amadey | 52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3

Analysis

max time kernel
147s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
31-08-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe
Size

1.8MB
MD5

6b3cbcc189028d6353f614c99228a679
SHA1

433ed3a2e4269c00258abb2571f88b6edaf7481b
SHA256

52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3
SHA512

b94ce92219e5ac4029cb5089131ab70e7b06acc0259e00c2ce721d9bec25d981698e6296b8db802b7203cec09f98e54af9c86904685521cdc49e7df661390e73
SSDEEP

49152:jnM7d2Ma9edXEFXYF9wrZdKOJhii6oz2dtCU7NM:jnUzaaEFc9AnhtmtCz

Score

10^/10

amadey zharkbot 1176f2 fed3aa botnet credential_access discovery evasion execution persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

http://185.215.113.19

Attributes

install_dir
417fd29867
install_file
ednfoki.exe
strings_key
183201dc3defc4394182b4bff63c4065
url_paths
/CoreOPT/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral2/files/0x000100000002aad6-418.dat	zharkcore

ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5876	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe

Executes dropped EXE 11 IoCs

pid	Process
4740	axplong.exe
1764	Amadeus.exe
876	axplong.exe
2192	runtime.exe
4976	52i.exe
952	kitty.exe
4024	loli.exe
5248	TypeId.exe
5880	jyqwtii.exe
5916	axplong.exe
3552	axplong.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Wine	axplong.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe = "C:\\Users\\Admin\\1000238002\\Amadeus.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\IlluminatedControls = "C:\\Users\\Admin\\Pictures\\Illumination.pif"	runtime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	loli.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1948	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe
4740	axplong.exe
876	axplong.exe
5916	axplong.exe
3552	axplong.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 3496	2192	runtime.exe	87
PID 5248 set thread context of 5784	5248	TypeId.exe	102

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4784	952	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amadeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kitty.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1948	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe
1948	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe
4740	axplong.exe
4740	axplong.exe
876	axplong.exe
876	axplong.exe
5876	powershell.exe
5876	powershell.exe
5784	MSBuild.exe
5784	MSBuild.exe
5784	MSBuild.exe
5784	MSBuild.exe
5784	MSBuild.exe
5880	jyqwtii.exe
5916	axplong.exe
5916	axplong.exe
3552	axplong.exe
3552	axplong.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	runtime.exe
Token: SeIncreaseQuotaPrivilege	5636	WMIC.exe
Token: SeSecurityPrivilege	5636	WMIC.exe
Token: SeTakeOwnershipPrivilege	5636	WMIC.exe
Token: SeLoadDriverPrivilege	5636	WMIC.exe
Token: SeSystemProfilePrivilege	5636	WMIC.exe
Token: SeSystemtimePrivilege	5636	WMIC.exe
Token: SeProfSingleProcessPrivilege	5636	WMIC.exe
Token: SeIncBasePriorityPrivilege	5636	WMIC.exe
Token: SeCreatePagefilePrivilege	5636	WMIC.exe
Token: SeBackupPrivilege	5636	WMIC.exe
Token: SeRestorePrivilege	5636	WMIC.exe
Token: SeShutdownPrivilege	5636	WMIC.exe
Token: SeDebugPrivilege	5636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5636	WMIC.exe
Token: SeRemoteShutdownPrivilege	5636	WMIC.exe
Token: SeUndockPrivilege	5636	WMIC.exe
Token: SeManageVolumePrivilege	5636	WMIC.exe
Token: 33	5636	WMIC.exe
Token: 34	5636	WMIC.exe
Token: 35	5636	WMIC.exe
Token: 36	5636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5636	WMIC.exe
Token: SeSecurityPrivilege	5636	WMIC.exe
Token: SeTakeOwnershipPrivilege	5636	WMIC.exe
Token: SeLoadDriverPrivilege	5636	WMIC.exe
Token: SeSystemProfilePrivilege	5636	WMIC.exe
Token: SeSystemtimePrivilege	5636	WMIC.exe
Token: SeProfSingleProcessPrivilege	5636	WMIC.exe
Token: SeIncBasePriorityPrivilege	5636	WMIC.exe
Token: SeCreatePagefilePrivilege	5636	WMIC.exe
Token: SeBackupPrivilege	5636	WMIC.exe
Token: SeRestorePrivilege	5636	WMIC.exe
Token: SeShutdownPrivilege	5636	WMIC.exe
Token: SeDebugPrivilege	5636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5636	WMIC.exe
Token: SeRemoteShutdownPrivilege	5636	WMIC.exe
Token: SeUndockPrivilege	5636	WMIC.exe
Token: SeManageVolumePrivilege	5636	WMIC.exe
Token: 33	5636	WMIC.exe
Token: 34	5636	WMIC.exe
Token: 35	5636	WMIC.exe
Token: 36	5636	WMIC.exe
Token: SeDebugPrivilege	4976	52i.exe
Token: SeDebugPrivilege	5876	powershell.exe
Token: SeDebugPrivilege	5248	TypeId.exe
Token: SeDebugPrivilege	5784	MSBuild.exe
Token: SeDebugPrivilege	5880	jyqwtii.exe
Token: SeBackupPrivilege	5880	jyqwtii.exe
Token: SeSecurityPrivilege	5880	jyqwtii.exe
Token: SeSecurityPrivilege	5880	jyqwtii.exe
Token: SeSecurityPrivilege	5880	jyqwtii.exe
Token: SeSecurityPrivilege	5880	jyqwtii.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1948	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 4740	1948	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe	82
PID 1948 wrote to memory of 4740	1948	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe	82
PID 1948 wrote to memory of 4740	1948	52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe	82
PID 4740 wrote to memory of 1764	4740	axplong.exe	84
PID 4740 wrote to memory of 1764	4740	axplong.exe	84
PID 4740 wrote to memory of 1764	4740	axplong.exe	84
PID 4740 wrote to memory of 2192	4740	axplong.exe	86
PID 4740 wrote to memory of 2192	4740	axplong.exe	86
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 2192 wrote to memory of 3496	2192	runtime.exe	87
PID 1764 wrote to memory of 4976	1764	Amadeus.exe	88
PID 1764 wrote to memory of 4976	1764	Amadeus.exe	88
PID 1764 wrote to memory of 952	1764	Amadeus.exe	89
PID 1764 wrote to memory of 952	1764	Amadeus.exe	89
PID 1764 wrote to memory of 952	1764	Amadeus.exe	89
PID 1764 wrote to memory of 4024	1764	Amadeus.exe	93
PID 1764 wrote to memory of 4024	1764	Amadeus.exe	93
PID 4024 wrote to memory of 5640	4024	loli.exe	94
PID 4024 wrote to memory of 5640	4024	loli.exe	94
PID 5640 wrote to memory of 5636	5640	cmd.exe	97
PID 5640 wrote to memory of 5636	5640	cmd.exe	97
PID 5640 wrote to memory of 4144	5640	cmd.exe	98
PID 5640 wrote to memory of 4144	5640	cmd.exe	98
PID 5248 wrote to memory of 5784	5248	TypeId.exe	102
PID 5248 wrote to memory of 5784	5248	TypeId.exe	102
PID 5248 wrote to memory of 5784	5248	TypeId.exe	102
PID 5248 wrote to memory of 5784	5248	TypeId.exe	102
PID 5248 wrote to memory of 5784	5248	TypeId.exe	102
PID 5248 wrote to memory of 5784	5248	TypeId.exe	102
PID 5784 wrote to memory of 5880	5784	MSBuild.exe	103
PID 5784 wrote to memory of 5880	5784	MSBuild.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe
"C:\Users\Admin\AppData\Local\Temp\52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\1000238002\Amadeus.exe
    "C:\Users\Admin\1000238002\Amadeus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\1000267001\52i.exe
      "C:\Users\Admin\AppData\Local\Temp\1000267001\52i.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
      "C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 508
        5⤵
        Program crash
        
        PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\1000271001\loli.exe
      "C:\Users\Admin\AppData\Local\Temp\1000271001\loli.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c "Loli.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5640
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic diskdrive get Model
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5636
      - C:\Windows\system32\findstr.exe
        
        findstr /i "DADY HARDDISK QEMU HARDDISK WDC WDS100T2B0A"
        6⤵
        
        PID:4144
- - C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe
    "C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3496

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 952 -ip 952
1⤵
PID:5136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwB1AGkAZABcAFQAeQBwAGUASQBkAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwB1AGkAZABcAFQAeQBwAGUASQBkAC4AZQB4AGUA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5876

C:\Users\Admin\AppData\Roaming\Guid\TypeId.exe
C:\Users\Admin\AppData\Roaming\Guid\TypeId.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5784
- - C:\Users\Admin\AppData\Local\Temp\jyqwtii.exe
    "C:\Users\Admin\AppData\Local\Temp\jyqwtii.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5880

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5916

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000238002\Amadeus.exe

Filesize
425KB

MD5
ced97d60021d4a0bfa03ee14ec384c12

SHA1
7af327df2a2d1e0e09034c2bdf6a47f788cec4e4

SHA256
9e06eed4e1237ffdc84f0ff666fbe4b39e1bd2c60bd542870f7e1bfb10555951

SHA512
af0a02daa759010a1edfc78f14c5fe321c10802d0b9df55b515fe501114af0835a05bbd5dd5e2167b4b1f39bb6da787343bf9141d5f811113f71749741b47811

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000239001\runtime.exe

Filesize
539KB

MD5
4d40ebb93aa34bf94d303c07c6a7e5e5

SHA1
9333bc5b3f78f0a3cca32e1f6a90af8064bf8a81

SHA256
ef46ced1cea1c98722dc71aa0cf640bdc38d8677d92026b6fde6ce6ee2d623b5

SHA512
9cdce881809159ad07d99e9691c1457e7888aa96cf0ea93a19eea105b9db928f8f61c8de98c3b9179556b528fde4eb790d59e954db8a86799aecb38461741d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000267001\52i.exe

Filesize
715KB

MD5
4d190c235680b3e4481e4d7685e9a118

SHA1
17c5654e4077f9e0dd8e17e92e36696bed55557a

SHA256
4083f1ea732fd45abe2f648f824be39e3e511a59179fa7c8349d7f7f75e3d3b4

SHA512
517807dd7345c926cfc2e58d883764368c723900871ab358949a09bb6b23dcaef1a8db8096ebb2df08112e6914f893cdcc0b5fa8b78bc70008390598353ba771

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe

Filesize
319KB

MD5
0ec1f7cc17b6402cd2df150e0e5e92ca

SHA1
8405b9bf28accb6f1907fbe28d2536da4fba9fc9

SHA256
4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4

SHA512
7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000271001\loli.exe

Filesize
3.2MB

MD5
58b077ebba65b393fbcbee529e6e7dd3

SHA1
392971e1012dcf0fd21a4068e3855df53c5be9f4

SHA256
6465cf2f426c6080fbf053ce5470f8a5a0a63ce2225a5f1de0715903c410971f

SHA512
e794c390343ca96e29071679502aedcc04a82affb6905eeb190afa3423972125b0ae2090712e3cf67698e4df5b9b53a1c061178dcca40db4a8c53f1365690297

Download Submit
C:\Users\Admin\AppData\Local\Temp\272559161328

Filesize
84KB

MD5
ed1e0d0cb6c87513d4414cfb2d412882

SHA1
970849e2ceda0f407717a5e1dee7352b3858fb75

SHA256
df6a65b651377193e3bced26a543cd37863afcd65e7342f895de110edbf2b9c3

SHA512
95800d7edfee78e691250e23fe9372ee96c1f6847cdd11943608b20e987c2866763e9b7b367301595559f95cd4bfd3e9104c4701d363bd74208fd40f5cd34d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
6b3cbcc189028d6353f614c99228a679

SHA1
433ed3a2e4269c00258abb2571f88b6edaf7481b

SHA256
52ef6a21e129667bad413eacd968a1be53c7e0da76e1dd0f94847bc720b21cc3

SHA512
b94ce92219e5ac4029cb5089131ab70e7b06acc0259e00c2ce721d9bec25d981698e6296b8db802b7203cec09f98e54af9c86904685521cdc49e7df661390e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loli.bat

Filesize
4.4MB

MD5
646d2fc83c814797b5a163af06bb730c

SHA1
8bb609cd2773e140584b9ff7fd4a0dfd8441c732

SHA256
0a41a5a04ad40b4b675361a208683828bb56b76e5d6a55bc90d3c95527219ae9

SHA512
a903e93ba1ed0cb1505b27d3516f172d0ef6973f5a717e6a434027c232edcf7ee8f99221e4361f730a1afabb5daed284e2f2e8db7643c6e907e7a5b197384152

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_24izwdts.wtr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyqwtii.exe

Filesize
538KB

MD5
85441d14f17c49ea015d5cc9c53fe164

SHA1
6532bd0dfc162cb8f5beb37f9c1eb0861fdc6a8b

SHA256
b78104ce8ef14d177d4f9f9458930a54d067e6d35a482e5f323860d4443d1888

SHA512
34aa3713c9b38d3b1cf14dbd09ddf9e187fd9fbeb4fd490c85d9c14a3f2ef928c74377a6dce09042279dbbc3e49a915c3309e16716d02aec1609d1ac3a7c5e08

Download Submit
memory/876-42-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/876-55-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/1948-2-0x0000000000551000-0x000000000057F000-memory.dmp

Filesize
184KB

Download
memory/1948-17-0x0000000000550000-0x00000000009FA000-memory.dmp

Filesize
4.7MB

Download
memory/1948-5-0x0000000000550000-0x00000000009FA000-memory.dmp

Filesize
4.7MB

Download
memory/1948-0-0x0000000000550000-0x00000000009FA000-memory.dmp

Filesize
4.7MB

Download
memory/1948-3-0x0000000000550000-0x00000000009FA000-memory.dmp

Filesize
4.7MB

Download
memory/1948-1-0x00000000777E6000-0x00000000777E8000-memory.dmp

Filesize
8KB

Download
memory/2192-76-0x000000001AD50000-0x000000001ADD2000-memory.dmp

Filesize
520KB

Download
memory/2192-85-0x000000001AF60000-0x000000001AFD0000-memory.dmp

Filesize
448KB

Download
memory/2192-64-0x00000000000A0000-0x000000000012E000-memory.dmp

Filesize
568KB

Download
memory/3496-86-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3496-90-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3496-88-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3552-12055-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/4740-3281-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/4740-1879-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/4740-18-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/4740-19-0x00000000009A1000-0x00000000009CF000-memory.dmp

Filesize
184KB

Download
memory/4740-20-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/4740-21-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/4740-4075-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/4976-136-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-132-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-146-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-144-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-142-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-140-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-138-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-134-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-130-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-128-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-126-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-124-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-122-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-120-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-118-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-112-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-110-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-108-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-106-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-104-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-116-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-114-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-103-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-148-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-150-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-102-0x0000022CEA670000-0x0000022CEA77A000-memory.dmp

Filesize
1.0MB

Download
memory/4976-154-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-101-0x0000022CD0080000-0x0000022CD0138000-memory.dmp

Filesize
736KB

Download
memory/4976-4084-0x0000022CD1EE0000-0x0000022CD1F36000-memory.dmp

Filesize
344KB

Download
memory/4976-4085-0x0000022CD1F40000-0x0000022CD1F8C000-memory.dmp

Filesize
304KB

Download
memory/4976-156-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-4098-0x0000022CEA880000-0x0000022CEA8D4000-memory.dmp

Filesize
336KB

Download
memory/4976-158-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-152-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/4976-160-0x0000022CEA670000-0x0000022CEA775000-memory.dmp

Filesize
1.0MB

Download
memory/5876-4108-0x0000015278B90000-0x0000015278BB2000-memory.dmp

Filesize
136KB

Download
memory/5880-12033-0x0000000000D40000-0x0000000000DCC000-memory.dmp

Filesize
560KB

Download
memory/5880-12035-0x000000001EFA0000-0x000000001F0AA000-memory.dmp

Filesize
1.0MB

Download
memory/5880-12036-0x000000001BA20000-0x000000001BA32000-memory.dmp

Filesize
72KB

Download
memory/5880-12037-0x000000001D860000-0x000000001D89C000-memory.dmp

Filesize
240KB

Download
memory/5880-12038-0x000000001F530000-0x000000001F5A6000-memory.dmp

Filesize
472KB

Download
memory/5880-12039-0x000000001BA90000-0x000000001BAAE000-memory.dmp

Filesize
120KB

Download
memory/5880-12040-0x000000001FA80000-0x000000001FC42000-memory.dmp

Filesize
1.8MB

Download
memory/5880-12041-0x0000000020180000-0x00000000206A8000-memory.dmp

Filesize
5.2MB

Download
memory/5916-12043-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download
memory/5916-12045-0x00000000009A0000-0x0000000000E4A000-memory.dmp

Filesize
4.7MB

Download