Analysis
- max time kernel: 141s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 03:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
  - Resource: win7-20240611-en
General
- Target: 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
- Size: 2.4MB
- MD5: b3badd1cd2cba4f587bd6737d34d3569
- SHA1: bc229f10399c3482df1faa98bf7074a4440e82a5
- SHA256: 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd
- SHA512: 9ab73372ed54e468d90bda23279f983db8ca2486a41718fcba4e3b2931cf40c3f6e82c1fbe3cce695057d0fca241d40cda9b272a0e1cfc0ac4fdf1a5aad05b49
- SSDEEP: 49152:rh/Kr1IeHpgDfCeER3nsxnC+Nisx8rAmTYQ:rVKBpHeDXERcM+sAW
Malware Config
Extracted: stealc
- botnet: default
- C2: http://85.28.47.4
- url_path: /920475a59bac849d.php
Extracted: amadey
- version: 4.30
- botnet: 4dd39d
- C2: http://77.91.77.82
- install_dir: ad40971b6b
- install_file: explorti.exe
- strings_key: a434973ad22def7137dbb5e059b7081e
- url_paths: /Hun4Ko/index.php
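The two configs above give a C2 base and a URL path each, which together form the full beacon URLs worth hunting for. The following is an added example (not part of the sandbox report) that derives those URLs and host indicators from the extracted values and matches them against proxy log lines. Only the C2 bases and URL paths come from the report; the log lines are constructed for illustration, and the Squid-style field order (timestamp, elapsed, client, status, bytes, method, URL, ...) is an assumption about the log format.

```python
"""Derive network IOCs from the extracted stealc/amadey configs and hunt for
them in proxy logs.

Added example, not part of the sandbox report. Only the C2 bases and URL paths
are taken from the report's Malware Config section; the proxy log lines are
constructed, and the Squid access.log field order is an assumption.
"""
from urllib.parse import urlparse

# Values from the report's "Malware Config" section.
EXTRACTED_CONFIGS = {
    "stealc": {
        "c2": ["http://85.28.47.4"],
        "url_paths": ["/920475a59bac849d.php"],
    },
    "amadey": {
        "c2": ["http://77.91.77.82"],
        "url_paths": ["/Hun4Ko/index.php"],
        "install_dir": "ad40971b6b",
        "install_file": "explorti.exe",
    },
}

# Constructed proxy log lines (Squid-style field order assumed).
PROXY_LOG = """\
1719718400.101 12 10.0.0.15 TCP_MISS/200 1324 POST http://85.28.47.4/920475a59bac849d.php - HIER_DIRECT/85.28.47.4 text/html
1719718401.220 8 10.0.0.15 TCP_MISS/200 210 POST http://77.91.77.82/Hun4Ko/index.php - HIER_DIRECT/77.91.77.82 text/html
1719718402.330 40 10.0.0.15 TCP_MISS/200 2457600 GET http://77.91.77.82/payload.bin - HIER_DIRECT/77.91.77.82 application/octet-stream
1719718403.440 5 10.0.0.22 TCP_HIT/200 5120 GET http://example.com/index.html - HIER_NONE/- text/html
""".splitlines()


def derive_c2_urls(configs):
    """Full beacon URLs (C2 base joined with each url_path) -> family name."""
    urls = {}
    for family, cfg in configs.items():
        for base in cfg["c2"]:
            for path in cfg["url_paths"]:
                urls[base.rstrip("/") + path] = family
    return urls


def derive_c2_hosts(configs):
    """C2 hostnames/IPs -> family name, for blocklists and coarse matching."""
    hosts = {}
    for family, cfg in configs.items():
        for base in cfg["c2"]:
            hosts[urlparse(base).hostname] = family
    return hosts


def match_proxy_log(lines, configs):
    """Return (client, family, match_kind, url) for each line hitting an IOC.

    An exact URL match is the strong signal (the beacon endpoint itself); a
    host-only match catches other requests to the same C2, such as payload
    downloads, whose paths are not in the extracted config.
    """
    urls = derive_c2_urls(configs)
    hosts = derive_c2_hosts(configs)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        if url in urls:
            hits.append((client, urls[url], "url", url))
            continue
        host = urlparse(url).hostname
        if host in hosts:
            hits.append((client, hosts[host], "host", url))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG, EXTRACTED_CONFIGS):
        print(*hit)
```

The amadey install_dir and install_file values are the host-side counterpart of these network indicators: in this run they resolve to C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe, which is the path that appears in the process tree further down.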
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   by CAKKEGDGCG.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   by IDGIJEGHDA.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   by explorti.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   by CAKKEGDGCG.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    by CAKKEGDGCG.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   by explorti.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    by explorti.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   by IDGIJEGHDA.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    by IDGIJEGHDA.exe
-
Executes dropped EXE (4 IoCs)
  pid 1064   CAKKEGDGCG.exe
  pid 1244   IDGIJEGHDA.exe
  pid 1724   explorti.exe
  pid 880    132979ba26.exe
-
Identifies Wine through registry keys (2 TTPs, 3 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened   \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine   by CAKKEGDGCG.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine   by IDGIJEGHDA.exe
  Key opened   \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Wine   by explorti.exe
-
Loads dropped DLL (6 IoCs)
  pid 2460   9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
  pid 2740   cmd.exe
  pid 1664   cmd.exe
  pid 1064   CAKKEGDGCG.exe
  pid 1724   explorti.exe (2 entries)
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (12 IoCs)
  pid 2460   9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe (8 entries)
  pid 1064   CAKKEGDGCG.exe
  pid 1724   explorti.exe
  pid 1244   IDGIJEGHDA.exe
  pid 880    132979ba26.exe
-
Drops file in Windows directory (1 IoC)
  File created   C:\Windows\Tasks\explorti.job   by CAKKEGDGCG.exe
A .job file under C:\Windows\Tasks is a legacy Task Scheduler task definition; together with the amadey install_dir/install_file values in the extracted config, this is how explorti.exe is made persistent.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       by 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   by 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
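The VirtualBox ACPI, BIOS version, Wine and processor signatures above are all plain registry reads, so a sandbox image can be validated by re-issuing the same reads and checking what they return. The following is an added example (not part of the sandbox report) that does exactly that: the probed keys and value names are the ones listed in the signatures, while the marker substrings (VBOX, VMWARE, QEMU, BOCHS, VIRTUAL) are a common-knowledge list rather than anything the report contains, and the two registry snapshots at the bottom are constructed to stand in for a stock VirtualBox guest and a hardened one. On Windows the WinRegistry reader queries the live registry through winreg; on any other host only the snapshot reader runs.

```python
"""Re-run the registry probes the signatures attribute to the sample and report
which would expose the host as a VM, sandbox or Wine.

Added example, not part of the sandbox report. Keys and value names are from
the signatures; the marker list and the two snapshots are constructed.
"""
try:
    import winreg  # Windows only
except ImportError:  # non-Windows host: only SnapshotRegistry is usable
    winreg = None

VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "VIRTUAL")

# (check name, hive\key, value name or None for a bare "does the key exist?")
PROBES = [
    ("virtualbox_acpi_table", r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", None),
    ("system_bios_version", r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    ("video_bios_version", r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    ("wine_key", r"HKCU\Software\Wine", None),
    ("processor_name", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "ProcessorNameString"),
]


class SnapshotRegistry:
    """Reader over a dict {key_path: {value_name: value}} for offline use."""

    def __init__(self, snapshot):
        self.snapshot = {k.lower(): v for k, v in snapshot.items()}

    def key_exists(self, key):
        return key.lower() in self.snapshot

    def read_value(self, key, name):
        return self.snapshot.get(key.lower(), {}).get(name)


class WinRegistry:
    """Reader over the live Windows registry (requires winreg)."""

    _HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

    def _open(self, key):
        hive, _, subkey = key.partition("\\")
        return winreg.OpenKey(getattr(winreg, self._HIVES[hive]), subkey)

    def key_exists(self, key):
        try:
            self._open(key).Close()
            return True
        except OSError:
            return False

    def read_value(self, key, name):
        try:
            with self._open(key) as handle:
                return winreg.QueryValueEx(handle, name)[0]
        except OSError:
            return None


def _as_text(value):
    """REG_MULTI_SZ comes back as a list; normalise everything to one string."""
    if value is None:
        return ""
    if isinstance(value, (list, tuple)):
        return " ".join(str(v) for v in value)
    return str(value)


def evaluate(reg):
    """Return [(check_name, evidence)] for every probe that would expose the host."""
    findings = []
    for name, key, value_name in PROBES:
        if value_name is None:
            if reg.key_exists(key):
                findings.append((name, key))
            continue
        text = _as_text(reg.read_value(key, value_name))
        hit = [m for m in VM_MARKERS if m in text.upper()]
        if hit:
            findings.append((name, f"{value_name}={text!r} matches {hit}"))
    return findings


# Constructed snapshots; the strings are illustrative, not copied from any host.
STOCK_VBOX = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox Version 7.0"],
    },
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0": {
        "ProcessorNameString": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz"},
}
HARDENED = {
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": ["LENOVO - 1", "N2HET60W (1.43 )"],
        "VideoBiosVersion": ["Intel Video BIOS"],
    },
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0": {
        "ProcessorNameString": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz"},
}

if __name__ == "__main__":
    reg = WinRegistry() if winreg else SnapshotRegistry(STOCK_VBOX)
    for finding in evaluate(reg):
        print(*finding)
```

Run it inside the analysis VM before submitting samples: any finding is a value the sample above would have seen, and the VBOX__ ACPI table and the BIOS version strings are the ones that need changing at the hypervisor level rather than in the guest.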
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 2460   9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe (2 entries)
  pid 1064   CAKKEGDGCG.exe
  pid 1724   explorti.exe
  pid 1244   IDGIJEGHDA.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
  pid 1064   CAKKEGDGCG.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2460   9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
  pid 880    132979ba26.exe
-
Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2460 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe   wrote to memory of   2740 cmd.exe           (4 entries)
  PID 2740 cmd.exe                                                                   wrote to memory of   1064 CAKKEGDGCG.exe    (4 entries)
  PID 2460 9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe   wrote to memory of   1664 cmd.exe           (4 entries)
  PID 1664 cmd.exe                                                                   wrote to memory of   1244 IDGIJEGHDA.exe    (4 entries)
  PID 1064 CAKKEGDGCG.exe                                                            wrote to memory of   1724 explorti.exe      (4 entries)
  PID 1724 explorti.exe                                                              wrote to memory of   880 132979ba26.exe     (4 entries)
Every target is the child the writing process had just started (compare the process tree below), so these entries are the memory writes that accompany process creation rather than injection into an unrelated process.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe"
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Loads dropped DLL
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Identifies Wine through registry keys
                - Loads dropped DLL
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\1000006001\132979ba26.exe
                    command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\132979ba26.exe"
                    - Executes dropped EXE
                    - Suspicious use of NtSetInformationThreadHideFromDebugger
                    - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IDGIJEGHDA.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IDGIJEGHDA.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\IDGIJEGHDA.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses

Two details of the tree matter for detection. First, both droppers are launched through cmd.exe /c start "" "<exe>", so cmd.exe, not the loader, is the parent of CAKKEGDGCG.exe and IDGIJEGHDA.exe; a parent-child rule keyed on the loader alone misses them, and the command line has to be matched instead. Second, cmd.exe is invoked as C:\Windows\system32\cmd.exe but runs from C:\Windows\SysWOW64, which is WoW64 file-system redirection for a 32-bit parent: the loader and its droppers are 32-bit processes on the x64 image. The path of explorti.exe matches the amadey install_dir and install_file from the extracted config, and 132979ba26.exe under Temp\1000006001 is the binary behind the "Downloads MZ/PE file" signature.
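The chain above (loader, cmd.exe start-launch, dropper, .job persistence, Temp-to-Temp drop-and-execute) is what an endpoint rule set should recover from telemetry. The following is an added example (not part of the sandbox report) that encodes three such rules and runs them over constructed Sysmon-style events mirroring the tree: the pids, images and command lines are taken from the tree, while the field names (EventID 1 = process create, EventID 11 = file create, Image, ParentImage, CommandLine, TargetFilename) follow the Sysmon schema and are an assumption about what the collector emits. The report does not show the loader's own parent, so that field is left empty, and a notepad.exe event is constructed to show the rules stay quiet on ordinary activity.

```python
"""Detection rules for the process tree, run over constructed Sysmon-style
events.

Added example, not part of the sandbox report. Pids, images and command lines
mirror the tree; the event schema is an assumption about the collector.
"""
import re

TEMP = r"c:\users\admin\appdata\local\temp"
LOADER = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9c1c20db1d73c66795b9b49f39aff02d621dd06c05d7d3ea1007ac7bcbf3f3cd.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPER_A = r"C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe"
DROPPER_B = r"C:\Users\Admin\AppData\Local\Temp\IDGIJEGHDA.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

# 'cmd.exe /c start "" "<exe>"' launcher pattern used twice in the tree.
START_RE = re.compile(r'/c\s+start\s+""\s+"([^"]+\.exe)"', re.IGNORECASE)


def proc(pid, image, parent_pid, parent_image, cmdline=None):
    """Sysmon EventID 1 (process create) as a dict."""
    return {"EventID": 1, "ProcessId": pid, "Image": image,
            "CommandLine": cmdline or f'"{image}"',
            "ParentProcessId": parent_pid, "ParentImage": parent_image}


EVENTS = [
    proc(2460, LOADER, 0, ""),  # parent of the loader is not in the report
    proc(2740, CMD, 2460, LOADER,
         f'"C:\\Windows\\system32\\cmd.exe" /c start "" "{DROPPER_A}"'),
    proc(1064, DROPPER_A, 2740, CMD),
    {"EventID": 11, "ProcessId": 1064, "Image": DROPPER_A,
     "TargetFilename": r"C:\Windows\Tasks\explorti.job"},
    proc(1724, EXPLORTI, 1064, DROPPER_A),
    proc(880, r"C:\Users\Admin\AppData\Local\Temp\1000006001\132979ba26.exe", 1724, EXPLORTI),
    proc(1664, CMD, 2460, LOADER,
         f'"C:\\Windows\\system32\\cmd.exe" /c start "" "{DROPPER_B}"'),
    proc(1244, DROPPER_B, 1664, CMD),
    # Constructed benign event: the rules must not fire on it.
    proc(3000, r"C:\Windows\System32\notepad.exe", 1500, r"C:\Windows\explorer.exe"),
]


def in_user_writable(path):
    p = path.lower()
    return p.startswith(TEMP) or "\\appdata\\" in p


def rule_cmd_start_temp_exe(ev):
    """cmd.exe /c start "" "<exe>" with the target under %TEMP%.

    'start' makes cmd.exe the parent of the dropper, so a parent-child rule on
    the loader never sees it; matching the command line recovers the link.
    """
    if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\cmd.exe"):
        return None
    m = START_RE.search(ev["CommandLine"])
    if m and m.group(1).lower().startswith(TEMP):
        return f"cmd.exe start-launch of {m.group(1)}"
    return None


def rule_tasks_job_from_user_dir(ev):
    """Legacy .job task definition written to C:\\Windows\\Tasks by a process
    running from a user-writable path (the explorti.exe persistence)."""
    if ev["EventID"] != 11:
        return None
    target = ev["TargetFilename"].lower()
    if (target.startswith("c:\\windows\\tasks\\") and target.endswith(".job")
            and in_user_writable(ev["Image"])):
        return f"{ev['TargetFilename']} written by {ev['Image']}"
    return None


def rule_temp_exe_spawns_temp_exe(ev):
    """Drop-and-execute chain: parent and child both run from %TEMP%."""
    if ev["EventID"] != 1:
        return None
    if ev["Image"].lower().startswith(TEMP) and ev["ParentImage"].lower().startswith(TEMP):
        return f"{ev['ParentImage']} -> {ev['Image']}"
    return None


RULES = [rule_cmd_start_temp_exe, rule_tasks_job_from_user_dir, rule_temp_exe_spawns_temp_exe]


def run_rules(events):
    """Return [(rule_name, pid, detail)] for every event/rule pair that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev["ProcessId"], detail))
    return hits


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(*hit)
```

The Temp-to-Temp rule fires twice (CAKKEGDGCG.exe to explorti.exe, explorti.exe to 132979ba26.exe) but not for the droppers themselves, whose recorded parent is cmd.exe; that gap is exactly what the command-line rule covers.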
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000006001\132979ba26.exe
  Filesize  2.4MB
  MD5       3a56a5f933e6b97840d88c99bc445f7b
  SHA1      2406c6ebe491b5d3660b66922d90f250eeabe5fe
  SHA256    40f2617cfc50b6e9db64c830f38e25cca0d2bd2b2d27f155cdce68ed6c6b26fd
  SHA512    31a48b0e84b47527a1dafac792d831aa57d94adf826d947ac293a31c058e8f0054ceba4eabfa608829fc9b9608a844069b44298e4bdfe4c29ee8cee01ade765b
-
C:\Users\Admin\AppData\Local\Temp\CAKKEGDGCG.exe
  Filesize  1.8MB
  MD5       71dd514c0a569e5b41474454618814de
  SHA1      a169c976a62bafb43d6513edd0dba801118c9eff
  SHA256    ecb8a5d642b1895d92da0f2574168d86795a3cbb4c5646ae7e3623c4af36e9c8
  SHA512    df57b220c0e39536e12fcf9dfe3de64035315112b46d2223944b3e35fc74da07cd3c9927b29186dedb9adf1e17ced55667dd2b0f6624fb1e946bdfa658daa006
-
\ProgramData\nss3.dll
  Filesize  2.0MB
  MD5       1cc453cdf74f31e4d913ff9c10acdde2
  SHA1      6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
  nss3.dll is Mozilla's NSS library, which stealc downloads into \ProgramData so it can read Firefox credential stores (see "Reads user/profile data of web browsers" above); treat the drop location rather than the DLL's own hash as the indicator.
-
Memory dumps (pid-index-start-end):
- memory/880-113-0x0000000000E00000-0x00000000019E9000-memory.dmp (11.9MB)
- memory/880-115-0x0000000000E00000-0x00000000019E9000-memory.dmp (11.9MB)
- memory/1064-68-0x0000000000B20000-0x0000000000FE2000-memory.dmp (4.8MB)
- memory/1064-67-0x0000000000B21000-0x0000000000B4F000-memory.dmp (184KB)
- memory/1064-66-0x0000000077890000-0x0000000077892000-memory.dmp (8KB)
- memory/1064-90-0x0000000007010000-0x00000000074D2000-memory.dmp (4.8MB)
- memory/1064-65-0x0000000000B20000-0x0000000000FE2000-memory.dmp (4.8MB)
- memory/1064-89-0x0000000000B20000-0x0000000000FE2000-memory.dmp (4.8MB)
- memory/1064-74-0x0000000000B20000-0x0000000000FE2000-memory.dmp (4.8MB)
- memory/1244-93-0x0000000000FC0000-0x0000000001482000-memory.dmp (4.8MB)
- memory/1244-79-0x0000000000FC0000-0x0000000001482000-memory.dmp (4.8MB)
- memory/1664-77-0x00000000020F0000-0x00000000025B2000-memory.dmp (4.8MB)
- memory/1664-118-0x00000000020F0000-0x00000000025B2000-memory.dmp (4.8MB)
- memory/1724-116-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/1724-117-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/1724-126-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/1724-125-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/1724-124-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/1724-123-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/1724-91-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/1724-121-0x0000000006C00000-0x00000000077E9000-memory.dmp (11.9MB)
- memory/1724-122-0x0000000006C00000-0x00000000077E9000-memory.dmp (11.9MB)
- memory/1724-120-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/1724-111-0x0000000006C00000-0x00000000077E9000-memory.dmp (11.9MB)
- memory/1724-112-0x0000000006C00000-0x00000000077E9000-memory.dmp (11.9MB)
- memory/1724-119-0x0000000001030000-0x00000000014F2000-memory.dmp (4.8MB)
- memory/2460-37-0x000000007EBD0000-0x000000007EFA1000-memory.dmp (3.8MB)
- memory/2460-0-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
- memory/2460-2-0x0000000061E00000-0x0000000061EF3000-memory.dmp (972KB)
- memory/2460-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp (3.8MB)
- memory/2460-34-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
- memory/2460-35-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
- memory/2460-36-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
- memory/2460-72-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
- memory/2460-38-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
- memory/2460-39-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
- memory/2460-40-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
- memory/2460-46-0x00000000008E0000-0x00000000014D6000-memory.dmp (12.0MB)
The parent/child pairs from the process tree show up in the dump sizes: the 0x06C00000-0x077E9000 region in explorti.exe (pid 1724) and the 0x00E00000-0x019E9000 image region of 132979ba26.exe (pid 880) are both 0xBE9000 bytes, and the 0x07010000-0x074D2000 region in CAKKEGDGCG.exe (pid 1064) is the same 0x4C2000 bytes as the explorti.exe image at 0x01030000. When the on-disk files are packed, the parent's dump is the first place to compare against the child's mapped image.