Analysis
-
max time kernel
144s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-10-2024 04:47
General
-
Target
b448e7b4306637a59a6da75290b06bc45544c3852b16a339c10cd60341661459.exe
-
Size
1.8MB
-
MD5
2b8f8da02a0d1183a5c1bbd227d95d3c
-
SHA1
f2411bb89078eb8ea6a4670ff8cad110041d3228
-
SHA256
b448e7b4306637a59a6da75290b06bc45544c3852b16a339c10cd60341661459
-
SHA512
2acf6321f8144930abade59476056878ddda60e5a6b39f0538584378cbd772f3c19dd4cc81876f3c5e29ec5aec92416b8b28d6f67f00219bb7554a55c0b5e2fb
-
SSDEEP
49152:/CjLroXYosGLc3YDtxtJFy3x5x3FDWlVp7Y+p00LYdM:/PIv3aPpy3BJoVtY+p01M
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
lumma
https://drawwyobstacw.sbs
https://condifendteu.sbs
https://ehticsprocw.sbs
https://vennurviot.sbs
https://resinedyw.sbs
https://enlargkiw.sbs
https://allocatinow.sbs
https://mathcucom.sbs
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Extracted
stealc
default_valenciga
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
stealc
doma
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Extracted
amadey
4.41
1176f2
http://185.215.113.19
-
install_dir
417fd29867
-
install_file
ednfoki.exe
-
strings_key
183201dc3defc4394182b4bff63c4065
-
url_paths
/CoreOPT/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 31 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b448e7b4306637a59a6da75290b06bc45544c3852b16a339c10cd60341661459.exe"C:\Users\Admin\AppData\Local\Temp\b448e7b4306637a59a6da75290b06bc45544c3852b16a339c10cd60341661459.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 12364⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\RAufD5nfuD.exe"C:\Users\Admin\AppData\Roaming\RAufD5nfuD.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\LpfZmRmaHl.exe"C:\Users\Admin\AppData\Roaming\LpfZmRmaHl.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 2724⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000354001\56acea32a4.exe"C:\Users\Admin\AppData\Local\Temp\1000354001\56acea32a4.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000355001\4c40817500.exe"C:\Users\Admin\AppData\Local\Temp\1000355001\4c40817500.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000349001\fe671ac1ed.exe"C:\Users\Admin\AppData\Local\Temp\1000349001\fe671ac1ed.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\1000350002\50f373de54.exe"C:\Users\Admin\1000350002\50f373de54.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000357001\82f7c2b3f1.exe"C:\Users\Admin\AppData\Local\Temp\1000357001\82f7c2b3f1.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000401001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000401001\num.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe"C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-AOUDV.tmp\2927.tmp"C:\Users\Admin\AppData\Local\Temp\is-AOUDV.tmp\2927.tmp" /SL5="$90236,922170,832512,C:\Users\Admin\AppData\Local\Temp\1000091001\2927.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-BNAQT.tmp\my.bat""7⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000092001\JavUmar1.exe"C:\Users\Admin\AppData\Local\Temp\1000092001\JavUmar1.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start context.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\context.execontext.exe5⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "InstallUtil.exe"8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 18⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "InstallUtil.exe"6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe"C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA0ADIANAAwADAAMQBcAGEAcABwAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAMAAwADAANAAyADQAMAAwADEAXABhAHAAcAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABzAHEAZABxAHMAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAHMAcQBkAHEAcwBkAC4AZQB4AGUA4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4132 -ip 41321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2024 -ip 20241⤵
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
328B
MD56444efa3d28f08a231004b1eb41f4308
SHA1adec356235648f8ed1d72bc209e628b7dd013c73
SHA25696b9f7cf69ac8c54578713ed1a993ec55eb6a0982cdfb78358c95cb4bea86d5c
SHA5127713db8773c3260123d891856b286f9ed7b1b50bc6fe7a16f11f0e3cedec444aca31f1930cb23d16802215511d5250d48b0c00de0b193592af1794eb2fdba75a
-
Filesize
2.5MB
MD5eab5dd4b0d7f9e18d26862b312600f93
SHA19278a96cff76785646971f8252d70ab14328ee24
SHA256631d8bebaa32e939ece2d304bf739987941cbb4a0e4a1326074e355e508e0c0c
SHA5129efcbdc853b81b0a378e8ea8cf5779edf614b8534970927a68b91be1d6958ea11a63ddd47f132fc6956b53bbe53bda2d0cc143f7b6298f162f8a82e64b75248e
-
Filesize
1.4MB
MD5e6d27b60afe69ac02b1eaec864c882ae
SHA1a72b881867b7eaa9187398bd0e9e144af02ffff4
SHA256aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75
SHA5124f11fc2b36589fc9ff7dc5afd27cb91614f6a89bfd60942baebef025f53cb56ed7413abeff57fc7c85b3a2a4b0feec2649d5c5a856d3e2e9c13f6a0d8c777764
-
Filesize
307KB
MD568a99cf42959dc6406af26e91d39f523
SHA1f11db933a83400136dc992820f485e0b73f1b933
SHA256c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
SHA5127342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75
-
Filesize
1.7MB
MD5f734d3c885625d361b085cfc8af1fc25
SHA163ebbfac1ae03d7db04bf55523f07f3f4aa2b534
SHA2561fc070d52f6c24eb6e83d5e9474d63868d47509a8aea3687782ebf61ebe97cfd
SHA512e798e083f0f7c8d51988d105cdd1ca388befbd68f9045c980b689eb183ce99e512821f9dbc48cdfc9db03f507e61c26113279f7e3a5c150eee1dad09756e7024
-
Filesize
6.3MB
MD55e8fec7f2f2102b5dcd44c061f3197fc
SHA13d8f67a861dd144b6dba216db88012ee62aed4a6
SHA2564caa926d2422c584f16a4373daea24880fbd08a7baf3c9214421281965f89ec6
SHA5120aafde8e576e305c9d8a61af774235ff32e769270971e66b9cc6cce9ac4dccf1f4434cf1f63b0801beb8a271877d89ccd3b58e6c899d9fae17a6e9c19798ca08
-
Filesize
2.8MB
MD52b434bcb7db640789705849b9d48fc7d
SHA1619af2a7e4df253acf006214bd517f0d5f699d25
SHA2562703ef1f4f7a9df3104e5d4fb728a3814d6f666421edd34a31b293c73d01712f
SHA5122349b83a5808e33e2a627429d45ee4041d80d741389d612c27dc10fc7a7dbd3286cbcd4c2d59149863d4c0f72e6a785aa27f7c265b06e095f4b942cf5011ffd8
-
Filesize
1.8MB
MD528002a329080201c0f8acbd9aa336108
SHA1fa98e415bb279ffc1061c4440fd2dfb70e31dade
SHA2561afefbdc5c74028d884eaf13674f6ddcce5a290d77ab230d53df2a786d30374d
SHA512d51acbf422c45ac960b7a60b805869da1194c888ed119c292a68f354faee55a190fabfd94b3244ce8a3ddc483800786ac4a06251e77b5392329b589756ad3a04
-
Filesize
1.9MB
MD5038bbf70510b5b370641509a2c873217
SHA1be0eb98566393d157fb33ea4202dc40bf3015d5e
SHA2567c68936dca7643d020c3c4c60bfecbe67bea3e07f7fd406ddc28643d7566a6d3
SHA5124025734063bfdf22a8114d64155b7b667773067ddca03645541f3cb0c9437449b69093d6de48d71071f79b88c9b3746974a0ee258b4406be51e6961bfafc8770
-
Filesize
1.7MB
MD5973b2f110938477f07b1e647f7d8fb8d
SHA119f01293cdc1f0a4a8516f27ba1bb3d61260163c
SHA2567b5867c2ef958e0ec5143efc9c55690494841d14d7d5d86d40e58ca670fdfbf0
SHA512a0fff6e9e1b9633e0935bab869269fbf611fea2ca4986f42ede07d6ad9bd5e9189202cda9f778c524b29c858b3bf0501ffe73817ba8dfe9697f89e863b66526e
-
Filesize
314KB
MD5ff5afed0a8b802d74af1c1422c720446
SHA17135acfa641a873cb0c4c37afc49266bfeec91d8
SHA25617ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10
SHA51211724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac
-
Filesize
307KB
MD5791fcee57312d4a20cc86ae1cea8dfc4
SHA104a88c60ae1539a63411fe4765e9b931e8d2d992
SHA25627e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d
SHA5122771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
6KB
MD5c042782226565f89ce3954489075e516
SHA1256dd5ba42837a33c7aa6cb71cef33d5617117ee
SHA256a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6
SHA5129f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd
-
Filesize
1.1MB
MD5ed9393d5765529c845c623e35c1b1a34
SHA1d3eca07f5ce0df847070d2d7fe5253067f624285
SHA25653cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a
SHA512565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8
-
Filesize
20.4MB
MD57172ee8de6490094d4a5112eceaaaa90
SHA146a82d7628f31d91fb883056dfbd4d15d26bbd77
SHA25611cabbb368deb30bc1f45feb6509b222c2b360707ff31c8b1e056c617477f28e
SHA51291e2da0921f8d2596ac2e99e91b108e4d7dba6a97800c775bc9d9b4411fae3b7f0d811f48b107054664aff69c7cdd2c052220960cec9c525470f7266de5780d8
-
Filesize
85KB
MD5b28b444ae9f97111e5a73286e1df61a3
SHA138671b212f42f9fe1ef6511e760d54d12473aa34
SHA256b0a8a623d561597f333ff7f6afe8304e023b8386d88613418c864df1f6356102
SHA512ce117e36ab1e10b50e02a994298be7f8043babb37a95efb38cb434b2d3b66afb1cc9f3fba17ab0ed8619966610e137578070f74c56b1e26ae219081ad81baf84
-
Filesize
1.8MB
MD52b8f8da02a0d1183a5c1bbd227d95d3c
SHA1f2411bb89078eb8ea6a4670ff8cad110041d3228
SHA256b448e7b4306637a59a6da75290b06bc45544c3852b16a339c10cd60341661459
SHA5122acf6321f8144930abade59476056878ddda60e5a6b39f0538584378cbd772f3c19dd4cc81876f3c5e29ec5aec92416b8b28d6f67f00219bb7554a55c0b5e2fb
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.1MB
MD5bba584f217419c351e6ae092c664271d
SHA1972ba560cdff81c57ce852687e9b3e85542d2c61
SHA256b6e4f561c0b627441f052fc40bf2dcab04c4320da15205f24e64b40d55fa4151
SHA51204fd9a7fa34fc8056d3ac8006cdccbd98c42389424c5301981d3223645eb9792ac23d8202fc9948e97bd02832d0635607586783ccd53e2643ad43175acccf6e1
-
Filesize
232KB
MD555c310c0319260d798757557ab3bf636
SHA10892eb7ed31d8bb20a56c6835990749011a2d8de
SHA25654e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
-
Filesize
393KB
MD57d7366ab79d6d3d8d83d13a8b30de999
SHA175c6c49a6701d254c3ce184054a4a01329c1a6f3
SHA2563d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465
SHA51264f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022
-
Filesize
70B
MD51c5c0d2105718982915d88e1e34b7c24
SHA1ecb11df5274a3a37c81fc19b95ec316d39bb6f03
SHA256b5fd05a1a23d90dee32a1f61158a1e0859fde6882b289267c90845bb995b0c09
SHA5129e1f86ca561c034078acbce22e6b3b2dc938a883f4897167c96ad7c61f28d30075d66557335825c18a00f96467fbd1dee067bb756388ba60b21443ba964ba331
-
Filesize
602KB
MD5e4fc58d334930a9d6572c344e5129f6b
SHA1d38fbd0c4c86eee14722f40cc607e2128c01b00f
SHA256973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a
SHA512a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
6.3MB
-
Filesize
6.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
32KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
452KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
6.6MB
-
Filesize
452KB
-
Filesize
6.6MB
-
Filesize
528KB
-
Filesize
1.1MB
-
Filesize
336KB
-
Filesize
5.6MB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
376KB
-
Filesize
752KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
240KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
584KB
-
Filesize
120KB
-
Filesize
328KB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
472KB
-
Filesize
3.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
20.4MB
-
Filesize
1.2MB
-
Filesize
664KB
-
Filesize
304KB
-
Filesize
336KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
864KB
-
Filesize
864KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
624KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
972KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB