Analysis
max time kernel: 141s
max time network: 142s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 09-12-2024 16:43
Static task: static1
Behavioral task: behavioral1
Sample: 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
Resource: win7-20240729-en
General
Target: 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
Size: 1.8MB
MD5: 9063b2ae28f32ddb9a530a00cd68e233
SHA1: 542508a4d9751a27fc38da41b7487ef9e2e6f7f9
SHA256: 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362
SHA512: 6b62d8e0085b02a7dae4aff78b9e767724f17732773bccdcad0677162c581c7a64ae60cdec40a630ab61a61b7f36a098273ed2e8e5678565853d9228b610d764
SSDEEP: 49152:fOhy9DGlEPIz8p6Ihe46UEjnJtxvGoaREP/M5+rQnN:fOhy9DUEhPs46LFyREN
Malware Config

Extracted: amadey
4.41
fed3aa
http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php

Extracted: stealc
stok
http://185.215.113.206
url_path: /c4becf79229cb002.php

Extracted: lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api

Extracted: lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures

- Amadey family
- Lumma family
- Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 4 IoCs]
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 608e6a2960.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 6b81f184a4.exe

Downloads MZ/PE file

Checks BIOS information in registry [2 TTPs, 8 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 608e6a2960.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 608e6a2960.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 6b81f184a4.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 6b81f184a4.exe
Executes dropped EXE [3 IoCs]
  pid | Process
  2572 | axplong.exe
  1220 | 608e6a2960.exe
  2100 | 6b81f184a4.exe

Identifies Wine through registry keys [2 TTPs, 4 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 608e6a2960.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | 6b81f184a4.exe

Loads dropped DLL [4 IoCs]
  pid | Process
  2932 | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  2572 | axplong.exe
  2572 | axplong.exe
  2572 | axplong.exe

Adds Run key to start application [2 TTPs, 2 IoCs]
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\608e6a2960.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005871001\\608e6a2960.exe" | axplong.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\6b81f184a4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005872001\\6b81f184a4.exe" | axplong.exe

Suspicious use of NtSetInformationThreadHideFromDebugger [4 IoCs]
  pid | Process
  2932 | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  2572 | axplong.exe
  1220 | 608e6a2960.exe
  2100 | 6b81f184a4.exe

Drops file in Windows directory [1 IoCs]
  description | ioc | Process
  File created | C:\Windows\Tasks\axplong.job | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery [1 TTPs, 4 IoCs]
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6b81f184a4.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 608e6a2960.exe

Suspicious behavior: EnumeratesProcesses [4 IoCs]
  pid | Process
  2932 | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  2572 | axplong.exe
  1220 | 608e6a2960.exe
  2100 | 6b81f184a4.exe

Suspicious use of FindShellTrayWindow [1 IoCs]
  pid | Process
  2932 | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe

Suspicious use of WriteProcessMemory [12 IoCs]
  description | pid | Process | procid_target
  PID 2932 wrote to memory of 2572 | 2932 | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe | 31
  PID 2932 wrote to memory of 2572 | 2932 | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe | 31
  PID 2932 wrote to memory of 2572 | 2932 | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe | 31
  PID 2932 wrote to memory of 2572 | 2932 | 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe | 31
  PID 2572 wrote to memory of 1220 | 2572 | axplong.exe | 32
  PID 2572 wrote to memory of 1220 | 2572 | axplong.exe | 32
  PID 2572 wrote to memory of 1220 | 2572 | axplong.exe | 32
  PID 2572 wrote to memory of 1220 | 2572 | axplong.exe | 32
  PID 2572 wrote to memory of 2100 | 2572 | axplong.exe | 34
  PID 2572 wrote to memory of 2100 | 2572 | axplong.exe | 34
  PID 2572 wrote to memory of 2100 | 2572 | axplong.exe | 34
  PID 2572 wrote to memory of 2100 | 2572 | axplong.exe | 34
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362.exe"
  PID: 2932
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
    PID: 2572
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\1005871001\608e6a2960.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1005871001\608e6a2960.exe"
      PID: 1220
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    Level 3: C:\Users\Admin\AppData\Local\Temp\1005872001\6b81f184a4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1005872001\6b81f184a4.exe"
      PID: 2100
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.7MB
MD5: be752df2a3bae5d9fbd14d433b351967
SHA1: 64355c823c38b257e469ff717c5ba8a9e0b0bbf2
SHA256: 08570ded4cf2c4a1d44b1837436d241c0392f3c9f35ff96da78ffc80dcdcf0fc
SHA512: 600cb7a8e7832f70909f53ea387c850d8a8b7e255d80f7049ff4833b198ae18cb817460e2343ff92021935c17d4845caa88ecf4ecbad8b832083d6f0fd83b151

Filesize: 1.8MB
MD5: fc730cc04cea274ba94c95faad570950
SHA1: 9959c1e33b3fe4f3e4da5e033f97a39004518b7d
SHA256: 478b4646887cf4961943568f8aef881f2991e0fffaf5d2592939724c6a8c2d78
SHA512: 5eb3af384e548e3ae02a1a0b972394b6a4b40798df44e379d50dd251c1f61eccc0d90460f966de2c3868ed9b521daae7e59c1eef449b02e884ffb96b408a7281

Filesize: 1.8MB
MD5: 9063b2ae28f32ddb9a530a00cd68e233
SHA1: 542508a4d9751a27fc38da41b7487ef9e2e6f7f9
SHA256: 00f4d4cc428634dbcb742e22647679bc7d16fa8c34bedf2b72a8030e1b24c362
SHA512: 6b62d8e0085b02a7dae4aff78b9e767724f17732773bccdcad0677162c581c7a64ae60cdec40a630ab61a61b7f36a098273ed2e8e5678565853d9228b610d764