Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
31-08-2024 21:46
General
-
Target
e84f0350a855d40b6610c627bad7ae94c9c810f4cca955a578200a291dd68d9f.exe
-
Size
1.8MB
-
MD5
efcf09ebf92ae8885313639c8b96ef86
-
SHA1
b58f115381697fd69b7f92451ac3de35238c3be3
-
SHA256
e84f0350a855d40b6610c627bad7ae94c9c810f4cca955a578200a291dd68d9f
-
SHA512
4ef6179114dd3b781509461db6819baa6abdffca24a285b78057d0b4c5b7f32c7b5583969ab812ea7860569aaed31d2cf6d5e293a78f048bfb976f606b39465e
-
SSDEEP
49152:1cTgAtmrA3K2I0p/tUrLEGBwR/pyP4rI35U5a5b:14mrA3K2IEa5wRrrN5a
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
lumma
https://locatedblsoqp.shop/api
https://traineiwnqo.shop/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects ZharkBot payload 1 IoCs
ZharkBot is a botnet written C++.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZharkBot
ZharkBot is a botnet written C++.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 9 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 10 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 31 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Indirect Command Execution 1 TTPs 6 IoCs
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 46 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e84f0350a855d40b6610c627bad7ae94c9c810f4cca955a578200a291dd68d9f.exe"C:\Users\Admin\AppData\Local\Temp\e84f0350a855d40b6610c627bad7ae94c9c810f4cca955a578200a291dd68d9f.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\crypted.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\DX2JXSDxBW.exe"C:\Users\Admin\AppData\Roaming\DX2JXSDxBW.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\boAXiCXN0O.exe"C:\Users\Admin\AppData\Roaming\boAXiCXN0O.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000011001\joffer2.exe"C:\Users\Admin\AppData\Local\Temp\1000011001\joffer2.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000129001\Setup.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\Setup.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"C:\Users\Admin\AppData\Local\Temp\1000191001\BitcoinCore.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1000228001\PureSyncInst.exe"C:\Users\Admin\AppData\Local\Temp\1000228001\PureSyncInst.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\1000238002\Amadeus.exe"C:\Users\Admin\1000238002\Amadeus.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1000260001\Channel1.exe"C:\Users\Admin\AppData\Local\Temp\1000260001\Channel1.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
-
C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe"C:\Users\Admin\AppData\Local\Temp\1000262001\385107.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\7zSE9DE.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\7zSEBB3.tmp\Install.exe.\Install.exe /PsFGQdidqwCo "385107" /S6⤵
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 610⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\forfiles.exeforfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"8⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C powershell start-process -WindowStyle Hidden gpupdate.exe /force9⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell start-process -WindowStyle Hidden gpupdate.exe /force10⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force11⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"7⤵
- Indirect Command Execution
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True8⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True9⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True10⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bISIDNXXYteSJEZXLD" /SC once /ST 21:49:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zSEBB3.tmp\Install.exe\" W7 /JTTxdidPrG 385107 /S" /V1 /F7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000267001\52i.exe"C:\Users\Admin\AppData\Local\Temp\1000267001\52i.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 4885⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000277001\ovrflw.exe"C:\Users\Admin\AppData\Local\Temp\1000277001\ovrflw.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe"C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000241001\build.exe"C:\Users\Admin\AppData\Local\Temp\1000241001\build.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5260 -ip 52601⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwB1AGkAZABcAFQAeQBwAGUASQBkAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwB1AGkAZABcAFQAeQBwAGUASQBkAC4AZQB4AGUA1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Guid\TypeId.exeC:\Users\Admin\AppData\Roaming\Guid\TypeId.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ybyaxfggyzv.exe"C:\Users\Admin\AppData\Local\Temp\ybyaxfggyzv.exe"3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indirect Command Execution
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
425KB
MD5ced97d60021d4a0bfa03ee14ec384c12
SHA17af327df2a2d1e0e09034c2bdf6a47f788cec4e4
SHA2569e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951
SHA512af0a02daa759010a1edfc78f14c5fe321c10802d0b9df55b515fe501114af0835a05bbd5dd5e2167b4b1f39bb6da787343bf9141d5f811113f71749741b47811
-
Filesize
1KB
MD528854213fdaa59751b2b4cfe772289cc
SHA1fa7058052780f4b856dc2d56b88163ed55deb6ab
SHA2567c65fe71d47e0de69a15b95d1ee4b433c07a1d6f00f37dd32aee3666bb84a915
SHA5121e2c928242bdef287b1e8afe8c37427cfd3b7a83c37d4e00e45bcbaa38c9b0bf96f869a062c9bc6bb58ecd36e687a69b21d5b07803e6615a9b632922c1c5ace4
-
Filesize
15KB
MD597e3484907cd15b60e7e30ee57e37cdb
SHA1ba411b52a5a52136dcec65e27ae9ec7bb430b177
SHA256fb1b2b57dbae66d874bd9b27b28663a7ab73def050720fa1785b2a60aef7f14b
SHA512ae89ca3830c5dac27fa8e3e94d67b9c93899e21bb6d5dfed2f5d4de7e46adf41ab7d63a13e451c77cfd58404bb15e5cbc959eb95a39db1a175038e4697ee27a1
-
Filesize
314KB
MD56134586375c01f97f8777bae1bf5ed98
SHA14787fa996b75dbc54632cc321725ee62666868a1
SHA256414becb8aabd4e8c406e84df062bee1a45cffa334ae30022078cfa71da9e330d
SHA512652ed16d96b5700f105c2bab8e7258f167bc1615b6397be7340c08df7c977842844326e07fdef677aecfaf07263f99bb7968c9fc926e90e5a33d2ed793f8436b
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
6.3MB
MD54386df2790a9752e9cf0424dca91ad15
SHA122da8886a1bf7823fa759540cf88f3e3f1b42671
SHA256e2f0e525c66dba847bedf887398405348159ce607bc6cc826bef73651fd7135d
SHA5120afe4bf35665de41f96c3beeb13688428c840f4501fbc91285dbecf43e9204b2f921966194ea31655a48467620b7e364367684bb50274bd576955ca958b6fe9b
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
6.4MB
MD53b99c5464631ad74c76680196c3c64d9
SHA1d631bc593e3e76215f15c4cd8244828225c12329
SHA25633a7fabaceac3e73239ced3eec7c67fa0f17987e4d03fef30161b06564f6d8f9
SHA512e24c258fe8416f3be43c2e37f2cad6561c5a3b501b59e430193360c20bc0c6eb9fc52224f5f844d9f8a6bae2092a1b9208a79f0cbd6fbdc1faf0738b15bdd491
-
Filesize
13.0MB
MD51a8d05f20424f5bddfe29cd84afec17a
SHA1f81a09b08c53b8f76ea6cf2e821bea65f8c9c213
SHA256f1ecef25154188e919750404135580041edd3b9e608ff8ca311199e1fa11c912
SHA5126d4dfe1f8f150371860cef26d63223a67f887307fdbd8d244e7f2610a07a0a16e70653f457095d1aa204b54c370d1a241e6c5ca398858c6495dec64fc6ca50cb
-
Filesize
9.2MB
MD5366eb232ccb1d3d063e8074f8c4b529f
SHA113e30ac58cfc74cb05edaf0074eb09927ab5a9fa
SHA25633d866c385c3d05981986f7e3d56eac4966821813d216670d37aa7af7c30d62c
SHA5120a9c2acbf9ef27345efeadda579fea582b3299f96078b9a2959bad5e87a0e7840949518fd905c82cb49b8ed604d93b404fdf85a11d71de1e1ba3dba9c0abab6f
-
Filesize
539KB
MD54d40ebb93aa34bf94d303c07c6a7e5e5
SHA19333bc5b3f78f0a3cca32e1f6a90af8064bf8a81
SHA256ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5
SHA5129cdce881809159ad07d99e9691c1457e7888aa96cf0ea93a19eea105b9db928f8f61c8de98c3b9179556b528fde4eb790d59e954db8a86799aecb38461741d3a
-
Filesize
413KB
MD505c1baaa01bd0aa0ccb5ec1c43a7d853
SHA1e47d7f53987eb147f599321c858fe8d71ebc0d71
SHA2569998d38b192309056d5109ac27a8b13f2b36fc27bac9ebdf5385452b2c1b0cdb
SHA512996450fc8c8b702327eacfe2eb819c86baccf4d49f2eb58d3dd2b3ce35733f1e00857ac71b290bc99db71baab08d7d7b22ef5223504c93b26ade0df6c9369501
-
Filesize
6.3MB
MD5caff8b55cce4de6920096046f80ca991
SHA14d6ca5d42bf49e45cce7222dd4e35f4b5be7f563
SHA256ed8342a9e176e5aad2554216077fc94b9bf541acfb518736bdc1883630da159e
SHA512ae8a316e9740db4b4fdb4e3dd3701bcd87593e9a51693d76672b5c21c806840f5bfa01364839711c33529684e0d40d3bbf9695665974811f0e5e114b1d1303e6
-
Filesize
7.3MB
MD547c9157e7c6abb97ad9ecd6526724a9a
SHA1eea340a7ae660f1858562e3fcd7d72a930497d8e
SHA25612e4e6b6ddadf32f974df08ecb92708af2d0c02ca6b500f1addeb546c62c4b06
SHA5123d061ca259f756e8d4d882997256e7a8d5ede799321fa4f4e6c84d256f6d30aa462a9e6b3c7f5c92c14b284dcd23f7caf89fee76cb8eea9b40c3feff2f37ead7
-
Filesize
715KB
MD54d190c235680b3e4481e4d7685e9a118
SHA117c5654e4077f9e0dd8e17e92e36696bed55557a
SHA2564083f1ea732fd45abe2f648f824be39e3e511a59179fa7c8349d7f7f75e3d3b4
SHA512517807dd7345c926cfc2e58d883764368c723900871ab358949a09bb6b23dcaef1a8db8096ebb2df08112e6914f893cdcc0b5fa8b78bc70008390598353ba771
-
Filesize
319KB
MD50ec1f7cc17b6402cd2df150e0e5e92ca
SHA18405b9bf28accb6f1907fbe28d2536da4fba9fc9
SHA2564c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4
SHA5127caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861
-
Filesize
6KB
MD5307dca9c775906b8de45869cabe98fcd
SHA12b80c3a2fd4a235b2cc9f89315a554d0721c0dd1
SHA2568437bd0ef46a19c9a7c294c53e0429b40e76ebbd5fe9fd73a9025752495ddb1c
SHA51280c03f7add3a33a5df7b1f1665253283550dac484d26339ecd85672fb506dce44bd0bf96275d5c41a2e7369c3b604de377b7f5985d7d0d76c7ac663d60a67a1c
-
Filesize
1.4MB
MD53adfc7cf1e296c6fb703991c5233721d
SHA1fddd2877ce7952b91c3f841ca353235d6d8eea67
SHA2566bc23179d079d220337ede270113d4a474b549f5f0c7fd57f3d33d318f7ae471
SHA5125136525626c3021baf8d35be0d76473cc03bfe2433682d613650b8e4bb444f767d2d14ac0070ce46c4c220e0a71a8f2e789e4e684e2042bd78b60f68f35a652b
-
Filesize
80KB
MD5ada5ade3481ad21f92d9deeb14d19a84
SHA15388635b43def7f4f577751c4986de6e426d9916
SHA256ca78ff6700db1520a57090fb58b8fb290fc46d92daaf23ad2530d2ed9f2f1b06
SHA5124b867b5078c16e04db16812e438a99f17e39af36b36571be9b56899172926b9beb97620a89f10264465086b4094293e5a71aec6bcf9d6f62c3e18e4fa33c834a
-
Filesize
1.8MB
MD5efcf09ebf92ae8885313639c8b96ef86
SHA1b58f115381697fd69b7f92451ac3de35238c3be3
SHA256e84f0350a855d40b6610c627bad7ae94c9c810f4cca955a578200a291dd68d9f
SHA5124ef6179114dd3b781509461db6819baa6abdffca24a285b78057d0b4c5b7f32c7b5583969ab812ea7860569aaed31d2cf6d5e293a78f048bfb976f606b39465e
-
Filesize
6.4MB
MD581e626eb37a48ec3a73d93155626fe6a
SHA1b79652cb27c3186495a91c7094cb80a68244c3fc
SHA25611c609e10df00e4a2540a0517dde29edc2ad0b5bcea00461bfcf890fe731368e
SHA512ef04d8efcf4672bd69e79f8f477f61e30011ef774472f99373986d51a60d763a5a91e48d3e6ba75adab7fafeb729e12a24e84d442472f29ceb8537ab04171e6d
-
Filesize
6.7MB
MD5523c9df50948340df2e82213b22c72b7
SHA19260e4afb910e4f0c98aad1bf8b9bc31f5d7467f
SHA25626f9eafb7869a2bfa9af2ede0363c2a41af6839c4263f6c107ab723de9dd2e37
SHA51228432c1fe74d0f74f3b2edce9cdb2a987e170cd19738384ca63be432108d17d636fc78fc4d55a84b36f7c19ea1999988cd488798064daef986784d6eb4e92c32
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
300.0MB
MD5736e5c3ccbcb6b277e629a416e012aa8
SHA1d2c6c17b623976c3314ebabb7f2704a1262785f3
SHA25694d6549cb8f69e5d938ebe348ea82a2292ec8ee3a5b483e1e1699ab23e123a20
SHA5124e9bd816651b471d9acf47220279bd9740811ea244ea848fb42e990822da0494c892343f9c430c2a91c2d0da6f3113ec8494917548f78e6098a4f9443fde80fe
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714
-
Filesize
2KB
MD593b7ac68ba442420f36c031c6befb116
SHA1896c086503cb553c026133d6d4c0f9e61ca430b4
SHA2565ad78606af1bf42608de3e92731c4e53bf46eaf838e0c8091ea40376281dc5d0
SHA5120cf4eec953f56c3e86dabae1c930abde7012b5b539859bb5177d4423ad1a5c8dcd12bcd158e5050c813659c44e263ee757cc8177f3abdbf0bf70db61351a4201
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
2KB
MD5fa94888e2a41442629317ff50fdd654f
SHA149841253c535b624e997f24133947c17f4409394
SHA256a728fa30af9d9d034457e6c1b3d7e610546a2889cf888d237b77a176f702c250
SHA512b1933dcbadf6daf1e7d3f79e4a417ca4abf062b2b4848bc532dc0320da47b9ed0106a6611e0b0ded0be31d3e2cf628a871215185658a01a2a1f38859598d56dc
-
Filesize
2KB
MD5c4a0d7cf2725331ec1660f4215c5bbc1
SHA18d2137b41c12331958859d76c1dc2640f9d8efd8
SHA25605097e66a4cce22d99bd43f8b4116b346e84ff376ea44bf42a62c8accc5d2d3d
SHA5126eb6ffbcc43a9fd58a23429c76bb2738a148612ca687fe884e791649ff7e94732e4514c022ffe9f2657a7bb40d683ecda3f470f522478f4707e690b685a209b5
-
Filesize
568KB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
304KB
-
Filesize
440KB
-
Filesize
336KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
1.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
13.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
1.4MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
328KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
560KB
-
Filesize
240KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
972KB
-
Filesize
304KB
-
Filesize
736KB
-
Filesize
336KB
-
Filesize
344KB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
5.2MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
328KB
-
Filesize
5.6MB
-
Filesize
240KB
-
Filesize
320KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
520KB
-
Filesize
448KB
-
Filesize
568KB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
68KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
336KB