Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09-12-2024 15:49
General
-
Target
7f9c4f99669b5c05535075cc97e746e9df229b8177f56a0a9e989b861e8a2ef4.exe
-
Size
3.1MB
-
MD5
03bb6c45bf7f0ce8caa6c8ba6ca33509
-
SHA1
f59d3d9d070984d3bd3e4bd7c903990b204ed554
-
SHA256
7f9c4f99669b5c05535075cc97e746e9df229b8177f56a0a9e989b861e8a2ef4
-
SHA512
0e99313226eb3df882a9372820532d71ebe95616f7290e4eb08256681af7bf8826c66cea34cd50f89b1dc34af145fa7803d036d64d58a45855e998982d4259be
-
SSDEEP
49152:qmZuKkpYpaS4Zqf63VQkUfHZjTvfS1REpnlt+nzZWF5whsj1NbyE5Hd:qeg4Cqf63Vsf5jTvfeEntzohs5sE
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
xworm
5.0
45.200.148.155:5050
i5ZVKLKJz2PVTovK
-
Install_directory
%AppData%
-
install_file
SecurityHealthSystray.exe
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detect Xworm Payload 5 IoCs
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 32 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 35 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of FindShellTrayWindow 15 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f9c4f99669b5c05535075cc97e746e9df229b8177f56a0a9e989b861e8a2ef4.exe"C:\Users\Admin\AppData\Local\Temp\7f9c4f99669b5c05535075cc97e746e9df229b8177f56a0a9e989b861e8a2ef4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe"C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 105⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\Admin\AppData\Local\Temp\1012982001\qtmPs7h.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 205⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 205⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\10000800101\888.exe"C:\Users\Admin\AppData\Local\Temp\10000800101\888.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\10000800101\888.exe"C:\Users\Admin\AppData\Local\Temp\10000800101\888.exe"8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\word.exe"C:\Users\Admin\AppData\Local\Temp\word.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\word.exe"C:\Users\Admin\AppData\Local\Temp\word.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\callmobile.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 6165⤵
- Loads dropped DLL
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe"C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1013334001\vdGy6gA.exe"C:\Users\Admin\AppData\Local\Temp\1013334001\vdGy6gA.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1013433001\ziNGMDa.exe"C:\Users\Admin\AppData\Local\Temp\1013433001\ziNGMDa.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1013433001\ziNGMDa.exe"C:\Users\Admin\AppData\Local\Temp\1013433001\ziNGMDa.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013458001\9Qk4n8B.exe"C:\Users\Admin\AppData\Local\Temp\1013458001\9Qk4n8B.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1013458001\9Qk4n8B.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9Qk4n8B.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013459001\fbde09cecd.exe"C:\Users\Admin\AppData\Local\Temp\1013459001\fbde09cecd.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1013460001\daf9b4eafe.exe"C:\Users\Admin\AppData\Local\Temp\1013460001\daf9b4eafe.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1013461001\a18b9dfa7d.exe"C:\Users\Admin\AppData\Local\Temp\1013461001\a18b9dfa7d.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.0.369713238\1752793221" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43442846-087a-4e66-9349-1adede5ffa6b} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 1292 11dd9e58 gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.1.6955270\378981106" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79bf3f39-7127-4f60-a7b3-1b2748955ea6} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 1508 d72758 socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.2.364695477\879898904" -childID 1 -isForBrowser -prefsHandle 2192 -prefMapHandle 2188 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23953e16-0aad-477f-ad56-eb875b2d5731} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 2204 1a5a6f58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.3.2062471048\447547172" -childID 2 -isForBrowser -prefsHandle 2068 -prefMapHandle 2080 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da5807e4-fb18-4779-87b8-0bdf39200ccc} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 2060 1b5c7a58 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.4.1324436627\476459228" -childID 3 -isForBrowser -prefsHandle 3836 -prefMapHandle 4012 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4dbdf07-9975-4342-bf01-11de19a98b65} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 3988 1f28f358 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.5.1404688435\570878851" -childID 4 -isForBrowser -prefsHandle 4132 -prefMapHandle 4136 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b50ef99f-5488-496d-b0a2-bdf242e03cd1} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 4120 20bac258 tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3980.6.1994492793\654513855" -childID 5 -isForBrowser -prefsHandle 4300 -prefMapHandle 4304 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 844 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c83a9217-df64-45c9-88ee-872962e6bd5d} 3980 "\\.\pipe\gecko-crash-server-pipe.3980" 4288 1eb67258 tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013462001\ff5ebbdcb8.exe"C:\Users\Admin\AppData\Local\Temp\1013462001\ff5ebbdcb8.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1013463001\e711f577be.exe"C:\Users\Admin\AppData\Local\Temp\1013463001\e711f577be.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9F1A2493-44D6-4292-8037-9C01201ED30B} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
24KB
MD595418472a49d39a359078f93becd392b
SHA1e7c2314f406d9a6e99031de9dd048ea982d05450
SHA256fca68e37507a359354c1f4611287dbc0f79f229e048cd77e4562a5a889de4e9b
SHA512526603fd56f1bbc80f2e3940c9de075d16b147067cdfbd23651e6c9dfb2e415f768f4ada3832fc187dd08aa3fd61157653bc0f8ae3594dc5d4d9b4174782d1a0
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
4.8MB
MD595b1ed941aca053a6454fc52903f4796
SHA1428d701aa628914df3d12dd453a950b2180f761a
SHA25676caf7c9225664cf3ff98fde323af7024d4804080db8c5d92f7873527224f04d
SHA512ceab0e29fd38bd40a70b5d0332c72f15a1beb86a7684cddbbc5b1146961c7c20e7fd0358aae1f628ec9782fc91ab9652063dff830ae48efc82938912babc0d89
-
Filesize
799KB
MD589bd66e4285cb7295300a941964af529
SHA1232d9fee67a3c3652a80e1c1a258f0d789c6a6cf
SHA256a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047
SHA51272d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498
-
Filesize
2.2MB
MD53541c1ac26eb5bbb87f01c20fd9f8824
SHA1bf5d136c911491f59bdeb3bf37b8f1a155fd3a97
SHA256b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1
SHA512babc17723d2389919acd96f977821d57bdd737f01a9598209efafa72ae0418e914a5d229f196d80cb5ba70ce82b0f340b18aa255bbe4ed77d821a432d5794a93
-
Filesize
809KB
MD5ec31a091e3c06294cade73a10d5cae88
SHA10eadea9ac15955c791ad35ebb2719fb632ce0197
SHA25623f46ec28302b106fa23d1db2a513875c7157b803cf32f4f3f94e51ed4ba2d83
SHA512827499e195dfea6bbbcd3e92dff81dab77d32418eaa9438fe66d6c35df2c7736b5842afb83e892a2f1c84e8fba1b53f3f300a1b9ed465ecbf2cb55b6544cc328
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
9.9MB
MD553306653e88891da35bdfc1330a2dafd
SHA10870df54ca24e32bf88ccf00d7dd0ada3a0ea096
SHA256fc3471e819eafc1640b51c5c8d4bd36db60dc96d912769fa0dfd619f3ec6ff09
SHA512930ff27fc7377eaf0097cc6430f2c5486336c398a7ae08fadbcb0af62490b96c0b9ec3d36455c04e5a79d2405fc0c6f1f6a44b0298f3b6ff46f2a6c591aa51ba
-
Filesize
1.9MB
MD55d88053a8fa89daf50a22f3e7130b84f
SHA1376315c3b18c6d410a615dcc18dff4529f44ef9b
SHA25678d2025e6bfce4ee78142552e30d2eb07c9bb7901ec6407ab8ce5bba72c13074
SHA512f60af0d664d5a13555c21891a02fab76d7c63d45b6497e8c7da1cad3cc89223d1578c9b0a394fd23bb650777eb8f295cb372519db0c22a7061c0a4a0872261eb
-
Filesize
1.7MB
MD52e294f3db1a3b1f0624b69d47ba3456c
SHA1082c1d3d3a7363b86db51d01e23959f72eaf740c
SHA25603100a9686a78171ad87a164d17b5cf4defc92736db32352fc16bf60e5d731fc
SHA512c60875c1825ec998996de35c52cff8b03c0b98631578c93bce026c9f580494fd2df216bbbe6db13832b67a4f0f21d045926041ce3865f87508c5bdd422e753e7
-
Filesize
1.7MB
MD5a7af58fe0da7ef19da6ad1ce8376597e
SHA1891eb45d3c52f186cd2cfb03997b996c4535bf26
SHA256b8b2986f268c6ba53ea30d750092c0a26e7fe8cdfb74a3ff3be9513ad05b716d
SHA5127c0d7d30b7c6a013378ab2f744d45b218c5be00fc20bfc00cd983a13e60645e8dc311278c433d842151043408fb316a00c20cb655b13426dcd7e6acfdcbb25c5
-
Filesize
950KB
MD558d8b4340fa9ca05e2ecc82281f6ba30
SHA1bf7fdb9954f4763c5bd0d6f45e5df9e2fa4326e5
SHA25695cd445851e76e32539034fb5614d3bd2d04747479941dda234a0175e78dc2a4
SHA5120d8c69ff14216d151151a935a3ff76679e219f551badb37fa441e189c7364a68e03cb4b65f8400238fddd48e862b004a7b7163043fb1a524feba30da3d8e74ff
-
Filesize
2.7MB
MD50c628411b34cd221d309d406683deca1
SHA15f8be3da5456806706c322c3c83aaa60c2d5f1f3
SHA2560332638fac22e2222292b66defa0c78ac428d160e44802ca89cfe0b898f70620
SHA51240c2c39c84d56d4cd3a0541fefb04738eab0e19e9aef3baa0f9ffff89b264cddd33fa056f9a23dfdf92c6dddb5dc6334dcead943d634143bbd0d2601b3332fb9
-
Filesize
1.9MB
MD5e96cd9e1c8cbc927c9c445e155d5bd75
SHA16c8d7a80cb4635fda0f7b799ace942dcd10b3700
SHA2569f1169888c4c2acd65e79928bb27a686204fa3b622b921a7ee56c7a735924eb6
SHA512419cb0650a718f7356335745a64d441d8693c48181692bdfb22da508fa993e93772f5ee89ae5085e5ae3d04f28936b57e12e6704291be6acc45041744ba7f413
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
2.3MB
MD5ffabcc262fb699998b6191d7656c8805
SHA1fd3ea79a8550b14e9cc75fb831fd7a141964a714
SHA256f46e4a7de978baceec5f64cbc9fa1f1e772e864fa3310045cd19d77264698cde
SHA51279b2e21a9111b16b0f67ae5d1cc40a25773b847d3f4cf78711a8dfd8b67c30beec332ed65ac008c9dca62c84de891eff20d7c6050bc868bce77a17fe56da61ba
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
4.2MB
MD5c6c37b848273e2509a7b25abe8bf2410
SHA1b27cfbd31336da1e9b1f90e8f649a27154411d03
SHA256b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8
SHA512222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
91B
MD54c648a9e72378faa0a42a1ce8eaadbff
SHA136eb70db2718bcb875ffb47d32ab0c5f51e4f0a0
SHA256cbf47d2c9f0bf5b4976e1407418de08cc3bbd8cc3e6608347cd05e2844c141a0
SHA512e36a8825a58a01bb3c10bdd7ad294b923d8879842c002e569ba534fb032388c4631dcf6673a6e9b8b38c1353cbefbea5170050e042398a262260ea2f178e86c8
-
Filesize
91B
MD5b68ae3e9503b5db3db1197ba72ece603
SHA1a13f0ef0356025b56c842c413261919630a785c4
SHA25681af8e40d0820a0c715c32ed857b5f2ae0d671e281533a59ddc3ae76d10a7b63
SHA512268268d74922d16327800420aeeb7b19c7d02d5eeaeeb0ce7c2d0b7b558bf7af084f605a8b644fae03f4403afea4e4473c327efd2996c093ee7d85da628d8731
-
Filesize
7KB
MD5f1c24755dba80ecec42d21752e91d9bb
SHA19224e283b98ed449351b16e110ef743810457cd3
SHA2563f4b2ed7e9d531a9081839e3e215ad55c608374a3e349c11bfe0cc92ab7349b6
SHA512fbba8d39291170b14f18244329c28053a3ba09ed665ff4e35ae94bd98acd3291807c58177e53e074f49e3fc8e9e24dfcb4f959e0434638eb8d86d2a8ca1815ec
-
Filesize
2KB
MD54875fd14be7b32e315e7c7d54b338278
SHA19e69f3dac5128d8ee8ad277a7c73aa94782d7b77
SHA2562a3bd5d80a102defbeb58c454f3c51dbc7cd805dbc39a0c57f85bcf628380658
SHA512239a648ff9acc2021a860b352cb0f233251b05aea050e87ddbcb99caf6996a655567c5ebf2681d2b4f328e5151dc2ea259fc4e0994880c249cc313c77a3a72a4
-
Filesize
12KB
MD57be2e69add2cfdd740f8918a54ba1f96
SHA1a8af0afb8e152934173d3d99bad8eaf3a6a7e62b
SHA2569254760b01d320bfb2100c9d1594fa54aef2e5f5db97f0be9bed6519f3b7aaed
SHA5124397b284dfdaaff629fea93b3aca9dec8166588ac4745414824c6c5e20e29a0a9d3208b3a369eac34f1e9a2d16e8c6ec4af13077e079c796397df4e12b570749
-
Filesize
745B
MD5110e76a464ee460b71e3ca752af73c40
SHA1334a46c2f18b383ea42446b25e6a79d9c231575f
SHA256e6e66bb4ebc3ec57b9a093fcad5d15b8127bbf3a924ec106336eb73da53b7e45
SHA5125261e70162ffddc3088846179eeb633979a801cde40cea78d420517fcd960ce7ea5377aca1bfa62af71f9a3c58cead5294c30077632d02ff6055e5e6fbde3a0b
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5a70507b4f63b41d091a77f4beca881be
SHA1ffff545d3b5ed97c7fdce15bcf4ddc03986a6939
SHA256d0481bfe3cfd238b3798e79e86d5e1db7da6eb123c76b2e84b68e02c1d23e0a1
SHA51243967195e3294e2319ae335473d5f98f0cdc87904d153e5c5661e36ba7562e29d0eac7bedf009a51dbc7d8d07298ea4d6fdaba920f5d3cec92f5fd2bdfca5828
-
Filesize
7KB
MD5c24ce019d9afedad7af8be2f819feb3d
SHA109fdb67e1af2419bd1bb7be38c3a59eedd8d334c
SHA2562073e1dee97085053f3696463890a8e0d95db7f4fa893af6fd817b551fc7bb58
SHA5125252ca6ac8e32fa73735083a0fde26b84aebf402ab33034907c09fe994cc9b3fabc061f3c1780a664082d2ad58a9bd0e53f6e5616a732d55141e4f636e50bc3d
-
Filesize
6KB
MD5314f5150d1cab1e6049090abd9a28c6b
SHA106b6b0af2dc48b3117b9cfa01feabbed2f17c4e3
SHA25692f490062496199ee90a2088994221e35df0de0433dd493e2f75bba84671647f
SHA5123df615051cc242032ed7ade20e3a81c84065dd565a1f2455f6d9bfdf09eaab1e2bc4cf39af1347318be908ea47ccf3d2e15d95548025b2e7a16025563d5da217
-
Filesize
4KB
MD55ce7284c72f780807da13c134251019c
SHA11898b63977fc0994b09575ae969ee07d29640c8d
SHA2560150936099f16e0095be78be33fe34a723d099dc552adb0c456c99a2b44a668b
SHA5127556d82996b8ea189615ec6853dbed6b9d6ac4b65dee2802a3c36e2c71248b2aad84001884e86c53a0ae1173b8f8b32ebec0b389517c04d0ec33adc6128238fc
-
Filesize
1.4MB
MD5a8cf5621811f7fac55cfe8cb3fa6b9f6
SHA1121356839e8138a03141f5f5856936a85bd2a474
SHA256614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
SHA5124479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd
-
Filesize
3.1MB
MD503bb6c45bf7f0ce8caa6c8ba6ca33509
SHA1f59d3d9d070984d3bd3e4bd7c903990b204ed554
SHA2567f9c4f99669b5c05535075cc97e746e9df229b8177f56a0a9e989b861e8a2ef4
SHA5120e99313226eb3df882a9372820532d71ebe95616f7290e4eb08256681af7bf8826c66cea34cd50f89b1dc34af145fa7803d036d64d58a45855e998982d4259be
-
Filesize
76KB
MD50e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
Filesize
824KB
-
Filesize
152KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
3.2MB
-
Filesize
8KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
3.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.2MB
-
Filesize
6.5MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
4.5MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
8.4MB
-
Filesize
3.2MB
-
Filesize
4.5MB
-
Filesize
8.4MB
-
Filesize
416KB
-
Filesize
8.4MB
-
Filesize
2.7MB
-
Filesize
4.5MB
-
Filesize
3.2MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.5MB
-
Filesize
3.2MB
-
Filesize
1.4MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.4MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
336KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
304KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
136KB
-
Filesize
1.4MB
-
Filesize
2.4MB
-
Filesize
104KB
-
Filesize
824KB
-
Filesize
24KB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
104KB
-
Filesize
4.5MB
-
Filesize
4.5MB