amadey | 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76

Analysis

max time kernel
292s
max time network
302s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
Size

1.8MB
MD5

b140d0e0a9bfb0c0be35c9c605d046c1
SHA1

f82a8c33fa2dbf8fc327be0dfd764660252d1d74
SHA256

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76
SHA512

f2f25b3fbe54ee18f89e825dd34ce7728873d4847e2882886a7d6f8c6dd0e0c7887263900b954abdd853935b01ecaad94a04dffad61940b402d94d859c96bf1f
SSDEEP

49152:6pu/+DBuLQmTEPEpEw+Lyak4YUjd0hmEQY0eBJ:3/+MsmBpEw+k+WmED

Score

10^/10

amadey e76b71 evasion trojan

Malware Config

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeaxplong.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe

Executes dropped EXE 4 IoCs

Processes:

axplong.exeNewLatest.exeHkbsse.exe1.exe

pid process

2692 axplong.exe
1424 NewLatest.exe
1584 Hkbsse.exe
2380 1.exe

pid	process
2692	axplong.exe
1424	NewLatest.exe
1584	Hkbsse.exe
2380	1.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeaxplong.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Wine	axplong.exe

Loads dropped DLL 5 IoCs

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeaxplong.exeNewLatest.exeHkbsse.exe

pid process

2240 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
2692 axplong.exe
1424 NewLatest.exe
1584 Hkbsse.exe
1584 Hkbsse.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

21 bitbucket.org
22 bitbucket.org
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeaxplong.exe

pid process

2240 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
2692 axplong.exe
Drops file in Windows directory 2 IoCs

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeNewLatest.exe

description ioc process

File created C:\Windows\Tasks\axplong.job 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
File created C:\Windows\Tasks\Hkbsse.job NewLatest.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2240	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
2692	axplong.exe
1424	NewLatest.exe
1584	Hkbsse.exe
1584	Hkbsse.exe

flow	ioc
21	bitbucket.org
22	bitbucket.org

pid	process
2240	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
2692	axplong.exe

description	ioc	process
File created	C:\Windows\Tasks\axplong.job	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
File created	C:\Windows\Tasks\Hkbsse.job	NewLatest.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

axplong.exeHkbsse.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	axplong.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Hkbsse.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Hkbsse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axplong.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeaxplong.exe

pid process

2240 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
2692 axplong.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeNewLatest.exe

pid process

2240 67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
1424 NewLatest.exe

pid	process
2240	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
2692	axplong.exe

pid	process
2240	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
1424	NewLatest.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exeaxplong.exeNewLatest.exeHkbsse.exe

description	pid	process	target process
PID 2240 wrote to memory of 2692	2240	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe	axplong.exe
PID 2240 wrote to memory of 2692	2240	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe	axplong.exe
PID 2240 wrote to memory of 2692	2240	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe	axplong.exe
PID 2240 wrote to memory of 2692	2240	67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe	axplong.exe
PID 2692 wrote to memory of 1424	2692	axplong.exe	NewLatest.exe
PID 2692 wrote to memory of 1424	2692	axplong.exe	NewLatest.exe
PID 2692 wrote to memory of 1424	2692	axplong.exe	NewLatest.exe
PID 2692 wrote to memory of 1424	2692	axplong.exe	NewLatest.exe
PID 1424 wrote to memory of 1584	1424	NewLatest.exe	Hkbsse.exe
PID 1424 wrote to memory of 1584	1424	NewLatest.exe	Hkbsse.exe
PID 1424 wrote to memory of 1584	1424	NewLatest.exe	Hkbsse.exe
PID 1424 wrote to memory of 1584	1424	NewLatest.exe	Hkbsse.exe
PID 1584 wrote to memory of 2380	1584	Hkbsse.exe	1.exe
PID 1584 wrote to memory of 2380	1584	Hkbsse.exe	1.exe
PID 1584 wrote to memory of 2380	1584	Hkbsse.exe	1.exe
PID 1584 wrote to memory of 2380	1584	Hkbsse.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe
"C:\Users\Admin\AppData\Local\Temp\67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
"C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
"C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe"
5⤵
- Executes dropped EXE
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
806d7dd25d7a4f43689a7afc8402f7d4

SHA1
ea2a0b5efc25d0624bc88c2e44b495169e83a509

SHA256
0ffd0e166a38133e5ed6c2e340a405101e7230b97863cd8eae190ad9a23b603a

SHA512
08c754175449916bd8b2e4dffe85f062d79a90ce084081be71e4c5e7a33626adf309c16f795e0cd9b6236364b609f555ac8fd498707416fdceef91571d5a698b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
32ef524378acba63fc5e7fc669cbee94

SHA1
6a854ec85ce5969be6ac8f55224d8d5ab2722a48

SHA256
ce8d4bfa22a60d2e64b0596c9aee7a0a3ae2f295917eb50ecf057587c94e82dd

SHA512
a7c45edae245dda8a55acd1dc012ac02a28eaaf47834725f85dd9ffab66e9d22597257fbaadda151d54e6370eb933bfea59bb92a1662005211ffaa9224b6cce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
5944ccd42d46dbea2059a12883890f2d

SHA1
0081e56db4c8585c062871b4c03571fbc6c39a7a

SHA256
b5540eef1bc8dc90c73c4ad48351535acae3d0e8d54f712460a67b33d5db47dc

SHA512
89e739f104f6a75b91566f506df28c25849285ce4079df6ba6806a005509bd7643809a71ea1d5c3a2c0bfd6565a18f033872f1e62db858eb8a613c064e080721

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\1.exe
Filesize
317KB

MD5
e1b59d2805b38262b9967bce3e719dbf

SHA1
4081416cfaa76941981c34518d45b60e8d4b2013

SHA256
d5bba713d11ebbb7a91be59dae0f2d4b818897fe756b854dfe40babe7664c173

SHA512
bcea30a8f2a10aed0e2c97133734a34a850c18ee9447966ed8cdae8bbf72b98ebd2703a7cadf53b8991ef5eb3047d871242e990a4b7baf00eda8ca5f5f7dda35

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000023001\FirstZ.exe
Filesize
2.3MB

MD5
d32184f37d747e0422b5afde5e530ef0

SHA1
6ca4539d15cfb4af43d5dbd52a65ef50b0aa4dc2

SHA256
95e7a62779c57e46a5ec968dc9612c3ca1c58b98742418c39c8525ae8644d36f

SHA512
d9205bca35f6b3a68febdaaa0c03b1309c0131b6b13c2957ccb98c809bd3551264b2cf0784aca2a728093cffd13af98959f57978cafc432efbdd394d7f61d784

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\NewLatest.exe
Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000110001\123.exe
Filesize
128KB

MD5
fe3417de54d944903bf539b09f2821be

SHA1
e173b089317a29313c3f2df1fcbcf2acc42ed3c7

SHA256
645f9f07b7754a2cf7e3245aea942c8a2084f50d765a177604839d6d55567463

SHA512
2d4dcac4a35933a95bc6381927a1b7e250a697f8ae59e0bde82b18849e5fc3c24411991bfd507525562e104a8951ae011f8791dcf2c321be03b4593e54e639b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
Filesize
2.5MB

MD5
50c426f26e157d9b3b9ae3716239aa27

SHA1
b5033f2f676e070aa874582cf4715480a9bc71f4

SHA256
ddc952ef4e9725d11b2d40dc9e3a8413eb74958c22d9a70ec2d15b653e2c3225

SHA512
dee61dae15b193d2b39019521ef098deb586a7d4e12689cb2b69c5ade7fc243daae6c093c6dc9273e8e1ef8ad87ad601a693dd6dff2bd591e281288bc279fd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
Filesize
1.8MB

MD5
b140d0e0a9bfb0c0be35c9c605d046c1

SHA1
f82a8c33fa2dbf8fc327be0dfd764660252d1d74

SHA256
67772e72ea6536254aef5687a6eec2ac0337c81698239e8fbc109b953790be76

SHA512
f2f25b3fbe54ee18f89e825dd34ce7728873d4847e2882886a7d6f8c6dd0e0c7887263900b954abdd853935b01ecaad94a04dffad61940b402d94d859c96bf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8BB3.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2240-5-0x0000000000930000-0x0000000000E02000-memory.dmp

Filesize
4.8MB

Download
memory/2240-0-0x0000000000930000-0x0000000000E02000-memory.dmp

Filesize
4.8MB

Download
memory/2240-15-0x0000000000930000-0x0000000000E02000-memory.dmp

Filesize
4.8MB

Download
memory/2240-3-0x0000000000930000-0x0000000000E02000-memory.dmp

Filesize
4.8MB

Download
memory/2240-2-0x0000000000931000-0x000000000095F000-memory.dmp

Filesize
184KB

Download
memory/2240-1-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/2380-264-0x0000000000400000-0x000000000236B000-memory.dmp

Filesize
31.4MB

Download
memory/2692-29-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-509-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-229-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-203-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-244-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-245-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-246-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-142-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-81-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-265-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-266-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-30-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-21-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-287-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-20-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-18-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-496-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-204-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-510-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-511-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-512-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-17-0x0000000000941000-0x000000000096F000-memory.dmp

Filesize
184KB

Download
memory/2692-523-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-524-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-525-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-526-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-527-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-528-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-529-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-530-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-16-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-542-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-543-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-544-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download
memory/2692-545-0x0000000000940000-0x0000000000E12000-memory.dmp

Filesize
4.8MB

Download