Malware Analysis Report

2024-11-30 21:59

Sample ID 240705-xx69vswdpg
Target 7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2
SHA256 7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2

Threat Level: Known bad

The file 7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Reads data files stored by FTP clients

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-05 19:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 19:15

Reported

2024-07-05 19:17

Platform

win7-20240705-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe N/A
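The three evasion signatures above (the VBOX__ ACPI table name, the System/Video BIOS version strings and the Software\Wine key) are the same set of registry paths in each of the three executables the tables list. The Python below is an added example, not part of the sandbox's output, that turns those indicators into detection logic: it runs over a constructed event list in the report's own action / path / process shape (the iexplore.exe line is a constructed benign control, and the ProcessorNameString line is the CPU query the report attributes to 45037b9944.exe) and flags a process only when it combines two or more fingerprint categories, because a lone BIOS-version read is also done by legitimate software.

```python
"""Added example, not part of the sandbox report: score each process by how
many distinct sandbox/emulator fingerprint registry paths it touches.

Input is a constructed event list in the report's own
"action | registry path | process image" shape."""
import re
from collections import defaultdict

# Registry paths the report shows this sample's executables opening or
# querying, grouped by what each one fingerprints. Patterns match the tail of
# the path, case-insensitively, so HKLM/HKU prefixes and SIDs do not matter.
FINGERPRINT_KEYS = {
    "virtualbox_acpi": r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$",
    "bios_version":    r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$",
    "wine":            r"\\Software\\Wine$",
}

# Constructed sample: the first six lines reproduce events from the report's
# signature tables, the iexplore.exe line is a constructed benign control
# (a single BIOS-version read), and the ProcessorNameString line is the CPU
# query the report attributes to 45037b9944.exe, which is not a fingerprint.
SAMPLE_LOG = r"""
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe
Key opened | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\Internet Explorer\iexplore.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe
"""

def parse_events(log_text):
    """Yield (action, path, image) triples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) == 3:
            yield tuple(parts)

def classify_events(log_text):
    """Return {process image: set of fingerprint categories it touched}."""
    hits = defaultdict(set)
    for _action, path, image in parse_events(log_text):
        for category, pattern in FINGERPRINT_KEYS.items():
            if re.search(pattern, path, re.IGNORECASE):
                hits[image].add(category)
    return dict(hits)

def suspicious_processes(log_text, min_categories=2):
    """Flag a process only when it combines two or more categories.
    A lone BIOS-version read is routine for installers and browsers; the
    combination of VBOX__ + BIOS strings + Software\\Wine is the pattern each
    executable in this report's evasion tables shows."""
    return sorted(image for image, cats in classify_events(log_text).items()
                  if len(cats) >= min_categories)

if __name__ == "__main__":
    for image, cats in classify_events(SAMPLE_LOG).items():
        print(f"{image}: {sorted(cats)}")
    print("flagged:", suspicious_processes(SAMPLE_LOG))
```

The threshold is the point of the example: on this input explorti.exe and FHJKKECFIE.exe are flagged, the control iexplore.exe is not, and 45037b9944.exe does not appear at all because a CentralProcessor query is hardware discovery, not a VM fingerprint.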

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426368780" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b09caebc0fcfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not reproduced in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E754EA51-3B02-11EF-A372-5E92D6109A20} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000f03df1743e0416f0165d9c7eb551659f124687df095ff485cfaa1d624216ce62000000000e8000000002000020000000e1b5626259cd3adbb56f650217fbfd994bfa8d22acd43695c3115342954e5c07200000001c9f493619d81ba181ede198d47fc3509a6ed8c7cc8b8d905e35272d29c9287740000000e8a2da8ed658a83dd804355e0909b255f9ef4fc289c488b696d76a1b073c4fcc35971d44831d44c5768d22784625c63c24e3083313943944b14301bb8b021bec C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each row below collapses four identical consecutive events; the sandbox records one WriteProcessMemory call per write into the new child's address space.)
PID 2352 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2876 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe
PID 2876 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2964 wrote to memory of 2216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1504 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe

"C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\3fe381c055.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIJJDGDHDG.exe"

C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe

"C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe"

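The WriteProcessMemory rows are the sandbox's record of process creation (the parent writes the new child's startup data), so together with the command lines above they give the execution chain: the dropper copies itself to ad40971b6b\explorti.exe, explorti.exe fetches and runs 45037b9944.exe and a .cmd that opens youtube.com/account in Internet Explorer, and 45037b9944.exe uses cmd /c start to launch FHJKKECFIE.exe and HIJJDGDHDG.exe. The Python below is an added example, not the report's own tooling: it parses rows in the sandbox's "PID X wrote to memory of Y" format (the distinct edges copied from this report into a constructed sample, with the first row repeated once, as the sandbox emits repeated writes) into a parent/child tree, renders it from the root, and lists which stages execute from the user's Temp directory. The N/A column handling and the temp_executables helper are assumptions about this report's layout, not a sandbox API.

```python
"""Added example, not part of the sandbox report: rebuild the process tree from
"PID X wrote to memory of Y" rows and list the stages that run out of %TEMP%."""
import re
from collections import defaultdict

# One row per WriteProcessMemory event as the report prints it:
#   PID <parent> wrote to memory of <child> N/A <parent image> <child image>
# Image paths may contain spaces ("Program Files"), so the parent image is
# matched non-greedily up to the first ".exe" that is followed by a space.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)

# Constructed sample: the distinct edges from this report's behavioral1 table,
# with the first row repeated once to show that duplicate events collapse.
SAMPLE_ROWS = r"""
PID 2352 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2352 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2876 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe
PID 2876 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2964 wrote to memory of 2216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1504 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe C:\Windows\SysWOW64\cmd.exe
PID 540 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\FHJKKECFIE.exe
"""

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def parse_edges(text):
    """Return the set of distinct (parent pid, child pid, parent image, child image)."""
    edges = set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            parent, child, parent_img, child_img = m.groups()
            edges.add((int(parent), int(child), parent_img, child_img))
    return edges

def build_tree(edges):
    """Return (children: pid -> [child pids], image: pid -> image path)."""
    children = defaultdict(list)
    image = {}
    for parent, child, parent_img, child_img in sorted(edges):
        children[parent].append(child)
        image.setdefault(parent, parent_img)
        image[child] = child_img
    return children, image

def roots(children, image):
    """PIDs that never appear as a child: the top of each chain."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(pid for pid in image if pid not in all_children)

def render(children, image, pid, depth=0, out=None):
    """Depth-first listing, two spaces of indent per level."""
    if out is None:
        out = []
    out.append(f"{'  ' * depth}{pid} {image[pid]}")
    for kid in children.get(pid, []):
        render(children, image, kid, depth + 1, out)
    return out

def temp_executables(image):
    """PIDs whose image lives under the user's Temp directory. Everything in
    this chain that is not cmd.exe or Internet Explorer runs from there."""
    return sorted(pid for pid, img in image.items() if TEMP_RE.search(img))

if __name__ == "__main__":
    children, image = build_tree(parse_edges(SAMPLE_ROWS))
    for root in roots(children, image):
        print("\n".join(render(children, image, root)))
    print("stages executing from %TEMP%:", temp_executables(image))
```

Rendered from the single root (PID 2352), the tree shows the two branches side by side: the cmd.exe that spawns Internet Explorer is a sibling of 45037b9944.exe under explorti.exe, and PID 2432 (the cmd that starts HIJJDGDHDG.exe) has no recorded child, which matches the report listing no process entry for that executable.
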
Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
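Of the connections above, only the three RU-hosted port-80 targets have no hostname in the Domain column (the column repeats the IP), meaning the sandbox saw no DNS lookup for them; everything else is explained by the iexplore.exe launch of https://www.youtube.com/account and by IE's own certificate (pki.goog) and telemetry (ieonline.microsoft.com) traffic. The Python below is an added example, not the report's own tooling: it parses rows in the table's Country / Destination / Domain / Proto shape (copied into a constructed sample) and separates the direct-IP connections from DNS and browser noise, counting contact attempts per direct-IP host. The BENIGN_SUFFIXES allowlist is an analyst assumption specific to this detonation, not a general safe list.

```python
"""Added example, not part of the sandbox report: split the report's network
table into DNS, browser background traffic and direct-to-IP connections, and
count contact attempts per direct-IP host."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the report's "Country Destination Domain Proto" shape,
# copied from this detonation's network table (duplicate rows kept, since each
# is a separate connection).
SAMPLE_TABLE = """\
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.180.14:443 www.youtube.com tcp
GB 142.250.180.14:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Assumed allowlist, specific to this detonation: the sample launched
# https://www.youtube.com/account in Internet Explorer, and IE then fetched
# Google certificate infrastructure (pki.goog) and its own telemetry endpoint.
# This is an analyst judgement for this report, not a general safe list.
BENIGN_SUFFIXES = ("youtube.com", "google.com", "pki.goog", "microsoft.com")

def parse_rows(text):
    """Return one dict per non-empty line of the four-column table."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def classify(row):
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns"
    if is_ip_literal(row["domain"]):
        # The Domain column repeats the IP: the sandbox saw no DNS lookup that
        # resolved to this address, so the connection was made to a literal IP.
        return "direct_ip"
    if any(row["domain"] == s or row["domain"].endswith("." + s) for s in BENIGN_SUFFIXES):
        return "browser_noise"
    return "unclassified"

def triage(text):
    """Return {category: sorted unique "ip:port" endpoints}."""
    buckets = defaultdict(set)
    for row in parse_rows(text):
        buckets[classify(row)].add(f'{row["ip"]}:{row["port"]}')
    return {cat: sorted(eps) for cat, eps in buckets.items()}

def direct_ip_contacts(text):
    """Contact attempts per direct-IP host: the strongest network indicators in
    this report, all plaintext HTTP on port 80 to RU-hosted addresses."""
    return dict(Counter(r["ip"] for r in parse_rows(text) if classify(r) == "direct_ip"))

if __name__ == "__main__":
    for cat, endpoints in triage(SAMPLE_TABLE).items():
        print(f"{cat}: {endpoints}")
    print("direct-IP contacts:", direct_ip_contacts(SAMPLE_TABLE))
```

Anything that lands in the unclassified bucket on a new report is what deserves a look first; on this table the bucket is empty, and 77.91.77.81 stands out as the one direct-IP host contacted twice.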

Files

memory/2352-0-0x0000000000120000-0x00000000005DF000-memory.dmp

memory/2352-1-0x00000000772E0000-0x00000000772E2000-memory.dmp

memory/2352-2-0x0000000000121000-0x000000000014F000-memory.dmp

memory/2352-3-0x0000000000120000-0x00000000005DF000-memory.dmp

memory/2352-5-0x0000000000120000-0x00000000005DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 0cbc2312c9d511e1e844f3f311c4dd57
SHA1 24b7fc2a6171761b0fb462dd171a2919d480b541
SHA256 7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2
SHA512 7418804b38a4979fe847cad62efd869ca11b6b09b1dc8ef45d56cdf2037625ab783af7c499392271ff45de73dfd3c2505c5bcddd80c850251bc6c6ba7f4e4199

memory/2352-16-0x0000000000120000-0x00000000005DF000-memory.dmp

memory/2352-15-0x0000000000120000-0x00000000005DF000-memory.dmp

memory/2876-17-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/2876-18-0x00000000008D1000-0x00000000008FF000-memory.dmp

memory/2876-19-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/2876-21-0x00000000008D0000-0x0000000000D8F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\45037b9944.exe

MD5 7ad17f11aa6b1408999981b11078d674
SHA1 57a4856e4db83685852d7c6037bb1bbde4793415
SHA256 441f614bb8a71a458b9f8274f807c33550d0a91304b7b1bc25c23c6cd8d9b616
SHA512 06f7dbbe0fbba7615742840c5aa0e77f87bca47eb85bc5d5b33d5785d76e9a705e4d6ce0e068f43f45986405dcaf7171dfd6bd2bbd832e2eced0032ab4695e65

memory/2876-37-0x0000000006A10000-0x00000000075FC000-memory.dmp

memory/1504-40-0x0000000001050000-0x0000000001C3C000-memory.dmp

memory/2876-39-0x0000000006A10000-0x00000000075FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\3fe381c055.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/1292-78-0x0000000002020000-0x0000000002120000-memory.dmp

memory/2876-107-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/1504-117-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat

MD5 666c1c193654a6cceffa7eb0d39af02d
SHA1 b7d7a239fc13ea248b9b47e9d030727c4710be3a
SHA256 6170659ca07372aa55777b6de1f0d982602f5657883adc41af5ae751425955b9
SHA512 602ddecd86843ebddc2a056c3a47aa6fec41db1c7806fe9d84780d5d52bfbd3a57be5960996d7a26c5dc83447dbd4e86d02f979c4f13bcab5b9549338d1ecb27

memory/2876-163-0x00000000008D0000-0x0000000000D8F000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\TarE9D6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\CabE9D4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2f8f76bc768874068e3cc16348d68fd
SHA1 c9cd9a45a8deae0a2304e520fce42d62208b26c1
SHA256 ff978b1680ad05bad5f5187c29c8fbc285e459df0cf8d460c18aa18cdeaf1354
SHA512 f0236b87d9b030c7fd53a96bfca8a0a1b100db740f2a38ed449b3921e9d02e71ec62100f297d091a77f5ef3d385c5454bea8a863d31a2fc7dc215a05298a3385

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4af3e9af11a1c62bf3b88b7e92e02112
SHA1 e6feb5ecfc0f02d98f956a43fb04395575af76f0
SHA256 75dc9122c4dfa4c6541d40aa3a052f0535907e3b2147ad1e9573772ae3a7eb4e
SHA512 2904c2079df7e0aab289e070e0861393d5c161a4448999faa29051dcaac79a77b91225f85ca13e646c5c0e19a6263ca2c837c209424e10d51f06e56ee7a9f6f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3342acce0a4583e8edd698625906170b
SHA1 3bcbe282c79f90c495a0d6f0e697d382322a7a0d
SHA256 900748fc048aa4cc5cd6efbd0827df72c6f7b4c0713eaf08f466782abf849f4b
SHA512 ca36f0a503143a5313a4343ffa8f4dea1d487f30284f05daa5e1271c43f44203f5998b9d114157255ef16834f021da9646668fe04c7d608a599cc9c04abbbfb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61597ecce06b8077b0ae29923f8d8a31
SHA1 d4efa3fe9fc2e817cf67e22edfdeca6736a1f012
SHA256 c3a6b3ece03474298a62f7aee95a189188072737d280b32f1838469e34c6cdd5
SHA512 9d75d8bb80014a78327adde15d45778f783d813a69613a143d565a9a0534c10360859e4dd81d4c88c4b75513e81d41d5ed3ca773bbae3bfd3b41ceb84d4a626c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e026d3a7455785e94a5d71b9bd1ad5fd
SHA1 80a289f98f14660a8df203557251dba445dd8309
SHA256 a3bddc5c7b0b097c280a306ef4f286ca8422e65327241427591bd125c5bde129
SHA512 897f7d9f80bd524fc9adb0ef570baa754988a4165aac74fa215ce1be6bf371b851bb9706f0dff0e9b0ab3b5394e0a16e703faaf1ba0b323c4571cc7570d0a730

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d8b6bf31da6ae8a47638b5d2879e969
SHA1 2218ddf50142ef6237ba474b0f448a1e3f5ff40d
SHA256 0d54a3bd6e5366a52678d3e8361e11408f711c8fbc382003fd85c1269925a2d8
SHA512 0e49be58e5326da87f066bab4fe42ce975c1d66c06cf35e42d5c69004839600e94c9a97968bedaf69ecda8fb844d2e595aaa0714f1a917a25236263a20f7c241

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d56c6ae58d24a27c27cc763978c8cc0
SHA1 7bf615d2c7c58b1a626e326e65b571e87fd4fe57
SHA256 1ffe64b7a16e7122eccea896f6c5c8031851d6f5173a518c81f9513b39055bca
SHA512 90b4ad9e35dee57a91edc3021f5716ddaf2ef9b4b4732b4e7298478c71a748d235546d817077e3cc8fba0d1a3f344553c603d1629cc6146c735b0ed9ee8e42ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bc600a91f183116022c2c6b6383d103f
SHA1 1a562e8e742a10440e3ba51477dcd1abea77ded3
SHA256 0f176581caf8dc4edbc697ee7de1db1219fb09f59fff29fdd12ad288d1aee9cb
SHA512 42764c2729e730665da561d7db4cd0be6a13824633d0aa23109c329b9be84033c0fb826761738851cc475c65a5057efa0c68b1c45c67eaaf74c258248f8b7775

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e899322ea7a341384e7d78d910f50649
SHA1 5f130e4dd8a22dfc4c7aeb8d80afe648713e8170
SHA256 4ad94980cef2a6e52836675c62fca0ca2da6a77297009d834dc984eb8d33fa90
SHA512 c6870c241904b18951be776b3e0e8de91a282d4345c496a6600847d6706392795d003a1f68837a72c9f981083c9695d004b89564cadc1e40a2d58b02a41aae1e

memory/2876-527-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/1504-549-0x0000000001050000-0x0000000001C3C000-memory.dmp

memory/2876-593-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/832-603-0x0000000000280000-0x000000000073F000-memory.dmp

memory/832-665-0x0000000000280000-0x000000000073F000-memory.dmp

memory/2876-666-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/2876-667-0x0000000006A10000-0x00000000075FC000-memory.dmp

memory/2876-668-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/2876-669-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/2876-670-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/2876-671-0x00000000008D0000-0x0000000000D8F000-memory.dmp

memory/2876-672-0x00000000008D0000-0x0000000000D8F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d043ded4fb81a7131ce0502fa25c18b
SHA1 68a96112ec05a596dd228b9b54c391f3287d732a
SHA256 4fc8529983c600e9187e19d6579a02b648df9eae30ac9716cf5ca7b799cb344e
SHA512 7d6d422b1b3a300d723e0a6c0ec27d52897487926c7edcdce3e13861928688cf369bcefa751823132d8810586f0661f9c90499a46336983ea4ed47b89b8e1db4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd0defaee90fcbed4ef983a9060bad4b
SHA1 df9206feb4e38a128ede1f181830e8284a434d3c
SHA256 cc391498fd54bdc5e9d1048adea0db1d8346bbdd5db2751f7ab6e6a304b8b19e
SHA512 3e4894bc20d24cc85cc90abcf646fd22166ebf48bd50cbdda0b7ee68fab6e526709894363505c08c31fa0a77a08f3f7e7b52f8b8d641bdeaa38446778cc99007

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 faa621f649677b3005bc0797e37ea0f8
SHA1 3e3ec8157eed98c9bd41a4aac6e9f6996633985c
SHA256 43c262ee5480165584c9b4c88152b69b910d6243aac42bca90c5bf66f24fa4de
SHA512 d65a8fb2e31075fadf79f95a814b9e6b601121ce10c0094c9d8a81e8bcf0b3e692224326456e8e7fd7c0251700ea7d0a2634b1d9f398221a5d66a7d9d07752f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a62923cc63527fa7a481344fad1a514
SHA1 de519315ae1630fcd27507499a7e6f532590679e
SHA256 298e7f12dff313a24f3e09feff2d8686ab130a353a9c6e1e93d4ff946d548195
SHA512 c34527ea83d0b85d46e49bac980954a62f0ce07eb25b8a87454b41b4c2a17cdbf55eba5058f280254659da7b288358b73178f813fb57ef4c911199fb350857f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 38c9b3fc8c5de300212ebfb4ce554867
SHA1 b98914628506291e302a4e3dbb4513da58bf11c3
SHA256 dd8eba5b2a915b3a7e06dbdb41cf7b8bd2ad1043fb7c3f0ed9eb9d05cf627470

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 19:15

Reported

2024-07-05 19:17

Platform

win10v2004-20240704-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe

"C:\Users\Admin\AppData\Local\Temp\7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 152.136.73.23.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 0cbc2312c9d511e1e844f3f311c4dd57
SHA1 24b7fc2a6171761b0fb462dd171a2919d480b541
SHA256 7e2ecc1809770f939efc65c54d1efcca2a929b2d42744f7bd748224bc9f2b7b2
SHA512 7418804b38a4979fe847cad62efd869ca11b6b09b1dc8ef45d56cdf2037625ab783af7c499392271ff45de73dfd3c2505c5bcddd80c850251bc6c6ba7f4e4199
