Analysis
-
max time kernel
292s -
max time network
265s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
26-09-2024 22:34
Static task
static1
Behavioral task
behavioral1
Sample
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe
Resource
win7-20240708-en
General
-
Target
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe
-
Size
1.8MB
-
MD5
92263218d1c0ee48c6f0428210be8217
-
SHA1
0c99feb9fd793efa1e1226ed525acf32d95b7b6e
-
SHA256
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2
-
SHA512
92c062dcd50d7287a440fdb076a06f7d3131288cafe30ca1000816ee81c03557fcbcdc842eae8d9963cdc80d100247f06ec61ddf849a16663bc0931c146eb461
-
SSDEEP
49152:gQe0zB4HBg283QL2hru53srGM3hTyfOpg1xdSn:q0V+gMz3srhxwVxdS
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Executes dropped EXE 4 IoCs
Processes:
axplong.exeneon.exeneon.exeneon.exepid process 2060 axplong.exe 1376 neon.exe 2548 neon.exe 648 neon.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exe36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe -
Loads dropped DLL 4 IoCs
Processes:
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exeaxplong.exeneon.exepid process 808 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe 2060 axplong.exe 2060 axplong.exe 2548 neon.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe" reg.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exeaxplong.exepid process 808 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe 2060 axplong.exe -
Drops file in Windows directory 1 IoCs
Processes:
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exedescription ioc process File created C:\Windows\Tasks\axplong.job 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
axplong.exeneon.exeneon.exe36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language neon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language neon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
PING.EXEcmd.exepid process 544 PING.EXE 2004 cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exeaxplong.exeneon.exeneon.exeneon.exepid process 808 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe 2060 axplong.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 1376 neon.exe 2548 neon.exe 648 neon.exe 648 neon.exe 648 neon.exe 1376 neon.exe 1376 neon.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
neon.exeneon.exeneon.exedescription pid process Token: SeDebugPrivilege 1376 neon.exe Token: SeDebugPrivilege 2548 neon.exe Token: SeDebugPrivilege 648 neon.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exepid process 808 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exeaxplong.exeneon.execmd.exeneon.exedescription pid process target process PID 808 wrote to memory of 2060 808 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe axplong.exe PID 808 wrote to memory of 2060 808 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe axplong.exe PID 808 wrote to memory of 2060 808 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe axplong.exe PID 808 wrote to memory of 2060 808 36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe axplong.exe PID 2060 wrote to memory of 1376 2060 axplong.exe neon.exe PID 2060 wrote to memory of 1376 2060 axplong.exe neon.exe PID 2060 wrote to memory of 1376 2060 axplong.exe neon.exe PID 2060 wrote to memory of 1376 2060 axplong.exe neon.exe PID 1376 wrote to memory of 2004 1376 neon.exe cmd.exe PID 1376 wrote to memory of 2004 1376 neon.exe cmd.exe PID 1376 wrote to memory of 2004 1376 neon.exe cmd.exe PID 2004 wrote to memory of 544 2004 cmd.exe PING.EXE PID 2004 wrote to memory of 544 2004 cmd.exe PING.EXE PID 2004 wrote to memory of 544 2004 cmd.exe PING.EXE PID 1376 wrote to memory of 2288 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2288 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2288 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2288 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2288 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2288 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2288 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2288 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 816 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 816 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 816 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 816 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 816 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 816 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 816 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 816 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2268 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2268 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2268 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2268 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2268 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2268 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2268 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2268 1376 neon.exe InstallUtil.exe PID 2004 wrote to memory of 1096 2004 cmd.exe reg.exe PID 2004 wrote to memory of 1096 2004 cmd.exe reg.exe PID 2004 wrote to memory of 1096 2004 cmd.exe reg.exe PID 1376 wrote to memory of 2088 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2088 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2088 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2088 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2088 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2088 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2088 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2088 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2192 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2192 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2192 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2192 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2192 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2192 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2192 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2192 1376 neon.exe InstallUtil.exe PID 1376 wrote to memory of 2548 1376 neon.exe neon.exe PID 1376 wrote to memory of 2548 1376 neon.exe neon.exe PID 1376 wrote to memory of 2548 1376 neon.exe neon.exe PID 1376 wrote to memory of 2548 1376 neon.exe neon.exe PID 2548 wrote to memory of 648 2548 neon.exe neon.exe PID 2548 wrote to memory of 648 2548 neon.exe neon.exe PID 2548 wrote to memory of 648 2548 neon.exe neon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe"C:\Users\Admin\AppData\Local\Temp\36c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\system32\cmd.exe"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 75⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:544 -
C:\Windows\system32\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"5⤵
- Adds Run key to start application
PID:1096 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵PID:2288
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵PID:816
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵PID:2268
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵PID:2088
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"4⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\neon.exe"C:\Users\Admin\AppData\Local\Temp\neon.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\neon.exe"C:\Users\Admin\AppData\Local\Temp\neon.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.5MB
MD5b3fd0e1003b1cd38402b6d32829f6135
SHA1c9cedd6322fb83457f56b64b4624b07e2786f702
SHA256e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31
SHA51204692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1
-
Filesize
1.8MB
MD592263218d1c0ee48c6f0428210be8217
SHA10c99feb9fd793efa1e1226ed525acf32d95b7b6e
SHA25636c21ef0049ef387de90ec5d1ed8ddbb1bcbbc0cd3c17c3212cdaf528e1c28e2
SHA51292c062dcd50d7287a440fdb076a06f7d3131288cafe30ca1000816ee81c03557fcbcdc842eae8d9963cdc80d100247f06ec61ddf849a16663bc0931c146eb461
-
Filesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
Filesize
64B
MD575d05ecc31198dd640cdb9b71323ae20
SHA160bf013e8f1cdd4cfefe5284a1360cc335df7aee
SHA256bdbecf10192e8a18d1ff75953375f9101873edc7486e76124cb80c1431b67634
SHA512f5d7a9058150bcc1d37490324efbafb77ed5dd11f1a8f7b6657b18cbb8a8e1b8d7910d74047a235e56365c99ae4df00367c4824a48375720a87e778c5e0e997a
-
Filesize
66B
MD569ef9ef37100d1fd7bcd5209f02dde42
SHA1d97ab1f0a1fc7c07749533e386c4418232f2430f
SHA256da0412c7bf536b25239495214feb16d03de6a7f1953cd5a3272f345dde9117ef
SHA5124c8ecb7cd8eb3ca0f47eba816857bd5c8bf5c6bc5ea53f6db132b85d43a9e14879002caa11663a2e4a25a47e49c4fe7f518ce9578652f27bb53158968b4b9d87