Analysis
-
max time kernel
291s -
max time network
295s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
12-09-2024 22:47
Static task
static1
Behavioral task
behavioral1
Sample
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
Resource
win7-20240903-en
General
-
Target
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
-
Size
1.8MB
-
MD5
f005e9e79e6612060e1bc6eae1464d67
-
SHA1
7228dc896a4d86e6b44942eff7e6c082d8d0d195
-
SHA256
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
-
SHA512
609cbe54d3d760cad30fb0710d5d77f8368a385b489ba481bda5ab7458d54546877ce238951f0c3cdbb76a2e0ab926d014d52709f98113c9dd3fb25adffa59ea
-
SSDEEP
49152:lYJLqFonJmv5RtbfryR4zK4AteN9tGJ/xSL8:2kF9Xjzj8MoEL8
Malware Config
Extracted
-
Family
amadey
-
Version
4.41
-
Botnet
fed3aa
-
C2
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
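The extracted config predicts exactly which host and network artifacts the sample will leave behind (install path, scheduled-task job, full C2 URL). The Python below is an added example, not part of the report or the sandbox's own code: it parses the config block in the flat "label / value" layout used on this page, derives those indicators, and checks a constructed list of observed paths and URLs against them. Two assumptions are labeled in the code: that the unlabeled "fed3aa" value is the botnet ID, and that Amadey's install directory sits under the launching user's %TEMP% (the sandbox user here is Admin).

```python
"""Parse the "Malware Config" block above and derive hunting indicators.

Added example, not part of the sandbox report.
Assumptions: "fed3aa" is the botnet ID; the install directory lives under
the launching user's %TEMP% (user "Admin" in this sandbox run).
"""

# Constructed copy of the config block, in the page's flat label/value layout.
CONFIG_TEXT = """\
Extracted
-
Family
amadey
-
Version
4.41
-
Botnet
fed3aa
-
C2
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
"""

MULTI_VALUED = {"url_paths"}                       # always returned as a list
TEMP_ROOT = r"C:\Users\Admin\AppData\Local\Temp"   # assumption: per-user %TEMP%


def parse_config(text):
    """Groups of 'label' then one or more 'value' lines, separated by '-'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "Extracted":
        raise ValueError("not an extracted-config block")
    cfg, group = {}, []
    for ln in lines[1:] + ["-"]:          # trailing '-' flushes the last group
        if ln != "-":
            group.append(ln)
            continue
        if group:
            key, *values = group
            if not values:
                raise ValueError(f"config field {key!r} has no value")
            key = key.lower()
            cfg[key] = values if key in MULTI_VALUED else values[0]
            group = []
    return cfg


def derive_indicators(cfg, temp_root=TEMP_ROOT):
    """On-disk and network artifacts this config predicts."""
    stem = cfg["install_file"].rsplit(".", 1)[0]
    base = cfg["c2"].rstrip("/")
    return {
        "install_path": "\\".join([temp_root, cfg["install_dir"], cfg["install_file"]]),
        # The report shows a legacy scheduled task named after the install
        # file, dropped as C:\Windows\Tasks\<stem>.job.
        "task_job": "\\".join([r"C:\Windows\Tasks", stem + ".job"]),
        "c2_urls": [base + "/" + p.lstrip("/") for p in cfg["url_paths"]],
    }


def match_observed(observed, indicators):
    """(kind, item) for each observed path/URL equal to a derived indicator.
    Paths compare case-insensitively (NTFS); a trailing '/' on URLs is ignored."""
    want = {
        "install_path": {indicators["install_path"].lower()},
        "task_job": {indicators["task_job"].lower()},
        "c2_url": {u.lower() for u in indicators["c2_urls"]},
    }
    hits = []
    for item in observed:
        norm = item.strip().rstrip("/").lower()
        for kind, values in want.items():
            if norm in values:
                hits.append((kind, item))
    return hits


# Constructed from the process tree and file events on this page.
OBSERVED = [
    r"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe",
    r"C:\Windows\Tasks\axplong.job",
    r"C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe",
    "http://185.215.113.16/Jo89Ku7d/index.php",
]

if __name__ == "__main__":
    ind = derive_indicators(parse_config(CONFIG_TEXT))
    for kind, item in match_observed(OBSERVED, ind):
        print(f"{kind:13} {item}")
```

The Bubly2.exe path is deliberately left unmatched: it is the downloaded second stage, not something the config predicts, so a hunt built only from config-derived indicators would miss it and needs the behavioural signatures below as well.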
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: axplong.exe, d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe, axplong.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
-
Drops startup file 1 IoCs
Processes: InstallUtil.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrMCbRETFstGl3VgkaSDCwkj.bat | InstallUtil.exe
-
Executes dropped EXE 2 IoCs
Processes: axplong.exe, Bubly2.exe
pid | process
2324 | axplong.exe
2068 | Bubly2.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe, axplong.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | axplong.exe
-
Loads dropped DLL 3 IoCs
Processes: d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe, axplong.exe
pid | process
2352 | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
2324 | axplong.exe
2324 | axplong.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe, axplong.exe
pid | process
2352 | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
2324 | axplong.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Bubly2.exe
description | pid | process | target process
PID 2068 set thread context of 1744 | 2068 | Bubly2.exe | InstallUtil.exe
-
Drops file in Windows directory 1 IoCs
Processes: d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
description | ioc | process
File created | C:\Windows\Tasks\axplong.job | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the victim system's language in order to infer the geographical location of that host.
Processes: axplong.exe, Bubly2.exe, InstallUtil.exe, d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bubly2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe, axplong.exe, Bubly2.exe
pid | process
2352 | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
2324 | axplong.exe
2068 | Bubly2.exe
2068 | Bubly2.exe
2068 | Bubly2.exe
2068 | Bubly2.exe
2068 | Bubly2.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Bubly2.exe, InstallUtil.exe
description | pid | process
Token: SeDebugPrivilege | 2068 | Bubly2.exe
Token: SeDebugPrivilege | 1744 | InstallUtil.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
pid | process
2352 | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes: d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe, axplong.exe, Bubly2.exe
description | pid | process | target process | count
PID 2352 wrote to memory of 2324 | 2352 | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | axplong.exe | 4
PID 2324 wrote to memory of 2068 | 2324 | axplong.exe | Bubly2.exe | 4
PID 2068 wrote to memory of 3060 | 2068 | Bubly2.exe | InstallUtil.exe | 12
PID 2068 wrote to memory of 1744 | 2068 | Bubly2.exe | InstallUtil.exe | 12
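The signature tables above are three kinds of event: registry lookups used to fingerprint VMs and sandboxes (the VBOX__ ACPI table, the BIOS version strings, the Wine hive) or to discover the system language, file drops into persistence locations (C:\Windows\Tasks, the per-user Startup folder), and cross-process memory writes paired with SetThreadContext. The Python below is an added example, not part of the report or of the sandbox's own detection logic: it classifies event lines in the report's own format and correlates writes with thread-context changes per (source PID, target PID) pair. EVENTS is a constructed list copied from the IoC rows above; the registry suffix tables and persistence paths are assumptions drawn from those rows.

```python
"""Classify sandbox event lines of the kind listed under "Signatures".

Added example, not part of the report. EVENTS is constructed from the IoC
rows on this page; the suffix tables below are assumptions based on them.
"""
import re
from collections import defaultdict

EVENTS = [  # constructed from the IoC tables on this page
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine axplong.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bubly2.exe",
    r"File created C:\Windows\Tasks\axplong.job d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrMCbRETFstGl3VgkaSDCwkj.bat InstallUtil.exe",
    "PID 2352 wrote to memory of 2324 2352 d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe axplong.exe",
    "PID 2068 wrote to memory of 3060 2068 Bubly2.exe InstallUtil.exe",
    "PID 2068 wrote to memory of 3060 2068 Bubly2.exe InstallUtil.exe",
    "PID 2068 set thread context of 1744 2068 Bubly2.exe InstallUtil.exe",
    "PID 2068 wrote to memory of 1744 2068 Bubly2.exe InstallUtil.exe",
]

REG_RE = re.compile(r"^Key (?:opened|value queried) (\S+) (\S+)$")
FILE_RE = re.compile(r"^File created (.+) (\S+)$")  # greedy path, then process
INJ_RE = re.compile(
    r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")

# Registry locations the report lists as VM/sandbox fingerprinting, matched as
# case-insensitive suffixes so the per-user SID prefix of HKU keys is ignored.
ANTI_ANALYSIS = {
    r"\hardware\acpi\dsdt\vbox__": "VirtualBox ACPI table",
    r"\hardware\description\system\systembiosversion": "BIOS version string",
    r"\hardware\description\system\videobiosversion": "video BIOS version string",
    r"\software\wine": "Wine registry hive",
}
DISCOVERY = {r"\control\nls\language": "system language"}
# Persistence locations seen in the report (assumed as the general pattern).
PERSISTENCE = ("\\windows\\tasks\\", "\\start menu\\programs\\startup\\")


def classify_events(events):
    """Bucket registry and file events into anti_analysis / discovery / persistence."""
    out = {"anti_analysis": [], "discovery": [], "persistence": []}
    for ev in events:
        m = REG_RE.match(ev)
        if m:
            key, proc = m.group(1).lower(), m.group(2)
            for table, bucket in ((ANTI_ANALYSIS, "anti_analysis"), (DISCOVERY, "discovery")):
                for suffix, label in table.items():
                    if key.endswith(suffix):
                        out[bucket].append((proc, label))
            continue
        m = FILE_RE.match(ev)
        if m:
            path, proc = m.group(1), m.group(2)
            if any(loc in path.lower() for loc in PERSISTENCE):
                out["persistence"].append((proc, path))
    return out


def correlate_injection(events):
    """Per (source pid, target pid): count writes and note whether the source
    also set the target's thread context. Writes followed by SetThreadContext
    on the same target is the write-then-redirect sequence of process hollowing."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False, "src": "", "dst": ""})
    for ev in events:
        m = INJ_RE.match(ev)
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        rec = pairs[(int(src), int(dst))]
        rec["src"], rec["dst"] = src_img, dst_img
        if action.startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        if rec["set_context"] and rec["writes"]:
            verdict = "hollowing-like"
        elif rec["set_context"]:
            verdict = "context-only"
        else:
            verdict = "write-only"
        findings.append((src, dst, rec["src"], rec["dst"], rec["writes"], verdict))
    return findings


if __name__ == "__main__":
    for bucket, rows in classify_events(EVENTS).items():
        print(bucket, rows)
    for row in correlate_injection(EVENTS):
        print(row)
```

Run over the report's rows, the pair (2068, 3060) comes out write-only: the page records twelve writes into that InstallUtil.exe instance but no SetThreadContext, while (2068, 1744) has both and is the instance that went on to drop the Startup-folder .bat file. The NLS\Language lookup lands in the discovery bucket rather than anti-analysis, which keeps a very common benign read from inflating the anti-VM score.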
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe" (level 1)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2352
-
  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe" (level 2, under PID 2352)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2324
  -
    C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe" (level 3, under PID 2324)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2068
    -
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" (level 4, under PID 2068)
      PID:3060 (no signatures attached to this instance)
      -
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" (level 4, under PID 2068)
      - Drops startup file
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:1744
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
19.2MB
MD5
f1c717609dd44f9e2c979fd9a0f4315c
SHA1
efcca65af18339bc8954c12a486f0a0828a981fa
SHA256
9b2e59478ea4738cc23cdba5d1b9111c636410661a7a4592c35144de94b8c8ad
SHA512
9dabafadb586444a0a8cc47c8d07c1b8a0f353d8e1aaf91cfe849bd15082ee417bb1688659fdea07be5d0a0bb8582ad1680b566884b7d980d1ef182ecfcfc709
-
Filesize
1.8MB
MD5
f005e9e79e6612060e1bc6eae1464d67
SHA1
7228dc896a4d86e6b44942eff7e6c082d8d0d195
SHA256
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
SHA512
609cbe54d3d760cad30fb0710d5d77f8368a385b489ba481bda5ab7458d54546877ce238951f0c3cdbb76a2e0ab926d014d52709f98113c9dd3fb25adffa59ea