Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2024 06:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe
- Resource: win7-20241023-en
General
- Target: e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe
- Size: 2.9MB
- MD5: 0f299dff09ef0812a445f45f955ce8b2
- SHA1: 08479f8270aefa0c901f42131a8c805577689de1
- SHA256: e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b
- SHA512: 2539b8d7516e5230e70aa20dcac3d712b38c6d7a13b923ae88ad8c52b20e70ae715f8f64232c4153486d943569eba6a2abff5e3ce6c21b25b3c5852544ebda04
- SSDEEP: 49152:18GUOiFKP0FB56S2xmkHdcd7grPT/VL6Gx2NNmP3s:1p0FB56jx5c5gXNGG1P3s
Malware Config
Extracted
- Family: amadey
- Version: 4.41
- Botnet: fed3aa
- C2: http://185.215.113.16
- install_dir: 44111dbc49
- install_file: axplong.exe
- strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
- url_paths: /Jo89Ku7d/index.php
Extracted
- Family: stealc
- Botnet: stok
- C2: http://185.215.113.206
- url_path: /c4becf79229cb002.php
Extracted
- Family: amadey
- Version: 4.42
- Botnet: 9c9aa5
- C2: http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Extracted
- Family: cryptbot
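The extracted configurations are the most durable indicators on this page: the two Amadey configs give a C2 host, a URL path, and the install directory and file name the loader uses under %TEMP%, and the Stealc config gives a second C2 with its gate path. The following is an added example written for this report (not tooling from the sandbox or from the malware) that turns those fields into a hunt list and checks the predicted file paths against what the sandbox actually recorded. It assumes the Amadey layout the report itself shows: %TEMP%\<install_dir>\<install_file> plus a <name>.job under C:\Windows\Tasks; the sandbox user profile path is taken from the process tree and is a placeholder for a real host.

```python
"""Expand the extracted Amadey / Stealc configurations into a hunt list.
Added example for this report; not the sandbox's or the malware's code.
Assumed layout (as shown in this report's process tree and
"Drops file in Windows directory" rows):
  %TEMP%\<install_dir>\<install_file>  and  C:\Windows\Tasks\<name>.job
"""
from dataclasses import dataclass, field


@dataclass
class ExtractedConfig:
    family: str
    c2: str                      # scheme + host exactly as extracted
    url_paths: list = field(default_factory=list)
    install_dir: str = ""        # Amadey only
    install_file: str = ""       # Amadey only
    version: str = ""
    botnet: str = ""


# Values copied from the Malware Config section; cryptbot exposed no fields to copy.
CONFIGS = [
    ExtractedConfig("amadey", "http://185.215.113.16", ["/Jo89Ku7d/index.php"],
                    "44111dbc49", "axplong.exe", "4.41", "fed3aa"),
    ExtractedConfig("stealc", "http://185.215.113.206", ["/c4becf79229cb002.php"],
                    botnet="stok"),
    ExtractedConfig("amadey", "http://185.215.113.43", ["/Zu7JuNko/index.php"],
                    "abc3bc1985", "skotes.exe", "4.42", "9c9aa5"),
]

TEMP = r"C:\Users\Admin\AppData\Local\Temp"   # sandbox profile; substitute per host


def network_iocs(cfg):
    """Bare host for IP/DNS blocking plus each full C2 URL (host + url_path)."""
    host = cfg.c2.split("//", 1)[-1].split("/", 1)[0]
    urls = {cfg.c2.rstrip("/") + "/" + p.lstrip("/") for p in cfg.url_paths}
    return {host}, urls


def host_iocs(cfg, temp=TEMP):
    """Files the installer is expected to create; empty for families without install fields."""
    if not cfg.install_file:
        return set()
    stem = cfg.install_file.rsplit(".", 1)[0]
    exe = "\\".join([temp, cfg.install_dir, cfg.install_file])
    job = "C:\\Windows\\Tasks\\" + stem + ".job"
    return {exe, job}


def hunt_list(configs, temp=TEMP):
    """Merge every config into one set of hosts, URLs and file paths."""
    out = {"hosts": set(), "urls": set(), "files": set()}
    for cfg in configs:
        hosts, urls = network_iocs(cfg)
        out["hosts"] |= hosts
        out["urls"] |= urls
        out["files"] |= host_iocs(cfg, temp)
    return out


def confirm(hunt, observed_paths):
    """Predicted files that the sandbox actually recorded (case-insensitive compare)."""
    seen = {p.lower() for p in observed_paths}
    return {f for f in hunt["files"] if f.lower() in seen}


# Paths recorded in this report's process tree and "Drops file in Windows directory" rows.
OBSERVED = [
    r"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe",
    r"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe",
    r"C:\Windows\Tasks\axplong.job",
    r"C:\Windows\Tasks\skotes.job",
]

if __name__ == "__main__":
    hunt = hunt_list(CONFIGS)
    for kind in ("hosts", "urls", "files"):
        for ioc in sorted(hunt[kind]):
            print(f"{kind}\t{ioc}")
    print("confirmed on disk:", sorted(confirm(hunt, OBSERVED)))
```

Run it as-is to print the list; on a real host replace TEMP with the profile under investigation. The confirm step matters because a config extracted statically can name an install path that the sample never reaches (it died in an anti-VM check, or a different stage was the one that ran); here all four predicted paths are backed by observed behaviour.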
Signatures
- Amadey family
- Cryptbot family
- Stealc family

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
- description "PID 4860 created 2248", pid 4860, Process 7e5724b6c9.exe, procid_target 49. PID 2248 is sihost.exe in the process tree below, and the only process shown under sihost.exe is svchost.exe (PID 1572), which 7e5724b6c9.exe wrote into five times (see "Suspicious use of WriteProcessMemory"). This is consistent with the payload starting svchost.exe with a spoofed parent (sihost.exe) and injecting into it.
Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF by 5672865eaa.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 13 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by axplong.exe (4), skotes.exe (4), e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe (1), 7e5724b6c9.exe (1), 1987133fa8.exe (1), 5672865eaa.exe (1), d7806abc11.exe (1)

Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 26 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by axplong.exe (4), skotes.exe (4), e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe (1), 5672865eaa.exe (1), d7806abc11.exe (1), 7e5724b6c9.exe (1), 1987133fa8.exe (1)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by axplong.exe (4), skotes.exe (4), e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe (1), 5672865eaa.exe (1), d7806abc11.exe (1), 7e5724b6c9.exe (1), 1987133fa8.exe (1)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation by e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe, axplong.exe, 1987133fa8.exe
Executes dropped EXE (12 IoCs)
- PID 1532 axplong.exe
- PID 2992 d7806abc11.exe
- PID 4860 7e5724b6c9.exe
- PID 552 1987133fa8.exe
- PID 3480 skotes.exe
- PID 3424 5672865eaa.exe
- PID 3872 skotes.exe
- PID 4952 axplong.exe
- PID 1132 axplong.exe
- PID 4848 skotes.exe
- PID 4844 skotes.exe
- PID 4596 axplong.exe
Identifies Wine through registry keys (2 TTPs, 13 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Wine by axplong.exe (4), skotes.exe (4), e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe (1), 7e5724b6c9.exe (1), 5672865eaa.exe (1), d7806abc11.exe (1), 1987133fa8.exe (1)
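The registry-based checks recorded above (the VBoxSF service key, the VBOX__ ACPI table name, the SystemBiosVersion/VideoBiosVersion strings and HKCU\Software\Wine) are exactly the artifacts an unhardened analysis VM leaks to every stage of this chain. The following is an added example for this report, not code from the sample or the sandbox: it evaluates a registry snapshot for those same artifacts so an analyst can test a VM before detonating a sample, and on Windows it can collect the snapshot from the live registry. The report only shows that the BIOS values are read, not which strings are matched, so the VM_MARKERS substring list is an assumed heuristic, and both snapshots at the bottom are constructed.

```python
"""Check a registry snapshot for the VirtualBox / BIOS / Wine artifacts this
sample reads. Added example for this report, not the sample's or sandbox's code."""
import sys
from dataclasses import dataclass, field

# Locations taken from the signature rows above (hive prefix added for readability).
VBOX_ACPI_KEY = r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"
VBOXSF_SERVICE_KEY = r"HKLM\SYSTEM\ControlSet001\Services\VBoxSF"
WINE_KEY = r"HKCU\Software\Wine"
BIOS_VALUES = ("SystemBiosVersion", "VideoBiosVersion")
# Assumed heuristic: substrings that hypervisors commonly leave in BIOS strings.
VM_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs", "xen", "hyper-v")


@dataclass
class RegistrySnapshot:
    """Minimal view: which probed keys exist, and the BIOS strings (REG_MULTI_SZ lists)."""
    existing_keys: set = field(default_factory=set)
    bios_values: dict = field(default_factory=dict)


def find_vm_artifacts(snap):
    """Return one finding per artifact, labelled with the report signature it feeds."""
    hits = []
    if VBOX_ACPI_KEY in snap.existing_keys:
        hits.append("ACPI DSDT table VBOX__ exists (Identifies VirtualBox via ACPI registry values)")
    if VBOXSF_SERVICE_KEY in snap.existing_keys:
        hits.append("VBoxSF service key exists (Enumerates VirtualBox registry keys)")
    if WINE_KEY in snap.existing_keys:
        hits.append("HKCU\\Software\\Wine exists (Identifies Wine through registry keys)")
    for name in BIOS_VALUES:
        for s in snap.bios_values.get(name, []):
            if any(m in s.lower() for m in VM_MARKERS):
                hits.append(f"{name} = {s!r} (Checks BIOS information in registry)")
    return hits


def snapshot_from_live_registry():
    """Collect the same data from the local machine (Windows only; uses winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg
    snap = RegistrySnapshot()
    probes = {
        VBOX_ACPI_KEY: (winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\ACPI\DSDT\VBOX__"),
        VBOXSF_SERVICE_KEY: (winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Services\VBoxSF"),
        WINE_KEY: (winreg.HKEY_CURRENT_USER, r"Software\Wine"),
    }
    for label, (hive, path) in probes.items():
        try:
            winreg.CloseKey(winreg.OpenKey(hive, path))   # open succeeds only if it exists
            snap.existing_keys.add(label)
        except OSError:
            pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
            for name in BIOS_VALUES:
                try:
                    value, _kind = winreg.QueryValueEx(key, name)
                    snap.bios_values[name] = list(value) if isinstance(value, list) else [str(value)]
                except OSError:
                    pass
    except OSError:
        pass
    return snap


# Constructed snapshot of a stock VirtualBox guest (not data from this report).
SAMPLE_VBOX_GUEST = RegistrySnapshot(
    existing_keys={VBOX_ACPI_KEY, VBOXSF_SERVICE_KEY},
    bios_values={"SystemBiosVersion": ["VBOX   - 1"],
                 "VideoBiosVersion": ["Oracle VM VirtualBox Version 7.0.0"]},
)
# Constructed snapshot of a hardened guest or physical host.
SAMPLE_CLEAN_HOST = RegistrySnapshot(
    existing_keys=set(),
    bios_values={"SystemBiosVersion": ["LENOVO - 1"], "VideoBiosVersion": ["Intel Video BIOS"]},
)

if __name__ == "__main__":
    snap = snapshot_from_live_registry() if sys.platform == "win32" else SAMPLE_VBOX_GUEST
    for hit in find_vm_artifacts(snap) or ["no VM artifacts found"]:
        print("[!]", hit)
```

Anything this script reports is something the loader, the Amadey installers and every downloaded payload in this report would also see, so a VM that is clean under it has at least removed the checks this family relies on; it does not cover the NtSetInformationThreadHideFromDebugger anti-debug call, which is a different mechanism.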
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d7806abc11.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007364001\\d7806abc11.exe" by axplong.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1987133fa8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007366001\\1987133fa8.exe" by axplong.exe
Note that the Run entries are written by axplong.exe for the payloads it downloaded, not for itself; the Amadey installers persist through the C:\Windows\Tasks\*.job files recorded under "Drops file in Windows directory".

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
- PID 408 e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe, PID 1532 axplong.exe, PID 2992 d7806abc11.exe, PID 4860 7e5724b6c9.exe, PID 552 1987133fa8.exe, PID 3480 skotes.exe, PID 3424 5672865eaa.exe, PID 3872 skotes.exe, PID 4952 axplong.exe, PID 1132 axplong.exe, PID 4848 skotes.exe, PID 4844 skotes.exe, PID 4596 axplong.exe
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\Tasks\skotes.job by 1987133fa8.exe
- File created: C:\Windows\Tasks\axplong.job by e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
- PID 1768 WerFault.exe, pid_target 4860 (7e5724b6c9.exe), procid_target 87
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by skotes.exe, 5672865eaa.exe, e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe, axplong.exe, d7806abc11.exe, 7e5724b6c9.exe, svchost.exe, 1987133fa8.exe
Suspicious behavior: EnumeratesProcesses (42 IoCs)
- PID 408 e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe (2), PID 1532 axplong.exe (2), PID 2992 d7806abc11.exe (2), PID 4860 7e5724b6c9.exe (6), PID 1572 svchost.exe (4), PID 552 1987133fa8.exe (2), PID 3480 skotes.exe (2), PID 3424 5672865eaa.exe (10), PID 3872 skotes.exe (2), PID 4952 axplong.exe (2), PID 1132 axplong.exe (2), PID 4848 skotes.exe (2), PID 4844 skotes.exe (2), PID 4596 axplong.exe (2)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 408 e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe
Suspicious use of WriteProcessMemory (23 IoCs)
- PID 408 (e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe) wrote to memory of 1532, procid_target 82 (3 rows)
- PID 1532 (axplong.exe) wrote to memory of 2992, procid_target 83 (3 rows)
- PID 1532 (axplong.exe) wrote to memory of 4860, procid_target 87 (3 rows)
- PID 4860 (7e5724b6c9.exe) wrote to memory of 1572, procid_target 89 (5 rows)
- PID 1532 (axplong.exe) wrote to memory of 552, procid_target 94 (3 rows)
- PID 552 (1987133fa8.exe) wrote to memory of 3480, procid_target 97 (3 rows)
- PID 1532 (axplong.exe) wrote to memory of 3424, procid_target 98 (3 rows)
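The WriteProcessMemory rows encode the parent/child relationships of this run: every writer is the process that started the target, and the one edge with five writes instead of three is the injection into svchost.exe. The following is an added example for this page, not code from the sandbox: it parses the flattened "wrote to memory of" rows and the "pid Process" tables exactly as they are printed here, deduplicates the repeated rows into counted edges, and rebuilds the tree. The row text is copied from this report (all 23 rows and the two pid tables); the parsing and rendering are mine.

```python
"""Rebuild the process tree from this report's flattened signature tables.
Added example for this page; parsing and rendering are not the sandbox's code."""
import re
from collections import defaultdict

SAMPLE = "e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe"

# "Suspicious use of WriteProcessMemory": the 23 rows as printed, one per line.
WRITE_PROCESS_MEMORY = f"""
PID 408 wrote to memory of 1532 408 {SAMPLE} 82
PID 408 wrote to memory of 1532 408 {SAMPLE} 82
PID 408 wrote to memory of 1532 408 {SAMPLE} 82
PID 1532 wrote to memory of 2992 1532 axplong.exe 83
PID 1532 wrote to memory of 2992 1532 axplong.exe 83
PID 1532 wrote to memory of 2992 1532 axplong.exe 83
PID 1532 wrote to memory of 4860 1532 axplong.exe 87
PID 1532 wrote to memory of 4860 1532 axplong.exe 87
PID 1532 wrote to memory of 4860 1532 axplong.exe 87
PID 4860 wrote to memory of 1572 4860 7e5724b6c9.exe 89
PID 4860 wrote to memory of 1572 4860 7e5724b6c9.exe 89
PID 4860 wrote to memory of 1572 4860 7e5724b6c9.exe 89
PID 4860 wrote to memory of 1572 4860 7e5724b6c9.exe 89
PID 4860 wrote to memory of 1572 4860 7e5724b6c9.exe 89
PID 1532 wrote to memory of 552 1532 axplong.exe 94
PID 1532 wrote to memory of 552 1532 axplong.exe 94
PID 1532 wrote to memory of 552 1532 axplong.exe 94
PID 552 wrote to memory of 3480 552 1987133fa8.exe 97
PID 552 wrote to memory of 3480 552 1987133fa8.exe 97
PID 552 wrote to memory of 3480 552 1987133fa8.exe 97
PID 1532 wrote to memory of 3424 1532 axplong.exe 98
PID 1532 wrote to memory of 3424 1532 axplong.exe 98
PID 1532 wrote to memory of 3424 1532 axplong.exe 98
"""

# "Executes dropped EXE" and "EnumeratesProcesses" share the "pid Process" layout,
# so one parser names every pid, including svchost.exe (1572) and the sample (408).
PID_PROCESS_TABLES = (
    "1532 axplong.exe 2992 d7806abc11.exe 4860 7e5724b6c9.exe 552 1987133fa8.exe "
    "3480 skotes.exe 3424 5672865eaa.exe 3872 skotes.exe 4952 axplong.exe "
    "1132 axplong.exe 4848 skotes.exe 4844 skotes.exe 4596 axplong.exe "
    f"408 {SAMPLE} 1572 svchost.exe"
)

# Backreference \1 pins the row to "description pid Process procid_target" column order.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
PID_RE = re.compile(r"(\d+) (\S+)")


def parse_pid_names(table):
    return {int(pid): name for pid, name in PID_RE.findall(table)}


def parse_write_edges(rows):
    """(writer pid, target pid) -> number of rows, in first-seen order."""
    edges = {}
    for writer, target, _name, _procid in ROW_RE.findall(rows):
        key = (int(writer), int(target))
        edges[key] = edges.get(key, 0) + 1
    return edges


def build_tree(edges):
    """First writer of a pid is taken as its parent; roots are writers never written to."""
    children, parent = defaultdict(list), {}
    for writer, target in edges:
        if target not in parent:
            parent[target] = writer
            children[writer].append(target)
    roots = list(dict.fromkeys(w for w, _ in edges if w not in parent))
    return roots, children, parent


def render(roots, children, names, edges):
    """Indented tree, one line per process, with the write count on each edge."""
    lines = []

    def walk(pid, depth, note):
        lines.append("  " * depth + f"{pid} {names.get(pid, '<not in tables>')}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, f"  [{edges[(pid, child)]} WriteProcessMemory rows]")

    for root in roots:
        walk(root, 0, "")
    return lines


if __name__ == "__main__":
    edges = parse_write_edges(WRITE_PROCESS_MEMORY)
    roots, children, _parent = build_tree(edges)
    print("\n".join(render(roots, children, parse_pid_names(PID_PROCESS_TABLES), edges)))
```

The rebuilt tree matches the Processes section below for everything that was started by another process in the run; the standalone skotes.exe and axplong.exe instances (PIDs 3872, 4952, 1132, 4848, 4844, 4596) have no WriteProcessMemory edge and so do not appear, which is what you expect for launches driven by the Tasks\*.job persistence rather than by a parent in the chain.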
Processes
- depth 1: C:\Windows\system32\sihost.exe (command line: sihost.exe), PID 2248
  - depth 2: C:\Windows\SysWOW64\svchost.exe (command line: "C:\Windows\System32\svchost.exe"), PID 1572
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- depth 1: C:\Users\Admin\AppData\Local\Temp\e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b.exe"), PID 408
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - depth 2: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"), PID 1532
    Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Identifies Wine through registry keys; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - depth 3: C:\Users\Admin\AppData\Local\Temp\1007364001\d7806abc11.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1007364001\d7806abc11.exe"), PID 2992
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
    - depth 3: C:\Users\Admin\AppData\Local\Temp\1007365001\7e5724b6c9.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1007365001\7e5724b6c9.exe"), PID 4860
      Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - depth 4: C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 544), PID 1768
        Signatures: Program crash
    - depth 3: C:\Users\Admin\AppData\Local\Temp\1007366001\1987133fa8.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1007366001\1987133fa8.exe"), PID 552
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - depth 4: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"), PID 3480
        Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
    - depth 3: C:\Users\Admin\AppData\Local\Temp\1007367001\5672865eaa.exe (command line: "C:\Users\Admin\AppData\Local\Temp\1007367001\5672865eaa.exe"), PID 3424
      Signatures: Enumerates VirtualBox registry keys; Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- depth 1: C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4860 -ip 4860), PID 3580
- depth 1: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe), PID 3872
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
- depth 1: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (command line: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe), PID 4952
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
- depth 1: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (command line: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe), PID 1132
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
- depth 1: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe), PID 4848
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
- depth 1: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe), PID 4844
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
- depth 1: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (command line: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe), PID 4596
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Identifies Wine through registry keys; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.8MB
  MD5: 37bc9fc38023802a67c6b8902a8bd890
  SHA1: a31726802dece6ee4d91dec9eab23b057bd00efe
  SHA256: 708e04b3f2d37c3cb32b2f88962676ba939525b124a757236ea3174b5b2eee74
  SHA512: 6443fe14f8e0b75d124c5fd070870bced30f339e4718c7ec2fa875284ef7e0d46945ba17a32517b13f4e814a33cdafeabcd114b579311c20e4b374243bf2fdc5
- Filesize: 1.9MB
  MD5: c29eb2d3c39a0a808f1910e0e222ac94
  SHA1: 7270457cd535c48825b4328b9124985e7bf95be1
  SHA256: 0f5afd165ede6d66b0a86c84b534afcf9ac51c46b43c023f632aa0bf4f087819
  SHA512: 4affdc6c38038f269a51144bb22ee844918ac708e85f1c152911b0d5b82241cde79f26fd366127a0cd7cc96ecb9ac88a8b0d90677162b6f5d5e87d68b666f118
- Filesize: 2.8MB
  MD5: 8d64f1d7ace873c2aa994c6b8ded6ae7
  SHA1: b1fcba92c6a6180211b8e3dcd54acf041cd0fc44
  SHA256: 4355db0995121456108e7d7630b8400f8fa6546576cdfdde15fb2a69fa616044
  SHA512: 1e9913350667af65e81798187d81164d2057a910982d3fce42bde56b41c19a1c83fb6951778a04ccb670e6c73370a52867ef6321784fc0b67bff78061e8707ab
- Filesize: 4.3MB
  MD5: 8cd346fc831e7d59ebab0de045018b84
  SHA1: 65ecbe74b5e512c9b00dbb0d041ac1f812f3cbb5
  SHA256: ca2b0a34c077e6e81cde2626da1aca4de3f52190747d4f66636a0a8397e158c5
  SHA512: 6708a808b9300845e5852f25a380abf1ce807d96695256793c7a80ebc08307f21a6ba38bc0d73c2897c46ad2828f80717ad2f79c585c658324c7b887bf797912
- Filesize: 2.9MB (the submitted sample; hashes match the General section)
  MD5: 0f299dff09ef0812a445f45f955ce8b2
  SHA1: 08479f8270aefa0c901f42131a8c805577689de1
  SHA256: e5b32ba4f7b2f54f95d3856220aa252c6122116e16916133d20a9f38ca9e4c7b
  SHA512: 2539b8d7516e5230e70aa20dcac3d712b38c6d7a13b923ae88ad8c52b20e70ae715f8f64232c4153486d943569eba6a2abff5e3ce6c21b25b3c5852544ebda04