000-0x0000000000F1F000-memory.dmp  184KB
memory/828-3-0x0000000000EF0000-0x00000000013B7000-memory.dmp  4.8MB
memory/828-17-0x0000000000EF0000-0x00000000013B7000-memory.dmp  4.8MB
memory/828-0-0x0000000000EF0000-0x00000000013B7000-memory.dmp  4.8MB
memory/828-1-0x0000000077C26000-0x0000000077C28000-memory.dmp  8KB
memory/940-157-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/940-159-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/1096-48-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/1412-110-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/2112-84-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/2112-83-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/2260-57-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/2260-56-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/2588-167-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/2588-169-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-63-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-96-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-33-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-34-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-35-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-36-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-37-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-18-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-19-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-41-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-42-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-43-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-44-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-45-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-46-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-20-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-49-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-50-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-51-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-52-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-53-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-54-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-21-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-22-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-58-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-59-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-60-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-61-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-62-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-105-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-104-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-103-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-67-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-68-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-69-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-70-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-71-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-72-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-102-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-99-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-76-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-77-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-78-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-79-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-80-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-81-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-26-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-25-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-85-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-86-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-87-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-88-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-89-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-90-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-24-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-23-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-94-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-95-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-32-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-97-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3120-98-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3376-147-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3376-149-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3484-39-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3484-40-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3548-65-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3548-66-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3916-75-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/3916-74-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/4344-118-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/4344-120-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/4440-30-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/4440-28-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/4440-31-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/4440-29-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/4584-178-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/5024-130-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/5024-128-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/5060-139-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB
memory/5064-101-0x0000000000E30000-0x00000000012F7000-memory.dmp  4.8MB