Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
04/11/2024, 02:08
General
-
Target
1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe.exe
-
Size
1.8MB
-
MD5
659a28dd5c85f4482c3818467461f372
-
SHA1
a9f54c9aa53da8f3e8b47ab4ed4650b9e0df0f3f
-
SHA256
1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe
-
SHA512
123c05cbc778406da4fab525c84fc8650c714826d8984a5de4753ccc17dcf59e43f4a2b48d16aa56d54466616f42d485e9b4307ce7a24fa56b1691064ec3c5cf
-
SSDEEP
49152:TQsjXkTmwxhOCTzyr9uInP/OkMk8X+dINgZcb:dnONHSUIe1Rxb
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
default_valenciga
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
amadey
5.03
7c4393
http://185.215.113.217
-
install_dir
f9c76c1660
-
install_file
corept.exe
-
strings_key
9808a67f01d2f0720518035acbde7521
-
url_paths
/CoreOPT/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://necklacedmny.store/api
https://founpiuer.store/api
https://navygenerayk.store/api
https://goalyfeastz.site/api
https://contemteny.site/api
https://dilemmadu.site/api
https://authorisev.site/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 6 IoCs
-
Executes dropped EXE 26 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Windows directory 8 IoCs
-
Embeds OpenSSL 1 IoCs
Embeds OpenSSL, may be used to circumvent TLS interception.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 38 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe.exe"C:\Users\Admin\AppData\Local\Temp\1e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000477001\Offnewhere.exe"C:\Users\Admin\AppData\Local\Temp\1000477001\Offnewhere.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\10000090101\JavvUm.exe"C:\Users\Admin\AppData\Local\Temp\10000090101\JavvUm.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10000101101\stail.exe"C:\Users\Admin\AppData\Local\Temp\10000101101\stail.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-RQH9T.tmp\stail.tmp"C:\Users\Admin\AppData\Local\Temp\is-RQH9T.tmp\stail.tmp" /SL5="$1801DE,5983289,54272,C:\Users\Admin\AppData\Local\Temp\10000101101\stail.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\MP4LoadBar 5.14.5\mp4addon3264.exe"C:\Users\Admin\AppData\Local\MP4LoadBar 5.14.5\mp4addon3264.exe" -i8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000817001\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\1000817001\splwow64.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1970366⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\197036\Jurisdiction.pifJurisdiction.pif T6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000828001\new_v8.exe"C:\Users\Admin\AppData\Local\Temp\1000828001\new_v8.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1000833001\b53ae4cd43.exe"C:\Users\Admin\AppData\Local\Temp\1000833001\b53ae4cd43.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Applaunch.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000857001\5f448853ce.exe"C:\Users\Admin\AppData\Local\Temp\1000857001\5f448853ce.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000965001\GOLD1234.exe"C:\Users\Admin\AppData\Local\Temp\1000965001\GOLD1234.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1000965001\GOLD1234.exe"C:\Users\Admin\AppData\Local\Temp\1000965001\GOLD1234.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 12886⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 2565⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001096001\RDX123456.exe"C:\Users\Admin\AppData\Local\Temp\1001096001\RDX123456.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 12525⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 13205⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001527001\j4vzzuai.exe"C:\Users\Admin\AppData\Local\Temp\1001527001\j4vzzuai.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1001527001\j4vzzuai.exe"C:\Users\Admin\AppData\Local\Temp\1001527001\j4vzzuai.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 12726⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 2885⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001567001\hhnjqu9y.exe"C:\Users\Admin\AppData\Local\Temp\1001567001\hhnjqu9y.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 6206⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\1001567001\hhnjqu9y.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucloud.exe'5⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001791001\gdn5yfjd.exe"C:\Users\Admin\AppData\Local\Temp\1001791001\gdn5yfjd.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMQA3ADkAMQAwADAAMQBcAGcAZABuADUAeQBmAGoAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAxADAAMAAxADcAOQAxADAAMAAxAFwAZwBkAG4ANQB5AGYAagBkAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABUAHkAcABlAEkAZAAuAGUAeABlAA==5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001808001\ec6064631e.exe"C:\Users\Admin\AppData\Local\Temp\1001808001\ec6064631e.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1001809001\c5d5282450.exe"C:\Users\Admin\AppData\Local\Temp\1001809001\c5d5282450.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\Admin\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit2⤵
- Drops startup file
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2984 -ip 29841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4120 -ip 41201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3060 -ip 30601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4900 -ip 49001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3060 -ip 30601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1432 -ip 14321⤵
-
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3236 -ip 32361⤵
-
C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exeC:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
2.6MB
MD5b95cffb87435ca187426688b2aec43fa
SHA123b52acea8c625e372caae5237b59afb85fe1bea
SHA25666f1de45fe8cab1e0bf51285b83dd4d0fad78e898596fdd39a1d6d7bd6b944cc
SHA5123b071077e322cd1f466e7fa42f00fb394259cc15391bc8d69a14f624f433412b2ac1cce789f60f1d0db6c2038cef171399dbabfcb8ead01b1ae3ad1a2e73fcb9
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5f0f35365eca74b4287abd84bfc74b94f
SHA1ee83784def28aa4f58837b682c47e4c71eed3d38
SHA256d58b73eb82fbd61af558f5186b34005e5456d411ac52fd6e8c46a306607fe192
SHA51221dae40c7a0ae40041c77c92ae954e54d2d5f71bb3a1c2a136ca39993248b9bf551c44c0ac67ccf555d9aa8fac644c1f33a6bbb5a6f038feea6af8eb5dc78cb8
-
Filesize
7.2MB
MD5b5d1fc40f35d46445f7f69d7bf4a04d7
SHA1b897b558fb0f2c5aa0d4de6152f5b1eb0c00ee37
SHA2564b81371832a31aa1b9a3f4caf3da072dbadc9793dc92d90ba3ea89c8ba7dd17e
SHA5121e5d46ef32a800b795cb9de57210784cfa84a4c6f7f1fbe23056265b3c1d693dce5de74b0230e074360227d6c24a3e9b2e7d4a80ac4e5412f1add6d10c825b5d
-
Filesize
5.9MB
MD576e13aec5f23fe5dc4fa208adfb7607f
SHA1b7520e125aa63b8badbb77276dad11237882eaf1
SHA256bf1e76b416fc0342d49fe79da89995717679ad80f8c0dd1a9b591044ef02f0e2
SHA51238c75c73e4663fcff7a73a979d098965a38defc482adbfaa75071bffc5b1b469f047f2b8f093b6d5ed4629f1d7b515ea63ccda90e5418d63040c6d92430e0b4a
-
Filesize
307KB
MD568a99cf42959dc6406af26e91d39f523
SHA1f11db933a83400136dc992820f485e0b73f1b933
SHA256c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
SHA5127342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75
-
Filesize
429KB
MD5c07e06e76de584bcddd59073a4161dbb
SHA108954ac6f6cf51fd5d9d034060a9ae25a8448971
SHA256cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9
SHA512e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f
-
Filesize
1.2MB
MD55d97c2475c8a4d52e140ef4650d1028b
SHA1da20d0a43d6f8db44ff8212875a7e0f7bb223223
SHA256f34dd7ec6030b1879d60faa8705fa1668adc210ddd52bcb2b0c2406606c5bccf
SHA51222c684b21d0a9eb2eaa47329832e8ee64b003cfb3a9a5d8b719445a8532b18aad913f84025a27c95296ebeb34920fa62d64f28145ccfa3aa7d82ba95381924ee
-
Filesize
5.7MB
MD55009b1ef6619eca039925510d4fd51a1
SHA122626aa57e21291a995615f9f6bba083d8706764
SHA256fbc8c32bf799a005c57540a2e85dd3662ed5795a55f11495f0ba569bbb09df59
SHA5122b5bbd9449be00588058966db487c0adfac764827a6691f6a9fc6c3a770a93bda11c732d2eb2a3c660697cbc69b1c71a2bf76d2957f65cd2599fb28098b24f14
-
Filesize
734KB
MD598e538d63ec5a23a3acc374236ae20b6
SHA1f3fec38f80199e346cac912bf8b65249988a2a7e
SHA2564d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91
SHA512951a750998448cd3653153bdf24705101136305ff4744ee2092952d773121817fa36347cb797586c58d0f3efc9cfa40ae6d9ce6ea5d2e8ec41acf8d9a03b0827
-
Filesize
2.9MB
MD5217876654c78eaa7e9b94565c9313f11
SHA1024dd55ea886bd3fa76223f51b97721927ec453e
SHA25633c5dc1a5907b7cf151684a7f680dfc4ea482ce46979bb0125630c39d4deefd6
SHA5126cf5f7f8f9b8c7199dc180805fdd7bbeb19497439ec3518cb1d4f25e487abe2c53dcd562aaf64041cfea0c43105c93e039d4a05ecadca1f86a482f85ab34ceeb
-
Filesize
645KB
MD5bdf3c509a0751d1697ba1b1b294fd579
SHA13a3457e5a8b41ed6f42b3197cff53c8ec50b4db2
SHA256d3948ae31c42fcba5d9199e758d145ff74dad978c80179afb3148604c254be6d
SHA512aa81ccbae9f622531003f1737d22872ae909b28359dfb94813a39d74bde757141d7543681793102a1dc3dcaecea27cffd0363de8bbb48434fcf8b6dafef320b3
-
Filesize
327KB
MD5fba8f56206955304b2a6207d9f5e8032
SHA1f84cbcc3e34f4d2c8fea97c2562f937e1e20fe28
SHA25611227ead147b4154c7bd21b75d7f130b498c9ad9b520ca1814c5d6a688c89b1b
SHA51256e3a0823a7abe08e1c9918d8fa32c574208b462b423ab6bde03345c654b75785fdc3180580c0d55280644b3a9574983e925f2125c2d340cf5e96b98237e99fa
-
Filesize
629KB
MD5f8b9bbe568f4f8d307effddb44d4c6b3
SHA14bd7686eca3eeaffe79c4261aef9cebee422e8fd
SHA25650104b13a245621a1a0291eac4f9eb9c010fae46cc511b936d6f3b42a398cab3
SHA51256c692e195771b02f9cf45786b233e2d996561360a5402577651a67c538c94a5f3e58925ba6e671515a8dd0dbcf1c0917b53d86d5ae6d2bc8dfd30ed5e60b9bf
-
Filesize
3.4MB
MD5b45668e08c03024f2432ff332c319131
SHA14bef9109eaeace4107c47858eef2d9d3487e45f0
SHA2564b5a876b1c230b28c0862d5f8158b3657016709855bf3329d8fea6cada3adbfe
SHA512538c8471fc0313e68885d4d09140ec3e3374af3464af626195b6387a67b9bae9c3c9fd369d9dc7965decc182d13e8bbf95b4cf96b5ffc78af5d7904d59325bbc
-
Filesize
9.5MB
MD50143accc4350dcc3d211d0453f0db35c
SHA190a15d873d020b9e89c81c3240835ea939302ead
SHA25676089a25e76533661a8e8712847e024151b6c7b390634edd8cf1968d04917e57
SHA51236d5e9ff52d31f00f494a9f7bb840a0c37f8aaec065e633fdb6a3509745a5c2fdabcc47e6a6779ce9c019aedbc997770f59e10ab24203f17bf3bd1bb976c483f
-
Filesize
2.0MB
MD565ed3bcfe7c423aef11ad136275bab5f
SHA1572cbb3be18d27ceacbcfedd09e40e51cfe598f7
SHA256b2aa0446dc6a4f25c4f083155b7b237d66a432f6255d65b85ab524f596935345
SHA512329a3406855b4585dd7b2413afa0ad2307980aafa2b5c00cdce2a835dc2dcc7e83b439b6e5f94f512494f8737a67413e64a0a9ac726496381f2d98143bf3d672
-
Filesize
2.8MB
MD5c695df1872b28812321df9528ed0fe35
SHA10fb47357f0f8a70cf0b6f20c867d5bb210015e83
SHA256636832ede50a4ce20c3d26c15012738d15f833b823ae22cadf4615e44e892e04
SHA512a68ff1389bfa5a4aef3d3378dd6240ed6452128c1d1a849fdfd7662b2d400cd6a414f4a45b3d231c63db4a61ee39a6baded65df6e36ff9627d083dbddcbd7ad1
-
Filesize
872KB
MD518ce19b57f43ce0a5af149c96aecc685
SHA11bd5ca29fc35fc8ac346f23b155337c5b28bbc36
SHA256d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
SHA512a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558
-
Filesize
580KB
MD54b0812fabc1ba34d8d45d28180f6c75f
SHA1b9d99c00a6f9d5f23e244cc0555f82a7d0eeb950
SHA25673312c3ea63faf89e2067e034a9148bf73efb5140c1ba6a67aaf62170ee98103
SHA5127f72ffd39f7b66ea701ec642a427c90f9c3ee9be69a3e431c492be76ae9a73e8b2b1fbb16553a5a6d8722baf30b2a392a47c7c998d618459bf398d47d218d158
-
Filesize
1.8MB
MD5659a28dd5c85f4482c3818467461f372
SHA1a9f54c9aa53da8f3e8b47ab4ed4650b9e0df0f3f
SHA2561e0c279995b4cbe44ef6cd051ae88d31a3b8870663065439dfd05632deabd3fe
SHA512123c05cbc778406da4fab525c84fc8650c714826d8984a5de4753ccc17dcf59e43f4a2b48d16aa56d54466616f42d485e9b4307ce7a24fa56b1691064ec3c5cf
-
Filesize
81KB
MD5270c48487ccd0178d0d0a7f98593495d
SHA1dc1065dd26de2a6212253b20d05cd9119bf9228f
SHA2560e7217a763b05e260ae78bda07a9dea703bc8edb82081225e11b18e288ee4cdc
SHA51296485954ec58aa1528f579820f61312079618f38fd0007fb087b5ae73fdccf956b672d6fe6955898ef41ac8d460c617381ff1c89ff45089b3279af39994a25b1
-
Filesize
24KB
MD52a84a77ad125a30e442d57c63c18e00e
SHA168567ee0d279087a12374c10a8b7981f401b20b8
SHA2560c6ead18e99077a5dde401987a0674b156c07ccf9b7796768df8e881923e1769
SHA5129d6a720f970f8d24ed4c74bed25c5e21c90191930b0cc7e310c8dd45f6ed7a0b3d9b3abbd8f0b4979f992c90630d215b1852b3242c5d0a6e7a42ecef03c0076a
-
Filesize
62KB
MD546a51002cdbe912d860ce08c83c0376b
SHA16d0ae63850bd8d5c86e45cba938609a7f051f59b
SHA25618070c4700df6609e096f2e79f353844e3e98c9aacca69919a8baeb9f9890017
SHA512ed7c8d09e305687dc687ab23f6a83692232677c120836c8f4b876c4dfa867b47e29684e7e1c7973f6c29eeed1b8530b96f609a6111dde36d94f6657c9b5a4e44
-
Filesize
69KB
MD58ca4bbb4e4ddf045ff547cb2d438615c
SHA13e2fc0fdc0359a08c7782f44a5ccebf3a52b5152
SHA2564e4bb4aa1f996e96db8e18e4f2a6576673c00b76126f846ba821b4cd3998afed
SHA512b45ed05fa6d846c0a38cefcd5d256fdee997b9010bc249a34d830953100ca779ab88547353cc8badaf2908f59ff3a8c780f7cac189c0f549246feb504ecb5af9
-
Filesize
7KB
MD5f3d7abb7a7c91203886dd0f2df4fc0d6
SHA160ffbb095fceeb2ea2b9e65355e9dbf1de736d6c
SHA2565867350b8ad8bb5d83111aed8b296b8c28328ba72b5bedb0cbeb99b3dc600cb3
SHA5129af80787c63fa7de9a22eea3d1f13d25ff1558ed95321a8178da734dce5126f0b7322f13cddd40c1bc67b65140f684a190dd117247f06600a07db97b015aa367
-
Filesize
58KB
MD584c831b7996dfc78c7e4902ad97e8179
SHA1739c580a19561b6cde4432a002a502bea9f32754
SHA2561ac7db51182a2fc38e7831a67d3ff4e08911e4fca81a9f2aa0b7c7e393cc2575
SHA512ae8e53499535938352660db161c768482438f5f6f5afb632ce7ae2e28d9c547fcf4ed939dd136e17c05ed14711368bdd6f3d4ae2e3f0d78a21790b0955745991
-
Filesize
80KB
MD50814e2558c8e63169d393fac20c668f9
SHA152e8b77554cc098410408668e3d4f127fa02d8bd
SHA256cfdc18b19fe2c0f099fd9f733fe4494aa25b2828d735c226d06c654694fcf96d
SHA51280e70a6eb57df698fe85d4599645c71678a76340380d880e108b391c922adadf42721df5aa994fcfb293ab90e7b04ff3d595736354b93fcb6b5111e90b475319
-
Filesize
71KB
MD56785e2e985143a33c5c3557788f12a2b
SHA17a86e94bc7bc10bd8dd54ade696e10a0ae5b4bf0
SHA25666bbe1741f98dbb750aa82a19bc7b5dc1cdbecf31f0d9ddb03ff7cf489f318c7
SHA5123edad611d150c99dbb24a169967cc31e1d3942c3f77b3af2de621a6912356400c8003b1c99a7236b6bed65bd136d683414e96c698eabd33d66d7ab231cdfee91
-
Filesize
865KB
MD56cee6bd1b0b8230a1c792a0e8f72f7eb
SHA166a7d26ed56924f31e681c1af47d6978d1d6e4e8
SHA25608ac328ad30dfc0715f8692b9290d7ac55ce93755c9aca17f1b787b6e96667ab
SHA5124d78417accf1378194e4f58d552a1ea324747bdec41b3c59a6784ee767f863853eebafe2f2bc6315549bddc4d7dc7ce42c42ff7f383b96ae400cac8cf4c64193
-
Filesize
95KB
MD5ba8c4239470d59c50a35a25b7950187f
SHA1855a8f85182dd03f79787147b73ae5ed61fb8d7b
SHA256a6272116dc959a3197a969923f85c000a1388b0a02df633dec59b7273bdb421b
SHA5121e6d42c249d206815000cc85d5216d13729246e114647d8ccf174b9bd679530b6b39dfab2bfcc5d957cc0778a8cf029e544228978682fa285c5e3f9564c2eaf0
-
Filesize
92KB
MD52759c67bccd900a1689d627f38f0a635
SHA1d71b170715ed2b304167545af2bd42834ccf1881
SHA256510cfd9523a0f8462e8cbdcbbf1afccf2aa69a9153472ee48fd28ad4fe06ca05
SHA512aa9e26ad8824ed2ca8bf45c24939e305660cbc19f821a84a7407a16f91d71b2eb9daba9059d379908f17c9e5a17c0c3e873e5cd7350ee8715e45b2b3eff2531e
-
Filesize
53KB
MD579156afddd310be36f037a8f0708a794
SHA109ef36ae22b5eab65d1f62166542601b8919399d
SHA2567faaf10d09a27842330725e6510d2754487c5b69bd40e11181dd75b03df61503
SHA512d1449126f2365f607a390e3b6fecb3be100bff9fae1a773cf5815cab29eeb72ab4e341022bde9de653fd62ede0fb0c26d9010e524d87060aa364bf92a14e9d01
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
688KB
MD580c86047bb3eee014ff6256c0396eeb7
SHA10f24079e20ca8c5092b8b2a7d9406219dba109a9
SHA2569a84d3043a9a402228d39d6ecef131c01d1fb2435ad336953eec97f74e6f13ed
SHA512c74ff8077b831968a6d7a72596aca9d9cf52783f503aa8ed4eec0877704aa0b93dd5f85a72b41fb0a021b633c4a6bc32c154bad06a8a96b169b9da5e55f59add
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
760KB
-
Filesize
520KB
-
Filesize
344KB
-
Filesize
656KB
-
Filesize
848KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
624KB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
1.2MB
-
Filesize
8.5MB
-
Filesize
8.5MB
-
Filesize
80KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
972KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
584KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
336KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
20.3MB
-
Filesize
304KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
20.3MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
20.3MB
-
Filesize
1.5MB
-
Filesize
944KB
-
Filesize
20.3MB
-
Filesize
20.3MB
-
Filesize
8.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
7.2MB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
3.3MB