Malware Analysis Report

2024-11-30 22:08

Sample ID 240706-mznv7awhql
Target 53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c
SHA256 53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c
Tags
amadey stealc 4dd39d nice discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c

Threat Level: Known bad

The file 53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c was found to be: Known bad.

Malicious Activity Summary

amadey stealc 4dd39d nice discovery evasion spyware stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Reads data files stored by FTP clients

Identifies Wine through registry keys

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 10:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 10:54

Reported

2024-07-06 11:46

Platform

win7-20240705-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe | N/A
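The three registry checks listed above (the VBOX__ ACPI table, the System/Video BIOS version strings and the Wine key) are how the sample and both of its payloads decide whether they are running under an analysis environment. The following Python is an added example and not part of the sandbox report: it parses event rows written in the report's own Description Indicator Process Target layout and scores each process by how many distinct anti-analysis checks it performed. The row regex, the category patterns and the sample rows (copied from the tables above, not a live log) are constructed here; a single query such as the CPU name is routine for installers, so the example only flags processes that combine two or more checks.

```python
import re
from collections import defaultdict

# Constructed sample rows in the report's "Description Indicator Process Target"
# layout (taken from the behavioral1 tables); this is not a live sandbox log.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe N/A",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe N/A",
    r"Key created \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A",
]

# Row grammar assumed from the report layout: description, registry path (may contain
# spaces, e.g. "Internet Explorer"), image path ending in .exe, then the target column.
ROW = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|Set value \(\w+\))\s+"
    r"(?P<indicator>\\REGISTRY\\.+?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<target>\S+)$",
    re.IGNORECASE,
)

# Anti-analysis categories; the patterns are this example's assumption, written
# to match the keys the report shows being opened or queried.
ANTI_ANALYSIS = [
    ("virtualbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios_strings", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I)),
    ("wine", re.compile(r"\\Software\\Wine$", re.I)),
    ("cpu_name", re.compile(r"\\CentralProcessor\\0(?:\\ProcessorNameString)?$", re.I)),
]


def parse_row(line):
    """Split one report row into its four columns, or None if it is not a registry row."""
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def classify(indicator):
    """Return the anti-analysis category a registry path belongs to, or None."""
    for name, pattern in ANTI_ANALYSIS:
        if pattern.search(indicator):
            return name
    return None


def summarize(rows):
    """Map each process image name (lower-cased) to the set of categories it touched."""
    hits = defaultdict(set)
    for line in rows:
        event = parse_row(line)
        if event is None:
            continue
        category = classify(event["indicator"])
        if category:
            image = event["process"].rsplit("\\", 1)[-1].lower()
            hits[image].add(category)
    return dict(hits)


def evasive_processes(summary, min_categories=2):
    """Processes combining several distinct checks; one lone query is weak evidence."""
    return sorted(p for p, cats in summary.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for image, cats in sorted(summary.items()):
        print(f"{image}: {', '.join(sorted(cats))}")
    print("evasive:", evasive_processes(summary))
```

Run against the full behavioral1 tables, the original sample, explorti.exe and DGCAAAFCBF.exe each combine all three checks, while 720b7a9399.exe only reads the processor name and stays below the threshold; that separation is the reason to score per process rather than per event.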

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426428121" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0F9577C1-3B8D-11EF-9E52-6ED7993C8D5B} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000ef24a8f68a3763cbe6c92e57902e1f1c33ca7b179abe8037bf31cdc6d5615973000000000e8000000002000020000000a9ae1098272df34bd7fdb023d3829031a93c0c0a4caee7fca8fef30ba5e4755a2000000049566d9ed4c86b0b0548237c7d635b6819de62567f8998963a6a1ef122d2cc214000000009d597821a3e09fa48a588cca6cc9741a9e6af1c9e9ad7f93185a389f68eb3b35e5d7d38aea95448bc0255bd1f8a4e7be65823be38a7032d029bf681c9892024 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c63ae999cfda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2244 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2244 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2244 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 2244 wrote to memory of 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
PID 1132 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe
PID 1132 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe
PID 1132 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe
PID 1132 wrote to memory of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe
PID 1132 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | C:\Windows\SysWOW64\cmd.exe
PID 1732 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1732 wrote to memory of 2712 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2712 wrote to memory of 3056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2712 wrote to memory of 3056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2712 wrote to memory of 3056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2712 wrote to memory of 3056 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2572 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe | C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe
PID 2004 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe
PID 2004 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe
PID 2004 wrote to memory of 2228 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe

Processes

C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe

"C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe

"C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000008021\a360f20909.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EBKKKEGIDB.exe"

C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe

"C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe"
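The Processes list above carries command lines but no PIDs, so the execution chain has to be recovered from the WriteProcessMemory rows, where each "PID A wrote to memory of B" entry pairs a writer with the image it wrote into. The following Python is an added example, not part of the sandbox report: it parses rows in that layout, collapses the repeated entries (the sandbox logs one row per write, and a parent setting up a freshly created child typically produces a small burst of them) into parent/child edges, and prints the tree. The row regex, the "first writer is the parent" heuristic and the sample rows (copied from the table above, with one pair duplicated) are this example's assumptions; where the sandbox exports a real process tree, prefer that.

```python
import re
from collections import defaultdict

# Constructed sample rows in the report's WriteProcessMemory layout
# ("PID A wrote to memory of B | N/A | writer image | written image").
WRITE_ROWS = [
    r"PID 2244 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
    r"PID 2244 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe",
    r"PID 1132 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe",
    r"PID 1132 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 1732 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe",
    r"PID 2712 wrote to memory of 3056 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    r"PID 2572 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2572 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2004 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe",
]

# Row grammar assumed from the report: both image paths may contain spaces,
# so the writer path is matched lazily up to the first ".exe" that precedes a drive letter.
WRITE = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+)\s+\S+\s+"
    r"(?P<src>[A-Za-z]:\\.+?\.exe)\s+(?P<dst>[A-Za-z]:\\.+\.exe)$",
    re.IGNORECASE,
)


def parse_write(line):
    """Return (writer_pid, target_pid, writer_image, target_image) or None."""
    m = WRITE.match(line.strip())
    if not m:
        return None
    return int(m["src_pid"]), int(m["dst_pid"]), m["src"], m["dst"]


def build_tree(rows):
    """Collapse write rows into edges: parent_of, children_of and the image per PID.

    Heuristic: the first process seen writing into a PID is taken as its parent,
    which holds when the writes are the parent initialising a child it just spawned."""
    parent_of, children_of, image_of = {}, defaultdict(set), {}
    for line in rows:
        event = parse_write(line)
        if event is None:
            continue
        src_pid, dst_pid, src, dst = event
        image_of.setdefault(src_pid, src)
        image_of.setdefault(dst_pid, dst)
        if dst_pid not in parent_of:
            parent_of[dst_pid] = src_pid
            children_of[src_pid].add(dst_pid)
    return parent_of, dict(children_of), image_of


def roots(parent_of, image_of):
    """PIDs nobody wrote into: the detonated sample should be the only one."""
    return sorted(pid for pid in image_of if pid not in parent_of)


def chain_to(pid, parent_of):
    """Ancestry from the root down to pid, e.g. sample -> loader -> cmd -> payload."""
    path = [pid]
    while path[-1] in parent_of:
        path.append(parent_of[path[-1]])
    return path[::-1]


def write_counts(rows):
    """Raw rows per (writer, target) pair; a large count into an already-running
    process would point at injection rather than the burst seen at process creation."""
    counts = defaultdict(int)
    for line in rows:
        event = parse_write(line)
        if event:
            counts[(event[0], event[1])] += 1
    return dict(counts)


def render(pid, children_of, image_of, depth=0):
    """Indented text tree, one line per process."""
    name = image_of[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for child in sorted(children_of.get(pid, ())):
        lines.extend(render(child, children_of, image_of, depth + 1))
    return lines


if __name__ == "__main__":
    parent_of, children_of, image_of = build_tree(WRITE_ROWS)
    for root in roots(parent_of, image_of):
        print("\n".join(render(root, children_of, image_of)))
    print("chain to DGCAAAFCBF.exe:", chain_to(2228, parent_of))
```

On the full table this yields one root (the sample, PID 2244) with two branches: explorti.exe (1132) launches 720b7a9399.exe (2572), which in turn runs the cmd.exe instances that start DGCAAAFCBF.exe and EBKKKEGIDB.exe; and explorti.exe runs the a360f20909.cmd script that opens Internet Explorer on youtube.com. PID 688 (the second cmd.exe) has no recorded child, which matches the Processes list above, where EBKKKEGIDB.exe never appears as a running process.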

Network

Country Destination Domain Proto
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.201.99:80 o.pki.goog tcp
GB 216.58.201.99:80 o.pki.goog tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.201.110:443 consent.youtube.com tcp
GB 216.58.201.110:443 consent.youtube.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
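The Network table mixes three kinds of traffic: plain-HTTP connections to bare IP addresses with no DNS lookup (the three RU hosts, one of them contacted twice), the sandbox's DNS resolver at 8.8.8.8, and the YouTube, Google, pki.goog and Microsoft traffic generated by the Internet Explorer launch recorded in the Processes section. The following Python is an added example, not part of the sandbox report: it parses rows in the table's Country Destination Domain Proto layout and sorts them into candidate C2 destinations, resolver queries and browser noise, so that only the first group ends up in a blocklist. The resolver address, the benign-suffix list and the sample rows (copied from the table above) are this example's assumptions; the suffix list is specific to this detonation and is not a general allowlist, since stealers do abuse legitimate services.

```python
import ipaddress
from collections import Counter

# Constructed sample rows in the report's "Country Destination Domain Proto" layout.
NETWORK_ROWS = """\
RU 77.91.77.82:80 77.91.77.82 tcp
RU 77.91.77.81:80 77.91.77.81 tcp
RU 85.28.47.30:80 85.28.47.30 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.204.78:443 www.youtube.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
RU 77.91.77.81:80 77.91.77.81 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
""".splitlines()

# Assumptions for this detonation only: the sandbox resolver and the domains
# produced by the iexplore.exe launch seen in the process list.
DNS_RESOLVERS = {"8.8.8.8"}
BENIGN_SUFFIXES = ("youtube.com", "google.com", "pki.goog", "microsoft.com")


def parse_net_row(line):
    """Split one row into country, ip, port, domain and protocol."""
    country, destination, domain, proto = line.split()
    ip, port = destination.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_bare_ip(domain):
    """True when the 'domain' column is just the IP, i.e. no name was ever resolved."""
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False


def matches_suffix(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(rows, resolvers=DNS_RESOLVERS, benign_suffixes=BENIGN_SUFFIXES):
    """Bucket each row; counts show how often a destination was contacted."""
    buckets = {"c2_candidate": Counter(), "dns": Counter(),
               "browser_noise": Counter(), "review": Counter()}
    for line in rows:
        r = parse_net_row(line)
        key = f"{r['ip']}:{r['port']}/{r['proto']}"
        if r["ip"] in resolvers and r["port"] == 53:
            buckets["dns"][r["domain"]] += 1          # what was asked, not where
        elif is_bare_ip(r["domain"]):
            buckets["c2_candidate"][key] += 1        # hard-coded IP, no DNS: typical loader C2
        elif matches_suffix(r["domain"], benign_suffixes):
            buckets["browser_noise"][key] += 1
        else:
            buckets["review"][key] += 1              # unknown name: look at it by hand
    return buckets


def blocklist(buckets):
    """Destination IPs worth exporting; never the resolver or the CDN endpoints."""
    return sorted({key.split(":")[0] for key in buckets["c2_candidate"]},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for bucket, counter in result.items():
        print(bucket, dict(counter))
    print("blocklist:", blocklist(result))
```

The worthwhile check before shipping the blocklist is the "review" bucket: anything that lands there is a resolved name that is neither the browser noise nor a bare IP, and on this report it is empty, which is what you would expect when the only non-browser traffic is the loader talking to hard-coded hosts over port 80.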

Files

memory/2244-0-0x0000000000390000-0x0000000000857000-memory.dmp

memory/2244-1-0x0000000077AB0000-0x0000000077AB2000-memory.dmp

memory/2244-2-0x0000000000391000-0x00000000003BF000-memory.dmp

memory/2244-3-0x0000000000390000-0x0000000000857000-memory.dmp

memory/2244-4-0x0000000000390000-0x0000000000857000-memory.dmp

memory/2244-5-0x0000000000390000-0x0000000000857000-memory.dmp

memory/2244-8-0x0000000000390000-0x0000000000857000-memory.dmp

memory/2244-7-0x0000000000390000-0x0000000000857000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 28e571d4573b9bdbeeaf27b204fee1d9
SHA1 ad4d75a05f431936933b3572758b806765761ee1
SHA256 53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c
SHA512 800f910316a8cb2c3fdb28afdf1fc0a539375d3d9ce44804f4493dab6a6158a956b9c59f85a55f982f764b20762eef2e803124362e5eed53f2d951f456240332

memory/1132-18-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/2244-17-0x0000000007130000-0x00000000075F7000-memory.dmp

memory/2244-19-0x0000000000390000-0x0000000000857000-memory.dmp

memory/1132-20-0x0000000000921000-0x000000000094F000-memory.dmp

memory/1132-22-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-21-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-24-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-25-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-26-0x0000000000920000-0x0000000000DE7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000006001\720b7a9399.exe

MD5 58ecb697be82278aeb969f9c2c12e1d4
SHA1 962efe904a67f667065350cf5a865d22a8d9b563
SHA256 c8d2aaa1fc32eab170c96f95884a85e47a025f8d74b66a9e7311cba9ee88d10d
SHA512 0947b87b1b38d1bcde914e65233a78dc8079f419fc0c0f36e10d4ae2fc07e239b557fa05e899d36ef3158265a7519cf1a83fa44e1d86567ff181c5660966f26c

memory/1132-44-0x0000000006E00000-0x00000000079E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000008021\a360f20909.cmd

MD5 ee00aba3bdbf694bb1588c965a077e3a
SHA1 00491ccb092d576b62d54172bdc09877d0f74c19
SHA256 1aaae392ae43103ba228a64247a82cc41767041f6fa6db20246e3f0d49b29750
SHA512 1a05c43de1ac0fdbabe97145e7170a1a399fcf2b8463422049ee1e5b13d42c316e7da0cb39b7e10935fc16e69f88d6a5869e114f1ae4fbed15ffd1b313661e49

memory/2572-85-0x0000000000340000-0x0000000000F27000-memory.dmp

memory/1132-84-0x0000000006E00000-0x00000000079E7000-memory.dmp

memory/2572-86-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1132-104-0x0000000000920000-0x0000000000DE7000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2572-180-0x0000000000340000-0x0000000000F27000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jmgc6we\imagestore.dat

MD5 de18d538d846fc493697217af027c3c4
SHA1 ec5038d4416741d1ba61df6b42a9cc34cb13702f
SHA256 ea1fa123b9454986c21100995eb1a47c664b5ed0d7e401d0fb598c70657f3990
SHA512 06cb1276a6a79d5b85a0cec3333bdee4bf8d47f5219c03ff2615804b6547f3e9f2a44e939c4e926d44dca76e88bf3f21eae2be5c56a953df62ed8dce3ec9cd79

memory/1132-199-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/2572-203-0x0000000000340000-0x0000000000F27000-memory.dmp

\Users\Admin\AppData\Local\Temp\DGCAAAFCBF.exe

MD5 f5b545d705d9eb65864751dc06c581fc
SHA1 5a1e0218d17f6bf8d2caa61f62f8ec9f8dde8f80
SHA256 cd76f05a2948f291245d29bcbd8f61f3280e91c31787c730b65525af56dacbde
SHA512 cf600b113d2d4808fae4e841234737508100ccbd00615844f80cbf5f38a911641ced0906660a67b69d74c850d760257fb55102fac36de3d61f0e68b982675d9a

memory/2228-234-0x0000000000C20000-0x00000000010CA000-memory.dmp

memory/2004-233-0x00000000021D0000-0x000000000267A000-memory.dmp

memory/2228-244-0x0000000000C20000-0x00000000010CA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 70ffb11edc608b4aa5ca5343e4462012
SHA1 347dbab3bbbbe8487d395bff201ef77bde320ff5
SHA256 544061de06a0c6c4e8f85c26c519701e0ca74d72790c8d6087995a526cf7dbb0
SHA512 6472aabbd53ff40404d023879ea08925e93272dd8da67d8ac0c31cac306250a1b54da2a2925761dea85afb1f45aca500db0aaaf047ca55448d6789a5beb04dee

C:\Users\Admin\AppData\Local\Temp\TarEB5C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\CabEB4A.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca3319aa53e86fc55f0826c99408d802
SHA1 905e7a279a6c2eae10067a1d3b8894f247b6ed62
SHA256 446390a5272d2aaafb79a6b352f987a1cfa06aa96b5e404142bac76b25801970
SHA512 6b3685d619959ca6f066949ac5095322ec8c380a909ecf0bf8a8f22904d54ce41496684c8e5d14e2e64d52dc7a528e0d79e9d6f9a6591292cdb4da0794d83a3b

memory/1132-296-0x0000000000920000-0x0000000000DE7000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b29199cc8c6438b9564949023f7d1b6
SHA1 caf91e7b49e20357f1b5e3e3c3708582f8dc4b76
SHA256 2e97f2fcf95504012c4cd8370d2cf57ce720aa497c4b6bd8aac7c4ac83f35905
SHA512 05956d1c6440336e9367221d46e769767f6f1f555b941a9d37b871beed01b29912186e8fc116ab8d664ef6ba0bd5ac6b439ccd767e225172b2f0d146e2d7474c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df5687ffacd5bf77431095ab36f62d6c
SHA1 8ce38204aef3d87fd39cf982a728c478a5e901fc
SHA256 8b2f6c97324b637c71592beaad498f87afe6c0fb22fa9a7b48b907ff425d6cab
SHA512 ef7aa82f21eb8dccfb137471e8b4c7a92813acb9a646d2a17f2eaade214815db39f26d0efd76a5720cc52c750ed1f1ab67ed724b3e320f76b9c444c41df80fcd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6173c9e7687d8f234f3355f3b436333
SHA1 6d4d4e707c34d365a48d127489b11a7bb3ba9c50
SHA256 7abc9448f2775c41f8a799986250e5b9b0e6eb9b0de86cd1bebe924b890b6532
SHA512 9522019965e4be81d628214c0104f0b85e7ce39e90c59b68463d4cebb20d3684269a84eb4050cfbc5bc1e83147a9cae88cdd2c6781cdc100ebe126b47fcd2350

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c9a27333c3d6ac7bd4d649b017001d0
SHA1 2ec21cccb3eeb1c0d72df9346453050cd3307dda
SHA256 cdfb9c7752545e6dc987d784c2ae3ae4db917c2c7bbf8ae44bc1fb5cec9a6fb4
SHA512 ab4fc961b1e3ccd793fb3a4eb85d4ea3804c7e15cfeff83c4037947878b17c247c216ea01efa2c55a2ca3d2233c9e1738e48b907cdb34a28eb7f920333935ab7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8ba38a898ac521ce7ed700344aa3728
SHA1 b56b3f1444ab3c85704cd1e723c679626a3f21dc
SHA256 7e9734e30ea287c182eac7c6bf9b485e0178c591834b82bd9b5d78c7b3c80292
SHA512 b9935f3ff30c87e4a1b183df612ab59245dab840324b7ba621b244d46c88acafe612062700c598491c076b916ae2b5b7b421fdf698562c59e226748e3b1d8b24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92af7d47a5c84969b4cf5051eda87dd2
SHA1 7be7a76fc15ea21550eea1ab9af308f8b58432a5
SHA256 ddea563844947ece469948fcc11e5ae1c3614452ed282cfd073dc1cc74045afc
SHA512 ba2090eba85fd076d7d9565d97a5f1173830a6baf9d4968b100c245996412f301c627cca40b865eb233d35b1c0052cf0ad1631e5d4155b906dd32dd5cafcebb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64fc204003a1526af29f206c3b244431
SHA1 8692376902df6ccfc06f75d3a2e66ec500a83067
SHA256 0171a6b8753454509e0a401373a5ff1c6a2f124273f03c396426099c9b963f56
SHA512 d9c8124b2f5c6136818cdf28596665e31416e704e16bab2c0176288f8986a2ac71873ba1a545c166a8af0690e5c325a35d5fad5377484df464d860d1c398cff2

memory/1132-642-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-679-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-680-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-681-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/2004-682-0x00000000021D0000-0x000000000267A000-memory.dmp

memory/1132-683-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-684-0x0000000000920000-0x0000000000DE7000-memory.dmp

memory/1132-685-0x0000000000920000-0x0000000000DE7000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4b35322105739f5473096f544b9dd44
SHA1 f276fbc4683df8452c95f87bcbbb2de4f50ca37d
SHA256 8574415502d5c65bc25c77893de3881fb36d3088572353ff0b5519eb2cba9963
SHA512 f3c9b6e690db300c74e66b37412208ba40e08a407d850456d9118abaa7d43ac9b92105a5b3243cd3c44d8970d84297e6d2b09f6102dff5594b3d590ae7f73b82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82119ccfb2f2201e2ce20ad2015c9955
SHA1 0f3fed734161b6d228fa077eaa09adc9ba9f91d2
SHA256 d5192d88a9f9d6d4b28ed56287f22ddea8711a8b3762eef8682019957d9e18b4
SHA512 a062cedacdcf507073937e1d290cb0399a45a0cbbfbce2fe4c4d574fbcc7b30e15c5e23dbddedd69a4491214217cc12eda2d0cc6fe448190e3d1f8551c8fdbba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b74cf183917b3b69259f07f4f10191f
SHA1 81293e3a8b4d05c181835e740a88d79128d922b6
SHA256 e54f9d5068dc8490853aa96c5ca65d63ecad165b5a0ef203a8a3a7fd836044ed
SHA512 bd8c6b870916e50c8a5dac2feabcbbd9f6a891fe644f63aa820b723a82d3793d5ad1cc11ac852a85faf6fd399614af78b14746a32ecec38a6745960fe847658e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 10:54

Reported

2024-07-06 11:44

Platform

win10v2004-20240704-en

Max time kernel

144s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe

"C:\Users\Admin\AppData\Local\Temp\53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
RU 77.91.77.82:80 77.91.77.82 tcp
US 8.8.8.8:53 82.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 28e571d4573b9bdbeeaf27b204fee1d9
SHA1 ad4d75a05f431936933b3572758b806765761ee1
SHA256 53188c5bd473240d4307ec137e20df4fe7f2e50864e5a888f7f30be49c988d0c
SHA512 800f910316a8cb2c3fdb28afdf1fc0a539375d3d9ce44804f4493dab6a6158a956b9c59f85a55f982f764b20762eef2e803124362e5eed53f2d951f456240332
