Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/02/2025, 10:28
Static task: static1
General
Target: e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe
Size: 1.9MB
MD5: d1c4ee6a5e25dfdc0d2d2c9299af123e
SHA1: 1415ecd3d0190709a53b76428b72e195e1633bd3
SHA256: e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211
SHA512: ea0b9f5a9275f15e68a6f5f92fd92b1939f948b486da00d41f391937319d622f423053591f311ff4145da9d26cfef3eaaf790e82b3f2b46b7004853bfa8be24a
SSDEEP: 24576:J7PYlhBjkG7uzwoZ5+J1R7+u0gBdHT3LHulBbZi37tqHrqDz/poNgNeggahXGG1N:UoARq+BRurcRqLqfhAgNegg8+zDxZCh
Malware Config
Extracted: amadey
4.41
fed3aa
http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php
Extracted: stealc
reno
http://185.215.113.115
url_path: /c4becf79229cb002.php
Extracted: amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted: cryptbot
Signatures
- Amadey family
- Cryptbot family
- Gcleaner family
- Stealc family
Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF (4ad81106fa.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (skotes.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (58453e684d.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (4ad81106fa.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (axplong.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (e711cede3d.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (e3b3a8a92a.exe)
Downloads MZ/PE file (6 IoCs)
- flow 4, PID 2852 (axplong.exe)
- flow 4, PID 2852 (axplong.exe)
- flow 7, PID 2852 (axplong.exe)
- flow 12, PID 2948 (BitLockerToGo.exe)
- flow 10, PID 1012 (skotes.exe)
- flow 14, PID 1012 (skotes.exe)
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (e3b3a8a92a.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (4ad81106fa.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (axplong.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (58453e684d.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (axplong.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (e711cede3d.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (e3b3a8a92a.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (58453e684d.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (e711cede3d.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (4ad81106fa.exe)
Executes dropped EXE (6 IoCs)
- PID 2852: axplong.exe
- PID 1692: e711cede3d.exe
- PID 2268: e3b3a8a92a.exe
- PID 1012: skotes.exe
- PID 112: 58453e684d.exe
- PID 2488: 4ad81106fa.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine (axplong.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine (e711cede3d.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine (e3b3a8a92a.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine (skotes.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine (58453e684d.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine (4ad81106fa.exe)
Loads dropped DLL (12 IoCs)
- PID 2500: e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe
- PID 2500: e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe
- PID 2852: axplong.exe
- PID 2852: axplong.exe
- PID 2852: axplong.exe
- PID 2852: axplong.exe
- PID 2268: e3b3a8a92a.exe
- PID 2268: e3b3a8a92a.exe
- PID 2852: axplong.exe
- PID 2948: BitLockerToGo.exe
- PID 2852: axplong.exe
- PID 2852: axplong.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\e711cede3d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1020044001\\e711cede3d.exe" (axplong.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\e3b3a8a92a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1020045001\\e3b3a8a92a.exe" (axplong.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
- PID 2500: e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe
- PID 2852: axplong.exe
- PID 1692: e711cede3d.exe
- PID 2268: e3b3a8a92a.exe
- PID 1012: skotes.exe
- PID 112: 58453e684d.exe
- PID 2488: 4ad81106fa.exe
Suspicious use of SetThreadContext (1 IoC)
- PID 112 set thread context of 2948 (58453e684d.exe, procid_target 38)
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\Tasks\axplong.job (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe)
- File created: C:\Windows\Tasks\skotes.job (e3b3a8a92a.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (axplong.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e711cede3d.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e3b3a8a92a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (skotes.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (58453e684d.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (BitLockerToGo.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (4ad81106fa.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 2500: e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe
- PID 2852: axplong.exe
- PID 1692: e711cede3d.exe
- PID 2268: e3b3a8a92a.exe
- PID 1012: skotes.exe
- PID 112: 58453e684d.exe
- PID 2488: 4ad81106fa.exe
- PID 2488: 4ad81106fa.exe
- PID 2488: 4ad81106fa.exe
- PID 2488: 4ad81106fa.exe
- PID 2488: 4ad81106fa.exe
- PID 2488: 4ad81106fa.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 2500: e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe
- PID 2268: e3b3a8a92a.exe
Suspicious use of WriteProcessMemory (35 IoCs)
- PID 2500 wrote to memory of 2852 (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe, procid_target 30)
- PID 2500 wrote to memory of 2852 (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe, procid_target 30)
- PID 2500 wrote to memory of 2852 (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe, procid_target 30)
- PID 2500 wrote to memory of 2852 (e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe, procid_target 30)
- PID 2852 wrote to memory of 1692 (axplong.exe, procid_target 32)
- PID 2852 wrote to memory of 1692 (axplong.exe, procid_target 32)
- PID 2852 wrote to memory of 1692 (axplong.exe, procid_target 32)
- PID 2852 wrote to memory of 1692 (axplong.exe, procid_target 32)
- PID 2852 wrote to memory of 2268 (axplong.exe, procid_target 33)
- PID 2852 wrote to memory of 2268 (axplong.exe, procid_target 33)
- PID 2852 wrote to memory of 2268 (axplong.exe, procid_target 33)
- PID 2852 wrote to memory of 2268 (axplong.exe, procid_target 33)
- PID 2268 wrote to memory of 1012 (e3b3a8a92a.exe, procid_target 34)
- PID 2268 wrote to memory of 1012 (e3b3a8a92a.exe, procid_target 34)
- PID 2268 wrote to memory of 1012 (e3b3a8a92a.exe, procid_target 34)
- PID 2268 wrote to memory of 1012 (e3b3a8a92a.exe, procid_target 34)
- PID 2852 wrote to memory of 112 (axplong.exe, procid_target 37)
- PID 2852 wrote to memory of 112 (axplong.exe, procid_target 37)
- PID 2852 wrote to memory of 112 (axplong.exe, procid_target 37)
- PID 2852 wrote to memory of 112 (axplong.exe, procid_target 37)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 112 wrote to memory of 2948 (58453e684d.exe, procid_target 38)
- PID 2852 wrote to memory of 2488 (axplong.exe, procid_target 41)
- PID 2852 wrote to memory of 2488 (axplong.exe, procid_target 41)
- PID 2852 wrote to memory of 2488 (axplong.exe, procid_target 41)
- PID 2852 wrote to memory of 2488 (axplong.exe, procid_target 41)
Processes
C:\Users\Admin\AppData\Local\Temp\e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e4ebfe05d5685af733adb8a33f0f13e93798d01bf86d834b89fea6c1f4819211.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2500

  C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2852

    C:\Users\Admin\AppData\Local\Temp\1020044001\e711cede3d.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1020044001\e711cede3d.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 1692

    C:\Users\Admin\AppData\Local\Temp\1020045001\e3b3a8a92a.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1020045001\e3b3a8a92a.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2268

      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Downloads MZ/PE file
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1012

    C:\Users\Admin\AppData\Local\Temp\1020046001\58453e684d.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1020046001\58453e684d.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 112

      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe (depth 4)
      Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      - Downloads MZ/PE file
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 2948

    C:\Users\Admin\AppData\Local\Temp\1020047001\4ad81106fa.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1020047001\4ad81106fa.exe"
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2488
Network
MITRE ATT&CK Enterprise v15
Downloads