Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
12-12-2024 09:58
General
-
Target
4578d207fc6610750df1d6005c8e1ba3c00bdf9b89d8ac6d49bb4e6904729062.exe
-
Size
1.8MB
-
MD5
9e50d297946c37d3a1d1da00762d4e48
-
SHA1
f7c1f6d79350183902532f4f74c55110099418b7
-
SHA256
4578d207fc6610750df1d6005c8e1ba3c00bdf9b89d8ac6d49bb4e6904729062
-
SHA512
e6a29fabdf67f7080513a2ef677e324f8c94817c9504ab020a034a9fa6ae12c7935963be490842ace30b458ff8d51a9229887ff3a8bdca1b80472cc80925f114
-
SSDEEP
49152:o9I0TNAwTWApTxMORD1vKsBFsAjthoLj:x0pAoZSmFsAjtW
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 24 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4578d207fc6610750df1d6005c8e1ba3c00bdf9b89d8ac6d49bb4e6904729062.exe"C:\Users\Admin\AppData\Local\Temp\4578d207fc6610750df1d6005c8e1ba3c00bdf9b89d8ac6d49bb4e6904729062.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1005970001\chrome11.exe"C:\Users\Admin\AppData\Local\Temp\1005970001\chrome11.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\certutil.exe"C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmpD4DE.tmp"4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006029001\l4.exe"C:\Users\Admin\AppData\Local\Temp\1006029001\l4.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\onefile_1444_133784711469740000\l4.exeC:\Users\Admin\AppData\Local\Temp\1006029001\l4.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006032001\Qtdedcpuf.exe"C:\Users\Admin\AppData\Local\Temp\1006032001\Qtdedcpuf.exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 6324⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe"C:\Users\Admin\AppData\Local\Temp\1006092001\Ixpla.exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 6324⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006141001\networkmanager.exe"C:\Users\Admin\AppData\Local\Temp\1006141001\networkmanager.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1006192001\e4174b8c0b.exe"C:\Users\Admin\AppData\Local\Temp\1006192001\e4174b8c0b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006193001\6dfe352cad.exe"C:\Users\Admin\AppData\Local\Temp\1006193001\6dfe352cad.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD55b39766f490f17925defaee5de2f9861
SHA19c89f2951c255117eb3eebcd61dbecf019a4c186
SHA256de615656d7f80b5e01bc6a604a780245ca0ccefd920a6e2f1439bf27c02b7b7a
SHA512d216fa45c98e423f15c2b52f980fc1c439d365b9799e5063e6b09837b419d197ba68d52ea7facf469eae38e531f17bd19eaf25d170465dc41217ca6ab9eb30bf
-
Filesize
5.9MB
MD5d68f79c459ee4ae03b76fa5ba151a41f
SHA1bfa641085d59d58993ba98ac9ee376f898ee5f7b
SHA256aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
SHA512bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e
-
Filesize
1.4MB
MD5338cbbffa6028ee1a0beb3e7e6c4abd9
SHA1bd008e415d2d85a124d33d455a2e2b0a0312be39
SHA2561af9406ad522df70d8b59054cbdbef1a267fe199ab0ec1369523cdce9884bea6
SHA512a8bb96d8ab47a3f57d5f1fc48c61392e9b28b379517cd12a468044d42a7ecdf9c099244d94784ff2411b358ea2272f8069a2fee2ea952b693ee460de0f689215
-
Filesize
1.4MB
MD56e7ffd057086e44e4fcc01846cd2b152
SHA105712e7e7b8429b2dd201ea504dc32fefe5795da
SHA256fbc587e990949e428e8ce7a2c74dbf85cd63ffa07370756ad854595fea0033d7
SHA5128cab1824b32c54273658d28738109c8a1ef3170c1fbe02deeee40d40990acb6d45431bfb65a3facebee9a919bd972734012b1e8de035b9c1329f1bd0e709ecd2
-
Filesize
2.1MB
MD5f8d528a37993ed91d2496bab9fc734d3
SHA14b66b225298f776e21f566b758f3897d20b23cad
SHA256bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02
SHA51275dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a
-
Filesize
1.7MB
MD56731bd7e893f440a5f73edfd40b73112
SHA18e396ca101830e0116881c8d8c81c6d5e7918afe
SHA256599399619509681016345f5e4e50f6edd38a70496201d1a9fbfe5c53d7f4690b
SHA512d0247ad0a1392a9b622d08e22feee7d79854c8f1492f0b4d5d5e669f7efce409e3a3961f8229ebb40aca97ed6e36066b40393b3e9cb78d7356d34d530c125110
-
Filesize
2.7MB
MD59aa3e28acbd0b5a2e045a6d513c93b6b
SHA19381e49745b0e1c2fab053f8d4d2a59bc61988f1
SHA2562f1568be0dd8f9a154b003441a09464578fc012d81f60faab98f8ba9c1913898
SHA512994aacaaafb7a60400aa05ad2524eac325b50b46109a75a71e2907e0dc08b5147ad7f63d308c72b92dc70d232335134815b461b00c18c722a365e6e0f8491471
-
Filesize
1.8MB
MD59e50d297946c37d3a1d1da00762d4e48
SHA1f7c1f6d79350183902532f4f74c55110099418b7
SHA2564578d207fc6610750df1d6005c8e1ba3c00bdf9b89d8ac6d49bb4e6904729062
SHA512e6a29fabdf67f7080513a2ef677e324f8c94817c9504ab020a034a9fa6ae12c7935963be490842ace30b458ff8d51a9229887ff3a8bdca1b80472cc80925f114
-
Filesize
2KB
MD55b922b9b430d52708ffd7c4f9ae7fb2a
SHA110fa700bb7771186bf5cad1b18ae0949a66f9a5b
SHA25691ac342b09947d76e5ac10794e57f09a916fa546bc2229a7796e9a9b95c5bae2
SHA51217186baa3ad61b737f80580ed7b319de8d9fd0237c11634761038f11f4cc375ae70e4c36fe4753dc1ca0b3531d146e74b0dceb3e1465c4cae41ec02bcaeeb9e5
-
Filesize
5.9MB
MD563c4e3f9c7383d039ab4af449372c17f
SHA1f52ff760a098a006c41269ff73abb633b811f18e
SHA256151524f6c1d1aeac530cfd69de15c3336043dc8eb3f5aeaa31513e24bfd7acdd
SHA512dcfb4804c5569ad13e752270d13320f8769601b7092544741e35bc62a22af363b7a5ea7c5a65132c9575540a3e689a6946110502bd0f046385b8739e81761fbf
-
Filesize
6.6MB
MD5166cc2f997cba5fc011820e6b46e8ea7
SHA1d6179213afea084f02566ea190202c752286ca1f
SHA256c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546
SHA51249d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb
-
Filesize
1KB
MD50db5be0ec79017ee37b99d323ac2f4a4
SHA19a4e81d4bfe9a26bde6c733d3f223fca96b43547
SHA256b0e8d393d1415c26c2b22ab0fb9e4bbec1584bf85caf55471dd2d28f24542c1b
SHA5123e611d5e3f50f124b3ba6c943ab0c1bcbae8f1b7946672ecad459176a22ca0a29708ff1a17769dd08202e43ba004d9500b48f7777e728cc218ef85c9ab056947
-
Filesize
82B
MD5107a610c004bfc1ebb8b87365b2c4600
SHA104695e838daaaf45d91f0b51868c8995b80d3392
SHA2563a5be027d623c694cc4874fbb6cd2f434bbaf65033607f6d2acfc1d05c3f6fdc
SHA5124b26a04ec889e149bf4fb974178990804d371d72b239c1d55c5acc32636cfd7ad02f8d21ed9e289358873242493303de25f2a0bca7d1b5da9b0426854ff4a2d2
-
Filesize
1.4MB
MD5495c1259248262162db242763cd67db8
SHA1af4e854569d445b067b346408672b72b053055f5
SHA256317127a1b0af48d4686101df29a8c4063c3934cd9485890467d00505ad1712b1
SHA5125bd5e7dfc243c18b732f5666c8c7b570ff4f3832de7e8bf1126c4016562c2caad783a31841768958576ecf897dd1634271b08be78d1beac33d4b2a1c6f953853
-
Filesize
4.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
336KB
-
Filesize
304KB
-
Filesize
552KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.4MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
7.5MB
-
Filesize
4.7MB
-
Filesize
7.5MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
1.4MB
-
Filesize
1.1MB
-
Filesize
552KB