Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-09-2024 19:19
Static task
static1
Behavioral task
behavioral1
Sample
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe
Resource
win11-20240802-en
General
-
Target
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe
-
Size
1.8MB
-
MD5
77a18ff06aacc09d8c95dd91e3a5c676
-
SHA1
c207c31a7530a6727958866c6f2e4ce21b3641fa
-
SHA256
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9
-
SHA512
bb0ec6116320fe5ba2626c150783257152ad15b28a8672c3780f9b417b481a554fa8bf3c9a045399e15ad054b1f0b52c2738421dd66cb96aa070ed97662881ff
-
SSDEEP
49152:uencH40zZfCrjkwQuzjTI2sj/qtiZRu7Mky:uz3Z4gwBnM2sj/qt2uAl
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
stealc
default
http://91.202.233.158
-
url_path
/e96ea2db21fa9a1b.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/4672-45-0x0000000000400000-0x0000000000452000-memory.dmp family_redline C:\Users\Admin\AppData\Roaming\shtvMS9Gee.exe family_redline behavioral1/memory/3476-123-0x00000000004A0000-0x00000000004F2000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeaxplong.exeRegAsm.exeNework.exeHkbsse.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation Nework.exe Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation Hkbsse.exe -
Executes dropped EXE 14 IoCs
Processes:
axplong.exegold.execrypteda.exeeaiKpnwby1.exeshtvMS9Gee.exeNework.exeHkbsse.exestealc_default2.exeaxplong.exeHkbsse.exeaxplong.exeHkbsse.exeneedmoney.exesvchost015.exepid process 3276 axplong.exe 4368 gold.exe 3664 crypteda.exe 4544 eaiKpnwby1.exe 3476 shtvMS9Gee.exe 2180 Nework.exe 1220 Hkbsse.exe 4060 stealc_default2.exe 4660 axplong.exe 4488 Hkbsse.exe 2684 axplong.exe 2232 Hkbsse.exe 1276 needmoney.exe 1924 svchost015.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exe9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine axplong.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeaxplong.exeaxplong.exeaxplong.exepid process 4936 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe 3276 axplong.exe 4660 axplong.exe 2684 axplong.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
gold.execrypteda.exeneedmoney.exedescription pid process target process PID 4368 set thread context of 4672 4368 gold.exe RegAsm.exe PID 3664 set thread context of 2832 3664 crypteda.exe RegAsm.exe PID 1276 set thread context of 1924 1276 needmoney.exe svchost015.exe -
Drops file in Windows directory 2 IoCs
Processes:
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeNework.exedescription ioc process File created C:\Windows\Tasks\axplong.job 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe File created C:\Windows\Tasks\Hkbsse.job Nework.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4016 4060 WerFault.exe stealc_default2.exe -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
gold.exeNework.exeaxplong.exeshtvMS9Gee.exeeaiKpnwby1.exestealc_default2.execrypteda.exeneedmoney.exesvchost015.exe9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeRegAsm.exeHkbsse.exeRegAsm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nework.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shtvMS9Gee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eaiKpnwby1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language needmoney.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost015.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
stealc_default2.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default2.exe -
Processes:
RegAsm.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeaxplong.exeRegAsm.exeeaiKpnwby1.exestealc_default2.exeshtvMS9Gee.exeaxplong.exeaxplong.exepid process 4936 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe 4936 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe 3276 axplong.exe 3276 axplong.exe 4672 RegAsm.exe 4672 RegAsm.exe 4672 RegAsm.exe 4672 RegAsm.exe 4544 eaiKpnwby1.exe 4544 eaiKpnwby1.exe 4672 RegAsm.exe 4672 RegAsm.exe 4060 stealc_default2.exe 4060 stealc_default2.exe 3476 shtvMS9Gee.exe 3476 shtvMS9Gee.exe 3476 shtvMS9Gee.exe 3476 shtvMS9Gee.exe 3476 shtvMS9Gee.exe 3476 shtvMS9Gee.exe 4660 axplong.exe 4660 axplong.exe 2684 axplong.exe 2684 axplong.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
eaiKpnwby1.exeRegAsm.exeshtvMS9Gee.exedescription pid process Token: SeDebugPrivilege 4544 eaiKpnwby1.exe Token: SeBackupPrivilege 4544 eaiKpnwby1.exe Token: SeSecurityPrivilege 4544 eaiKpnwby1.exe Token: SeSecurityPrivilege 4544 eaiKpnwby1.exe Token: SeSecurityPrivilege 4544 eaiKpnwby1.exe Token: SeSecurityPrivilege 4544 eaiKpnwby1.exe Token: SeDebugPrivilege 4672 RegAsm.exe Token: SeDebugPrivilege 3476 shtvMS9Gee.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeNework.exepid process 4936 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe 2180 Nework.exe -
Suspicious use of WriteProcessMemory 56 IoCs
Processes:
9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exeaxplong.exegold.execrypteda.exeRegAsm.exeNework.exeneedmoney.exedescription pid process target process PID 4936 wrote to memory of 3276 4936 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe axplong.exe PID 4936 wrote to memory of 3276 4936 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe axplong.exe PID 4936 wrote to memory of 3276 4936 9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe axplong.exe PID 3276 wrote to memory of 4368 3276 axplong.exe gold.exe PID 3276 wrote to memory of 4368 3276 axplong.exe gold.exe PID 3276 wrote to memory of 4368 3276 axplong.exe gold.exe PID 4368 wrote to memory of 4672 4368 gold.exe RegAsm.exe PID 4368 wrote to memory of 4672 4368 gold.exe RegAsm.exe PID 4368 wrote to memory of 4672 4368 gold.exe RegAsm.exe PID 4368 wrote to memory of 4672 4368 gold.exe RegAsm.exe PID 4368 wrote to memory of 4672 4368 gold.exe RegAsm.exe PID 4368 wrote to memory of 4672 4368 gold.exe RegAsm.exe PID 4368 wrote to memory of 4672 4368 gold.exe RegAsm.exe PID 4368 wrote to memory of 4672 4368 gold.exe RegAsm.exe PID 3276 wrote to memory of 3664 3276 axplong.exe crypteda.exe PID 3276 wrote to memory of 3664 3276 axplong.exe crypteda.exe PID 3276 wrote to memory of 3664 3276 axplong.exe crypteda.exe PID 3664 wrote to memory of 1004 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 1004 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 1004 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 3664 wrote to memory of 2832 3664 crypteda.exe RegAsm.exe PID 2832 wrote to memory of 4544 2832 RegAsm.exe eaiKpnwby1.exe PID 2832 wrote to memory of 4544 2832 RegAsm.exe eaiKpnwby1.exe PID 2832 wrote to memory of 4544 2832 RegAsm.exe eaiKpnwby1.exe PID 2832 wrote to memory of 3476 2832 RegAsm.exe shtvMS9Gee.exe PID 2832 wrote to memory of 3476 2832 RegAsm.exe shtvMS9Gee.exe PID 2832 wrote to memory of 3476 2832 RegAsm.exe shtvMS9Gee.exe PID 3276 wrote to memory of 2180 3276 axplong.exe Nework.exe PID 3276 wrote to memory of 2180 3276 axplong.exe Nework.exe PID 3276 wrote to memory of 2180 3276 axplong.exe Nework.exe PID 2180 wrote to memory of 1220 2180 Nework.exe Hkbsse.exe PID 2180 wrote to memory of 1220 2180 Nework.exe Hkbsse.exe PID 2180 wrote to memory of 1220 2180 Nework.exe Hkbsse.exe PID 3276 wrote to memory of 4060 3276 axplong.exe stealc_default2.exe PID 3276 wrote to memory of 4060 3276 axplong.exe stealc_default2.exe PID 3276 wrote to memory of 4060 3276 axplong.exe stealc_default2.exe PID 3276 wrote to memory of 1276 3276 axplong.exe needmoney.exe PID 3276 wrote to memory of 1276 3276 axplong.exe needmoney.exe PID 3276 wrote to memory of 1276 3276 axplong.exe needmoney.exe PID 1276 wrote to memory of 1924 1276 needmoney.exe svchost015.exe PID 1276 wrote to memory of 1924 1276 needmoney.exe svchost015.exe PID 1276 wrote to memory of 1924 1276 needmoney.exe svchost015.exe PID 1276 wrote to memory of 1924 1276 needmoney.exe svchost015.exe PID 1276 wrote to memory of 1924 1276 needmoney.exe svchost015.exe PID 1276 wrote to memory of 1924 1276 needmoney.exe svchost015.exe PID 1276 wrote to memory of 1924 1276 needmoney.exe svchost015.exe PID 1276 wrote to memory of 1924 1276 needmoney.exe svchost015.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe"C:\Users\Admin\AppData\Local\Temp\9be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672 -
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵PID:1004
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Users\Admin\AppData\Roaming\eaiKpnwby1.exe"C:\Users\Admin\AppData\Roaming\eaiKpnwby1.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544 -
C:\Users\Admin\AppData\Roaming\shtvMS9Gee.exe"C:\Users\Admin\AppData\Roaming\shtvMS9Gee.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3476 -
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4060 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 7564⤵
- Program crash
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\svchost015.exeC:\Users\Admin\AppData\Local\Temp\svchost015.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
PID:4488
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4060 -ip 40601⤵PID:3608
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
PID:2232
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2684
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
313KB
MD52d647cf43622ed10b6d733bb5f048fc3
SHA16b9c5f77a9ef064a23e5018178f982570cbc64c6
SHA25641426dd54fcabbf30a68b2aa11aa4f61f3862bea83109d3e3c50cfebed1359e6
SHA51262400f1e9646268f0326aab5b95efacb0303f4c5879cccf0cbb24d1f66d0db40d0fdfebb09ba785b5dfd54df2d32e8aab48c1f5f333956b606112de68635ac3a
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
3.9MB
MD51ac6d5f2fa75caab64f52f3ce5e97faf
SHA14dcb554f55f713bcff1ec6f8a9c8f0ebc2805ff2
SHA256bd7152623bdca6ff169c35ae330c6a32483c3286deee6a99780bf0b4f4347d9b
SHA5125d477582acc2a1ac3ee0d0809aa81c4f710c62005a17c67ea283c67a6293865d7b015fe9a265e1a481d2ee4cb94a1f092628c9aeacb95d405d507595d6cfc0ac
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
992KB
MD5e162c30a26e4666f4317ffc184185942
SHA1c22c50d49f451e3eef892f2365d4681271092f1a
SHA2561e70ac426d5e3535b6b11de404241d696a4e9b1dd42ef6de7a3b334298ef09fd
SHA5122a1c8aad17c8bd2500e5ce31289a2b47b32defdb2668ecf02fbee664531923bc14e2da48c1f5ce528b26df1dd052887f16f94427c90d0c4440f4e30ff6b5ea93
-
Filesize
3.6MB
MD57e6a519688246fe1180f35fe0d25d370
SHA18e8719ac897dfef7305311dc216f570af40709af
SHA25632a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a
SHA512a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972
-
Filesize
1.8MB
MD577a18ff06aacc09d8c95dd91e3a5c676
SHA1c207c31a7530a6727958866c6f2e4ce21b3641fa
SHA2569be041d4bbc4710ad80b38e4d1c90d75c8527d6014a616c00a7866bb40d34ad9
SHA512bb0ec6116320fe5ba2626c150783257152ad15b28a8672c3780f9b417b481a554fa8bf3c9a045399e15ad054b1f0b52c2738421dd66cb96aa070ed97662881ff
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\76b53b3ec448f7ccdda2063b15d2bfc3_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823
Filesize2KB
MD545c6a130adefeb9b319c03a17495a3e4
SHA17b1fc001ec2b3a0f53519002db4ad117015f1ab6
SHA256dea1f0ad46dc7f6349ffd8483388ed92b750199ff55675e6e02c8fa58868dcd0
SHA5128183109c8ac2e7b1a8254dec4e0be38d8d1741565962a1710820d2bf5e3b5a041eea42ba4f26522b0c6f551a820249392d1d85f75591c5ac53df8efe5096608c
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
2KB
MD5963ca9a5095947baec18f6a65134e9cf
SHA1a72f7dccfe0b62e48cb02c3a651034ae001e1039
SHA256739f355a46a20ed02b8d7418bf802f56ff7d94388e8ee08028ea0dfeecb34e81
SHA512249d890cf13e7fbc873ead7ff8492c3481d2b9b86d161685b2d37d7081566c62d6385b65fe4f6f76418fc0ced1d3a6cc533c4720971d973c3651211c0927de37
-
Filesize
2KB
MD557c1745d7a3453e0fa1882256236bd1a
SHA1409c3fa71da392341c6825ec6f97d4e360fcc621
SHA25683c80b8e9d933025e8cf35bc3f23f719314b9202b4f30cd02f43bb478ebe4741
SHA512d4147fec5f5e3b3369f6955849f45654d44114dec7096e8645c837e7db13ead951224dc3f5fd2b6f99c484a2502f65f1cd54c3fcf44469a53bada9a4350d4652