Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
03-06-2024 00:49
Static task
static1
Behavioral task
behavioral1
Sample
2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe
Resource
win10v2004-20240508-en
General
-
Target
2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe
-
Size
1.8MB
-
MD5
fcfdedde2ecdd0399f36409e57f1e0e9
-
SHA1
40178bf761e6bbb3ca612a72f0ec9da52c7cc396
-
SHA256
2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80
-
SHA512
22d17e254fe7cee5be31117ea53414136053f18cca6f07b47943a7ed17f068696cb23e86bb48a40ac4d4cd1de9445858240624ed76350f6ff7b72af8030a92a5
-
SSDEEP
24576:QwuLVBVFjxHEjTylTbccv5Z+TA+3rIaI0qI5E0hEKiqaYex9Br8hw+EJ9Iew4fY7:QLpnDEvyluA+URXEWhwEJ9Iebhu
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
risepro
147.45.47.126:58709
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9178620dfd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explortu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explortu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 775b414d6b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explortu.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9178620dfd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 775b414d6b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 775b414d6b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9178620dfd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explortu.exe -
Executes dropped EXE 18 IoCs
pid Process 3652 explortu.exe 1452 9178620dfd.exe 952 775b414d6b.exe 412 axplont.exe 1940 riff.exe 3940 lgodjadrg.exe 2948 work.exe 3908 lgors.exe 1376 riff.exe 2284 tor-real.exe 2480 nopplr.exe 1620 axplont.exe 3940 explortu.exe 1148 riff.exe 3232 nopplr.exe 772 riff.exe 1388 axplont.exe 1432 explortu.exe -
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine explortu.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine explortu.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine explortu.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine 9178620dfd.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine 775b414d6b.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine axplont.exe -
Loads dropped DLL 9 IoCs
pid Process 2284 tor-real.exe 2284 tor-real.exe 2284 tor-real.exe 2284 tor-real.exe 2284 tor-real.exe 2284 tor-real.exe 2284 tor-real.exe 2284 tor-real.exe 2284 tor-real.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 riff.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 riff.exe Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 riff.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\775b414d6b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\775b414d6b.exe" explortu.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
pid Process 2528 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe 3652 explortu.exe 1452 9178620dfd.exe 412 axplont.exe 952 775b414d6b.exe 1620 axplont.exe 3940 explortu.exe 1388 axplont.exe 1432 explortu.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\nopplr.job lgors.exe File opened for modification C:\Windows\Tasks\nopplr.job lgors.exe File created C:\Windows\Tasks\explortu.job 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe File created C:\Windows\Tasks\axplont.job 9178620dfd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3028 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2604 timeout.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 2528 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe 2528 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe 3652 explortu.exe 3652 explortu.exe 1452 9178620dfd.exe 1452 9178620dfd.exe 412 axplont.exe 412 axplont.exe 952 775b414d6b.exe 952 775b414d6b.exe 1376 riff.exe 1376 riff.exe 3908 lgors.exe 3908 lgors.exe 1376 riff.exe 1376 riff.exe 1620 axplont.exe 1620 axplont.exe 3940 explortu.exe 3940 explortu.exe 1388 axplont.exe 1388 axplont.exe 1432 explortu.exe 1432 explortu.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1940 riff.exe Token: SeDebugPrivilege 1376 riff.exe Token: SeDebugPrivilege 1148 riff.exe Token: SeDebugPrivilege 772 riff.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1452 9178620dfd.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1376 riff.exe -
Suspicious use of WriteProcessMemory 58 IoCs
description pid Process procid_target PID 2528 wrote to memory of 3652 2528 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe 77 PID 2528 wrote to memory of 3652 2528 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe 77 PID 2528 wrote to memory of 3652 2528 2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe 77 PID 3652 wrote to memory of 3840 3652 explortu.exe 78 PID 3652 wrote to memory of 3840 3652 explortu.exe 78 PID 3652 wrote to memory of 3840 3652 explortu.exe 78 PID 3652 wrote to memory of 1452 3652 explortu.exe 79 PID 3652 wrote to memory of 1452 3652 explortu.exe 79 PID 3652 wrote to memory of 1452 3652 explortu.exe 79 PID 3652 wrote to memory of 952 3652 explortu.exe 80 PID 3652 wrote to memory of 952 3652 explortu.exe 80 PID 3652 wrote to memory of 952 3652 explortu.exe 80 PID 1452 wrote to memory of 412 1452 9178620dfd.exe 81 PID 1452 wrote to memory of 412 1452 9178620dfd.exe 81 PID 1452 wrote to memory of 412 1452 9178620dfd.exe 81 PID 412 wrote to memory of 1940 412 axplont.exe 82 PID 412 wrote to memory of 1940 412 axplont.exe 82 PID 1940 wrote to memory of 4988 1940 riff.exe 84 PID 1940 wrote to memory of 4988 1940 riff.exe 84 PID 4988 wrote to memory of 2964 4988 cmd.exe 86 PID 4988 wrote to memory of 2964 4988 cmd.exe 86 PID 4988 wrote to memory of 2604 4988 cmd.exe 87 PID 4988 wrote to memory of 2604 4988 cmd.exe 87 PID 412 wrote to memory of 3940 412 axplont.exe 88 PID 412 wrote to memory of 3940 412 axplont.exe 88 PID 412 wrote to memory of 3940 412 axplont.exe 88 PID 3940 wrote to memory of 3640 3940 lgodjadrg.exe 89 PID 3940 wrote to memory of 3640 3940 lgodjadrg.exe 89 PID 3940 wrote to memory of 3640 3940 lgodjadrg.exe 89 PID 3640 wrote to memory of 2948 3640 cmd.exe 93 PID 3640 wrote to memory of 2948 3640 cmd.exe 93 PID 3640 wrote to memory of 2948 3640 cmd.exe 93 PID 2948 wrote to memory of 3908 2948 work.exe 94 PID 2948 wrote to memory of 3908 2948 work.exe 94 PID 2948 wrote to memory of 3908 2948 work.exe 94 PID 4988 wrote to memory of 3028 4988 cmd.exe 95 PID 4988 wrote to memory of 3028 4988 cmd.exe 95 PID 4988 wrote to memory of 1376 4988 cmd.exe 96 PID 4988 wrote to memory of 1376 4988 cmd.exe 96 PID 1376 wrote to memory of 2284 1376 riff.exe 97 PID 1376 wrote to memory of 2284 1376 riff.exe 97 PID 1376 wrote to memory of 2284 1376 riff.exe 97 PID 1376 wrote to memory of 2232 1376 riff.exe 99 PID 1376 wrote to memory of 2232 1376 riff.exe 99 PID 2232 wrote to memory of 4164 2232 cmd.exe 101 PID 2232 wrote to memory of 4164 2232 cmd.exe 101 PID 2232 wrote to memory of 4300 2232 cmd.exe 102 PID 2232 wrote to memory of 4300 2232 cmd.exe 102 PID 2232 wrote to memory of 1064 2232 cmd.exe 103 PID 2232 wrote to memory of 1064 2232 cmd.exe 103 PID 1376 wrote to memory of 3640 1376 riff.exe 104 PID 1376 wrote to memory of 3640 1376 riff.exe 104 PID 3640 wrote to memory of 948 3640 cmd.exe 106 PID 3640 wrote to memory of 948 3640 cmd.exe 106 PID 3640 wrote to memory of 1068 3640 cmd.exe 107 PID 3640 wrote to memory of 1068 3640 cmd.exe 107 PID 3640 wrote to memory of 2604 3640 cmd.exe 108 PID 3640 wrote to memory of 2604 3640 cmd.exe 108 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 riff.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 riff.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe"C:\Users\Admin\AppData\Local\Temp\2e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵PID:3840
-
-
C:\Users\Admin\1000004002\9178620dfd.exe"C:\Users\Admin\1000004002\9178620dfd.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Users\Admin\AppData\Local\Temp\1000053001\riff.exe"C:\Users\Admin\AppData\Local\Temp\1000053001\riff.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "riff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000053001\riff.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:2964
-
-
C:\Windows\system32\timeout.exetimeout /t 37⤵
- Delays execution with timeout.exe
PID:2604
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "riff" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
PID:3028
-
-
C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe"C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe"7⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1376 -
C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe"C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\zxqaiiy6en\tor\torrc.txt"8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"8⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\system32\chcp.comchcp 650019⤵PID:4164
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles9⤵PID:4300
-
-
C:\Windows\system32\findstr.exefindstr /R /C:"[ ]:[ ]"9⤵PID:1064
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"8⤵
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\system32\chcp.comchcp 650019⤵PID:948
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid9⤵PID:1068
-
-
C:\Windows\system32\findstr.exefindstr "SSID BSSID Signal"9⤵PID:2604
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000054001\lgodjadrg.exe"C:\Users\Admin\AppData\Local\Temp\1000054001\lgodjadrg.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exework.exe -priverdD7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe"8⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3908
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\775b414d6b.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\775b414d6b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:952
-
-
-
C:\ProgramData\xpiau\nopplr.exeC:\ProgramData\xpiau\nopplr.exe start21⤵
- Executes dropped EXE
PID:2480
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1620
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3940
-
C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exeC:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
C:\ProgramData\xpiau\nopplr.exeC:\ProgramData\xpiau\nopplr.exe start21⤵
- Executes dropped EXE
PID:3232
-
C:\Users\Admin\AppData\Local\RobloxSecurity\riff.exeC:\Users\Admin\AppData\Local\RobloxSecurity\riff.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:772
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1388
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1432
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Credential Access
Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD51fd9bdf457110fc9c0b6a5eaca7b6e7f
SHA1c3bde60ebe8b2b068db21e3084a5ef17fa852de3
SHA256ddb8629348893cc8e5d8dcdcbf280fb404a8bb61650000e7f89b8d3a54c7eee3
SHA51284e4edd1480435dd53b50e48c521c23b0fb4a2925eb123abf6dc76bb8f173635b4a810446f50aa99ba5c21d1ba369eb995d16d2b090999044e36264671e79586
-
Filesize
1KB
MD5081b644082c51f2ff0f00087877003b5
SHA12eeb0a8a592e5327873f5a6704031c1ff6d0bd31
SHA256cc427c714517dd0a3c96354869ce1bb300bf4935006fc628ceb28e2f040197ac
SHA51295621587e55a5f5111aea05cadbaf56429adde2de0c41c9de8e74c03d31116edf72b63d76f65af45e4b14b68fe214926425581f77113d332eb91b0b6a5598eff
-
Filesize
2.3MB
MD514aca070e2756b27dd4fcb8a33c9b50f
SHA139afe979af25afc0547f1d864f5622207804a528
SHA2563ebbe88713c293d699058b87334e720697f3265964afb15e88b25705dee0c731
SHA512f894073e1b69195cf3cdc5a6713a05f91b93b958f842facf33c0ca240c1e8558857bcaf7d64aeb27505c9db52718de0b357b4628921cdb5a1fe2129c73c83488
-
Filesize
119KB
MD5b37058a1a6fa72cf11d4bda54e15790a
SHA1b8663b93cac0b88168d207fd648da5c2f9b775de
SHA25685b1ce3f619ebeb3799acff17ee1356a7f3911e0b95f29b24111ae03fa2a03a0
SHA5124848057ad580943a96e57713ca721ad3052001e8fd428651b08034592596f14e9396d0de970bdbffc552e104189aa81dfe7723bd13003637659198ec38fed818
-
Filesize
613KB
MD5a1ad149a4d2a04338fd9a0d902410daf
SHA1d43db08458ea4a81cd32926a402d8a5d12728a2f
SHA2566e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a
SHA512cef534d0233f47048d6b80c49c4b44570fc436b90904ea84f03c24106ecb785802c424e1241ebd70b9a85f09b77f7c0322927c57a9d65959da4a425149e04128
-
Filesize
1.8MB
MD5fcfdedde2ecdd0399f36409e57f1e0e9
SHA140178bf761e6bbb3ca612a72f0ec9da52c7cc396
SHA2562e116b2262973c14b37cce08265b2c0d1f6b8f3ae9c47f8b9e5c2ffedac5fa80
SHA51222d17e254fe7cee5be31117ea53414136053f18cca6f07b47943a7ed17f068696cb23e86bb48a40ac4d4cd1de9445858240624ed76350f6ff7b72af8030a92a5
-
Filesize
35B
MD5ff59d999beb970447667695ce3273f75
SHA1316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
Filesize
294KB
MD5372b142bdf88cc3175d31b48a650955d
SHA1515f9a1e5c954cd849bacd19291534c50201ac49
SHA256e3873f55cd848b37d6897b3851a21aa6c17b3d74d94ea2adcd076cf3eb3f4121
SHA512cff5c69e361d4975f6b10000d5d53ccd0853503f585842ac3422131cf8313195ab8720b65e291c27fc12875b584129069b8548823774320ded37403cc64d8d11
-
Filesize
16KB
MD54f01c3d7439dde153ff0110a26e2a71c
SHA140d7203ad4e1fd40e13a56e6f747ee480740873c
SHA256cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28
SHA512513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e
-
Filesize
4B
MD53501672ebc68a5524629080e3ef60aef
SHA14f488051fc883ae71cbae548692da0a3f02409b3
SHA256e02be5962e51741e00991efc7883e7c79f57fc42d718d8d6442c4cf0f1b8f69b
SHA512598faf72221a7d89c0d39302f5cbb3515710a290792cc5fe573c13e3f3739157f2140148aebbaa31fa2486445847158d7947938ab879972292e85da406af23bd
-
Filesize
2.5MB
MD542ec7882d8d517ad5216713ccb2b384a
SHA12a6cf9b89fd09d7d36f52925534b8c296ffedda5
SHA256d448c740b305c7f302fe6434bef95628d6b8c786dd48fbf4e84c6a951981d0ff
SHA512a8efb6d3e9f4324fffdac7c0c75cf92b4a236684d77b9d5642cb3868a0d09703eaa866114ae02cb372cb1adf373e8c9a5b81b62fa8a721bbb3126a7f9d9fd64e
-
Filesize
7.7MB
MD571c513fb57bb70f82b6448296e8bb6f7
SHA1ef4252e9bbc05bf2e0fc23a92792507be5b18b2b
SHA2567a5a21f14b5cc6a995f45a4a46e205d67677f028908e648c47b38414daa2171f
SHA51204fcb80b5a5b2a776be945420176963b31aef5497e3b32221bc8401513291b95bc56e9bebe17c094d0cf090b05734fcfa24f8c29b70c0f99b810501741574d85
-
Filesize
64B
MD54b27c8e331ce962b820547eddbe7bb08
SHA1492b78c180d8a3628d469fe7f1f041b9c968184f
SHA256a27abd7e792e2b311d23be59e3f1ea18a7746f0ef37576527d4af9c69cc1a529
SHA512113db95b0e47aa7d918cde91993b447ca49b8b1bb2e1342f06a44ce8cf9f19a4e311168c13a6974f58c1f3e383d3f1cfce6437f79a4aab35b9ebce8015ccf266
-
Filesize
3.5MB
MD56d48d76a4d1c9b0ff49680349c4d28ae
SHA11bb3666c16e11eff8f9c3213b20629f02d6a66cb
SHA2563f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d
SHA51209a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9
-
Filesize
1.1MB
MD5a3bf8e33948d94d490d4613441685eee
SHA175ed7f6e2855a497f45b15270c3ad4aed6ad02e2
SHA25691c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
SHA512c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28
-
Filesize
1.0MB
MD5bd40ff3d0ce8d338a1fe4501cd8e9a09
SHA13aae8c33bf0ec9adf5fbf8a361445969de409b49
SHA256ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
SHA512404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1
-
Filesize
1.1MB
MD5945d225539becc01fbca32e9ff6464f0
SHA1a614eb470defeab01317a73380f44db669100406
SHA256c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a
SHA512409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a
-
Filesize
246KB
MD5b77328da7cead5f4623748a70727860d
SHA113b33722c55cca14025b90060e3227db57bf5327
SHA25646541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
SHA5122f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2
-
Filesize
512KB
MD519d7cc4377f3c09d97c6da06fbabc7dc
SHA13a3ba8f397fb95ed5df22896b2c53a326662fcc9
SHA256228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
SHA51223711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a
-
Filesize
4.0MB
MD507244a2c002ffdf1986b454429eace0b
SHA1d7cd121caac2f5989aa68a052f638f82d4566328
SHA256e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf
SHA5124a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca
-
Filesize
226B
MD5f513d7adf45800705c2d71bba131111e
SHA1dfdd361e9ef4ea9c6b38eb031d9c4bb4f6fe2ad1
SHA2561e9a89e8fd1d4b55d92941e0b92b852a8c0c4b3364a2ecb907ecb27ee86bcc81
SHA512591f289d3be60ea5b929020fb0de3fdf3484671a4a4fd1bcc61cabab25ef0891844b7c3806e8ac4ef79732a825a91322e5bab5b8ee51d81dc84730614b771321
-
Filesize
121KB
MD56f98da9e33cd6f3dd60950413d3638ac
SHA1e630bdf8cebc165aa81464ff20c1d55272d05675
SHA256219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
SHA5122983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c