Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 02:48
Static task
static1
Behavioral task
behavioral1
Sample
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
Resource
win10v2004-20240802-en
General
-
Target
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
-
Size
1.8MB
-
MD5
f005e9e79e6612060e1bc6eae1464d67
-
SHA1
7228dc896a4d86e6b44942eff7e6c082d8d0d195
-
SHA256
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
-
SHA512
609cbe54d3d760cad30fb0710d5d77f8368a385b489ba481bda5ab7458d54546877ce238951f0c3cdbb76a2e0ab926d014d52709f98113c9dd3fb25adffa59ea
-
SSDEEP
49152:lYJLqFonJmv5RtbfryR4zK4AteN9tGJ/xSL8:2kF9Xjzj8MoEL8
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe family_redline behavioral2/memory/4768-104-0x0000000000940000-0x0000000000992000-memory.dmp family_redline -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
axplong.exeRegAsm.exeNework.exeHkbsse.exed4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation axplong.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation RegAsm.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation Nework.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation Hkbsse.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe -
Executes dropped EXE 11 IoCs
Processes:
axplong.exeaxplong.exeaxplong.execrypteda.exePSLvRVnwWg.exe6eOm6iL9Z6.exeNework.exeHkbsse.exestealc_default2.exeHkbsse.exeaxplong.exepid process 3740 axplong.exe 2668 axplong.exe 4392 axplong.exe 3992 crypteda.exe 1612 PSLvRVnwWg.exe 4768 6eOm6iL9Z6.exe 4440 Nework.exe 3024 Hkbsse.exe 632 stealc_default2.exe 872 Hkbsse.exe 3952 axplong.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine axplong.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exepid process 2540 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe 3740 axplong.exe 2668 axplong.exe 4392 axplong.exe 3952 axplong.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
crypteda.exedescription pid process target process PID 3992 set thread context of 2056 3992 crypteda.exe RegAsm.exe -
Drops file in Windows directory 2 IoCs
Processes:
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exeNework.exedescription ioc process File created C:\Windows\Tasks\axplong.job d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe File created C:\Windows\Tasks\Hkbsse.job Nework.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RegAsm.exe6eOm6iL9Z6.exePSLvRVnwWg.exeNework.exeHkbsse.exestealc_default2.exed4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exeaxplong.execrypteda.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6eOm6iL9Z6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PSLvRVnwWg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nework.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbsse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stealc_default2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crypteda.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
stealc_default2.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 stealc_default2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stealc_default2.exe -
Processes:
6eOm6iL9Z6.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 6eOm6iL9Z6.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 6eOm6iL9Z6.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exeaxplong.exeaxplong.exeaxplong.exePSLvRVnwWg.exe6eOm6iL9Z6.exestealc_default2.exeaxplong.exepid process 2540 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe 2540 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe 3740 axplong.exe 3740 axplong.exe 2668 axplong.exe 2668 axplong.exe 4392 axplong.exe 4392 axplong.exe 1612 PSLvRVnwWg.exe 4768 6eOm6iL9Z6.exe 4768 6eOm6iL9Z6.exe 4768 6eOm6iL9Z6.exe 4768 6eOm6iL9Z6.exe 4768 6eOm6iL9Z6.exe 632 stealc_default2.exe 632 stealc_default2.exe 3952 axplong.exe 3952 axplong.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
PSLvRVnwWg.exe6eOm6iL9Z6.exedescription pid process Token: SeDebugPrivilege 1612 PSLvRVnwWg.exe Token: SeBackupPrivilege 1612 PSLvRVnwWg.exe Token: SeSecurityPrivilege 1612 PSLvRVnwWg.exe Token: SeSecurityPrivilege 1612 PSLvRVnwWg.exe Token: SeSecurityPrivilege 1612 PSLvRVnwWg.exe Token: SeSecurityPrivilege 1612 PSLvRVnwWg.exe Token: SeDebugPrivilege 4768 6eOm6iL9Z6.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exepid process 2540 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exeaxplong.execrypteda.exeRegAsm.exeNework.exedescription pid process target process PID 2540 wrote to memory of 3740 2540 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe axplong.exe PID 2540 wrote to memory of 3740 2540 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe axplong.exe PID 2540 wrote to memory of 3740 2540 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe axplong.exe PID 3740 wrote to memory of 3992 3740 axplong.exe crypteda.exe PID 3740 wrote to memory of 3992 3740 axplong.exe crypteda.exe PID 3740 wrote to memory of 3992 3740 axplong.exe crypteda.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 3992 wrote to memory of 2056 3992 crypteda.exe RegAsm.exe PID 2056 wrote to memory of 1612 2056 RegAsm.exe PSLvRVnwWg.exe PID 2056 wrote to memory of 1612 2056 RegAsm.exe PSLvRVnwWg.exe PID 2056 wrote to memory of 1612 2056 RegAsm.exe PSLvRVnwWg.exe PID 2056 wrote to memory of 4768 2056 RegAsm.exe 6eOm6iL9Z6.exe PID 2056 wrote to memory of 4768 2056 RegAsm.exe 6eOm6iL9Z6.exe PID 2056 wrote to memory of 4768 2056 RegAsm.exe 6eOm6iL9Z6.exe PID 3740 wrote to memory of 4440 3740 axplong.exe Nework.exe PID 3740 wrote to memory of 4440 3740 axplong.exe Nework.exe PID 3740 wrote to memory of 4440 3740 axplong.exe Nework.exe PID 4440 wrote to memory of 3024 4440 Nework.exe Hkbsse.exe PID 4440 wrote to memory of 3024 4440 Nework.exe Hkbsse.exe PID 4440 wrote to memory of 3024 4440 Nework.exe Hkbsse.exe PID 3740 wrote to memory of 632 3740 axplong.exe stealc_default2.exe PID 3740 wrote to memory of 632 3740 axplong.exe stealc_default2.exe PID 3740 wrote to memory of 632 3740 axplong.exe stealc_default2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe"C:\Users\Admin\AppData\Roaming\PSLvRVnwWg.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612 -
C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe"C:\Users\Admin\AppData\Roaming\6eOm6iL9Z6.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768 -
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:632
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2668
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4392
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
PID:872
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3952
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5fb4b7dd5001e3e263c6c4db03c9df1fc
SHA1f8454e5dbc716b85d89b3117aaa51751514c1801
SHA2561016070be8c1c10cf9b4fe2b8bc374e0ad34d401fdb95c7b0ac2222b147d2d7c
SHA5122d53daf42b07687e970c5fd96b61bdd57209dd31d3914d7ac86d5a356e5ba84af816275b01de8791ad3705f69057f8994e5cf2dd60c916e8bd58e5700d8bb2a7
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
5.2MB
MD5923af9aa015392afb0de83984c63800e
SHA1b6f7676f5067fd107f75c8da413c62a1729c688a
SHA256a1badc8aa494ac97273e81666ed109b9720c4e77fd931680e2a3bd8b1c3de4b7
SHA5121882bc2f6f47b7cac1227a862c7b534343d133233a4bb33fd387d907e3267adb4760989c1e32f05abdb7b34228689228ec4a7090111838ca3341808ef2806f82
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
1.8MB
MD5f005e9e79e6612060e1bc6eae1464d67
SHA17228dc896a4d86e6b44942eff7e6c082d8d0d195
SHA256d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
SHA512609cbe54d3d760cad30fb0710d5d77f8368a385b489ba481bda5ab7458d54546877ce238951f0c3cdbb76a2e0ab926d014d52709f98113c9dd3fb25adffa59ea
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714