Malware Analysis Report

2024-10-18 23:34

Sample ID: 240926-2nnhls1hqp
Target: 7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7
SHA256: 7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7
Tags: amadey fed3aa discovery evasion trojan persistence
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7
Threat Level: Known bad

Malicious Activity Summary

Tags: amadey fed3aa discovery evasion trojan persistence

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-09-26 22:43

Signatures

Unsigned PE (no description, indicator, process, or target recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-09-26 22:43
Reported: 2024-09-26 22:49
Platform: win10-20240404-en
Max time kernel: 296s
Max time network: 299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened (6 events) | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
Key value queried (6 events) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried (6 events) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened (6 events) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe

"C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (10 further instances, no command line recorded)

Network

Country | Destination | Domain | Proto
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
US | 8.8.8.8:53 | 16.113.215.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 211e2a18a305834618abddd71045360c
SHA1 e30300f3a4b6abc7808d18174bd2205f4f2c45be
SHA256 7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7
SHA512 212649d62a264d9a9b02a97b8750d42501dcf5463e7ed8b1a22ab79aab235da527a928843fc6adcec38b57fd284fc878df3bbc357f84e6e5c2cc619b7e3ae524

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-26 22:43
Reported: 2024-09-26 22:49
Platform: win7-20240903-en
Max time kernel: 294s
Max time network: 270s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe" | C:\Windows\system32\reg.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\axplong.job | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened (2 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | N/A
Token: SeDebugPrivilege (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2788 wrote to memory of 2560 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
PID 2560 wrote to memory of 924 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe
PID 924 wrote to memory of 1972 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 2324 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 924 wrote to memory of 2296 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 924 wrote to memory of 2280 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1972 wrote to memory of 2268 (3 events) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 924 wrote to memory of 1012 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 924 wrote to memory of 2436 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 924 wrote to memory of 944 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 924 wrote to memory of 2612 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe | C:\Users\Admin\AppData\Local\Temp\neon.exe
PID 2612 wrote to memory of 2424 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\neon.exe | C:\Users\Admin\AppData\Local\Temp\neon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe

"C:\Users\Admin\AppData\Local\Temp\7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7.exe"

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

"C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"

C:\Windows\system32\cmd.exe

"cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 6

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe (5 instances)

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"

C:\Users\Admin\AppData\Local\Temp\neon.exe (2 instances)

"C:\Users\Admin\AppData\Local\Temp\neon.exe"

Network

Country | Destination | Domain | Proto
RU | 185.215.113.16:80 | 185.215.113.16 | tcp
RU | 185.215.113.16:80 | 185.215.113.16 | tcp

Files

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

MD5 211e2a18a305834618abddd71045360c
SHA1 e30300f3a4b6abc7808d18174bd2205f4f2c45be
SHA256 7efca2633006752b9b024297c43a41310985b59f258dd4b16a7e3084803ce2f7
SHA512 212649d62a264d9a9b02a97b8750d42501dcf5463e7ed8b1a22ab79aab235da527a928843fc6adcec38b57fd284fc878df3bbc357f84e6e5c2cc619b7e3ae524

C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

MD5 b3fd0e1003b1cd38402b6d32829f6135
SHA1 c9cedd6322fb83457f56b64b4624b07e2786f702
SHA256 e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31
SHA512 04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1

C:\Users\Admin\AppData\Local\Temp\neon.exe

MD5 0e362e7005823d0bec3719b902ed6d62
SHA1 590d860b909804349e0cdc2f1662b37bd62f7463
SHA256 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

C:\Users\Admin\AppData\Local\Temp\neon.txt

MD5 7fbbc13b58424f6d745a0c8d40f50056
SHA1 22c2c7d4405404af3425fd0175d8533c2902e0a1
SHA256 c6e29dec194eac652a9b60537e4bd2a4aecb7185139f5ba5a14e4e75014d64e1
SHA512 ded0aa6a07ea41a7faf62f549717160bb6df0bc285052a498e5b853943ce547a803b96cd2d838109a1e82fb51f657e617bc29273db1abd813390214c8fd21c5c

C:\Users\Admin\AppData\Local\Temp\neon.txt

MD5 7a9fe2d53be44957d01223fe88ae27ea
SHA1 eacfe44289f65ed4f80d4022e6edcb7569574314
SHA256 ea9a8df4163594f4e495711fe5012e1dd9ba1d624bd72e3ade3951739e8ad5dc
SHA512 af4f4c7e96c5fb9f03cc30c412a531a36794520008d8768baaeb7699b831f63f2a01f6e4bf8a9fdac41a9d20c2c03d0888eff326c586a5a9c99171a9fc972e9f

C:\Users\Admin\AppData\Local\Temp\neon.txt

MD5 69d7dea11f9a3b194ecb1ac4851abaa8
SHA1 db8699ba3303f441087450770ecf0e5895c7784d
SHA256 7b3f2e59d879d6a96f5a4b4e244dce0a3484652c44e573e6464b867857f09064
SHA512 90789d83277c1414b6b1765a290a5ecdbc88ff77581fa67c2cad418ba004a5c7a042a32b0097e5e0801d6862a4262eedc9716fc8dec53745cdb73522d1628883