Analysis
max time kernel: 149s
max time network: 141s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-09-2024 13:40
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20240708-en
General
Target: file.exe
Size: 1.8MB
MD5: 87c548fab3b4bf1b9fdaa21e4cc18f27
SHA1: cfa7c8c564668ef2827efd4d890f1ff19a8f0c78
SHA256: d7e8125c7026f1a9e05ecd076203aef923870b2a222945cdf13b9a9165928748
SHA512: 764b3e7db14e07bcdad352e0d141f315f9370828475a5809f8e1df8e887c5168c2bdfea7988a50fcdab1916f8fb11814f65f8088f68c721d14589f6d0afde8a9
SSDEEP: 49152:MFLjIClgvypImQ2hJaSsS/zL6MBgZgNFgB:MFLac4QVs6bBgGFg
Malware Config
Extracted: amadey
4.41
0657d1
http://185.215.113.19
install_dir: 0d8f5eb8a7
install_file: explorti.exe
strings_key: 6c55a5f34bb433fbd933a168577b1838
url_paths: /Vi9leo/index.php
Extracted: stealc
leva
http://185.215.113.100
url_path: /e2b1563c6670f193.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: file.exe, explorti.exe, a260c77832.exe, 2183fa58f0.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (file.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (explorti.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (a260c77832.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2183fa58f0.exe)

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: a260c77832.exe, 2183fa58f0.exe, file.exe, explorti.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (a260c77832.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (a260c77832.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (2183fa58f0.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (2183fa58f0.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (file.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (file.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorti.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (explorti.exe)
Executes dropped EXE 4 IoCs
Processes:
- PID 2768 explorti.exe
- PID 700 a260c77832.exe
- PID 2012 2183fa58f0.exe
- PID 1132 2183fa58f0.exe
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: file.exe, explorti.exe, a260c77832.exe, 2183fa58f0.exe
- Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine (file.exe)
- Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine (explorti.exe)
- Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine (a260c77832.exe)
- Key opened \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Wine (2183fa58f0.exe)
Loads dropped DLL 6 IoCs
Processes:
- PID 1484 file.exe
- PID 2768 explorti.exe (same entry repeated for the remaining 5 IoCs)
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
- Resource C:\Users\Admin\AppData\Local\Temp\1000053001\2183fa58f0.exe matches yara rule autoit_exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
- PID 1484 file.exe
- PID 2768 explorti.exe
- PID 700 a260c77832.exe
- PID 2012 2183fa58f0.exe
Drops file in Windows directory 1 IoCs
Processes:
- File created C:\Windows\Tasks\explorti.job (file.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: file.exe, explorti.exe, a260c77832.exe, 2183fa58f0.exe, 2183fa58f0.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (file.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (explorti.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a260c77832.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2183fa58f0.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2183fa58f0.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- PID 1484 file.exe
- PID 2768 explorti.exe
- PID 700 a260c77832.exe
- PID 2012 2183fa58f0.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
- PID 1484 file.exe
- PID 1132 2183fa58f0.exe (same entry repeated for the remaining IoCs)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
- PID 1132 2183fa58f0.exe (same entry repeated for all 64 IoCs)
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
- PID 1484 file.exe wrote to memory of PID 2768 explorti.exe (4 IoCs)
- PID 2768 explorti.exe wrote to memory of PID 700 a260c77832.exe (4 IoCs)
- PID 2768 explorti.exe wrote to memory of PID 2012 2183fa58f0.exe (4 IoCs)
- PID 2768 explorti.exe wrote to memory of PID 1132 2183fa58f0.exe (4 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 1484
C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (depth 2, child of PID 1484 file.exe)
Command line: "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2768
C:\Users\Admin\AppData\Roaming\1000051000\a260c77832.exe (depth 3, child of PID 2768 explorti.exe)
Command line: "C:\Users\Admin\AppData\Roaming\1000051000\a260c77832.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 700
C:\Users\Admin\AppData\Roaming\1000052000\2183fa58f0.exe (depth 3, child of PID 2768 explorti.exe)
Command line: "C:\Users\Admin\AppData\Roaming\1000052000\2183fa58f0.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2012
C:\Users\Admin\AppData\Local\Temp\1000053001\2183fa58f0.exe (depth 3, child of PID 2768 explorti.exe)
Command line: "C:\Users\Admin\AppData\Local\Temp\1000053001\2183fa58f0.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1132
Downloads