Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
12-07-2024 03:35
Static task
static1
Behavioral task
behavioral1
Sample
8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe
Resource
win10v2004-20240709-en
General
-
Target
8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe
-
Size
1.8MB
-
MD5
5c680c61385dd58f4fc12a03b7faf3aa
-
SHA1
0ae6c6bb9d9a1175215187b487c9fd3a419c4680
-
SHA256
8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc
-
SHA512
10ced6edd0fb538d210a7aca9e29af1140d985d079826149c5cdddc3445775084cf599644fe567271da9e09db6006ce9513624ed14681be763baa84f57d9cf67
-
SSDEEP
49152:n72nmmbesQ6AuQmng0iBKFanvJ5xjgGgGCnTks6:nqnmwesQ6ABmneBKFUrxjnogx
Malware Config
Extracted
amadey
4.30
4dd39d
http://77.91.77.82
-
install_dir
ad40971b6b
-
install_file
explorti.exe
-
strings_key
a434973ad22def7137dbb5e059b7081e
-
url_paths
/Hun4Ko/index.php
Extracted
stealc
hate
http://85.28.47.30
-
url_path
/920475a59bac849d.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
Processes:
ECGDHDHJEB.exeexplorti.exeexplorti.exe8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exeexplorti.exeCBGHCAKKFB.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ECGDHDHJEB.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorti.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ CBGHCAKKFB.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorti.exe8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exeCBGHCAKKFB.exeECGDHDHJEB.exeexplorti.exeexplorti.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion CBGHCAKKFB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ECGDHDHJEB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorti.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion CBGHCAKKFB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ECGDHDHJEB.exe -
Executes dropped EXE 7 IoCs
Processes:
explorti.exee1db465562.exe3128f53eae.exeCBGHCAKKFB.exeECGDHDHJEB.exeexplorti.exeexplorti.exepid process 3476 explorti.exe 4804 e1db465562.exe 2816 3128f53eae.exe 2584 CBGHCAKKFB.exe 424 ECGDHDHJEB.exe 1032 explorti.exe 4924 explorti.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exeexplorti.exeCBGHCAKKFB.exeECGDHDHJEB.exeexplorti.exeexplorti.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine CBGHCAKKFB.exe Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine ECGDHDHJEB.exe Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine explorti.exe Key opened \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000\Software\Wine explorti.exe -
Loads dropped DLL 2 IoCs
Processes:
e1db465562.exepid process 4804 e1db465562.exe 4804 e1db465562.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000011001\3128f53eae.exe autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exeexplorti.exee1db465562.exeCBGHCAKKFB.exeECGDHDHJEB.exeexplorti.exeexplorti.exepid process 2640 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe 3476 explorti.exe 4804 e1db465562.exe 4804 e1db465562.exe 2584 CBGHCAKKFB.exe 424 ECGDHDHJEB.exe 1032 explorti.exe 4924 explorti.exe -
Drops file in Windows directory 1 IoCs
Processes:
8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exedescription ioc process File created C:\Windows\Tasks\explorti.job 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exee1db465562.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 e1db465562.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString e1db465562.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exeexplorti.exee1db465562.exeCBGHCAKKFB.exeECGDHDHJEB.exeexplorti.exeexplorti.exepid process 2640 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe 2640 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe 3476 explorti.exe 3476 explorti.exe 4804 e1db465562.exe 4804 e1db465562.exe 4804 e1db465562.exe 4804 e1db465562.exe 2584 CBGHCAKKFB.exe 2584 CBGHCAKKFB.exe 424 ECGDHDHJEB.exe 424 ECGDHDHJEB.exe 1032 explorti.exe 1032 explorti.exe 4924 explorti.exe 4924 explorti.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
firefox.exedescription pid process Token: SeDebugPrivilege 4952 firefox.exe Token: SeDebugPrivilege 4952 firefox.exe Token: SeDebugPrivilege 4952 firefox.exe Token: SeDebugPrivilege 4952 firefox.exe Token: SeDebugPrivilege 4952 firefox.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
3128f53eae.exefirefox.exepid process 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 4952 firefox.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
3128f53eae.exepid process 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe 2816 3128f53eae.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
e1db465562.exefirefox.exepid process 4804 e1db465562.exe 4952 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exeexplorti.exe3128f53eae.exefirefox.exefirefox.exedescription pid process target process PID 2640 wrote to memory of 3476 2640 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe explorti.exe PID 2640 wrote to memory of 3476 2640 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe explorti.exe PID 2640 wrote to memory of 3476 2640 8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe explorti.exe PID 3476 wrote to memory of 4804 3476 explorti.exe e1db465562.exe PID 3476 wrote to memory of 4804 3476 explorti.exe e1db465562.exe PID 3476 wrote to memory of 4804 3476 explorti.exe e1db465562.exe PID 3476 wrote to memory of 2816 3476 explorti.exe 3128f53eae.exe PID 3476 wrote to memory of 2816 3476 explorti.exe 3128f53eae.exe PID 3476 wrote to memory of 2816 3476 explorti.exe 3128f53eae.exe PID 2816 wrote to memory of 4844 2816 3128f53eae.exe firefox.exe PID 2816 wrote to memory of 4844 2816 3128f53eae.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4844 wrote to memory of 4952 4844 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe PID 4952 wrote to memory of 4384 4952 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe"C:\Users\Admin\AppData\Local\Temp\8462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\1000006001\e1db465562.exe"C:\Users\Admin\AppData\Local\Temp\1000006001\e1db465562.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBGHCAKKFB.exe"4⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\CBGHCAKKFB.exe"C:\Users\Admin\AppData\Local\Temp\CBGHCAKKFB.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2584 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"4⤵PID:2580
-
C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"C:\Users\Admin\AppData\Local\Temp\ECGDHDHJEB.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:424 -
C:\Users\Admin\AppData\Local\Temp\1000011001\3128f53eae.exe"C:\Users\Admin\AppData\Local\Temp\1000011001\3128f53eae.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account4⤵
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e84a54e-98d1-4c0e-8146-e475419056f2} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" gpu6⤵PID:4384
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 26671 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {511de0e9-4dae-4ad8-9e95-f3f0e017800b} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" socket6⤵PID:1848
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3092 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01fd64d7-7e03-4ba5-b2b9-6b0f0b1ce27b} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab6⤵PID:4788
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3580 -childID 2 -isForBrowser -prefsHandle 3548 -prefMapHandle 3576 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a562804-b06f-46a8-a618-dc5a444b2475} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab6⤵PID:3776
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4684 -prefMapHandle 4680 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9aeab9ea-616b-472c-876d-9d6e06431acd} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" utility6⤵
- Checks processor information in registry
PID:2208 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1699536e-5b46-4303-92c8-a9566870b8d8} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab6⤵PID:1300
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 4 -isForBrowser -prefsHandle 5716 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2773d3e-141e-46c2-a33b-075caa648c41} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab6⤵PID:4592
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5980 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5904 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43666f08-ea8a-4286-84f6-d40136322258} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab6⤵PID:3364
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1032
-
C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exeC:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4924
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD51306155981016c90bf873c3cdfddc453
SHA13e132ad607e26a8ff43529301dc2addde2e3e6a5
SHA256c25cb1962d999e882012219c3d8c8d97e07ac55cdcf3911de34569d64863934f
SHA512b9a794ba11dca431b64fe3308e5b427d4bfc5e949c54f3ce5893c810ba51f90964038c457bcd43644d6313f5c7e66bc23aa10cad70ab6d891753089b12655a9b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\activity-stream.discovery_stream.json.tmp
Filesize18KB
MD5ee3d690af22cde17283bddf3ca04783e
SHA158562a17439edfcdb75b60417f45f11d04b7682b
SHA256240eca30183962b815a02f6856aebcc2b496e54b38d7b199420a74ca59acdafc
SHA512614fa2c45a2ee434f541a671d77de190df0221064571f8660beac1ee6e5ba1978deabbd95eb07e1ae2e527f10c6d6c37299fbf9fd1172000454008d48ada24f6
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4i9bphnb.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A
Filesize13KB
MD51d4264851511d1d01e540ae69ae3c1ba
SHA12231ebbf9a4b7f38c11aad3d0640b961d7b518e6
SHA25676451bbcfed12cfb7967413e5708b6336a3ef45a30557bc4d9187eba501bdca3
SHA5127d29950da8d5eb0916dbda901ca6b9b853ad24d7f18bdcbbab20457db3138299fcfc50f2b882249178137eb037ef498c714518190cce8f18761e3e3528d268be
-
Filesize
2.4MB
MD5b5f67083e086299287f0dfb2a7bef96e
SHA1dccf58d99cd7153859d1ad5a1c3f7e348e2ebbb7
SHA2561b6722f558bf4483253663180682caec67066261bc0414d12d6e1622cb848d80
SHA51255c4f5d435a1a27e6c8e14c88e454da4dc2398076f4596a6f983184831db0119c58be9c82b8ddf5ef37265b65b5cea56e5963c871b2be0f8e88064224681d654
-
Filesize
1.2MB
MD5fd0b9abb452747cdf5b01aa567ba1bb6
SHA110964d022c5a21e53ec407facc763ba7b155b674
SHA2561c269084aaa81ff27f94106ab4572d394b2a467956f5bf0fff6fd130d00214d0
SHA512a0f6f551cbd3899044e2e6b7c47601b77fd1df92178cbdbb0a484f291aa656d2f71abc314870db7fe82cc06d0bc8af84887eaafd6f23faac3fec9e1db3730826
-
Filesize
1.8MB
MD55c680c61385dd58f4fc12a03b7faf3aa
SHA10ae6c6bb9d9a1175215187b487c9fd3a419c4680
SHA2568462138a8aa6167aa5c96c6a0ab0f49aac24bf4c0715c07a522d0c2a25aed1bc
SHA51210ced6edd0fb538d210a7aca9e29af1140d985d079826149c5cdddc3445775084cf599644fe567271da9e09db6006ce9513624ed14681be763baa84f57d9cf67
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin
Filesize8KB
MD5ac42c0499b1eca829e02be48a64333ed
SHA1683a0924d84d8d9fdcb7971ef814ea61f20d1d24
SHA25640c1c639401f0d6548eac1a811fa5d965d59b7de2bcb024893aab7de0a822251
SHA51221b69d1f8080a5748d947850a7c9095887db40ddacf30b598cd01366c95c12f438b715d5395b15bd9ae72df7c71b98f9f2f900f2be2f828be1e2a287be2b360b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\AlternateServices.bin
Filesize12KB
MD55c35a36896a3e14bb45992fdc80668dd
SHA1e3a407ecae34e82d8e0d9b8c749742d72dc6618c
SHA256283a010d7081f72cfc4b5116c5421156ae9184c466accd62d6d86797d5281020
SHA512fdc44316428a6cbf5686b502d6ff3e826c7b79efaff47c491b137b78733cba27d79442a55ae474670cfb521c2f5663cf0b950ad9e13fe68d5e3dece414213d32
-
Filesize
256KB
MD571257bc4673e1921714ebeef90d9b28a
SHA1f3e3e821fc3159d81dc30d9dc17320dce4cddeb9
SHA256be0672486a257054e4700a6e3d868c9e3f8b582c290d1449fc1c4bb7705225aa
SHA512f2a91b4ffeca477a0239e1d70019fc89e2686aaf7dd8d1ffc59a5d11fdc6bc66d4964d5b05839b06e665a9dbdc7159736bf1b7f2cc6c571294af87ab7a6a7cf1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize34KB
MD5a42f3f7ba347ca6a3e87fc4938b933ba
SHA16ef1a38475115c27462dae544ffc0614c66e48c9
SHA2560970fdaedcb77b7dbde3bf6b6843b2d98b253fb189106f146def5e731560770e
SHA512e159cd81721f652234c676e2502c3fb8757dcb94db6fd5d23082fa2288c821b8afcc37bc1f9cde448f7bdf88d0e72b34fe397fd168be608897a901575647cfcd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize23KB
MD5c194dcd6e490c982097eecd3caebb6bf
SHA10d639fd165541c9024474e1bd90306663d9f323b
SHA25625c98c26ce4e77428ab93a490d482dac912c071ef0a936cf7dd7af77eab3ff95
SHA51268fa1d7162bc1451bf3543f9678058fefa78989b9e357a769f452a19ded3058b274e24c66f8ff435cfbbd90ba2a26fc0fd8adf2f626050fa35d7eafdb7c67d82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\db\data.safe.tmp
Filesize22KB
MD51a19a8f94d9d883d7b74a990daee288e
SHA17f6815b4112586272ae3eb98fa72939d6f5e597a
SHA2565df6ab78867a33db79bcce20af2f87412f5cb2360929739699c0f50b7b609eb1
SHA512f62a0fc76a7da185021d61158bf77c88b00dd0ff686a00f32fd296cf2d82dc746a7c88ec0005a9927a5bcdf9c05f8d6279d1cff9363b248bff47ba5009e6ac85
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\7c550128-357b-4305-ab33-67d32d283738
Filesize982B
MD5e7eb1b9585b0109e76c7bdda1df1ca3d
SHA1b4d985c3009d65f1dadf1160d9c31ffada711c16
SHA256ede9c6669351f6c3c8b6d90e98f82f8cc9a284990bb6b237af53b655a8bac406
SHA5124cd41d4920c7368fe4b8a8e29673cf1b8d527b9a09e0858cfc1178b041f29ca5d4a58c359b9bb4f162425f05ae0fc73e10a4ac9fe86543bd07793f70a7e91c7c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\datareporting\glean\pending_pings\e9ff3b83-b95d-4895-8740-c9051182fa5b
Filesize659B
MD50809e33a897760a81cd22fa4eef613a4
SHA1f0a5d8a4e3ab02513e203645766a79e46d822dd8
SHA256d200074aa02535eb58a34848c41b32bae6a7707be7ffdf354780fc2fa339f7bb
SHA51252b5407794c24b34857381d7ed0bb873c60fd4080fddc8e3b6e55926668c4b978b2e701e372b469bd48b68de84fcbe60abc7fd58e622d53299cf376f4662363a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
992KB
MD597c358b42538023e3a79e4b49361279b
SHA1a8ce1a15322350f77ab876f385eab051472f3793
SHA2568fbaed39a08bd8d3fbd77ffd453284449685e9ea0d811c3c332c1fa28a7cf374
SHA5129182fd1161c65045bbfb752f755648d44df34604d12846cec97c336979949c0980291c16771a3308597113de96fb7eaad14234257ae653385c93e118c922a4e0
-
Filesize
12KB
MD56a654ac780907a2175dea82642dcb0f0
SHA10927f51735459e0a9f25ff2a91739658204b4672
SHA256306bf9c3dbeda9fa59e4ced8e33c261b227d38db146428a2decabaaacefdf6a1
SHA512f3a84c1a60dde3709304fc01390149e5ca25d577289c7b5bc012a73787d32e7c2a58f47763c1112170704beba3792548bd7ef1d8a5f1e088e79e160f225f27b9
-
Filesize
16KB
MD5ab09fac61cc386836516da7edf612310
SHA117fe5a60d78855969ae769f29b1673cb45302496
SHA25606948c61f8dad48d131f5be8318cf513fa14d8895780c4a0657e02a4590dfff1
SHA512d466e50f06e516162a5eb1136cedd34ae25d41346513b1e1a61e2de6d1877edcec58ccd022c00383e081d998723e8888643fbec0e360062801e60ff2950a639c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4i9bphnb.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize1.5MB
MD548907088ad6e0440e45de0902dc1428f
SHA1be618ef648d767ffd91f42a10c2cc745c3520741
SHA2566d0456d2ee065f3e2260f90732838f1046e45b209791ce22a9eb6750629392a7
SHA512dadcc3fb230813a079bc66dfabf8216b046ec2bd8dd09776aa7b7ef5dcedaf69df104b0f490039592ff3a4d3a1ab7467a320466a4982e483906122390c120b78