Analysis

max time kernel:  143s
max time network: 99s
platform:         windows11-21h2_x64
resource:         win11-20240508-en
resource tags:    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted:        24-06-2024 06:27
Static task:      static1
General

Target: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
Size:   1.8MB
MD5:    b1453c5feef2303e562c10722d614d22
SHA1:   7804134f566830349b4492620b352cb84b1c04fe
SHA256: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00
SHA512: d3c26e75c0e3e4cadc0aa964bed7037c6651b85bd2818840aaba61157aff29f086b26c8203c509e95dd38f65606fba43d785c543df278d1f2535050f5d25e155
SSDEEP: 49152:VEtc2dkVaxkm5mcos8bNvlXvznsAa3qGk936I6:VEtc2ZPosCBrsAa3Tk93/
Malware Config

Extracted: amadey
  8254624243
  e76b71
  http://77.91.77.81
  install_dir:  8254624243
  install_file: axplong.exe
  strings_key:  90049e51fabf09df0d6748e0b271922e
  url_paths:    /Kiru9gu/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 4 IoCs
Processes: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe, axplong.exe, axplong.exe, axplong.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe

Checks BIOS information in registry - 2 TTPs, 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: axplong.exe, axplong.exe, ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe, axplong.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe

Executes dropped EXE - 3 IoCs
Processes: axplong.exe, axplong.exe, axplong.exe
  pid | process
  864  | axplong.exe
  4756 | axplong.exe
  3948 | axplong.exe

Identifies Wine through registry keys - 2 TTPs, 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: axplong.exe, axplong.exe, axplong.exe, ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | axplong.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 4 IoCs
Processes: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe, axplong.exe, axplong.exe, axplong.exe
  pid | process
  3956 | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  864  | axplong.exe
  4756 | axplong.exe
  3948 | axplong.exe

Drops file in Windows directory - 1 IoCs
Processes: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  description | ioc | process
  File created | C:\Windows\Tasks\axplong.job | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe

Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses - 8 IoCs
Processes: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe, axplong.exe, axplong.exe, axplong.exe
  pid | process
  3956 | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  3956 | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  864  | axplong.exe
  864  | axplong.exe
  4756 | axplong.exe
  4756 | axplong.exe
  3948 | axplong.exe
  3948 | axplong.exe

Suspicious use of FindShellTrayWindow - 1 IoCs
Processes: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  pid | process
  3956 | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe

Suspicious use of WriteProcessMemory - 3 IoCs
Processes: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  description | pid | process | target process
  PID 3956 wrote to memory of 864 | 3956 | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe | axplong.exe
  PID 3956 wrote to memory of 864 | 3956 | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe | axplong.exe
  PID 3956 wrote to memory of 864 | 3956 | ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe | axplong.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe
  "C:\Users\Admin\AppData\Local\Temp\ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
    "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  Filesize: 1.8MB
  MD5:    b1453c5feef2303e562c10722d614d22
  SHA1:   7804134f566830349b4492620b352cb84b1c04fe
  SHA256: ae8325d1e8cd76a8d15448d878d6996de5ff1bbccbdb0ec47c5776969f019a00
  SHA512: d3c26e75c0e3e4cadc0aa964bed7037c6651b85bd2818840aaba61157aff29f086b26c8203c509e95dd38f65606fba43d785c543df278d1f2535050f5d25e155

memory/864-27-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-43-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-26-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-44-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-42-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-38-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-37-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-20-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-19-0x0000000000C41000-0x0000000000C6F000-memory.dmp   Filesize: 184KB
memory/864-21-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-22-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-23-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-24-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-25-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-45-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-36-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-18-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-35-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-34-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/864-33-0x0000000000C40000-0x000000000110E000-memory.dmp   Filesize: 4.8MB
memory/3948-40-0x0000000000C40000-0x000000000110E000-memory.dmp  Filesize: 4.8MB
memory/3948-41-0x0000000000C40000-0x000000000110E000-memory.dmp  Filesize: 4.8MB
memory/3956-2-0x0000000000581000-0x00000000005AF000-memory.dmp   Filesize: 184KB
memory/3956-17-0x0000000000580000-0x0000000000A4E000-memory.dmp  Filesize: 4.8MB
memory/3956-1-0x0000000077DE6000-0x0000000077DE8000-memory.dmp   Filesize: 8KB
memory/3956-0-0x0000000000580000-0x0000000000A4E000-memory.dmp   Filesize: 4.8MB
memory/3956-5-0x0000000000580000-0x0000000000A4E000-memory.dmp   Filesize: 4.8MB
memory/3956-3-0x0000000000580000-0x0000000000A4E000-memory.dmp   Filesize: 4.8MB
memory/4756-32-0x0000000000C40000-0x000000000110E000-memory.dmp  Filesize: 4.8MB
memory/4756-31-0x0000000000C40000-0x000000000110E000-memory.dmp  Filesize: 4.8MB
memory/4756-30-0x0000000000C40000-0x000000000110E000-memory.dmp  Filesize: 4.8MB
memory/4756-29-0x0000000000C40000-0x000000000110E000-memory.dmp  Filesize: 4.8MB