amadey | 0ec6f1e4ea70e94d4b6245ecb1ca8953515e41ad631af0fbdad75c2ab14c36e8

Virtualization/Sandbox Evasion

Processes:

fddcf49860999a5147f34179c07c4bc6.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fddcf49860999a5147f34179c07c4bc6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

392 netsh.exe
4676 netsh.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
392	netsh.exe
4676	netsh.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

axplong.exeaxplong.exefddcf49860999a5147f34179c07c4bc6.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fddcf49860999a5147f34179c07c4bc6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fddcf49860999a5147f34179c07c4bc6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

fddcf49860999a5147f34179c07c4bc6.exeaxplong.exeRegAsm.exegawdth.execlamer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	fddcf49860999a5147f34179c07c4bc6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	gawdth.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	clamer.exe

Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
collection

Clipboard Data
T1115

Processes:

cmd.exepowershell.exe

pid process

2976 cmd.exe
2240 powershell.exe

pid	process
2976	cmd.exe
2240	powershell.exe

Drops startup file 2 IoCs

Processes:

2020.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe	2020.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.exe	2020.exe

Executes dropped EXE 21 IoCs

Processes:

axplong.exebuild.exestub.execrypted.exe5447jsX.execrypteda.exekJ3WE5kxeR.exeCSjUBJsJQG.exe2.exe25072023.exeaxplong.exepered.exepered.exe2020.exe2020.exeBlsvr.exegawdth.execlamer.exelofsawd.exeaxplong.exejdwcui.exe

pid	process
4992	axplong.exe
2536	build.exe
3692	stub.exe
392	crypted.exe
244	5447jsX.exe
4508	crypteda.exe
3564	kJ3WE5kxeR.exe
4024	CSjUBJsJQG.exe
3172	2.exe
2984	25072023.exe
2824	axplong.exe
3916	pered.exe
3708	pered.exe
6120	2020.exe
5960	2020.exe
5804	Blsvr.exe
5712	gawdth.exe
5512	clamer.exe
5428	lofsawd.exe
1564	axplong.exe
5384	jdwcui.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

persistence privilege_escalation

Processes:

fddcf49860999a5147f34179c07c4bc6.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine	fddcf49860999a5147f34179c07c4bc6.exe
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Wine	axplong.exe

Loads dropped DLL 64 IoCs

Processes:

stub.exeRegAsm.exepered.exe2020.exe

pid	process
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
3692	stub.exe
4204	RegAsm.exe
4204	RegAsm.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
3708	pered.exe
5960	2020.exe
5960	2020.exe
5960	2020.exe
5960	2020.exe
5960	2020.exe
5960	2020.exe
5960	2020.exe
5960	2020.exe
5960	2020.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

26 raw.githubusercontent.com
28 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com
91 ipinfo.io
92 ipinfo.io
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

cmd.exeARP.EXE

pid process

1324 cmd.exe
4868 ARP.EXE
Power Settings 1 TTPs 5 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

cmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2844 cmd.exe
4100 powercfg.exe
4552 powercfg.exe
1656 powercfg.exe
3500 powercfg.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

1440 tasklist.exe
4792 tasklist.exe
4384 tasklist.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

4592 cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

fddcf49860999a5147f34179c07c4bc6.exeaxplong.exeaxplong.exepered.exeaxplong.exe

pid process

568 fddcf49860999a5147f34179c07c4bc6.exe
4992 axplong.exe
2824 axplong.exe
3708 pered.exe
1564 axplong.exe

flow	ioc
26	raw.githubusercontent.com
28	raw.githubusercontent.com

flow	ioc
24	ip-api.com
91	ipinfo.io
92	ipinfo.io

pid	process
1324	cmd.exe
4868	ARP.EXE

pid	process
2844	cmd.exe
4100	powercfg.exe
4552	powercfg.exe
1656	powercfg.exe
3500	powercfg.exe

pid	process
1440	tasklist.exe
4792	tasklist.exe
4384	tasklist.exe

pid	process
4592	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

crypted.exe5447jsX.execrypteda.exeBlsvr.exe

description	pid	process	target process
PID 392 set thread context of 3284	392	crypted.exe	RegAsm.exe
PID 244 set thread context of 4204	244	5447jsX.exe	RegAsm.exe
PID 4508 set thread context of 1220	4508	crypteda.exe	RegAsm.exe
PID 5804 set thread context of 3172	5804	Blsvr.exe	conhost.exe

Drops file in Windows directory 2 IoCs

Processes:

fddcf49860999a5147f34179c07c4bc6.exelofsawd.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	fddcf49860999a5147f34179c07c4bc6.exe
File created	C:\Windows\Tasks\Test Task17.job	lofsawd.exe

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4876 sc.exe
3284 sc.exe
4908 sc.exe
1252 sc.exe
440 sc.exe
784 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
4876	sc.exe
3284	sc.exe
4908	sc.exe
1252	sc.exe
440	sc.exe
784	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1404 3172 WerFault.exe 2.exe

pid	pid_target	process	target process
1404	3172	WerFault.exe	2.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegAsm.exe5447jsX.exelofsawd.exeaxplong.execrypted.exeCSjUBJsJQG.exe2.execrypteda.exeRegAsm.exekJ3WE5kxeR.exejdwcui.exefddcf49860999a5147f34179c07c4bc6.exeRegAsm.exe25072023.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5447jsX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lofsawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSjUBJsJQG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypteda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kJ3WE5kxeR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdwcui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fddcf49860999a5147f34179c07c4bc6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25072023.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.exe

pid process

764 cmd.exe
4624 netsh.exe
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
discovery

System Network Connections Discovery
T1049

Processes:

NETSTAT.EXE

pid process

2548 NETSTAT.EXE

pid	process
764	cmd.exe
4624	netsh.exe

pid	process
2548	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

5004 WMIC.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

2548 NETSTAT.EXE
3596 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4580 systeminfo.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4132 taskkill.exe

pid	process
5004	WMIC.exe

pid	process
2548	NETSTAT.EXE
3596	ipconfig.exe

pid	process
4580	systeminfo.exe

pid	process
4132	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

25072023.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	25072023.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	25072023.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4168 schtasks.exe

pid	process
4168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fddcf49860999a5147f34179c07c4bc6.exeaxplong.exepowershell.exeRegAsm.exekJ3WE5kxeR.exeCSjUBJsJQG.exeRegAsm.exe25072023.exeaxplong.exeaxplong.exeBlsvr.execonhost.exe

pid	process
568	fddcf49860999a5147f34179c07c4bc6.exe
568	fddcf49860999a5147f34179c07c4bc6.exe
4992	axplong.exe
4992	axplong.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
4204	RegAsm.exe
4204	RegAsm.exe
3564	kJ3WE5kxeR.exe
3564	kJ3WE5kxeR.exe
4024	CSjUBJsJQG.exe
4024	CSjUBJsJQG.exe
3284	RegAsm.exe
3284	RegAsm.exe
4204	RegAsm.exe
4204	RegAsm.exe
3284	RegAsm.exe
3284	RegAsm.exe
3284	RegAsm.exe
3284	RegAsm.exe
2984	25072023.exe
2984	25072023.exe
2824	axplong.exe
2824	axplong.exe
2984	25072023.exe
2984	25072023.exe
2984	25072023.exe
2984	25072023.exe
1564	axplong.exe
1564	axplong.exe
5804	Blsvr.exe
5804	Blsvr.exe
5804	Blsvr.exe
5804	Blsvr.exe
5804	Blsvr.exe
5804	Blsvr.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe
3172	conhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetasklist.exetaskkill.exetasklist.exepowershell.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe
Token: SeDebugPrivilege	2892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2892	WMIC.exe
Token: SeRemoteShutdownPrivilege	2892	WMIC.exe
Token: SeUndockPrivilege	2892	WMIC.exe
Token: SeManageVolumePrivilege	2892	WMIC.exe
Token: 33	2892	WMIC.exe
Token: 34	2892	WMIC.exe
Token: 35	2892	WMIC.exe
Token: 36	2892	WMIC.exe
Token: SeDebugPrivilege	1440	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2892	WMIC.exe
Token: SeSecurityPrivilege	2892	WMIC.exe
Token: SeTakeOwnershipPrivilege	2892	WMIC.exe
Token: SeLoadDriverPrivilege	2892	WMIC.exe
Token: SeSystemProfilePrivilege	2892	WMIC.exe
Token: SeSystemtimePrivilege	2892	WMIC.exe
Token: SeProfSingleProcessPrivilege	2892	WMIC.exe
Token: SeIncBasePriorityPrivilege	2892	WMIC.exe
Token: SeCreatePagefilePrivilege	2892	WMIC.exe
Token: SeBackupPrivilege	2892	WMIC.exe
Token: SeRestorePrivilege	2892	WMIC.exe
Token: SeShutdownPrivilege	2892	WMIC.exe
Token: SeDebugPrivilege	2892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2892	WMIC.exe
Token: SeRemoteShutdownPrivilege	2892	WMIC.exe
Token: SeUndockPrivilege	2892	WMIC.exe
Token: SeManageVolumePrivilege	2892	WMIC.exe
Token: 33	2892	WMIC.exe
Token: 34	2892	WMIC.exe
Token: 35	2892	WMIC.exe
Token: 36	2892	WMIC.exe
Token: SeDebugPrivilege	4132	taskkill.exe
Token: SeDebugPrivilege	4792	tasklist.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	WMIC.exe
Token: SeSecurityPrivilege	5004	WMIC.exe
Token: SeTakeOwnershipPrivilege	5004	WMIC.exe
Token: SeLoadDriverPrivilege	5004	WMIC.exe
Token: SeSystemProfilePrivilege	5004	WMIC.exe
Token: SeSystemtimePrivilege	5004	WMIC.exe
Token: SeProfSingleProcessPrivilege	5004	WMIC.exe
Token: SeIncBasePriorityPrivilege	5004	WMIC.exe
Token: SeCreatePagefilePrivilege	5004	WMIC.exe
Token: SeBackupPrivilege	5004	WMIC.exe
Token: SeRestorePrivilege	5004	WMIC.exe
Token: SeShutdownPrivilege	5004	WMIC.exe
Token: SeDebugPrivilege	5004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5004	WMIC.exe
Token: SeRemoteShutdownPrivilege	5004	WMIC.exe
Token: SeUndockPrivilege	5004	WMIC.exe
Token: SeManageVolumePrivilege	5004	WMIC.exe
Token: 33	5004	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fddcf49860999a5147f34179c07c4bc6.exeaxplong.exebuild.exestub.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execrypted.execmd.execmd.exe

description	pid	process	target process
PID 568 wrote to memory of 4992	568	fddcf49860999a5147f34179c07c4bc6.exe	axplong.exe
PID 568 wrote to memory of 4992	568	fddcf49860999a5147f34179c07c4bc6.exe	axplong.exe
PID 568 wrote to memory of 4992	568	fddcf49860999a5147f34179c07c4bc6.exe	axplong.exe
PID 4992 wrote to memory of 2536	4992	axplong.exe	build.exe
PID 4992 wrote to memory of 2536	4992	axplong.exe	build.exe
PID 2536 wrote to memory of 3692	2536	build.exe	stub.exe
PID 2536 wrote to memory of 3692	2536	build.exe	stub.exe
PID 3692 wrote to memory of 1096	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 1096	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 4384	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 4384	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 4484	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 4484	3692	stub.exe	cmd.exe
PID 4384 wrote to memory of 2892	4384	cmd.exe	WMIC.exe
PID 4384 wrote to memory of 2892	4384	cmd.exe	WMIC.exe
PID 4484 wrote to memory of 1440	4484	cmd.exe	tasklist.exe
PID 4484 wrote to memory of 1440	4484	cmd.exe	tasklist.exe
PID 3692 wrote to memory of 4592	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 4592	3692	stub.exe	cmd.exe
PID 4592 wrote to memory of 1460	4592	cmd.exe	attrib.exe
PID 4592 wrote to memory of 1460	4592	cmd.exe	attrib.exe
PID 3692 wrote to memory of 3684	3692	stub.exe	Conhost.exe
PID 3692 wrote to memory of 3684	3692	stub.exe	Conhost.exe
PID 3692 wrote to memory of 1188	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 1188	3692	stub.exe	cmd.exe
PID 1188 wrote to memory of 4132	1188	cmd.exe	taskkill.exe
PID 1188 wrote to memory of 4132	1188	cmd.exe	taskkill.exe
PID 3692 wrote to memory of 4796	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 4796	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 2976	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 2976	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 232	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 232	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 4676	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 4676	3692	stub.exe	cmd.exe
PID 4992 wrote to memory of 392	4992	axplong.exe	crypted.exe
PID 4992 wrote to memory of 392	4992	axplong.exe	crypted.exe
PID 4992 wrote to memory of 392	4992	axplong.exe	crypted.exe
PID 4796 wrote to memory of 4792	4796	cmd.exe	tasklist.exe
PID 4796 wrote to memory of 4792	4796	cmd.exe	tasklist.exe
PID 2976 wrote to memory of 2240	2976	cmd.exe	powershell.exe
PID 2976 wrote to memory of 2240	2976	cmd.exe	powershell.exe
PID 232 wrote to memory of 3904	232	cmd.exe	chcp.com
PID 232 wrote to memory of 3904	232	cmd.exe	chcp.com
PID 4676 wrote to memory of 2160	4676	cmd.exe	chcp.com
PID 4676 wrote to memory of 2160	4676	cmd.exe	chcp.com
PID 392 wrote to memory of 3284	392	crypted.exe	RegAsm.exe
PID 392 wrote to memory of 3284	392	crypted.exe	RegAsm.exe
PID 392 wrote to memory of 3284	392	crypted.exe	RegAsm.exe
PID 392 wrote to memory of 3284	392	crypted.exe	RegAsm.exe
PID 392 wrote to memory of 3284	392	crypted.exe	RegAsm.exe
PID 392 wrote to memory of 3284	392	crypted.exe	RegAsm.exe
PID 392 wrote to memory of 3284	392	crypted.exe	RegAsm.exe
PID 392 wrote to memory of 3284	392	crypted.exe	RegAsm.exe
PID 3692 wrote to memory of 1324	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 1324	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 764	3692	stub.exe	cmd.exe
PID 3692 wrote to memory of 764	3692	stub.exe	cmd.exe
PID 1324 wrote to memory of 4580	1324	cmd.exe	systeminfo.exe
PID 1324 wrote to memory of 4580	1324	cmd.exe	systeminfo.exe
PID 764 wrote to memory of 4624	764	cmd.exe	netsh.exe
PID 764 wrote to memory of 4624	764	cmd.exe	netsh.exe
PID 4992 wrote to memory of 244	4992	axplong.exe	5447jsX.exe
PID 4992 wrote to memory of 244	4992	axplong.exe	5447jsX.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1460 attrib.exe

pid	process
1460	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\fddcf49860999a5147f34179c07c4bc6.exe
"C:\Users\Admin\AppData\Local\Temp\fddcf49860999a5147f34179c07c4bc6.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\onefile_2536_133664677398941277\stub.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\build.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
6⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\tasklist.exe
tasklist
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe""
6⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\MonsterUpdateService\Monster.exe"
7⤵
- Views/modifies file attributes
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('%error_message%', 0, 'System Error', 0+16);close()""
6⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
6⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
7⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
6⤵
- Clipboard Data
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
7⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
6⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\system32\chcp.com
chcp
7⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "chcp"
6⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\chcp.com
chcp
7⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
6⤵
- Network Service Discovery
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\systeminfo.exe
systeminfo
7⤵
- Gathers system information
PID:4580

C:\Windows\system32\HOSTNAME.EXE
hostname
7⤵
PID:3124

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
7⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\system32\net.exe
net user
7⤵
PID:1784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
8⤵
PID:3892

C:\Windows\system32\query.exe
query user
7⤵
PID:3748

C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
8⤵
PID:1460

C:\Windows\system32\net.exe
net localgroup
7⤵
PID:416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
8⤵
PID:1236

C:\Windows\system32\net.exe
net localgroup administrators
7⤵
PID:1404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
8⤵
PID:4044

C:\Windows\system32\net.exe
net user guest
7⤵
PID:4828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
8⤵
PID:3764

C:\Windows\system32\net.exe
net user administrator
7⤵
PID:1820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
8⤵
PID:5072

C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
7⤵
PID:2120

C:\Windows\system32\tasklist.exe
tasklist /svc
7⤵
- Enumerates processes with tasklist
PID:4384

C:\Windows\system32\ipconfig.exe
ipconfig /all
7⤵
- Gathers network information
PID:3596

C:\Windows\system32\ROUTE.EXE
route print
7⤵
PID:2784

C:\Windows\system32\ARP.EXE
arp -a
7⤵
- Network Service Discovery
PID:4868

C:\Windows\system32\NETSTAT.EXE
netstat -ano
7⤵
- System Network Connections Discovery
- Gathers network information
PID:2548

C:\Windows\system32\sc.exe
sc query type= service state= all
7⤵
- Launches sc.exe
PID:1252

C:\Windows\system32\netsh.exe
netsh firewall show state
7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:392

C:\Windows\system32\netsh.exe
netsh firewall show config
7⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
6⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\netsh.exe
netsh wlan show profiles
7⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:4896

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
6⤵
PID:3232

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3284

C:\Users\Admin\AppData\Local\Temp\1000003001\5447jsX.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\5447jsX.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:3684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:1220

C:\Users\Admin\AppData\Roaming\kJ3WE5kxeR.exe
"C:\Users\Admin\AppData\Roaming\kJ3WE5kxeR.exe"
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3564

C:\Users\Admin\AppData\Roaming\CSjUBJsJQG.exe
"C:\Users\Admin\AppData\Roaming\CSjUBJsJQG.exe"
6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4024

C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\2.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 356
5⤵
- Program crash
PID:1404

C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe
"C:\Users\Admin\AppData\Local\Temp\1000009001\25072023.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"
4⤵
- Executes dropped EXE
PID:3916

C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe
"C:\Users\Admin\AppData\Local\Temp\1000010001\pered.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:968

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 10 /tn MyTask /tr "\"C:\Users\Admin\AppData\Roaming\Suh\jre8\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\Suh\client.jar\"" /F
6⤵
- Scheduled Task/Job: Scheduled Task
PID:4168

C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"
4⤵
- Executes dropped EXE
PID:6120

C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe
"C:\Users\Admin\AppData\Local\Temp\1000012001\2020.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
PID:5960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
6⤵
PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\_MEI61202\Blsvr.exe
6⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\_MEI61202\Blsvr.exe
C:\Users\Admin\AppData\Local\Temp\_MEI61202\Blsvr.exe
7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5804

C:\Users\Admin\AppData\Local\Temp\1000014001\gawdth.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\gawdth.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
5⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
clamer.exe -priverdD
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:5512

C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe"
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5428

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
PID:5128

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:440

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:784

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4876

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3284

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4908

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:2844

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Power Settings
PID:4100

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Power Settings
PID:4552

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Power Settings
PID:1656

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Power Settings
PID:3500

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3172 -ip 3172
1⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\ProgramData\hnpfnv\jdwcui.exe
C:\ProgramData\hnpfnv\jdwcui.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion