Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24-11-2024 09:24
General
-
Target
94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe
-
Size
1.8MB
-
MD5
f42590bc6a794fb1d34aba733035bc5e
-
SHA1
d3ffb11f07d68b79d7c6d7aeab5571722a603d1c
-
SHA256
94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7
-
SHA512
40e1f2367a57f1bfc7cff43d496dcca4419b2324099c8a835561f372a34b3a2eba82033aba337e20f70c7e142fee6a1ecf26ccea122bfc7191aa50d7a0b05064
-
SSDEEP
49152:m0u8PuIv8ZuAD/juxrb3LJQ8gUGza+7X0LSH71XXZ1:u8PYDkH7GRz14LSH7dZ
Malware Config
Extracted
amadey
5.04
4bee07
http://185.215.113.209
-
install_dir
fc9e0aaab7
-
install_file
defnur.exe
-
strings_key
191655f008adc880f91bfc85bc56db54
-
url_paths
/Fru7Nk9/index.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 18 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 54 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 4 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe"C:\Users\Admin\AppData\Local\Temp\94620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"C:\Users\Admin\AppData\Local\Temp\fc9e0aaab7\defnur.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10006070101\game.exe"C:\Users\Admin\AppData\Local\Temp\10006070101\game.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O1M08.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O1M08.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M9m81.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M9m81.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1U37p9.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1U37p9.exe6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008713001\2b7a1bac6d.exe"C:\Users\Admin\AppData\Local\Temp\1008713001\2b7a1bac6d.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"9⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x7fef4889758,0x7fef4889768,0x7fef488977810⤵
-
-
C:\Windows\system32\ctfmon.exectfmon.exe10⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1356,i,321758657278824825,9672885344859760425,131072 /prefetch:210⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1428 --field-trial-handle=1356,i,321758657278824825,9672885344859760425,131072 /prefetch:810⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1356,i,321758657278824825,9672885344859760425,131072 /prefetch:810⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1356,i,321758657278824825,9672885344859760425,131072 /prefetch:110⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1356,i,321758657278824825,9672885344859760425,131072 /prefetch:110⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1364 --field-trial-handle=1356,i,321758657278824825,9672885344859760425,131072 /prefetch:210⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1412 --field-trial-handle=1356,i,321758657278824825,9672885344859760425,131072 /prefetch:110⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f9⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 8089⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008718001\1743c7f598.exe"C:\Users\Admin\AppData\Local\Temp\1008718001\1743c7f598.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008719001\6ab6ff1532.exe"C:\Users\Admin\AppData\Local\Temp\1008719001\6ab6ff1532.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008720001\0a29b13a33.exe"C:\Users\Admin\AppData\Local\Temp\1008720001\0a29b13a33.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T9⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T9⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T9⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T9⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T9⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking9⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking10⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="556.0.892599705\997048598" -parentBuildID 20221007134813 -prefsHandle 1280 -prefMapHandle 1272 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24a1eef4-24f1-4680-8949-b27d08fca010} 556 "\\.\pipe\gecko-crash-server-pipe.556" 1344 10af4658 gpu11⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="556.1.1838381858\1628324507" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b09cc4a-b58f-496e-bbf3-6a8a1570b610} 556 "\\.\pipe\gecko-crash-server-pipe.556" 1548 2672a58 socket11⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="556.2.460024540\1255237840" -childID 1 -isForBrowser -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eecf2691-52c7-4fa5-b0c3-2da6544eb022} 556 "\\.\pipe\gecko-crash-server-pipe.556" 2124 1a5bf358 tab11⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="556.3.1585754963\1043108034" -childID 2 -isForBrowser -prefsHandle 2940 -prefMapHandle 2936 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56cfd359-9235-4936-be2e-5e8d09929213} 556 "\\.\pipe\gecko-crash-server-pipe.556" 2952 2664258 tab11⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="556.4.2052109017\1675123443" -childID 3 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {69e1bed5-f2a5-49a2-957e-d0e6154b54dc} 556 "\\.\pipe\gecko-crash-server-pipe.556" 3704 1e0f7058 tab11⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="556.5.1236549542\970273505" -childID 4 -isForBrowser -prefsHandle 3912 -prefMapHandle 3916 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e31ac54b-fb66-4540-9e9f-c3328f3a587b} 556 "\\.\pipe\gecko-crash-server-pipe.556" 3900 20779358 tab11⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="556.6.956341493\217338706" -childID 5 -isForBrowser -prefsHandle 4036 -prefMapHandle 3868 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 880 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e06134df-a853-4e44-add3-43e05eb74a68} 556 "\\.\pipe\gecko-crash-server-pipe.556" 4024 20779658 tab11⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008721001\f23d4648cb.exe"C:\Users\Admin\AppData\Local\Temp\1008721001\f23d4648cb.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 7969⤵
- Loads dropped DLL
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2y9598.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2y9598.exe6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3y27e.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3y27e.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4y227q.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4y227q.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 7965⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10006170101\7efb1b6c24.exe"C:\Users\Admin\AppData\Local\Temp\10006170101\7efb1b6c24.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\kreon.exe"4⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\cmd.execmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\kreon.exe"5⤵
- Loads dropped DLL
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost -n 16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\kreon.exeC:\Users\Admin\AppData\Local\kreon.exe6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {F0FE0BDB-36F3-4B03-B051-EA8E824EB3B4} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Authentication Process
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
31KB
MD50df3f7836900bc4ecfd96625d504e4bd
SHA124ab8ba5f08b55ad8c3e72cfe2a1fe9893568d53
SHA2562781fb070c40e22ebf23d7c28f8394a8c6f307954dbf4695bf8a36f796180021
SHA51282ccd777f5026e5d9ebed6c5ea091ef98146ba86a5156e317599f055a2aa52e719ce955098af15ce820fea0a99a8a57197f626443a6f460283da367792e932cc
-
Filesize
13KB
MD5f99b4984bd93547ff4ab09d35b9ed6d5
SHA173bf4d313cb094bb6ead04460da9547106794007
SHA256402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069
SHA512cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759
-
Filesize
7.0MB
MD54fc22f06935dd2c58d9d978f0f8c97cc
SHA19b4b2b20db88599bed357b5dcab97fe2497ac30b
SHA256513544f9a75630e32a26c2d54c69247a32ffa85e4bcc9eca24547416634911d9
SHA512eadeb4dea146ccd56515bcb05ccedd8e6815409d516b6e9b677522754fc4c14bcddedf8e4f33406330aed2bcec7a4a2b1adbc81aa2e52dc3e75876382988cc6d
-
Filesize
3.5MB
MD5ca480193e4b8159dd1283118ebde8896
SHA1857fb4852f31428ead5e2d9fbd5bfb16d9714d1a
SHA256377717dd342a9169589d1e2c8509d12ceafe9c43b3407ab16771ec611a367a2a
SHA512a49927f1dffe8d14f592e767415c490f4bdc9fb5d7ce45f10f5e6c7aa5c20b79412abc8d4f799cfd88aeeac3ef73f55a9710503a9a612efb5d414ec95a3e7ed9
-
Filesize
4.1MB
MD53de87de137ed1adcde5de7897a8c2c3f
SHA1389fe91d75a961e11296f7c45acc9264ed581965
SHA25692edd16fc04624fc69b9be59155def1c28600e9d1bb8c804df61fc4f1422e017
SHA51272df63c38f986c018da256058e67814dbede64f1339e863cc51b74d4af6c2b6cc1e51eb186908d5b2b8c49ef8abd5e8dbe8fe8d26b1ace81ce7a620c303a00ec
-
Filesize
1.7MB
MD526a229c3047fc18806af40412a2c7f9e
SHA16b101bbe11e63eeca7dcb158598e5debe247a5f8
SHA256b7ddf1ea8408262be1584cca601fafac7d18e8e9e1f075c0579395d1ae30616d
SHA5120135ed88a5cd3ce2218a6105f90752b8e80fe98dce4b6e49ec0ef8bfdf4cefa88fb006ce15d0f1a09d2cf4be792c8a9983fc342f5d3880aaed6ec0a036fb3113
-
Filesize
1.7MB
MD50e05441bffbe8e424ed49ccd5af1ce65
SHA1a9d995171095a1aa14f4f13bc6063f339aaac768
SHA256327b96e7de0c91b4799d730b5c18641fe694ab2e367f1a1d7665dbca7e37aba9
SHA512ef22c5679124e5fa84816781f595b13212734f840ce72e50f46226e3ccb317da56db3085441cc799c548994155dc374a6533d32f979e5d4364a6e2ab21e5ae95
-
Filesize
901KB
MD52c54882be674e76f31f1f13cfd331d55
SHA1e33e4a54e11cc4eda645ffadfedf17f57decf4f8
SHA256f2c117fe2b73781335a3b701890ad7b61dc1970b2a25be7fd4ed6a2b3264d308
SHA51264816d2518652e80748738b103258833f62ee88714bdf02fb376861c1736f5dfadee4d52f61849bc8bb471e9f5d5a4424d982cc8bd10efba3739f29e07104869
-
Filesize
2.7MB
MD59835cbfe3dc7ae0fee6a1f29ecead86f
SHA1c12ea6931edf523dd704fcc85b943b45968b2daa
SHA25643b97c1dc396c9492f6e13786f748ee59cfcab42eebcf7d9ff3a959940aab53b
SHA5129ea4be09d4cc6bf3168f79bcbffa608411a6ba5ebbf82deda4d81acbd418122941c699e36ac193e4006aaf245e780e25725c6c6c803da2e7388d7392782cf13e
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
5.4MB
MD585a4f9352f9065b1bd9e766e7d523d90
SHA10194f589a94855124987f7a86811aa3b467a07ec
SHA256a3e340fcdfd20f88c060c740149adf3920bcddb009906f328121a9889ff8656a
SHA5122726e2da483b8c001401607ce4f1fda4910d6730e70bc9549225c914f75f8b725d448ec1264118da039e444bcab0131e736a24d5ef1638b8a862e0d8d35da777
-
Filesize
1.8MB
MD50a75820b356a011e9fa427d658f1e3c0
SHA1a57469622af0b25fc3a07d071dcbe1526c41881f
SHA2566f064372869eee9be9b504a086011c8beb3d7c753a87bd0a28c44ee5a22c6ffc
SHA51237641be0b9191f3688c9dd539da7ad20729b6e1fbac770e08868e8ad3226138a58fe95390ed28cb10ec478eec44065e68b4a8c5136b5d9a638db17767f75cecb
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
2KB
MD5e910f4ae06c6b7e97a521c530f51faa9
SHA17ba28a62516adbfe9397b3eafb248a20edfe221a
SHA256d8edf824c9f4eeeea7b24a82459c58d00e6854e4aaa5d6312de8f4526b51a3a2
SHA512f5243ccf391a8e8bc070b984adc270b67692dba967f191ef139589c07f68227480967c59f8870483cd1443acec2e2df0f78cfa77caf954cb8a1f52dd102e328e
-
Filesize
11KB
MD556ac3aefb024385e49626ca96615037d
SHA161d65fcf0f3e4c5ce8a575af51dac2ced10fe46a
SHA256c99063372e165325c4278938d3f5c27d5865bc6184dde7c75ccf2a9b56ab5bdd
SHA512fdf93b3141101fb1dfbcc4e5d514bed82de210e93bbf5a0197416db709b516012f00d50546d47856116f6e6dcc2fee93fb111bfbd74fabd15b82f5df0533a16c
-
Filesize
745B
MD5196993b7fd1cf6f388522fd077db790f
SHA13332bd052a7c383a7e4e45dd651d61cc12e0ad21
SHA25643eb14cd1a7495240771bd3485c6c184bde9e60a4d789e93cae2e2f07b2cc354
SHA5123c1d35f7ac3bdb366909881b8e84f2e232b3a565d5aaaa164150ae1f549f32bd3d8982d44e4b9e19e09986546a1271e6ec701e1762223308813be527c3c90eec
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
7KB
MD5f2e5d3742b8e27e1dab0012a55c424fb
SHA175ef369ca9d1caeeb2a60a2ef2471d40a859835d
SHA25631923c9289449f8c339762020887f6913c75a010b979a25203462cd6d5d84d84
SHA512a14def23a59dceb4a23b8eb4fe4accf46b447eeeb0bcea3ee01d77f22b8062f8ef4d4c32efdc1a3be3a8c7a543a5db0471928748d5e77dbb163d8955b33fbd77
-
Filesize
7KB
MD5a75de17e95d8e70083a887721f8a48d7
SHA17b91d811f95d9e31c27a773bfbd1fbd5478f55a5
SHA256f5ac16eab38f74d4772303baf6729cb7878129aa65222fb437519de7f8469813
SHA5127b88a71a842e43c28eda8c88a6b084435dfa8511cab0e0000bdfe27fbbe6bd33a5c93dfb5714efb340f450807af50a6e63620f99f5fda84364ac57510c7465ca
-
Filesize
4KB
MD5e91562779aa47353e8f95b004b34a4a7
SHA155f2634e761d6d3d77c22a433cbee103886f6c01
SHA2564b2ce2fa5c7dbab3f890ca9cdc5fd6d5caea9eebcbe7625cd8576f5bb33c50e6
SHA51212df29b98f1e250de33fc8dd18044ee98cac647882e913fa959fa8277a977ba41f21f9fc52ee0dce2333cf8925f1de34890e260cb0bd9f59a1dd6ace7ed2d0c7
-
Filesize
124KB
MD50d3418372c854ee228b78e16ea7059be
SHA1c0a29d4e74d39308a50f4fd21d0cca1f98cb02c1
SHA256885bf0b3b12b77ef3f953fbb48def1b45079faa2a4d574ee16afdbafa1de3ac7
SHA512e30dced307e04ae664367a998cd1ba36349e99e363f70897b5d90c898de2c69c393182c3afba63a74956b5e6f49f0635468e88ed31dd1e3c86c21e987ddd2c19
-
Filesize
2.7MB
MD5f8c7e8376a3d8b22affd98f1ce37ad40
SHA1cdb6712157abf20c004727e9a3a318c226331bc5
SHA256ac875e32c67120a2f55ce2120782aa50edb5bca31fc9767dd808882df740091f
SHA512818f8f6f18705399a2f13a3a8a828a23ae818f095996bd03e8cced23693899c7a157e672e2d17314265fb7c70a8c6ec782f66656362d73aeedc208687a7ebb45
-
Filesize
1.7MB
MD5cb78b3cf97d74f0540679225a564e8b0
SHA195b72e4eb9f28a6534e1d902f802f2988ad6735f
SHA2563427282a0e679abf14880c48f47728c97e1c3f870d1bf3bc0116736f3abde675
SHA51288f693df96058aa6f91ba582ce5c213e9c7761eeb1379b8993c4de83b106632083cd90bbd3eba98a4038b6b951adf81f7f64e7bab903eba431ee4497abd5cde6
-
Filesize
3.6MB
MD59b4ce888fcd43f1595714b7de583c05e
SHA1005296bd0d3360684b6b4fd573fc8149ac7f6645
SHA256dda5701d4fde3d5ca305ea1294dfd8474d8d6a6c552f324a10b6597e649a4670
SHA51206b8243a29585cd4f41c846757f95dbbfd18d3764fb270aa7003d975d6e82af510167aba10b7c74069c4a3cecf74d952e6d8c05ef34486a4824114862081bfa6
-
Filesize
1.8MB
MD5bd3c9426f58b0aa58a0622b721f7c17f
SHA1aadbfb4fcc6a8c76b8cc15a62d8e2d7d139a09f6
SHA256715223f9d8cbff4640796f95054a54aaba8a06c7215d167a13d9f1ebf8bc1f17
SHA5129de240534deb097953f8971bc716384c9e4118d4fbd7de5bf943408c9a92e610542538b2f9396d8bf3fab679837d22a8201cad3973fa07d44664a882d8a02c15
-
Filesize
1.8MB
MD5f42590bc6a794fb1d34aba733035bc5e
SHA1d3ffb11f07d68b79d7c6d7aeab5571722a603d1c
SHA25694620a76353f019700029a53664a5b388bb67e49dfb4512ef688a733552f0fc7
SHA51240e1f2367a57f1bfc7cff43d496dcca4419b2324099c8a835561f372a34b3a2eba82033aba337e20f70c7e142fee6a1ecf26ccea122bfc7191aa50d7a0b05064
-
Filesize
2.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.5MB
-
Filesize
4.6MB
-
Filesize
4.5MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.5MB
-
Filesize
12.2MB
-
Filesize
10.4MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
6.5MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.2MB