Analysis
max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 14:15
Static task: static1
Behavioral task: behavioral1
Sample: c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Resource: win7-20241010-en

General
Target: c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Size: 2.8MB
MD5: 62cfbf48cbec19b909d15fc91d70cb47
SHA1: 1c900301e2fa4b10cc69fb53c160f27254c607c6
SHA256: c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b
SHA512: 952f885a05b2474d76cf53607323c06646908470bf30770f2c639c5440421b1ad8c8a130807b0ad38ca88267dff2d52cbdc790aaff827b8e422d04b2148e878c
SSDEEP: 49152:2r4wwAxziwgFtvyMcy4MmjQfcMIQVzhzsSWSbnDBQkk:2r7wOefvyMc1MmUflFWSbnDBQkk
Malware Config

Extracted: amadey
4.41
fed3aa
http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php

Extracted: lumma
Extracted: lumma
https://shineugler.biz/api
Signatures
- Amadey family
- Lumma family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | axplong.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | sintv.exe

Executes dropped EXE (6 IoCs)
pid | Process
2232 | axplong.exe
3300 | sintv.exe
756 | Out.exe
5116 | Out.exe
3540 | axplong.exe
4748 | axplong.exe

Identifies Wine through registry keys (2 TTPs, 4 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine | axplong.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
2412 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
2232 | axplong.exe
3540 | axplong.exe
4748 | axplong.exe

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Google\Chrome\Application\chrome.exe | sintv.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | sintv.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\axplong.job | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Out.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Out.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid | Process
2412 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
2412 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
2232 | axplong.exe
2232 | axplong.exe
3300 | sintv.exe
5116 | Out.exe
5116 | Out.exe
5116 | Out.exe
5116 | Out.exe
3540 | axplong.exe
3540 | axplong.exe
4748 | axplong.exe
4748 | axplong.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 3300 | sintv.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2412 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2412 wrote to memory of 2232 | 2412 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe | 82
PID 2412 wrote to memory of 2232 | 2412 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe | 82
PID 2412 wrote to memory of 2232 | 2412 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe | 82
PID 2232 wrote to memory of 3300 | 2232 | axplong.exe | 83
PID 2232 wrote to memory of 3300 | 2232 | axplong.exe | 83
PID 3300 wrote to memory of 2268 | 3300 | sintv.exe | 85
PID 3300 wrote to memory of 2268 | 3300 | sintv.exe | 85
PID 2232 wrote to memory of 756 | 2232 | axplong.exe | 89
PID 2232 wrote to memory of 756 | 2232 | axplong.exe | 89
PID 2232 wrote to memory of 756 | 2232 | axplong.exe | 89
PID 756 wrote to memory of 5116 | 756 | Out.exe | 94
PID 756 wrote to memory of 5116 | 756 | Out.exe | 94
PID 756 wrote to memory of 5116 | 756 | Out.exe | 94
PID 756 wrote to memory of 5116 | 756 | Out.exe | 94
PID 756 wrote to memory of 5116 | 756 | Out.exe | 94
Processes
(process tree; indentation shows the parent/child level)

C:\Users\Admin\AppData\Local\Temp\c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe (level 1, PID 2412)
Command line: "C:\Users\Admin\AppData\Local\Temp\c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (level 2, PID 2232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe (level 3, PID 3300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006591001\sintv.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Windows\System32\certutil.exe (level 4, PID 2268)
      Command line: "C:\Windows\System32\certutil.exe" -silent -importPFX -p "" -f "C:\Users\Admin\AppData\Local\Temp\tmp8908.tmp"

    C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe (level 3, PID 756)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe (level 4, PID 5116)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1006664001\Out.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (level 1, PID 3540)
Command line: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (level 1, PID 4748)
Command line: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads