Analysis Overview
SHA256
d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994
Threat Level: Known bad
The file d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994 was found to be: Known bad.
Malicious Activity Summary
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Loads dropped DLL
Identifies Wine through registry keys
Checks BIOS information in registry
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-12 22:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-12 22:47
Reported
2024-09-12 22:52
Platform
win7-20240903-en
Max time kernel
291s
Max time network
295s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SrMCbRETFstGl3VgkaSDCwkj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
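The VirtualBox ACPI, BIOS-version and Wine registry lookups above are the sample fingerprinting its environment before it does anything else. The following is an added detection example, not code from the sandbox or from the report: it replays constructed registry-access telemetry (JSON lines modelled on the entries in this report; the pid-to-image pairing for 2352 and 2324 is assumed from the memory-dump ordering) and flags a process only when it touches at least two distinct anti-analysis key families, so the NLS\Language lookup that every process in the report performs, including the hollowed InstallUtil.exe, never flags on its own. The FADT and RSDT siblings of DSDT\VBOX__ are included as an assumed extension; the report shows only DSDT.

```python
import json
import re
from collections import defaultdict

# Registry locations the report shows the sample and its axplong.exe copy
# touching, mapped to the report's own signature names. FADT/RSDT\VBOX__ are
# an assumed extension of the DSDT\VBOX__ key actually seen in the report.
ANTI_ANALYSIS_PATTERNS = [
    (re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.I),
     "Identifies VirtualBox via ACPI registry values"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|VideoBiosVersion)$", re.I),
     "Checks BIOS information in registry"),
    (re.compile(r"\\Software\\Wine$", re.I),
     "Identifies Wine through registry keys"),
]
# Opened by every process in the report, so it is context only, never a verdict.
WEAK_PATTERN = (re.compile(r"\\Control\\NLS\\Language$", re.I),
                "System Language Discovery")


def classify_key(path):
    """Return the report's signature name for a registry path, or None."""
    for pattern, name in ANTI_ANALYSIS_PATTERNS:
        if pattern.search(path):
            return name
    if WEAK_PATTERN[0].search(path):
        return WEAK_PATTERN[1]
    return None


def triage(event_lines, threshold=2):
    """Group registry events by pid and decide which processes fingerprint
    the analysis environment.

    Returns {pid: {"image": str, "signatures": [str], "verdict": str}}.
    A process is "anti-analysis" when it hits at least `threshold` distinct
    strong families; repeated queries of the same key count once.
    """
    per_pid = defaultdict(lambda: {"image": None, "signatures": set()})
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        sig = classify_key(ev["path"])
        if sig is None:
            continue
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        rec["signatures"].add(sig)

    result = {}
    for pid, rec in per_pid.items():
        strong = {s for s in rec["signatures"] if s != WEAK_PATTERN[1]}
        verdict = "anti-analysis" if len(strong) >= threshold else "context-only"
        result[pid] = {"image": rec["image"],
                       "signatures": sorted(rec["signatures"]),
                       "verdict": verdict}
    return result


# Constructed telemetry modelled on the behavioral1 run. Paths and images are
# from the report; the event format and the .NETFramework decoy are assumed.
SAMPLE_EVENTS = r"""
{"pid": 2352, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe", "op": "KeyOpened", "path": "\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__"}
{"pid": 2352, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe", "op": "ValueQueried", "path": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"}
{"pid": 2324, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe", "op": "KeyOpened", "path": "\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__"}
{"pid": 2324, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe", "op": "ValueQueried", "path": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"}
{"pid": 2324, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe", "op": "ValueQueried", "path": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion"}
{"pid": 2324, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe", "op": "KeyOpened", "path": "\\REGISTRY\\USER\\S-1-5-21-3063565911-2056067323-3330884624-1000\\Software\\Wine"}
{"pid": 2324, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe", "op": "KeyOpened", "path": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"}
{"pid": 1744, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe", "op": "KeyOpened", "path": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"}
{"pid": 2068, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000286001\\Bubly2.exe", "op": "KeyOpened", "path": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"}
{"pid": 2068, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000286001\\Bubly2.exe", "op": "KeyOpened", "path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\.NETFramework"}
"""

if __name__ == "__main__":
    for pid, rec in sorted(triage(SAMPLE_EVENTS.splitlines()).items()):
        print(pid, rec["verdict"], rec["image"], rec["signatures"])
```

The threshold matters in practice: a single SystemBiosVersion query is common in legitimate installers, so a rule that alerts on one family alone will be noisy, while the three-family combination seen on axplong.exe is characteristic of this loader.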
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2068 set thread context of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
"C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe
"C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 103.130.147.211:80 | 103.130.147.211 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.21.79.77:443 | yip.su | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
Files
memory/2352-0-0x00000000012E0000-0x000000000179E000-memory.dmp
memory/2352-1-0x0000000076FE0000-0x0000000076FE2000-memory.dmp
memory/2352-2-0x00000000012E1000-0x000000000130F000-memory.dmp
memory/2352-3-0x00000000012E0000-0x000000000179E000-memory.dmp
memory/2352-4-0x00000000012E0000-0x000000000179E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | f005e9e79e6612060e1bc6eae1464d67 |
| SHA1 | 7228dc896a4d86e6b44942eff7e6c082d8d0d195 |
| SHA256 | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994 |
| SHA512 | 609cbe54d3d760cad30fb0710d5d77f8368a385b489ba481bda5ab7458d54546877ce238951f0c3cdbb76a2e0ab926d014d52709f98113c9dd3fb25adffa59ea |
memory/2352-15-0x0000000007300000-0x00000000077BE000-memory.dmp
memory/2324-17-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2352-14-0x00000000012E0000-0x000000000179E000-memory.dmp
memory/2324-18-0x0000000001341000-0x000000000136F000-memory.dmp
memory/2324-21-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-20-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-22-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-23-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-24-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-25-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-26-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-27-0x0000000001340000-0x00000000017FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000286001\Bubly2.exe
| MD5 | f1c717609dd44f9e2c979fd9a0f4315c |
| SHA1 | efcca65af18339bc8954c12a486f0a0828a981fa |
| SHA256 | 9b2e59478ea4738cc23cdba5d1b9111c636410661a7a4592c35144de94b8c8ad |
| SHA512 | 9dabafadb586444a0a8cc47c8d07c1b8a0f353d8e1aaf91cfe849bd15082ee417bb1688659fdea07be5d0a0bb8582ad1680b566884b7d980d1ef182ecfcfc709 |
memory/2068-45-0x0000000001260000-0x000000000259A000-memory.dmp
memory/2324-46-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2068-47-0x0000000000C60000-0x0000000000CFE000-memory.dmp
memory/2324-48-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-49-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-50-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-51-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-52-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-53-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-54-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-55-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2068-56-0x0000000000440000-0x000000000045A000-memory.dmp
memory/2068-57-0x0000000000370000-0x0000000000376000-memory.dmp
memory/3060-58-0x0000000000090000-0x0000000000098000-memory.dmp
memory/3060-60-0x0000000000090000-0x0000000000098000-memory.dmp
memory/3060-62-0x0000000000090000-0x0000000000098000-memory.dmp
memory/3060-64-0x0000000000090000-0x0000000000098000-memory.dmp
memory/3060-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2324-76-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-77-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-78-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-79-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/1744-80-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1744-82-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1744-81-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2324-88-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-89-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-90-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-91-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-92-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-93-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-94-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-95-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-96-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-97-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-98-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-99-0x0000000001340000-0x00000000017FE000-memory.dmp
memory/2324-100-0x0000000001340000-0x00000000017FE000-memory.dmp
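The on-disk artefacts from this run are the loader copied to Temp\44111dbc49\axplong.exe (same SHA256 as the original sample), the downloaded Temp\1000286001\Bubly2.exe, the legacy task file Windows\Tasks\axplong.job and the random-named .bat in the user's Startup folder. The following is an added host-sweep example, not code from the sandbox or the report: it walks a directory laid out like a system drive, hashes executables in ten-hex-character staging directories under %TEMP% (the shape of both directories in this report; that this is the general pattern is an assumption), lists .job and Startup .bat files, and labels any hash that matches the report's Files section. The fixture builder writes constructed placeholder content, so the report hashes will not match it; a second call with the placeholder's own hash shows the matching path.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Files section.
REPORT_HASHES = {
    "d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994":
        "Amadey loader (original sample, also dropped as axplong.exe)",
    "9b2e59478ea4738cc23cdba5d1b9111c636410661a7a4592c35144de94b8c8ad":
        "Bubly2.exe (downloaded second stage)",
}
# Both staging directories in the report (44111dbc49, 1000286001) are ten
# lowercase hex characters directly under %TEMP%; assumed to be the shape to hunt.
STAGE_DIR = re.compile(r"^[0-9a-f]{10}$")
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
TEMP_REL = Path("AppData/Local/Temp")


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known=REPORT_HASHES):
    """Return persistence and staging artefacts under `root`, a directory laid
    out like C:\\ (Windows\\Tasks, Users\\<name>\\AppData\\...).

    Each finding is {"kind", "path", "sha256", "label"}; label is the report's
    name for a known hash, or None when only the location matched.
    """
    root = Path(root)
    findings = []

    def add(kind, path):
        digest = sha256_file(path)
        findings.append({"kind": kind, "path": str(path),
                         "sha256": digest, "label": known.get(digest)})

    # Legacy Task Scheduler job files (the sample wrote Windows\Tasks\axplong.job).
    tasks = root / "Windows" / "Tasks"
    if tasks.is_dir():
        for job in sorted(tasks.glob("*.job")):
            add("scheduled-task-job", job)

    users = root / "Users"
    if not users.is_dir():
        return findings
    for user in sorted(p for p in users.iterdir() if p.is_dir()):
        # Startup-folder scripts (InstallUtil.exe dropped a random-named .bat here).
        startup = user / STARTUP_REL
        if startup.is_dir():
            for bat in sorted(startup.glob("*.bat")):
                add("startup-script", bat)
        # Executables inside ten-hex-character staging directories under %TEMP%.
        temp = user / TEMP_REL
        if temp.is_dir():
            for sub in sorted(temp.iterdir()):
                if sub.is_dir() and STAGE_DIR.match(sub.name):
                    for exe in sorted(sub.glob("*.exe")):
                        add("temp-stage", exe)
    return findings


# Constructed placeholder: MZ header only, not a real PE and not the sample.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"constructed placeholder, not a real PE\n"


def build_fixture():
    """Create a throwaway tree with the behavioral1 artefact names plus two
    decoys the sweep must ignore; contents are constructed. Returns the root."""
    root = Path(tempfile.mkdtemp(prefix="amadey-sweep-"))
    admin = root / "Users" / "Admin"
    files = {
        root / "Windows/Tasks/axplong.job": b"constructed job placeholder",
        admin / STARTUP_REL / "SrMCbRETFstGl3VgkaSDCwkj.bat": b"@echo constructed\r\n",
        admin / TEMP_REL / "44111dbc49/axplong.exe": FAKE_PE,
        admin / TEMP_REL / "1000286001/Bubly2.exe": FAKE_PE,
        admin / TEMP_REL / "setup/installer.exe": FAKE_PE,   # decoy: not a staging dir
        root / "Windows/Tasks/SA.DAT": b"",                   # decoy: not a .job
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    for f in sweep(build_fixture()):
        print(f["kind"], f["path"], f["sha256"][:16], f["label"])
```

Run against a mounted image or a live host, pass the drive root as `root`; the location-only findings (label None) are the ones worth opening, since the loader's own hash will change between campaigns while the Temp\<hex>\axplong.exe and Windows\Tasks\axplong.job layout is what this report actually documents.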
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-12 22:47
Reported
2024-09-12 22:52
Platform
win10-20240404-en
Max time kernel
291s
Max time network
287s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5028 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| PID 5028 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
| PID 5028 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe |
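Two different things carry the same "wrote to memory" label in this report. In behavioral1, Bubly2.exe set the thread context of an InstallUtil.exe it had started with no arguments, which is the signature of process hollowing into a signed .NET host; here in behavioral2, the three writes from PID 5028 into its own child axplong.exe have no SetThreadContext and are what the sandbox sees when a parent creates a child. The following is an added correlation example, not code from the sandbox or the report: it joins constructed process-creation and API events (pids and images from both runs; the event format, the parent pids, and the WriteProcessMemory preceding the SetThreadContext on 1744 are assumed) and separates the hollowing case from an ordinary parent-to-child write.

```python
import json
from collections import defaultdict

# Cross-process APIs named in the report; SetThreadContext is the one that
# turns a memory write into hijacked execution in the target.
WRITE_APIS = {"WriteProcessMemory"}
HIJACK_APIS = {"SetThreadContext"}


def norm_path(path):
    return (path or "").strip().strip('"').lower()


def has_no_arguments(image, cmdline):
    """True when the command line is nothing but the (possibly quoted) image path."""
    if not image or cmdline is None:
        return False
    return norm_path(cmdline) == norm_path(image)


def is_windows_binary(image):
    return norm_path(image).startswith("c:\\windows\\")


def is_user_writable(image):
    return norm_path(image).startswith(("c:\\users\\", "c:\\programdata\\"))


def find_hollowing(event_lines):
    """Correlate ProcessCreate and ApiCall events into one finding per
    (source, target) pair.

    Verdicts:
      process-hollowing   SetThreadContext on a target that is a Windows binary
                          or was launched with no arguments
      thread-hijack       SetThreadContext on any other target
      parent-child-write  only WriteProcessMemory, from a parent into its own child
      cross-process-write only WriteProcessMemory, between unrelated processes
    """
    procs = {}
    apis = defaultdict(set)
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["type"] == "ProcessCreate":
            procs[ev["pid"]] = ev
        elif ev["type"] == "ApiCall":
            apis[(ev["pid"], ev["target_pid"])].add(ev["api"])

    findings = []
    for (src, dst), names in apis.items():
        source, target = procs.get(src, {}), procs.get(dst, {})
        t_img, t_cmd = target.get("image"), target.get("cmdline")
        reasons = []
        if names & HIJACK_APIS:
            reasons.append("SetThreadContext on another process")
        if names & WRITE_APIS:
            reasons.append("WriteProcessMemory into another process")
        if is_windows_binary(t_img):
            reasons.append("target is a Windows binary")
        if has_no_arguments(t_img, t_cmd):
            reasons.append("target started with no arguments")
        if is_user_writable(source.get("image")):
            reasons.append("source runs from a user-writable path")

        hijacked = bool(names & HIJACK_APIS)
        if hijacked and (is_windows_binary(t_img) or has_no_arguments(t_img, t_cmd)):
            verdict = "process-hollowing"
        elif hijacked:
            verdict = "thread-hijack"
        elif target.get("ppid") == src:
            verdict = "parent-child-write"
        else:
            verdict = "cross-process-write"
        findings.append({"source": src, "target": dst, "target_image": t_img,
                         "apis": sorted(names), "reasons": reasons, "verdict": verdict})
    return findings


# Constructed events. Images and the 2068->1744 / 5028->2500 pairs are from the
# report; ppids and the WriteProcessMemory on 1744 are assumed.
SAMPLE_EVENTS = r"""
{"type": "ProcessCreate", "pid": 2324, "ppid": 2352, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe\""}
{"type": "ProcessCreate", "pid": 2068, "ppid": 2324, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000286001\\Bubly2.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1000286001\\Bubly2.exe\""}
{"type": "ProcessCreate", "pid": 1744, "ppid": 2068, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe", "cmdline": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe\""}
{"type": "ApiCall", "pid": 2068, "target_pid": 1744, "api": "WriteProcessMemory"}
{"type": "ApiCall", "pid": 2068, "target_pid": 1744, "api": "SetThreadContext"}
{"type": "ProcessCreate", "pid": 5028, "ppid": 0, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe\""}
{"type": "ProcessCreate", "pid": 2500, "ppid": 5028, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe", "cmdline": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\44111dbc49\\axplong.exe\""}
{"type": "ApiCall", "pid": 5028, "target_pid": 2500, "api": "WriteProcessMemory"}
{"type": "ApiCall", "pid": 5028, "target_pid": 2500, "api": "WriteProcessMemory"}
{"type": "ApiCall", "pid": 5028, "target_pid": 2500, "api": "WriteProcessMemory"}
"""

if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_EVENTS.splitlines()):
        print(f["source"], "->", f["target"], f["verdict"], f["reasons"])
```

The "no arguments" test is the cheap discriminator: InstallUtil.exe does nothing useful when run with an empty command line, so a copy of it started that way by a process in Temp and then written to is almost never legitimate, whereas a parent writing into a child it just created needs the SetThreadContext (or an unmapped section) before it means anything.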
Processes
C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe
"C:\Users\Admin\AppData\Local\Temp\d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp |
| US | 52.111.227.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
Files
memory/5028-0-0x0000000001030000-0x00000000014EE000-memory.dmp
memory/5028-1-0x0000000077004000-0x0000000077005000-memory.dmp
memory/5028-2-0x0000000001031000-0x000000000105F000-memory.dmp
memory/5028-3-0x0000000001030000-0x00000000014EE000-memory.dmp
memory/5028-5-0x0000000001030000-0x00000000014EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
| MD5 | f005e9e79e6612060e1bc6eae1464d67 |
| SHA1 | 7228dc896a4d86e6b44942eff7e6c082d8d0d195 |
| SHA256 | d4102afb18acfe85569592a9d132bfe37b7081ab4d4deb6d99c3e5c739139994 |
| SHA512 | 609cbe54d3d760cad30fb0710d5d77f8368a385b489ba481bda5ab7458d54546877ce238951f0c3cdbb76a2e0ab926d014d52709f98113c9dd3fb25adffa59ea |
memory/2500-14-0x0000000000080000-0x000000000053E000-memory.dmp
memory/5028-13-0x0000000001030000-0x00000000014EE000-memory.dmp
memory/2500-16-0x0000000000081000-0x00000000000AF000-memory.dmp
memory/2500-17-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-18-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-19-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-20-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-21-0x0000000000080000-0x000000000053E000-memory.dmp
memory/4484-24-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-25-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-26-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-27-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-28-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-29-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-30-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2192-32-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2192-33-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-34-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-35-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-36-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-37-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-38-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-39-0x0000000000080000-0x000000000053E000-memory.dmp
memory/5024-41-0x0000000000080000-0x000000000053E000-memory.dmp
memory/5024-42-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-43-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-44-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-45-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-46-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-47-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-48-0x0000000000080000-0x000000000053E000-memory.dmp
memory/4180-50-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-51-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-52-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-53-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-54-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-55-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-56-0x0000000000080000-0x000000000053E000-memory.dmp
memory/4376-58-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-59-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-60-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-61-0x0000000000080000-0x000000000053E000-memory.dmp
memory/2500-62-0x0000000000080000-0x000000000053E000-memory.dmp