Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08-09-2024 11:01
Static task
static1
Behavioral task
behavioral1
Sample
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe
Resource
win11-20240802-en
General
-
Target
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe
-
Size
1.9MB
-
MD5
48a36baee2fba32fc07ba2f12526914c
-
SHA1
0f16d91ed72554f0bc71e3906b6532ab2ac40781
-
SHA256
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978
-
SHA512
a7f327d00ef54a17d06b0fce5084e10bddb7c93768c995738b80d8618f320c54472aded33769facde18fef1ec8e528fc29a8e818828cebe935b2ad8ded0f59aa
-
SSDEEP
49152:7LXxWt2ugXdp1jhk+BSIxEGMWRiF5AlObZX0:7L8t+dp1ybIxrMxOObl
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs
Processes:
RMS1.exedescription pid process target process PID 3592 created 3480 3592 RMS1.exe Explorer.EXE PID 3592 created 3480 3592 RMS1.exe Explorer.EXE PID 3592 created 3480 3592 RMS1.exe Explorer.EXE PID 3592 created 3480 3592 RMS1.exe Explorer.EXE PID 3592 created 3480 3592 RMS1.exe Explorer.EXE PID 3592 created 3480 3592 RMS1.exe Explorer.EXE PID 3592 created 3480 3592 RMS1.exe Explorer.EXE PID 3592 created 3480 3592 RMS1.exe Explorer.EXE -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
axplong.exeaxplong.exeee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
axplong.exeaxplong.exeee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exeaxplong.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation axplong.exe -
Executes dropped EXE 4 IoCs
Processes:
axplong.exeaxplong.exeRMS1.exeaxplong.exepid process 4092 axplong.exe 2340 axplong.exe 3592 RMS1.exe 1948 axplong.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exeaxplong.exeaxplong.exeee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exeaxplong.exeaxplong.exeaxplong.exepid process 1932 ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe 4092 axplong.exe 2340 axplong.exe 1948 axplong.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
RMS1.exedescription pid process target process PID 3592 set thread context of 4120 3592 RMS1.exe InstallUtil.exe -
Drops file in Windows directory 1 IoCs
Processes:
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exedescription ioc process File created C:\Windows\Tasks\axplong.job ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
axplong.exeee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exeaxplong.exeaxplong.exeRMS1.exepowershell.exeaxplong.exepid process 1932 ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe 1932 ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe 4092 axplong.exe 4092 axplong.exe 2340 axplong.exe 2340 axplong.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 3592 RMS1.exe 4668 powershell.exe 4668 powershell.exe 1948 axplong.exe 1948 axplong.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
RMS1.exepowershell.exeInstallUtil.exedescription pid process Token: SeDebugPrivilege 3592 RMS1.exe Token: SeDebugPrivilege 3592 RMS1.exe Token: SeDebugPrivilege 4668 powershell.exe Token: SeDebugPrivilege 4120 InstallUtil.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exeaxplong.exeRMS1.exedescription pid process target process PID 1932 wrote to memory of 4092 1932 ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe axplong.exe PID 1932 wrote to memory of 4092 1932 ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe axplong.exe PID 1932 wrote to memory of 4092 1932 ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe axplong.exe PID 4092 wrote to memory of 3592 4092 axplong.exe RMS1.exe PID 4092 wrote to memory of 3592 4092 axplong.exe RMS1.exe PID 3592 wrote to memory of 5104 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 5104 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 3152 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 3152 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 1712 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 1712 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 5108 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 5108 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 972 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 972 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 2116 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 2116 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4288 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4288 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4120 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4120 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4120 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4120 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4120 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4120 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4120 3592 RMS1.exe InstallUtil.exe PID 3592 wrote to memory of 4668 3592 RMS1.exe powershell.exe PID 3592 wrote to memory of 4668 3592 RMS1.exe powershell.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe"C:\Users\Admin\AppData\Local\Temp\ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe"C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\1000270001\RMS1.exe' -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:5104
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:3152
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:1712
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:5108
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:972
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:2116
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵PID:4288
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2340
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1948
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD503b1ed4c105e5f473357dad1df17cf98
SHA1faf5046ff19eafd3a59dcf85be30496f90b5b6b1
SHA2566be5916900ffda93154db8c2c5dd28b9150f4c3aef74dbd4fd86390bc72845ba
SHA5123f6f8a12d000b913dc8240542be6a64f991dc0802313782d038b971219308e7d381d4d96c25d98ee1b05bca127a9bbc69e3bd54f1722d8381f8060bb506a9765
-
Filesize
1.9MB
MD548a36baee2fba32fc07ba2f12526914c
SHA10f16d91ed72554f0bc71e3906b6532ab2ac40781
SHA256ee6bf4a67ac2157703f50a3f71ae2dfd5bd9f602ed3cb466b957beb4711ee978
SHA512a7f327d00ef54a17d06b0fce5084e10bddb7c93768c995738b80d8618f320c54472aded33769facde18fef1ec8e528fc29a8e818828cebe935b2ad8ded0f59aa
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82