Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-09-2024 17:46
Static task
static1
Behavioral task
behavioral1
Sample
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe
Resource
win11-20240802-en
General
-
Target
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe
-
Size
1.8MB
-
MD5
81d052a9d4afb3c55178026aa0775924
-
SHA1
ebccdf07654e703001c1f3fdac352dddaaa1b83c
-
SHA256
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7
-
SHA512
f886229f4dea2162f5ea076cb7035a6b3568cc4a2db338ebfa0f3ee2a22d4e595f2ccd3cd7c424677afd512728dd4c1de16972d1e6ee2f79a543fb682db129d3
-
SSDEEP
24576:FDpPzXilUqIxDfvG6SboycvkesSRDaje5N/iSk7NMiPHPx1MtPpYxW9yyV:FNPJhnGkvkcaa7iSxiP51YmAV
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
cryptbot
sevtv17sb.top
analforeverlovyu.top
fivev5sb.top
-
url_path
/v1/upload.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1068-45-0x0000000000400000-0x0000000000452000-memory.dmp family_redline C:\Users\Admin\AppData\Roaming\z1ZjmiPgBw.exe family_redline behavioral1/memory/4280-123-0x0000000000D00000-0x0000000000D52000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
axplong.exe8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exeaxplong.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exeaxplong.exeRegAsm.exeNework.exeHkbsse.exejoffer2.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Nework.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation Hkbsse.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation joffer2.exe -
Executes dropped EXE 16 IoCs
Processes:
axplong.exegold.execrypteda.exeTvwHxx6LCj.exez1ZjmiPgBw.exeNework.exeHkbsse.exestealc_default2.exeaxplong.exeHkbsse.exejoffer2.exeSеtup.exeservice123.exeHkbsse.exeaxplong.exeservice123.exepid process 5020 axplong.exe 3908 gold.exe 4976 crypteda.exe 1700 TvwHxx6LCj.exe 4280 z1ZjmiPgBw.exe 976 Nework.exe 3328 Hkbsse.exe 4812 stealc_default2.exe 1704 axplong.exe 3172 Hkbsse.exe 4368 joffer2.exe 2184 Sеtup.exe 5040 service123.exe 4792 Hkbsse.exe 4360 axplong.exe 1436 service123.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exeaxplong.exe8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Wine axplong.exe -
Loads dropped DLL 4 IoCs
Processes:
stealc_default2.exeservice123.exeservice123.exepid process 4812 stealc_default2.exe 4812 stealc_default2.exe 5040 service123.exe 1436 service123.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exeaxplong.exeaxplong.exeaxplong.exepid process 2932 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe 5020 axplong.exe 1704 axplong.exe 4360 axplong.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
gold.execrypteda.exedescription pid process target process PID 3908 set thread context of 1068 3908 gold.exe RegAsm.exe PID 4976 set thread context of 1912 4976 crypteda.exe RegAsm.exe -
Drops file in Windows directory 2 IoCs
Processes:
Nework.exe8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exedescription ioc process File created C:\Windows\Tasks\Hkbsse.job Nework.exe File created C:\Windows\Tasks\axplong.job 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
z1ZjmiPgBw.exeTvwHxx6LCj.exeservice123.exeschtasks.exe8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exeaxplong.exeRegAsm.exejoffer2.exegold.exeRegAsm.exeNework.exestealc_default2.execrypteda.exeHkbsse.exeSеtup.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language z1ZjmiPgBw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TvwHxx6LCj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service123.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language joffer2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nework.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sеtup.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
stealc_default2.exejoffer2.exeSеtup.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 joffer2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString joffer2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Sеtup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Sеtup.exe -
Processes:
RegAsm.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exeaxplong.exestealc_default2.exeTvwHxx6LCj.exez1ZjmiPgBw.exeRegAsm.exeaxplong.exeaxplong.exepid process 2932 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe 2932 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe 5020 axplong.exe 5020 axplong.exe 4812 stealc_default2.exe 4812 stealc_default2.exe 1700 TvwHxx6LCj.exe 1700 TvwHxx6LCj.exe 4280 z1ZjmiPgBw.exe 4280 z1ZjmiPgBw.exe 4280 z1ZjmiPgBw.exe 4280 z1ZjmiPgBw.exe 4280 z1ZjmiPgBw.exe 4280 z1ZjmiPgBw.exe 1068 RegAsm.exe 1068 RegAsm.exe 1068 RegAsm.exe 1068 RegAsm.exe 1068 RegAsm.exe 1068 RegAsm.exe 1704 axplong.exe 1704 axplong.exe 4812 stealc_default2.exe 4812 stealc_default2.exe 4360 axplong.exe 4360 axplong.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
TvwHxx6LCj.exez1ZjmiPgBw.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 1700 TvwHxx6LCj.exe Token: SeBackupPrivilege 1700 TvwHxx6LCj.exe Token: SeSecurityPrivilege 1700 TvwHxx6LCj.exe Token: SeSecurityPrivilege 1700 TvwHxx6LCj.exe Token: SeSecurityPrivilege 1700 TvwHxx6LCj.exe Token: SeSecurityPrivilege 1700 TvwHxx6LCj.exe Token: SeDebugPrivilege 4280 z1ZjmiPgBw.exe Token: SeDebugPrivilege 1068 RegAsm.exe -
Suspicious use of WriteProcessMemory 60 IoCs
Processes:
8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exeaxplong.exegold.execrypteda.exeRegAsm.exeNework.exeHkbsse.exejoffer2.exedescription pid process target process PID 2932 wrote to memory of 5020 2932 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe axplong.exe PID 2932 wrote to memory of 5020 2932 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe axplong.exe PID 2932 wrote to memory of 5020 2932 8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe axplong.exe PID 5020 wrote to memory of 3908 5020 axplong.exe gold.exe PID 5020 wrote to memory of 3908 5020 axplong.exe gold.exe PID 5020 wrote to memory of 3908 5020 axplong.exe gold.exe PID 3908 wrote to memory of 3328 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 3328 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 3328 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 1068 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 1068 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 1068 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 1068 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 1068 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 1068 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 1068 3908 gold.exe RegAsm.exe PID 3908 wrote to memory of 1068 3908 gold.exe RegAsm.exe PID 5020 wrote to memory of 4976 5020 axplong.exe crypteda.exe PID 5020 wrote to memory of 4976 5020 axplong.exe crypteda.exe PID 5020 wrote to memory of 4976 5020 axplong.exe crypteda.exe PID 4976 wrote to memory of 3504 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 3504 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 3504 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 4976 wrote to memory of 1912 4976 crypteda.exe RegAsm.exe PID 1912 wrote to memory of 1700 1912 RegAsm.exe TvwHxx6LCj.exe PID 1912 wrote to memory of 1700 1912 RegAsm.exe TvwHxx6LCj.exe PID 1912 wrote to memory of 1700 1912 RegAsm.exe TvwHxx6LCj.exe PID 1912 wrote to memory of 4280 1912 RegAsm.exe z1ZjmiPgBw.exe PID 1912 wrote to memory of 4280 1912 RegAsm.exe z1ZjmiPgBw.exe PID 1912 wrote to memory of 4280 1912 RegAsm.exe z1ZjmiPgBw.exe PID 5020 wrote to memory of 976 5020 axplong.exe Nework.exe PID 5020 wrote to memory of 976 5020 axplong.exe Nework.exe PID 5020 wrote to memory of 976 5020 axplong.exe Nework.exe PID 976 wrote to memory of 3328 976 Nework.exe Hkbsse.exe PID 976 wrote to memory of 3328 976 Nework.exe Hkbsse.exe PID 976 wrote to memory of 3328 976 Nework.exe Hkbsse.exe PID 5020 wrote to memory of 4812 5020 axplong.exe stealc_default2.exe PID 5020 wrote to memory of 4812 5020 axplong.exe stealc_default2.exe PID 5020 wrote to memory of 4812 5020 axplong.exe stealc_default2.exe PID 3328 wrote to memory of 4368 3328 Hkbsse.exe joffer2.exe PID 3328 wrote to memory of 4368 3328 Hkbsse.exe joffer2.exe PID 3328 wrote to memory of 4368 3328 Hkbsse.exe joffer2.exe PID 5020 wrote to memory of 2184 5020 axplong.exe Sеtup.exe PID 5020 wrote to memory of 2184 5020 axplong.exe Sеtup.exe PID 5020 wrote to memory of 2184 5020 axplong.exe Sеtup.exe PID 4368 wrote to memory of 5040 4368 joffer2.exe service123.exe PID 4368 wrote to memory of 5040 4368 joffer2.exe service123.exe PID 4368 wrote to memory of 5040 4368 joffer2.exe service123.exe PID 4368 wrote to memory of 3744 4368 joffer2.exe schtasks.exe PID 4368 wrote to memory of 3744 4368 joffer2.exe schtasks.exe PID 4368 wrote to memory of 3744 4368 joffer2.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe"C:\Users\Admin\AppData\Local\Temp\8ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3328
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:3504
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Users\Admin\AppData\Roaming\TvwHxx6LCj.exe"C:\Users\Admin\AppData\Roaming\TvwHxx6LCj.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Users\Admin\AppData\Roaming\z1ZjmiPgBw.exe"C:\Users\Admin\AppData\Roaming\z1ZjmiPgBw.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe"C:\Users\Admin\AppData\Local\Temp\1000022001\joffer2.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5040 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3744 -
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2184
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
PID:3172
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1704
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4792
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4360
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
313KB
MD52d647cf43622ed10b6d733bb5f048fc3
SHA16b9c5f77a9ef064a23e5018178f982570cbc64c6
SHA25641426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6
SHA51262400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
6.4MB
MD5f7f25eb4fb89302ddfc596ad4dfb2907
SHA10a6f2cffb64eef1b4f698427bd3144fb2c679f63
SHA256c56917c40623e6f97fb1168b7586d3434b3ba23e0ddaa40ebe455ff7ab7db2ff
SHA51227fdbf978393f1d41c13f36e9ce5dff79b332d9039207d21e1b6fedd7a13f42dc30cd5f06096d8cd29fb7cd97243fbb6da77abe5842cbf018ecbe0a18a23f951
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
6.3MB
MD545b55d1e5d2bf60cc572f541ae6fa7d1
SHA12329f56147a299bcdbf20520e626cc8253e49a8d
SHA256039f5c692ba1c67c6e9b475738f40f4311e5e5625e4390d5e51685f6b4e548b8
SHA5125483964e050b2be073d3cf966b6dd6271556d4adfb420fb9ecf81f42f27cd06727016292dceb9a282f9fdcb451507309d1a78f58dd5d84e3022c0ea20c58dbe2
-
Filesize
1.6MB
MD540a0ffd6ede65588b0800ad5244e4a44
SHA177ff419a94e88a5ee63dca1dc8725e53584bbb9a
SHA256a7c5e9c514707a1dd75844d64a93ba4e922374dfe238e3b829d9fa3b792f8ba1
SHA512da6538aa36d9d67e56c43d10c0106dae8da3bee374391ef06d3e590745fcbd3111814bd3ff733f1d9fca191893b6addbeb71228bed708fa49d3c08adf7913264
-
Filesize
1.8MB
MD581d052a9d4afb3c55178026aa0775924
SHA1ebccdf07654e703001c1f3fdac352dddaaa1b83c
SHA2568ca6bed140d0389dbb880d209b05da5d31650afd81893dc5a2ad6db5d20f8be7
SHA512f886229f4dea2162f5ea076cb7035a6b3568cc4a2db338ebfa0f3ee2a22d4e595f2ccd3cd7c424677afd512728dd4c1de16972d1e6ee2f79a543fb682db129d3
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-786284298-625481688-3210388970-1000\76b53b3ec448f7ccdda2063b15d2bfc3_1b74ca46-c49b-4c52-a57d-8cd1ff70c625
Filesize2KB
MD51812869135a456acba75037a0f76a9f3
SHA1f35c505ef7dfe51861bb6db18b5fd4f01d17c2dd
SHA256d423fe589d5e1d3519519a1c69f2675450c5f19a157b89f009b9cdf460e732d0
SHA51299505a05f201aa6dcb30236bc93b209c8a9cd732bc23253ecddbeee35d328d3b3c13bbc005425c7e4ef664efd261aa2b934175c432acdf432306d6e08ccab48d
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
2KB
MD5aa60d7755d5a23aaba15d7e1555aa410
SHA186161ac3fc74599ef77c21e6d4525d4d2407a330
SHA256a9d7cb990c537410262c28d8017bd8c2ffbdcc9850133a81bf3cc5100f090e4e
SHA5122e51315c3704d082686ee84b93ea15e623e785280051e6482e172ddd9fa76c0234303132dbdff4174972877c00b004c43289782e1b27417ab863d852c8ae35e2
-
Filesize
2KB
MD5fba612eeb015040e2746998f014d48bb
SHA16a0b6255fd631eeb7a3e5c8378e71410464608a6
SHA256efed14402dbda73ef60c40cde4d6095269dd87531980a735f3bb35ad4b598a89
SHA5123370be0f65c58366664475d361be58253ad5eb8e8924f820c36b7f5a6980f420548152e2962efd4e2f20435b7e1003c896cc00f2df2185947edcb4ca6d34d1db