Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
12-09-2024 07:46
General
-
Target
f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe
-
Size
1.8MB
-
MD5
3e01ec450e996ba874a75ff6322e458c
-
SHA1
1d961f083889d8d2779b44913d42834933f0583d
-
SHA256
f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72
-
SHA512
a1ae2d350cfdc0173b5647955ef7497f0f2d487e7a84cb8dd259930938fcdb53c6b05decf01e076c48c9eab42f3de8555ed3211f7a66f0970b842d7e50649156
-
SSDEEP
49152:oUq0vo2AbkuYzegomlAX9JId8FKc+7o8U9H0R:oUqkoHkuYSgomuIKFRR8U9U
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
redline
LiveTraffic
95.179.250.45:26212
Extracted
redline
@CLOUDYTTEAM
65.21.18.51:45580
Extracted
stealc
default2
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
stealc
default
http://91.202.233.158
-
url_path
/e96ea2db21fa9a1b.php
Extracted
redline
bundle
185.215.113.67:15206
Extracted
cryptbot
analforeverlovyu.top
fivevd5sr.top
sevtv17pn.top
-
url_path
/v1/upload.php
Extracted
amadey
4.41
1176f2
http://185.215.113.19
-
install_dir
417fd29867
-
install_file
ednfoki.exe
-
strings_key
183201dc3defc4394182b4bff63c4065
-
url_paths
/CoreOPT/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Detects ZharkBot payload 1 IoCs
ZharkBot is a botnet written C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
ZharkBot
ZharkBot is a botnet written C++.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 41 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 8 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 27 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe"C:\Users\Admin\AppData\Local\Temp\f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\crypteda.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\vVRF3QNBae.exe"C:\Users\Admin\AppData\Roaming\vVRF3QNBae.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\omORvZzPVW.exe"C:\Users\Admin\AppData\Roaming\omORvZzPVW.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\Nework.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1000035001\JLumma.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\JLumma.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000037001\JUmer.exe"C:\Users\Admin\AppData\Local\Temp\1000037001\JUmer.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\Sеtup.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"C:\Users\Admin\AppData\Local\Temp\1000191001\needmoney.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exeC:\Users\Admin\AppData\Local\Temp\svchost015.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"C:\Users\Admin\AppData\Local\Temp\1000254001\penis.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"C:\Users\Admin\AppData\Local\Temp\1000259001\bundle.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe"C:\Users\Admin\AppData\Local\Temp\1000269001\acentric.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵
-
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"C:\Users\Admin\AppData\Local\Temp\1000169001\contorax.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"C:\Users\Admin\AppData\Local\Temp\1000172001\3546345.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe"C:\Users\Admin\AppData\Local\Temp\1000220001\crypteda.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\rEA2qvRRsI.exe"C:\Users\Admin\AppData\Roaming\rEA2qvRRsI.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\hu01pHYE3x.exe"C:\Users\Admin\AppData\Roaming\hu01pHYE3x.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe"C:\Users\Admin\AppData\Local\Temp\1000221001\exbuild.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1000223001\ba0113578b.exe"C:\Users\Admin\AppData\Local\Temp\1000223001\ba0113578b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe"C:\Users\Admin\AppData\Local\Temp\1000256001\BowExpert.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist8⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6841268⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "VegetablesIndividualBindingGba" Ever8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\684126\Intake.pifIntake.pif C8⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\684126\RegAsm.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 58⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 5087⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe"C:\Users\Admin\AppData\Local\Temp\1000305001\acentric.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\Explorer.exe"C:\Windows\SysWOW64\Explorer.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe"C:\Users\Admin\AppData\Local\Temp\1000306001\vlst.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe"C:\Users\Admin\AppData\Local\Temp\1000308001\freedom.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
-
C:\Users\Admin\AppData\Local\Temp\1000322001\appgate15.exe"C:\Users\Admin\AppData\Local\Temp\1000322001\appgate15.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\Admin\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1128 -ip 11281⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
42B
MD584cfdb4b995b1dbf543b26b86c863adc
SHA1d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
-
Filesize
312KB
MD5389881b424cf4d7ec66de13f01c7232a
SHA1d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78
SHA2569d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746
SHA5122b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96
-
Filesize
1.1MB
MD58e74497aff3b9d2ddb7e7f819dfc69ba
SHA11d18154c206083ead2d30995ce2847cbeb6cdbc1
SHA256d8e81d9e336ef37a37cae212e72b6f4ef915db4b0f2a8df73eb584bd25f21e66
SHA5129aacc5c130290a72f1087daa9e79984565ccab6dbcad5114bfed0919812b9ba5f8dee9c37d230eeca4df3cca47ba0b355fbf49353e53f10f0ebc266e93f49f97
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
23.1MB
MD58094be340c539b9ac0d2af7ea4c3120c
SHA18d7e93d2ea05a156eefde875bcfaaceaae09b0e6
SHA25671b814a0a6c6d9cd59504a14918e29f59d2b77d981dca01d22a97f098c89c782
SHA512395029ace96b8c0c2d926ac5c2295b625ba93e91d27fd92b6605660c3c555c618df79db01c61ff28e29c05532554b6aac9361e103134cea794e9443439cd460d
-
Filesize
6.4MB
MD5dc46c12181890e3705f40d55b09f8d1d
SHA1b03e12c75fd92ee2ce5ca911b2af07e8db2616ae
SHA256c85bffc34feb81361875f120fc673b9758c44dc333b25544ae9f7984b8cdf46b
SHA512a4a26c9efdf21ca7ffd204bbe02af0f6940399ce8c9d6e650f5c793a2be3c75ff55bbbb3d5eac9563c0fd56490ececdd0774b863265eb248e478da9be99b0647
-
Filesize
187KB
MD57a02aa17200aeac25a375f290a4b4c95
SHA17cc94ca64268a9a9451fb6b682be42374afc22fd
SHA256836799fd760eba25e15a55c75c50b977945c557065a708317e00f2c8f965339e
SHA512f6ebfe7e087aa354722cea3fddd99b1883a862fb92bb5a5a86782ea846a1bff022ab7db4397930bcabaa05cb3d817de3a89331d41a565bc1da737f2c5e3720b6
-
Filesize
6.4MB
MD558002255ca7651f46ffd07793008bad2
SHA1bb9248a25b0ba2e969d9ad45715afd959a53915f
SHA2566c77c2a923fae249f3f2c0d4c2f5153896a09076ffd9699b3a067b7f7d1da0fe
SHA512875ef86bfbf239ac47d3167ff83a9519b0dd1103eb12c1e08d879acd7ba89afdb3df9ec60d9b0060921664e530c870e48da24b8e2b27bce16dc2a13b0e87726b
-
Filesize
102KB
MD5771b8e84ba4f0215298d9dadfe5a10bf
SHA10f5e4c440cd2e7b7d97723424ba9c56339036151
SHA2563f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0
SHA5122814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164
-
Filesize
2.7MB
MD5fd2defc436fc7960d6501a01c91d893e
SHA15faa092857c3c892eab49e7c0e5ac12d50bce506
SHA256ba13da01c41fa50ec5e340061973bc912b1f41cd1f96a7cae5d40afc00ff7945
SHA5129a3e1f2dc5104d8636dc27af4c0f46bdb153fcfada98831b5af95eeb09bb7ef3c7e19927d8f06884a6837e10889380645b6138644f0c08b9cb2e59453041ec42
-
Filesize
3.6MB
MD57e6a519688246fe1180f35fe0d25d370
SHA18e8719ac897dfef7305311dc216f570af40709af
SHA25632a927e9b33371b82bae9f02b5ebf07c19ae5a3a7e3c0cd3fcbee7cfff7f257a
SHA512a751e911eb254749a3c8c98740f455a5be32ce1af94dc90eba8fc677d6d7379303f80247748dfcfe9c8570edb3488a5af97fa7ff29c815bec6824dd491e27972
-
Filesize
17B
MD5c965aa525ae4cfbc3b45c6b7e9271a59
SHA13a84d4c1c9277173b530263107af4caf1f61213f
SHA25650ea6c698e72e13b8132b66bbca9479b7f4815ebb2f8adb3ca1cfec79523107e
SHA512bfddf9f5cb766b20f564b6a94048d1779431794b02cbd0993f4f3554b46b1a4e17bd3def58200da665fd991d1480b22992181ef543413d8013a19889484c3f1c
-
Filesize
494KB
MD56760374f17416485fa941b354d3dd800
SHA1d88389ec19ac3e87bc743ba3f8b7c518601fdbf9
SHA2569dc31fbd03da881700908423eb50c6b0c42c87fec28e817449d3dd931802c9f5
SHA5126e4d2f17cb93fe831198c2eaa35bf030d6a06d620645d3e1452c6bd6e77e42baa9dc323fd60a2c5ae1d89124adde69972c489739d4bd73ba01b95b829a777eab
-
Filesize
1.3MB
MD5db2a12edc73769f2f2b6b01545afe2c3
SHA173dc44fb0753296f51b851299f468031ceb77b54
SHA256e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42
SHA512dadf36bc9c5d88c28b9064892cc263c912ce668435b71802df756c0a4e680f8407011d36498a2511dda7165aea866c0ae794f9ec8fbcc42c7da1661399316ce4
-
Filesize
304KB
MD530daa686c1f31cc4833bd3d7283d8cdc
SHA170f74571fafe1b359cfe9ce739c3752e35d16cf5
SHA256504518e3b4f3abc7f1ae1bf205fdc4a9f739e05b5e84618bae9c7e66bdc19822
SHA5129f6c0eea9f03f9aa35ebf27ce8264e41d9072d273d1b8a35415ae4666d31013d895d1108dd67e36910200e2ac4fc45a4a9d761a1aadf02b0fd29ef93cd20a4d9
-
Filesize
319KB
MD50ec1f7cc17b6402cd2df150e0e5e92ca
SHA18405b9bf28accb6f1907fbe28d2536da4fba9fc9
SHA2564c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4
SHA5127caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861
-
Filesize
454KB
MD537d198ad751d31a71acc9cb28ed0c64e
SHA18eb519b7a6df66d84c566605da9a0946717a921d
SHA2561ed4a8b4c74aab435ea5cd459d5ac961e5a8ca28924801bd84d336135f30efde
SHA51260923c0a8ce5fd397d49749ccee68ca3fe294d7323551ce9755410ac16bfff56a35bee3e6b9a67d57cdfcb43e4f164712f33cd255b76689174dcf4c475976c96
-
Filesize
538KB
MD51b2583d84dca4708d7a0309cf1087a89
SHA1cae0d1e16db95b9269b96c06caa66fa3dab99f48
SHA256e0d9f3b8d36e9b4a44bc093b47ba3ba80cabd7e08b3f1a64dec7e3a2c5421bac
SHA512a51b8ed6a6cf403b4b19fc7e9f22d5f60265b16cdf24a7033bc0ee0da8c31861caa212dc5fb3bf17e28842fc28a263564076ad4e9905afd483763859bafd4493
-
Filesize
3.5MB
MD5d6b80519cb7c625d200d2899c345c8c6
SHA15bdc488ee5c3139260fad6957fedfd9167427011
SHA2569b31ce85872a2d41ea6e3181066790e56d4fb29d593ba9a156e12133490799ca
SHA51212376e5d59cb61bc4de1678e08dd8a452d837eb2dd1102cfca718f12614d858b97c72fbedf2f5f978a26152251a58b07347cbb42fd8ade4b533f5192bcc74e6b
-
Filesize
4.3MB
MD5d27f0f74b4381fb585068b4afdb81afc
SHA159d8efea4a87a203f6941efef0700edd95e2e38c
SHA256aa66c3988f3631925873757ae73ac5630508a43e2eebe6c0502a4d3194de8e41
SHA5125070e522c922636b36cced63719558b52249faec5289e68174d03295c4630f200c3db7757c7f96b84200944cd13ee396d0ae733d33aaba9c861c05610938425c
-
Filesize
82KB
MD57b8f922a8196097ec4279f813fd14be6
SHA12091fca65df48de6555affaa29819174e08ffd41
SHA2560d1682cdf9f10f63e175028ceb27e4f8fd63b09204fef8122d0e41a2ce03fc4f
SHA5126209d0b806fe662da98c255ddb3a386b838e0745e80af1dbdb83825b7ce0e6b9ce28a0f4a3b7358fdd4e32e1d3ccb34b21e5157c7c14b161898778fc5180e63c
-
Filesize
1.8MB
MD53e01ec450e996ba874a75ff6322e458c
SHA11d961f083889d8d2779b44913d42834933f0583d
SHA256f942af4f1b60a5e2a50b93cbcc0de895af2290be50bce1e1dd43bc2be0203c72
SHA512a1ae2d350cfdc0173b5647955ef7497f0f2d487e7a84cb8dd259930938fcdb53c6b05decf01e076c48c9eab42f3de8555ed3211f7a66f0970b842d7e50649156
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
2.9MB
MD5b826dd92d78ea2526e465a34324ebeea
SHA1bf8a0093acfd2eb93c102e1a5745fb080575372e
SHA2567824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
SHA5121ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17
-
Filesize
2KB
MD5b8253084f95e1e8da8ba154d52b70eff
SHA14eaf673107e8fe34bb22834a018ad29606d7d1b9
SHA25603fea62e9cf54f3ca386c17b25548a74bcf9664d492d5fc962b2d4c8d34da274
SHA5129b6688748640afc22223664c0385673855c818cf2c98b3d0f26b6c241bd1751f4ecda5d0ec7c10a150e8e5e0b03d3930693eeb1903f6acd7df8dd4473d598318
-
Filesize
304KB
MD530f46f4476cdc27691c7fdad1c255037
SHA1b53415af5d01f8500881c06867a49a5825172e36
SHA2563a8f5f6951dad3ba415b23b35422d3c93f865146da3ccf7849b75806e0b67ce0
SHA512271aadb524e94ed1019656868a133c9e490cc6f8e4608c8a41c29eff7c12de972895a01f171e8f625d07994ff3b723bb308d362266f96cb20dff82689454c78f
-
Filesize
544KB
MD588367533c12315805c059e688e7cdfe9
SHA164a107adcbac381c10bd9c5271c2087b7aa369ec
SHA256c6fc5c06ad442526a787989bae6ce0d32a2b15a12a41f78baca336b6560997a9
SHA5127a8c3d767d19395ce9ffef964b0347a148e517982afcf2fc5e45b4c524fd44ec20857f6be722f57ff57722b952ef7b88f6249339551949b9e89cf60260f0a714
-
Filesize
2KB
MD5f25ea0aff7f3ed07990ea3b05b5440fd
SHA166df6b04a1a5f5c3ccf3b5aaeb6d4287fda786f5
SHA2565b0fa941d94657b7a0fc0e241b34e4ad674ce6842d0fbfb4c86d342e2ff77a6a
SHA5121e3965ba2991658691736161378c7d0ddaa3e98099253dc8e1040fe958c94b890ed07afb2ddd27056c0efa01469a0c6793b20f32a37d1e9a7a7d1d7a24c7dd3c
-
Filesize
2KB
MD5b44b2b58627a4d5984035a0e6c3c841d
SHA1c8769c244274701b66670218c462d04c835a290d
SHA256ac00ebdeb848fa8e06604e331a608b1a9e78d7c4f6097ded48a06fbc8e27570d
SHA512c90bb7395c25a1b8f9f8626cc577a301dfc161d9fe212a5d8a18a88cbad455441fbd0f822cc8b97fc0a3bbc8d1cc376bcee07e25ef976a32b095c51df8811c76
-
Filesize
2KB
MD5a8ea919515ad98d65a73bf06ce725c81
SHA1c5353949e0c719c765bf2d0b1db5e72083339206
SHA256e5b1b0655fb8e3f8c7bc68a15cf6dfdaa52e7c08e25558e5c4e71b9251c334ba
SHA5125df6ac7477484ff979ef0dd8a39659d6e64055831b970427be112c662fb6e72b7936fd1ac5ec5589eb52a4cdd04f4128cf9fe3020ad2985ae50b27eae42af464
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
136KB
-
Filesize
3.1MB
-
Filesize
624KB
-
Filesize
4.4MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
408KB
-
Filesize
568KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
12.4MB
-
Filesize
480KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
328KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
584KB
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
328KB
-
Filesize
320KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.3MB
-
Filesize
972KB
-
Filesize
2.3MB
-
Filesize
328KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
560KB
-
Filesize
120KB
-
Filesize
5.2MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
472KB
-
Filesize
1.8MB
-
Filesize
560KB
-
Filesize
512KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
336KB
-
Filesize
1.1MB
-
Filesize
3.6MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB