Malware Analysis Report

2024-11-30 21:59

Sample ID 240706-b7739ascmm
Target bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe
SHA256 bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263
Tags amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263

Threat Level: Known bad

The file bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-06 01:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-06 01:48
Reported 2024-07-06 02:05
Platform win7-20240704-en
Max time kernel 144s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not retained) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000000664ec93506bd837afe9e3d67bbe88fd3d87a43c649c69a53516d5c7d26a137c000000000e80000000020000200000009a3185349168ab69f96f60402c29175ff48328005d82b79b2dac46bc4af134082000000061402441efc479589e3b05818366b8690867910b9957a3a6ee02252b44b2273e400000006b35cd16c2175df262c56851ce3a321a04457bfe93ffc38537ac82f117d7a51b6ede0dcb49fc7b687f4a66b6620745297d879a702776bc55b56e45f51e1d9a03 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426393257" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4AC11F1-3B3B-11EF-B233-C2666C5B6023} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0227fba48cfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2188 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2188 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2188 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2188 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2056 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe
PID 2056 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe
PID 2056 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe
PID 2056 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe
PID 2056 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2224 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2224 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2224 wrote to memory of 2460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2460 wrote to memory of 2260 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2460 wrote to memory of 2260 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2460 wrote to memory of 2260 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2460 wrote to memory of 2260 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2736 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe | C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe
PID 2620 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe
PID 2620 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe
PID 2620 wrote to memory of 2792 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe

"C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\951c343ea8.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BKJEHCAKFB.exe"

C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe

"C:\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe"

Network

Country | Destination | Domain | Proto
RU | 77.91.77.82:80 | 77.91.77.82 | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
US | 8.8.8.8:53 | www.youtube.com | udp
GB | 216.58.201.110:443 | www.youtube.com | tcp
GB | 216.58.201.110:443 | www.youtube.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 216.58.201.99:80 | c.pki.goog | tcp
GB | 216.58.201.99:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 216.58.201.99:80 | o.pki.goog | tcp
GB | 216.58.201.99:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | consent.youtube.com | udp
GB | 216.58.201.110:443 | consent.youtube.com | tcp
GB | 216.58.201.110:443 | consent.youtube.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 1608caccc377a28575b839e3eec49314
SHA1 ee0126916f65d88e92248d9c1bbe5ee2883d2abe
SHA256 bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263
SHA512 206f4dc5fedabec29c3f2428fe6c25ab52baf438f8d21e26993ce487c9d593825cb1797f1058095f5b4a69b0a35386e8bfbf9733cc4df5f6f7dda023b5b483a4

C:\Users\Admin\AppData\Local\Temp\1000006001\64a4f50ae0.exe

MD5 05be2cbe945ebb1f4db5c1fa09a75079
SHA1 bda32f10b41780e494da9733b74aaff5ddca342d
SHA256 179f7c98dab9536a149dbbeee298e9153c3a01fc94a2c48377118231246200ac
SHA512 20447216767e2010afc5d54ba6218c48f8aa6594de53e97ff0a9da180f2021c9916c1dddb059aabe2470454f945eedd1520b6c3f5ba5099b6d48fad9f400cacb

C:\Users\Admin\AppData\Local\Temp\1000008021\951c343ea8.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J7FHNNOW\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\85y7ywt\imagestore.dat

MD5 b5d8cc45a2a757a6a49de14b54b5d26c
SHA1 f88672b1ed987b53efa6570fe8ffa8be78fdbb94
SHA256 436b746aee7191f577889afde5d7b44a0c4482063d06b4641cc7508fd8f5e5e3
SHA512 4aebbae060c8736e687e68da28a4943f0c66d4d16b431caf80fea27321303eef10c9e0ddb91279440fd74242e02fa54af18b47bb2c102ed6e2d2d70f3950d282

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\Users\Admin\AppData\Local\Temp\FIEGCBKEGC.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

C:\Users\Admin\AppData\Local\Temp\Tar26C6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbf541a077d207bd5cddad0bdcf3fdd1
SHA1 938995404ff8cdacceed5083afaf7e430419343d
SHA256 d9be63f9de5e76e3813a4983993f07e7021a3c3ab7c3797dad723b1885e9825e
SHA512 1ef800838e4eac7898f98b116cb619feb54bad2a0ec0594715e83edf3363a4af6357ec815766b09a6d5f8f52f4771bd3ed52018ac1f3f804feb7d4c7cf442093

C:\Users\Admin\AppData\Local\Temp\Cab26B5.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:48

Reported

2024-07-06 02:05

Platform

win10v2004-20240704-en

Max time kernel

143s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe N/A

Identifies Wine through registry keys

evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe

"C:\Users\Admin\AppData\Local\Temp\bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 1608caccc377a28575b839e3eec49314
SHA1 ee0126916f65d88e92248d9c1bbe5ee2883d2abe
SHA256 bf54e9ba7f3f8d09aedef4e6d9d377f16bb085cb5353352a3f1bb5d17f3e1263
SHA512 206f4dc5fedabec29c3f2428fe6c25ab52baf438f8d21e26993ce487c9d593825cb1797f1058095f5b4a69b0a35386e8bfbf9733cc4df5f6f7dda023b5b483a4
