Analysis
max time kernel: 291s
max time network: 290s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-09-2024 22:37
Static task: static1
Behavioral task: behavioral1
Sample: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
Resource: win7-20240903-en
General
Target: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
Size: 1.8MB
MD5: 89948338964b03c9053516d558cbb106
SHA1: 5d024903fcfd568fbcac0130dc2d6cdfe71f82b8
SHA256: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774
SHA512: 31f3f12577a0b6f957befcb7b0b1fecaffab5510b2b4fba2db609b5027ba576e6262c1cc37b2adb5a1aceff708e26e59d91d08c857b6c83c2c6f4796f8cc9b32
SSDEEP: 49152:Gl6DQLS7m2cexFO8tr7q6HGrXU+cLKNQcG59zVx3aX:GcDJcZb6HGcLYLGCX
Malware Config
Extracted
Family: amadey
Version: 4.41
Botnet: fed3aa
C2: http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe, axplong.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe, axplong.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)

Drops startup file 1 IoCs
Processes: InstallUtil.exe
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNwBK1FgqhZDCgf59TsYoHJO.bat (InstallUtil.exe)

Executes dropped EXE 2 IoCs
Processes: axplong.exe, Bubly2.exe
- PID 2688 axplong.exe
- PID 864 Bubly2.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe, axplong.exe
- Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine (6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe)
- Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine (axplong.exe)

Loads dropped DLL 3 IoCs
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe, axplong.exe
- PID 2168 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
- PID 2688 axplong.exe
- PID 2688 axplong.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe, axplong.exe
- PID 2168 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
- PID 2688 axplong.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: Bubly2.exe
- PID 864 (Bubly2.exe) set thread context of PID 1712 (InstallUtil.exe)

Drops file in Windows directory 1 IoCs
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
- File created C:\Windows\Tasks\axplong.job (6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: axplong.exe, Bubly2.exe, InstallUtil.exe, 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (axplong.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Bubly2.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (InstallUtil.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe)

Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe, axplong.exe, Bubly2.exe
- PID 2168 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
- PID 2688 axplong.exe
- PID 864 Bubly2.exe (5 times)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Bubly2.exe, InstallUtil.exe
- Token: SeDebugPrivilege, PID 864 (Bubly2.exe)
- Token: SeDebugPrivilege, PID 1712 (InstallUtil.exe)

Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
- PID 2168 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe

Suspicious use of WriteProcessMemory 32 IoCs
Processes: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe, axplong.exe, Bubly2.exe
- PID 2168 (6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe) wrote to memory of PID 2688 (axplong.exe) (4 times)
- PID 2688 (axplong.exe) wrote to memory of PID 864 (Bubly2.exe) (4 times)
- PID 864 (Bubly2.exe) wrote to memory of PID 1368 (InstallUtil.exe) (12 times)
- PID 864 (Bubly2.exe) wrote to memory of PID 1712 (InstallUtil.exe) (12 times)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2168

Depth 2: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2688

Depth 3: C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 864

Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
PID: 1368

Depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1712
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 19.2MB
MD5: f1c717609dd44f9e2c979fd9a0f4315c
SHA1: efcca65af18339bc8954c12a486f0a0828a981fa
SHA256: 9b2e59478ea4738cc23cdba5d1b9111c636410661a7a4592c35144de94b8c8ad
SHA512: 9dabafadb586444a0a8cc47c8d07c1b8a0f353d8e1aaf91cfe849bd15082ee417bb1688659fdea07be5d0a0bb8582ad1680b566884b7d980d1ef182ecfcfc709

Filesize: 1.8MB
MD5: 89948338964b03c9053516d558cbb106
SHA1: 5d024903fcfd568fbcac0130dc2d6cdfe71f82b8
SHA256: 6acd5411bda460e30601463b148f7b7a799595363893b4b1c4017b048315e774
SHA512: 31f3f12577a0b6f957befcb7b0b1fecaffab5510b2b4fba2db609b5027ba576e6262c1cc37b2adb5a1aceff708e26e59d91d08c857b6c83c2c6f4796f8cc9b32