amadey | ca87e1282bfd72af8ef9181fa8a50158f000e5e33add3d1fa10bddb291492e9a

Analysis

max time kernel
141s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.8MB
MD5

a95edab150e25ad53e3400e7f26d14fc
SHA1

1c9819b39fc3944fba4fecbbf69efba1a6a11dcf
SHA256

ca87e1282bfd72af8ef9181fa8a50158f000e5e33add3d1fa10bddb291492e9a
SHA512

0177e2e75f8425a897614989e4ed933809487bb94eda5b6e594561c658f676dd8830311e184767eae936e2204276bf9753b9f47bba0b3d02998af996b9ab435b
SSDEEP

49152:cwwq22JXAB/owOrSU0YaG5X8JGsB1ixcYbj2D1qE3gg0gaF:bwq0Br9Yr5XUnidbYQE0gaF

Score

10^/10

amadey lumma stealc fed3aa tale discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Extracted

Family

lumma

https://navygenerayk.store/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ee09e278c7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0bd70d5c1f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0bd70d5c1f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ee09e278c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ee09e278c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0bd70d5c1f.exe

Executes dropped EXE 5 IoCs

pid	Process
2728	axplong.exe
1912	7cl16anh.exe
1652	Cooper.pif
2208	ee09e278c7.exe
2840	0bd70d5c1f.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	ee09e278c7.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	0bd70d5c1f.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	file.exe

Loads dropped DLL 9 IoCs

pid	Process
1788	file.exe
1788	file.exe
2728	axplong.exe
1912	7cl16anh.exe
2412	cmd.exe
2728	axplong.exe
2728	axplong.exe
2728	axplong.exe
2728	axplong.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ee09e278c7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002394001\\ee09e278c7.exe"	axplong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\0bd70d5c1f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1002395001\\0bd70d5c1f.exe"	axplong.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2824	tasklist.exe
2332	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1788	file.exe
2728	axplong.exe
2208	ee09e278c7.exe
2840	0bd70d5c1f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee09e278c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cl16anh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0bd70d5c1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cooper.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	0bd70d5c1f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	0bd70d5c1f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	0bd70d5c1f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Cooper.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Cooper.pif

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1788	file.exe
2728	axplong.exe
1652	Cooper.pif
1652	Cooper.pif
1652	Cooper.pif
2208	ee09e278c7.exe
2840	0bd70d5c1f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	tasklist.exe
Token: SeDebugPrivilege	2332	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1788	file.exe
1652	Cooper.pif
1652	Cooper.pif
1652	Cooper.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1652	Cooper.pif
1652	Cooper.pif
1652	Cooper.pif

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2728	1788	file.exe	30
PID 1788 wrote to memory of 2728	1788	file.exe	30
PID 1788 wrote to memory of 2728	1788	file.exe	30
PID 1788 wrote to memory of 2728	1788	file.exe	30
PID 2728 wrote to memory of 1912	2728	axplong.exe	32
PID 2728 wrote to memory of 1912	2728	axplong.exe	32
PID 2728 wrote to memory of 1912	2728	axplong.exe	32
PID 2728 wrote to memory of 1912	2728	axplong.exe	32
PID 1912 wrote to memory of 2412	1912	7cl16anh.exe	33
PID 1912 wrote to memory of 2412	1912	7cl16anh.exe	33
PID 1912 wrote to memory of 2412	1912	7cl16anh.exe	33
PID 1912 wrote to memory of 2412	1912	7cl16anh.exe	33
PID 2412 wrote to memory of 2824	2412	cmd.exe	35
PID 2412 wrote to memory of 2824	2412	cmd.exe	35
PID 2412 wrote to memory of 2824	2412	cmd.exe	35
PID 2412 wrote to memory of 2824	2412	cmd.exe	35
PID 2412 wrote to memory of 2672	2412	cmd.exe	36
PID 2412 wrote to memory of 2672	2412	cmd.exe	36
PID 2412 wrote to memory of 2672	2412	cmd.exe	36
PID 2412 wrote to memory of 2672	2412	cmd.exe	36
PID 2412 wrote to memory of 2332	2412	cmd.exe	38
PID 2412 wrote to memory of 2332	2412	cmd.exe	38
PID 2412 wrote to memory of 2332	2412	cmd.exe	38
PID 2412 wrote to memory of 2332	2412	cmd.exe	38
PID 2412 wrote to memory of 2948	2412	cmd.exe	39
PID 2412 wrote to memory of 2948	2412	cmd.exe	39
PID 2412 wrote to memory of 2948	2412	cmd.exe	39
PID 2412 wrote to memory of 2948	2412	cmd.exe	39
PID 2412 wrote to memory of 408	2412	cmd.exe	40
PID 2412 wrote to memory of 408	2412	cmd.exe	40
PID 2412 wrote to memory of 408	2412	cmd.exe	40
PID 2412 wrote to memory of 408	2412	cmd.exe	40
PID 2412 wrote to memory of 2316	2412	cmd.exe	41
PID 2412 wrote to memory of 2316	2412	cmd.exe	41
PID 2412 wrote to memory of 2316	2412	cmd.exe	41
PID 2412 wrote to memory of 2316	2412	cmd.exe	41
PID 2412 wrote to memory of 2132	2412	cmd.exe	42
PID 2412 wrote to memory of 2132	2412	cmd.exe	42
PID 2412 wrote to memory of 2132	2412	cmd.exe	42
PID 2412 wrote to memory of 2132	2412	cmd.exe	42
PID 2412 wrote to memory of 1652	2412	cmd.exe	43
PID 2412 wrote to memory of 1652	2412	cmd.exe	43
PID 2412 wrote to memory of 1652	2412	cmd.exe	43
PID 2412 wrote to memory of 1652	2412	cmd.exe	43
PID 2412 wrote to memory of 2404	2412	cmd.exe	44
PID 2412 wrote to memory of 2404	2412	cmd.exe	44
PID 2412 wrote to memory of 2404	2412	cmd.exe	44
PID 2412 wrote to memory of 2404	2412	cmd.exe	44
PID 2728 wrote to memory of 2208	2728	axplong.exe	45
PID 2728 wrote to memory of 2208	2728	axplong.exe	45
PID 2728 wrote to memory of 2208	2728	axplong.exe	45
PID 2728 wrote to memory of 2208	2728	axplong.exe	45
PID 2728 wrote to memory of 2840	2728	axplong.exe	47
PID 2728 wrote to memory of 2840	2728	axplong.exe	47
PID 2728 wrote to memory of 2840	2728	axplong.exe	47
PID 2728 wrote to memory of 2840	2728	axplong.exe	47

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\1002393001\7cl16anh.exe
    "C:\Users\Admin\AppData\Local\Temp\1002393001\7cl16anh.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 578678
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:408
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "PEACEFOLKSEXUALISLANDS" Hill
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
    - - C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif
        
        Cooper.pif y
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1652
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
- - C:\Users\Admin\AppData\Local\Temp\1002394001\ee09e278c7.exe
    "C:\Users\Admin\AppData\Local\Temp\1002394001\ee09e278c7.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\1002395001\0bd70d5c1f.exe
    "C:\Users\Admin\AppData\Local\Temp\1002395001\0bd70d5c1f.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1002393001\7cl16anh.exe

Filesize
986KB

MD5
4f2e93559f3ea52ac93ac22ac609fc7f

SHA1
17b3069bd25aee930018253b0704d3cca64ab64c

SHA256
6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d

SHA512
20c95b9ee479bf6c0bc9c83116c46e7cc2a11597b760fd8dcd45cd6f6b0e48c78713564f6d54aa861498c24142fde7d3eb9bd1307f4f227604dd2ee2a0142dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1002394001\ee09e278c7.exe

Filesize
2.1MB

MD5
6d1973227d581ada32cb4395e84299c7

SHA1
31522ab4124049f7c11c2289bca299fd7a9623bf

SHA256
7866a89c6f42515fa054330c648112c7b1ace05ddaa172a8ca7c20da1136988d

SHA512
1e3ef405b41220227874062cb2d8392cc8c412877441a2fef5213647c0f2fdc85a4f6ff23ae9278208a2f552229126d2e6cded467c606baf76344dbba6c7ed56

Download Submit
C:\Users\Admin\AppData\Local\Temp\1002395001\0bd70d5c1f.exe

Filesize
3.1MB

MD5
9c70a66e10de4d5374ddce5f12bb1b05

SHA1
c0e839231d95b2ab7a75190c937b1bb2c0ba1a2e

SHA256
e554edba080baa3b153e6cfce6a7e60bf91672816aea798d9eb0a8c46e8ff2f9

SHA512
abec5c1927d2476274c2388e3287414783149fc7e6bd191d2ee1dd3f7389eb8b02143c26114782a2b043247252c990fabb7ea13553b4d9e5f348c6731651edaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\578678\y

Filesize
469KB

MD5
01aa075f055b346c3fc5734a64e3d57c

SHA1
fdda7fad433d6914a669310795e0709d28ef38bf

SHA256
64980eb891466f0c5f8e8df49fc8915fb81bb08dd5b0ffd17146cabece19f2fb

SHA512
cdca877a1cb68ec3e24aa8812a1174c34e7f82367e27107c67d8c18d4479bbda50f9751c5ff16c5d8303bb5cd505949de020cac91a42046e2f50895dfcc31f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bond

Filesize
908KB

MD5
7b40cadef1ded67a46bd0659c6cc374d

SHA1
3a03378d6a51ff618f713e67a684f37dea01922d

SHA256
f7827e5cbeba48532109208753a4e8dde264b7fb21e230a963c2c3684248296c

SHA512
ac51db075fca42fa9af601b85b3ec915b070dd6cf877994046caa6ba16ef216c44e0624fd1663142997b087aa711c147de68cb1b243da8135b7fd214675e7146

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE39D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exotic

Filesize
80KB

MD5
7d0bc01be7120c9430aefde09261ae99

SHA1
f13d1476ca39fa84a3050e4fb1856c7c92861f89

SHA256
a4ac99467d4f925bfa62fad61a5ebf3e150d414f56c90c034a7e35f04ddd0f28

SHA512
be1f4fda51f2b909c9b64d78a9f34fa783665a12d1e70196ca52d262e1bd470319a1900f8ffaea04ea385d5e075a61b834091b54dbad31ebf41830927a94d08f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hill

Filesize
13KB

MD5
2bca8a1bcbc57478fd079c572a2dadbc

SHA1
fd6e370bb531c34ed8f94916c09f3b96fe836d23

SHA256
780b30a011c2a4be6884bcbcd69087c6660309832facffdd5d21df6bb6408007

SHA512
afb31a261bacd35271cd13f85cc0e9210249238485b852f2ea863747f7ebac60b6d9278c36c1a233bbb82452b88e3ce55c31aebe5bdf72088752acba2c0dd8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Impacts

Filesize
20KB

MD5
e66bce26cc9f5ea1c9e1d78fdb060e57

SHA1
5a83a6454cb6384fdaaf68585d743da3488eed28

SHA256
34e6b48e8a53c7f983f7944c69764cbac28fbd0d2283e797506d0e256debf3d2

SHA512
94ef52636660fb3d7aadc10459460781d95e1d83389e3519f19d093806f273b330b4596f03ac1f9268aad45a244e537ff6d0ba773be33c627fe86f18128bff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myth

Filesize
45KB

MD5
85dbc3d77f4dcde7fc0c62bce25f21f5

SHA1
c530ca9b4ffe7d07f54eba33fd3e313679c9abb5

SHA256
2f5ead4a5c318263671e35cd675a6d3ff1ce1f483422000dd8ccdd592bab2add

SHA512
99fb163a5568aa83555146dbbcf30014e6e860a79c57e5faa2f6950201c7460d48ff28a52c2236622d22d352ec9abb676af46746da63b7cec3420da0dcb50667

Download Submit
C:\Users\Admin\AppData\Local\Temp\Relief

Filesize
58KB

MD5
ee03e70a965bafb53b08e19f72dc0789

SHA1
30e9322a1a61ff9e977fd8b04c1991a1ccb71a23

SHA256
dd1e7af944824cfe1598eb0b917d9d9b2b62607f61a42efabbced5b4bacbcd8e

SHA512
7a330b5c06fb709e7d16b6b45c2694e98129278f5dafe240a17870ed19226a1391f8173d34888824efe8a0a6f7d67cb18e6dfbd16435df6d242e58ff48a81e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seo

Filesize
70KB

MD5
6f4cf6a0c8b09bf525be59cd5684d6c8

SHA1
56e4ac49946c614ec8e61285fb3782ca038de7eb

SHA256
6516b9ce395eebefa884a003ede2fef81d68200f6c0b3ec11e70c2fc41e02ae8

SHA512
b733e2c78beaabbd6221805e26cd3cc5c452c43d69affca69c4693c19b9bf6438b7b28602d419a3da660fa56dbf388c7e3c41f9c3095c9eebcf2943c1671dfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Serious

Filesize
70KB

MD5
2da24e10cf4770b7966e05652562d615

SHA1
66e4f5df755f7b27ef21f416897d66865037d33f

SHA256
c3b15b9b25c1f22eb43c6081b20984733a5e073fab87d50f994c631d0295edc2

SHA512
0749f8ff49a59ae4143e2f2d5a29eba83bcf92e30a720000acba75c5e51c669af32511da016fe8a73a00d3a12ebc0e8d60fc47ffd81f0cc46db348d851bb3287

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE3BF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Von

Filesize
63KB

MD5
5a749362858179e1bc70fd9136a6e9a2

SHA1
f1cc590b577e975264b0ea2ffc7f3f160f0b9d4b

SHA256
926245ef744666e70e2314588590360d3693ef707fad21fd615dceef34adac79

SHA512
faf1a5c47724a0bb25926a52e2f99a17ce573b929d71bc463bce81af83d5c9f347dd735a128fc6643e890325cf9f72739dfdf6cf15f574ca83b2bd6af8886781

Download Submit
C:\Users\Admin\AppData\Local\Temp\Webpage

Filesize
83KB

MD5
ec148bb551bbb361764151ad22cf677c

SHA1
66cac1953aed306861b7f7c45e1dee2edbed182b

SHA256
ad3ddd66fea4121607cc43fc547b18b55379345390d9e61112f51dddda936988

SHA512
ed99e7712af09f85df36b7df401238bcf6ec89e8e8587e32562582c318d045a32769b435acd3130b0331458bb826143db15fc45b056b2369d43478d35eb24762

Download Submit
\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
a95edab150e25ad53e3400e7f26d14fc

SHA1
1c9819b39fc3944fba4fecbbf69efba1a6a11dcf

SHA256
ca87e1282bfd72af8ef9181fa8a50158f000e5e33add3d1fa10bddb291492e9a

SHA512
0177e2e75f8425a897614989e4ed933809487bb94eda5b6e594561c658f676dd8830311e184767eae936e2204276bf9753b9f47bba0b3d02998af996b9ab435b

Download Submit
\Users\Admin\AppData\Local\Temp\578678\Cooper.pif

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/1652-621-0x0000000003630000-0x0000000003689000-memory.dmp

Filesize
356KB

Download
memory/1652-620-0x0000000003630000-0x0000000003689000-memory.dmp

Filesize
356KB

Download
memory/1652-619-0x0000000003630000-0x0000000003689000-memory.dmp

Filesize
356KB

Download
memory/1652-618-0x0000000003630000-0x0000000003689000-memory.dmp

Filesize
356KB

Download
memory/1652-617-0x0000000003630000-0x0000000003689000-memory.dmp

Filesize
356KB

Download
memory/1788-3-0x0000000000E90000-0x0000000001340000-memory.dmp

Filesize
4.7MB

Download
memory/1788-0-0x0000000000E90000-0x0000000001340000-memory.dmp

Filesize
4.7MB

Download
memory/1788-19-0x0000000006BE0000-0x0000000007090000-memory.dmp

Filesize
4.7MB

Download
memory/1788-17-0x0000000000E90000-0x0000000001340000-memory.dmp

Filesize
4.7MB

Download
memory/1788-5-0x0000000000E90000-0x0000000001340000-memory.dmp

Filesize
4.7MB

Download
memory/1788-1-0x0000000077B90000-0x0000000077B92000-memory.dmp

Filesize
8KB

Download
memory/1788-2-0x0000000000E91000-0x0000000000EBF000-memory.dmp

Filesize
184KB

Download
memory/2208-542-0x0000000000E40000-0x0000000001574000-memory.dmp

Filesize
7.2MB

Download
memory/2208-545-0x0000000000E40000-0x0000000001574000-memory.dmp

Filesize
7.2MB

Download
memory/2728-629-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-635-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-547-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-24-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-558-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-564-0x0000000006AF0000-0x0000000006E05000-memory.dmp

Filesize
3.1MB

Download
memory/2728-25-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-21-0x00000000010B1000-0x00000000010DF000-memory.dmp

Filesize
184KB

Download
memory/2728-580-0x0000000006AF0000-0x0000000007224000-memory.dmp

Filesize
7.2MB

Download
memory/2728-543-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-540-0x0000000006AF0000-0x0000000007224000-memory.dmp

Filesize
7.2MB

Download
memory/2728-636-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-522-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-20-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-637-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-546-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-565-0x0000000006AF0000-0x0000000006E05000-memory.dmp

Filesize
3.1MB

Download
memory/2728-623-0x0000000006AF0000-0x0000000006E05000-memory.dmp

Filesize
3.1MB

Download
memory/2728-624-0x0000000006AF0000-0x0000000006E05000-memory.dmp

Filesize
3.1MB

Download
memory/2728-625-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-626-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-627-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-628-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-541-0x0000000006AF0000-0x0000000007224000-memory.dmp

Filesize
7.2MB

Download
memory/2728-630-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-631-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-632-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-633-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-634-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2728-22-0x00000000010B0000-0x0000000001560000-memory.dmp

Filesize
4.7MB

Download
memory/2840-616-0x0000000000CB0000-0x0000000000FC5000-memory.dmp

Filesize
3.1MB

Download
memory/2840-567-0x0000000000CB0000-0x0000000000FC5000-memory.dmp

Filesize
3.1MB

Download