Analysis Overview
SHA256
31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126
Threat Level: Known bad
The file 31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126 was found to be: Known bad.
Malicious Activity Summary
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Identifies Wine through registry keys
Executes dropped EXE
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 22:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 22:33
Reported
2024-07-04 22:39
Platform
win7-20240611-en
Max time kernel
291s
Max time network
263s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\075b69ad45.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\075b69ad45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\075b69ad45.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\075b69ad45.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe
"C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CFCBKKKJJJ.exe"
C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe
"C:\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\075b69ad45.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\075b69ad45.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
Files
memory/3056-0-0x0000000001250000-0x0000000001E43000-memory.dmp
memory/3056-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
memory/3056-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/3056-65-0x0000000001250000-0x0000000001E43000-memory.dmp
memory/3056-66-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
\Users\Admin\AppData\Local\Temp\JKFCBAEHCA.exe
| MD5 | 614662fb204fcdb5b6ffb872780847db |
| SHA1 | eacce19db94bfc22c3ee1a21b043b9282ad64c2e |
| SHA256 | cb66a75afddb6ffcd09f236b8c81402513402599250094d4bed44b6f5231f242 |
| SHA512 | 996a5fa85bd53b9081283a6cff572edecdcaef7b5f6cf84a4b4a6b684a06b29114dfa93b9e32de2ba573caa1e15586b628c42918a44fbb934e373bcb7355d23b |
memory/1708-101-0x0000000000B00000-0x0000000000FB6000-memory.dmp
memory/1708-117-0x0000000007130000-0x00000000075E6000-memory.dmp
memory/1772-118-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1708-116-0x0000000000B00000-0x0000000000FB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\075b69ad45.exe
| MD5 | de1d8c161d81ba79c888fef77c75db93 |
| SHA1 | 55e3b5e658d41d98779214afb48d34c66bf17346 |
| SHA256 | 31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126 |
| SHA512 | 4d243246e4476555a4b018d2df63ae93da8c64096523c8f8b20ba616b0dec97c21e4bed7dced51da50c0908ad3da6b882b11de6d668b71852f2290850a6810ea |
memory/1772-139-0x0000000006CB0000-0x00000000078A3000-memory.dmp
memory/2292-141-0x00000000008F0000-0x00000000014E3000-memory.dmp
memory/1772-140-0x0000000006CB0000-0x00000000078A3000-memory.dmp
memory/2292-143-0x00000000008F0000-0x00000000014E3000-memory.dmp
memory/1772-144-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1708-145-0x0000000007130000-0x00000000075E6000-memory.dmp
memory/1772-146-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-147-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-148-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-149-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-150-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-151-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-152-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-153-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-154-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-155-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-156-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-157-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-158-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-159-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-160-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-161-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-162-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-163-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-164-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-165-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-166-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-167-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-168-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-169-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-170-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-171-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-172-0x0000000000E00000-0x00000000012B6000-memory.dmp
memory/1772-173-0x0000000000E00000-0x00000000012B6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 22:33
Reported
2024-07-04 22:39
Platform
win10-20240404-en
Max time kernel
300s
Max time network
300s
Command Line
Signatures
Amadey
Stealc
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\921bb8200e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\921bb8200e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\921bb8200e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe
"C:\Users\Admin\AppData\Local\Temp\31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJECAEHJJJ.exe"
C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe
"C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
C:\Users\Admin\AppData\Local\Temp\1000006001\921bb8200e.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\921bb8200e.exe"
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Network
| Country | Destination | Domain | Proto |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| US | 8.8.8.8:53 | 30.47.28.85.in-addr.arpa | udp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 8.8.8.8:53 | 81.77.91.77.in-addr.arpa | udp |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
| RU | 77.91.77.81:80 | 77.91.77.81 | tcp |
| US | 8.8.8.8:53 | 82.77.91.77.in-addr.arpa | udp |
| RU | 85.28.47.30:80 | 85.28.47.30 | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 77.91.77.82:80 | 77.91.77.82 | tcp |
Files
memory/2924-0-0x0000000001230000-0x0000000001E23000-memory.dmp
memory/2924-1-0x000000007E400000-0x000000007E7D1000-memory.dmp
memory/2924-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2924-66-0x0000000001230000-0x0000000001E23000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IDBAFHDGDG.exe
| MD5 | 614662fb204fcdb5b6ffb872780847db |
| SHA1 | eacce19db94bfc22c3ee1a21b043b9282ad64c2e |
| SHA256 | cb66a75afddb6ffcd09f236b8c81402513402599250094d4bed44b6f5231f242 |
| SHA512 | 996a5fa85bd53b9081283a6cff572edecdcaef7b5f6cf84a4b4a6b684a06b29114dfa93b9e32de2ba573caa1e15586b628c42918a44fbb934e373bcb7355d23b |
memory/2176-70-0x0000000000360000-0x0000000000816000-memory.dmp
memory/2176-79-0x0000000000360000-0x0000000000816000-memory.dmp
memory/5084-80-0x00000000013D0000-0x0000000001886000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000006001\921bb8200e.exe
| MD5 | de1d8c161d81ba79c888fef77c75db93 |
| SHA1 | 55e3b5e658d41d98779214afb48d34c66bf17346 |
| SHA256 | 31cbdcdb540d6bc6fbc616c288f6f7ad7c74fe74eff55a135dafc31853b76126 |
| SHA512 | 4d243246e4476555a4b018d2df63ae93da8c64096523c8f8b20ba616b0dec97c21e4bed7dced51da50c0908ad3da6b882b11de6d668b71852f2290850a6810ea |
memory/2940-94-0x0000000000F90000-0x0000000001B83000-memory.dmp
memory/2940-95-0x0000000000F90000-0x0000000001B83000-memory.dmp
memory/5084-96-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-97-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-98-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-99-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/2524-101-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/2524-102-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-103-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-104-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-105-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-106-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-107-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-108-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/1136-110-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/1136-111-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/1136-112-0x0000000000D00000-0x0000000000DAE000-memory.dmp
memory/5084-114-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-115-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-116-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-117-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-118-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-119-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/3344-121-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/3344-122-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-123-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-124-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-125-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-126-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-127-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-128-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/1184-130-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/1184-131-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-132-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-133-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-134-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-135-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-136-0x00000000013D0000-0x0000000001886000-memory.dmp
memory/5084-137-0x00000000013D0000-0x0000000001886000-memory.dmp