Malware Analysis Report

2024-11-30 21:58

Sample ID 240706-bzvg7asamr
Target 8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe
SHA256 8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff

Threat Level: Known bad

The file 8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 01:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 01:35

Reported

2024-07-06 01:58

Platform

win7-20240705-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DD102721-3B3A-11EF-A4F3-F6314D1D8E10} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000bcb525b13c27c817b8f85f1356e791a4821fe1718ded15c910cd5b8ccaf3b286000000000e8000000002000020000000676746fafa7a6c10e31ea92bbff4096e8f8ffc9de39501f4bf459206328afe7220000000cc8b2292cb85373df93560c84c4da33216ca28bb81074d1beca4530aa41f9c7b400000005eaa4bba9663bacabab839b7520f6cccb023058d43f35bf798a98d7dd48423aa6ce1c540a8a47336038201556d6b382e3baa567005a4719e6dcf77ecb4e0242f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0815bb247cfda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426392815" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1872 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe
PID 2256 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe
PID 2256 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe
PID 2256 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe
PID 2756 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2756 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2756 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2756 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1104 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\8959c9abd0.exe
PID 1104 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\8959c9abd0.exe
PID 1104 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\8959c9abd0.exe
PID 1104 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\8959c9abd0.exe
PID 1104 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1460 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1460 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1460 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2740 wrote to memory of 1528 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 1528 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 1528 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2740 wrote to memory of 1528 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe

"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKEHIEBKJK.exe"

C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe

"C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\8959c9abd0.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\8959c9abd0.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\2c40174d70.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
RU 85.28.47.30:80 85.28.47.30 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.78:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\ProgramData\nss3.dll

\ProgramData\mozglue.dll

C:\Users\Admin\AppData\Local\Temp\CAKKKJEHDB.exe

C:\Users\Admin\AppData\Local\Temp\1000006001\8959c9abd0.exe

C:\Users\Admin\AppData\Local\Temp\1000008021\2c40174d70.cmd

C:\Users\Admin\AppData\Local\Temp\CabEC55.tmp

C:\Users\Admin\AppData\Local\Temp\TarECB8.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:35

Reported

2024-07-06 01:57

Platform

win10v2004-20240704-en

Max time kernel

143s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | N/A

A .job file under C:\Windows\Tasks is a legacy (Task Scheduler 1.0) job definition, so this row is most likely the persistence mechanism for explorti.exe. The job's trigger and interval are not shown in this report; they have to be read from the file itself.

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1468 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 1244 | N/A | C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe | C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe
PID 3448 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe
PID 3448 wrote to memory of 1920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe
PID 1920 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1920 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1920 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe

"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDGIIDHJEB.exe"

C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe

"C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
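The WriteProcessMemory rows above are the only place this report records which PID launched which. Rebuilding the tree from them, as an added example written for this page (not the sandbox's own code): the twelve rows are copied from the table, the parser and tree builder are ours. Every row here is a parent writing into a child that the Processes list also shows it launching; a parent's CreateProcess writes into the new child (the process parameter block, among other things), so repeated rows for such a pair are expected and do not by themselves indicate injection. The injection case would be a write into a process the writer did not create, and none appears in this report.

```python
"""Rebuild the behavioral2 process tree from 'Suspicious use of
WriteProcessMemory' rows. Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Image paths exactly as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8e7963520355e4078e56aa0cbb4b38d6ca934a05ae11005a396ff917991116ff.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

# The twelve rows from the table above, in order: one row per WriteProcessMemory
# call, three per parent/child pair, as the sandbox logged them.
WPM_ROWS = (
    [f"PID 1468 wrote to memory of 3448 N/A {SAMPLE} {CMD}"] * 3
    + [f"PID 1468 wrote to memory of 1244 N/A {SAMPLE} {CMD}"] * 3
    + [f"PID 3448 wrote to memory of 1920 N/A {CMD} {DROPPER}"] * 3
    + [f"PID 1920 wrote to memory of 4008 N/A {DROPPER} {EXPLORTI}"] * 3
)

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(rows):
    """Return deduplicated (parent_pid, child_pid, parent_image, child_image)
    tuples in first-seen order; a malformed row is an error, not silently dropped."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in edges:
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map parent pid -> child pids, pid -> image path, and find the roots
    (pids that write to others but are never written to)."""
    children = defaultdict(list)
    image = {}
    for parent, child, pimg, cimg in edges:
        children[parent].append(child)
        image.setdefault(parent, pimg)
        image.setdefault(child, cimg)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in image if p not in all_children]
    return children, image, roots


def render(children, image, pid, depth=0):
    """Indented text tree, one line per process, basename only."""
    lines = [f"{'  ' * depth}{pid} {image[pid].rsplit(chr(92), 1)[-1]}"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    children, image, roots = build_tree(parse_edges(WPM_ROWS))
    for root in roots:
        print("\n".join(render(children, image, root)))
```

The rendered tree has one root, PID 1468 (the sample), with two cmd.exe children: 3448, whose command line must be the one starting KKFBAAFCGI.exe because 3448 then writes into 1920 (KKFBAAFCGI.exe), and 1244, which is therefore the one starting JDGIIDHJEB.exe. JDGIIDHJEB.exe never appears as a running process or a dropped file in this report, so that second branch apparently went nowhere in the sandbox. The four extra explorti.exe entries in the Processes list have no PIDs recorded and cannot be attached to the tree from the report alone.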

Network

Country | Destination | Domain | Proto
RU | 85.28.47.30:80 | 85.28.47.30 | tcp
US | 8.8.8.8:53 | 30.47.28.85.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
RU | 77.91.77.81:80 | 77.91.77.81 | tcp
US | 8.8.8.8:53 | 81.77.91.77.in-addr.arpa | udp
RU | 77.91.77.82:80 | 77.91.77.82 | tcp
US | 8.8.8.8:53 | 82.77.91.77.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
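Two things in this table are easy to misread. The udp rows are reverse (PTR) lookups of IP addresses, not hostname resolution by the malware, and the report does not say whether the sample, the OS or the sandbox's own instrumentation issued them; and for all three tcp rows the Domain column is the IP itself, meaning the connections went to literal IPs on port 80 with no preceding forward DNS query, which is itself a usable detection feature. The following is an added example written for this page, not the sandbox's code: it decodes the in-addr.arpa names and splits the looked-up addresses into those actually contacted over TCP and those only reverse-resolved. The rows are copied from the table above.

```python
"""Decode in-addr.arpa PTR names and correlate them with the TCP connections
in the behavioral2 Network table. Added example, not part of the report."""
import ipaddress

# Copied from the Network table above: country, destination, domain, proto.
NETWORK_ROWS = """\
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 30.47.28.85.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 77.91.77.81:80 77.91.77.81 tcp
US 8.8.8.8:53 81.77.91.77.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'30.47.28.85.in-addr.arpa' -> '85.28.47.30': the labels are the
    octets in reverse order. Anything that is not a 4-label IPv4 PTR name
    is rejected rather than guessed at."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 labels in {name!r}")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def correlate(rows):
    """Split addresses into contacted-over-TCP versus only reverse-resolved,
    and note TCP rows whose Domain column is the bare IP (no forward DNS)."""
    ports = {}          # ip -> set of TCP ports reached
    literal_ip = set()  # TCP destinations with no hostname in the Domain column
    looked_up = set()   # addresses that appear only as PTR queries
    for r in rows:
        if r["proto"] == "tcp":
            ports.setdefault(r["ip"], set()).add(r["port"])
            if r["domain"] == r["ip"]:
                literal_ip.add(r["ip"])
        elif r["proto"] == "udp" and r["domain"].endswith(PTR_SUFFIX):
            looked_up.add(ptr_to_ip(r["domain"]))
    contacted = set(ports)
    return {
        "contacted": contacted,
        "ports": ports,
        "literal_ip": literal_ip,
        "matched": contacted & looked_up,
        "lookup_only": looked_up - contacted,
    }


if __name__ == "__main__":
    result = correlate(parse_rows(NETWORK_ROWS))
    for key in ("contacted", "literal_ip", "matched", "lookup_only"):
        print(f"{key:12s} {sorted(result[key])}")
```

Run against the table, the three contacted addresses (85.28.47.30, 77.91.77.81, 77.91.77.82) all have a matching PTR lookup and all were reached by literal IP on port 80. The other seven reverse-resolved addresses have no TCP connection anywhere in this report; they should be treated as unexplained background, not as indicators, until the pcap shows who actually talked to them.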

Files

memory/1468-0-0x0000000000B30000-0x0000000001728000-memory.dmp

memory/1468-1-0x000000007F720000-0x000000007FAF1000-memory.dmp

memory/1468-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

nss3.dll and mozglue.dll are Mozilla's own NSS and mozglue runtime libraries; a stealer needs them to decrypt Firefox credential and cookie stores, which lines up with the "Reads user/profile data of web browsers" signature above. Compare the hashes against a genuine Firefox build before filing the DLLs themselves as malicious; what is notable is their location under C:\ProgramData, not their content.

memory/1468-78-0x000000007F720000-0x000000007FAF1000-memory.dmp

memory/1468-77-0x0000000000B30000-0x0000000001728000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KKFBAAFCGI.exe

MD5 11eec964ba9537e8483d7f83e16e9dc5
SHA1 c28912eeb04e8014db6c1405c015ee4f86b3e5de
SHA256 72c54bee2aa8eefe4fa0fdc460ea31f7f04d76d8a3c9bd610eb722268c9881fc
SHA512 5ce8979b5c4e21b275d8f604ee174afd19191559c4431f038cb04a43eda1c1d9508d2efdbf7df86675ba455304ce187a6fbaf8b6f315282fd1e46c1070f39f4e

memory/1920-82-0x0000000000F50000-0x00000000013F8000-memory.dmp

memory/1920-96-0x0000000000F50000-0x00000000013F8000-memory.dmp

memory/4008-94-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-97-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/2532-99-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/2532-100-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-101-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-102-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-103-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-104-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-105-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-106-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-107-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4800-109-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4800-110-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-111-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-112-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-113-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-114-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-115-0x0000000000CE0000-0x0000000001188000-memory.dmp

memory/4008-116-0x0000000000CE0000-0x0000000001188000-memory.dmp
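The memory dump names in this list encode the PID, a sequence number and the dumped address range, which is enough to see which processes carried the same image. As an added example for this page (not the sandbox's code), the parser below groups the dumps by exact region and by region size; the names are a subset of the list above, one or two per PID and region, since the remaining PID 4008 entries repeat the same region.

```python
"""Parse 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' names and group
them by region. Added example, not part of the sandbox report."""
import re
from collections import defaultdict

# Subset of the behavioral2 Files list above (copied, not invented).
DUMP_NAMES = """\
memory/1468-0-0x0000000000B30000-0x0000000001728000-memory.dmp
memory/1468-1-0x000000007F720000-0x000000007FAF1000-memory.dmp
memory/1468-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1468-77-0x0000000000B30000-0x0000000001728000-memory.dmp
memory/1468-78-0x000000007F720000-0x000000007FAF1000-memory.dmp
memory/1920-82-0x0000000000F50000-0x00000000013F8000-memory.dmp
memory/1920-96-0x0000000000F50000-0x00000000013F8000-memory.dmp
memory/4008-94-0x0000000000CE0000-0x0000000001188000-memory.dmp
memory/4008-97-0x0000000000CE0000-0x0000000001188000-memory.dmp
memory/2532-99-0x0000000000CE0000-0x0000000001188000-memory.dmp
memory/2532-100-0x0000000000CE0000-0x0000000001188000-memory.dmp
memory/4800-109-0x0000000000CE0000-0x0000000001188000-memory.dmp
memory/4800-110-0x0000000000CE0000-0x0000000001188000-memory.dmp
memory/4008-116-0x0000000000CE0000-0x0000000001188000-memory.dmp
"""

NAME_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """-> (pid, sequence, start, end) with integer addresses; rejects names
    that do not match or describe an empty/inverted region."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return int(pid), int(seq), start, end


def region_size(name):
    _, _, start, end = parse_dump_name(name)
    return end - start


def group_by_region(names):
    """(start, end) -> sorted PIDs that had a dump of exactly that region."""
    groups = defaultdict(set)
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        groups[(start, end)].add(pid)
    return {k: sorted(v) for k, v in groups.items()}


def group_by_size(names):
    """size -> sorted PIDs; catches the same image mapped at a different base."""
    groups = defaultdict(set)
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        groups[end - start].add(pid)
    return {k: sorted(v) for k, v in groups.items()}


def report(names):
    lines = []
    for (start, end), pids in sorted(group_by_region(names).items()):
        lines.append(f"0x{start:08X}-0x{end:08X} size 0x{end - start:X} pids {pids}")
    return lines


if __name__ == "__main__":
    names = DUMP_NAMES.splitlines()
    print("\n".join(report(names)))
    for size, pids in sorted(group_by_size(names).items()):
        print(f"size 0x{size:X}: {pids}")
```

Grouping by exact region puts PIDs 2532 and 4800 on the same 0x00CE0000-0x01188000 range as 4008 (explorti.exe); grouping by size adds 1920 (KKFBAAFCGI.exe), whose region is at a different base but has the same 0x4A8000 length, consistent with explorti.exe being a copy of KKFBAAFCGI.exe, which is what the process tree suggests but the report does not confirm with a hash for explorti.exe. PIDs 2532 and 4800 do not appear in the process tree; the Processes list does show four extra explorti.exe instances without PIDs, and these are the likely matches, but that is an inference from the region, not something the report states.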