Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-07-2024 02:09
Static task
static1
Behavioral task
behavioral1
Sample
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
Resource
win7-20240611-en
General
-
Target
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe
-
Size
1.9MB
-
MD5
5ad5e4f1f3126c5d6cfdbfbbe5597c84
-
SHA1
47b46cbe987e0e33c9d23f4c6cc304d116e5e80f
-
SHA256
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0
-
SHA512
8c58379f3107cc67944d003df964f123848c9e7b55edbda3d256915cbbf666fa62e8878bb0c091c84e0057fe5097fef8e3eb49f2382519dc4a06f31a4c37b163
-
SSDEEP
49152:izPvPgeS5GaqaHrxCTZtEsO/kLMUunFvGA0WyUAD:YfgbNHrxCTkRWunZRyUA
Malware Config
Extracted
amadey
8254624243
e76b71
http://77.91.77.81
-
install_dir
8254624243
-
install_file
axplong.exe
-
strings_key
90049e51fabf09df0d6748e0b271922e
-
url_paths
/Kiru9gu/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exeaxplong.exeaxplong.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
axplong.exeaxplong.exee5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation axplong.exe -
Executes dropped EXE 4 IoCs
Processes:
axplong.exeZharkBOT.exeaxplong.exeaxplong.exepid process 3004 axplong.exe 4948 ZharkBOT.exe 3864 axplong.exe 4976 axplong.exe -
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
axplong.exeaxplong.exee5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine axplong.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine axplong.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exeaxplong.exeaxplong.exepid process 568 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe 3004 axplong.exe 3864 axplong.exe 4976 axplong.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ZharkBOT.exedescription pid process target process PID 4948 set thread context of 3704 4948 ZharkBOT.exe wab.exe -
Drops file in Windows directory 1 IoCs
Processes:
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exedescription ioc process File created C:\Windows\Tasks\axplong.job e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exepowershell.exeaxplong.exeaxplong.exepid process 568 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe 568 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe 3004 axplong.exe 3004 axplong.exe 4056 powershell.exe 4056 powershell.exe 4056 powershell.exe 3864 axplong.exe 3864 axplong.exe 4976 axplong.exe 4976 axplong.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4056 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exepid process 568 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exeaxplong.exeZharkBOT.exedescription pid process target process PID 568 wrote to memory of 3004 568 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe axplong.exe PID 568 wrote to memory of 3004 568 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe axplong.exe PID 568 wrote to memory of 3004 568 e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe axplong.exe PID 3004 wrote to memory of 4948 3004 axplong.exe ZharkBOT.exe PID 3004 wrote to memory of 4948 3004 axplong.exe ZharkBOT.exe PID 4948 wrote to memory of 4056 4948 ZharkBOT.exe powershell.exe PID 4948 wrote to memory of 4056 4948 ZharkBOT.exe powershell.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe PID 4948 wrote to memory of 3704 4948 ZharkBOT.exe wab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe"C:\Users\Admin\AppData\Local\Temp\e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000149001\ZharkBOT.exe"C:\Users\Admin\AppData\Local\Temp\1000149001\ZharkBOT.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Windows Mail\wab.exe"C:\Program Files (x86)\Windows Mail\wab.exe"4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeC:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000149001\ZharkBOT.exeFilesize
2.9MB
MD580958a4b85453f4df82ec131554a5412
SHA144cefe96467895934ec9d1c2461036704c971458
SHA25670afebe71346475e1f6d4a1c591f920f7ed1d055261eb5d6a4276831aef77783
SHA512cab01e1d63b4ff9a8d35c48fddd18b0959068510b1ca0e66997ed2d59a34b8903f23d3b3736180b52130a325eda3665f9babe2dcad91308f16526e8812fee1c8
-
C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exeFilesize
1.9MB
MD55ad5e4f1f3126c5d6cfdbfbbe5597c84
SHA147b46cbe987e0e33c9d23f4c6cc304d116e5e80f
SHA256e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0
SHA5128c58379f3107cc67944d003df964f123848c9e7b55edbda3d256915cbbf666fa62e8878bb0c091c84e0057fe5097fef8e3eb49f2382519dc4a06f31a4c37b163
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmvd3sdw.ii2.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/568-1-0x0000000077834000-0x0000000077836000-memory.dmpFilesize
8KB
-
memory/568-2-0x0000000000F71000-0x0000000000F9F000-memory.dmpFilesize
184KB
-
memory/568-3-0x0000000000F70000-0x0000000001448000-memory.dmpFilesize
4.8MB
-
memory/568-4-0x0000000000F70000-0x0000000001448000-memory.dmpFilesize
4.8MB
-
memory/568-15-0x0000000000F70000-0x0000000001448000-memory.dmpFilesize
4.8MB
-
memory/568-0-0x0000000000F70000-0x0000000001448000-memory.dmpFilesize
4.8MB
-
memory/3004-72-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-77-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-20-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-19-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-91-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-90-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-89-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-62-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-71-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-18-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-73-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-74-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-75-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-21-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-85-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-84-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-80-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-81-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-82-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3004-83-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3704-61-0x0000000000400000-0x00000000004D6000-memory.dmpFilesize
856KB
-
memory/3704-60-0x0000000000400000-0x00000000004D6000-memory.dmpFilesize
856KB
-
memory/3864-79-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/3864-78-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/4056-55-0x0000013E4C530000-0x0000013E4C552000-memory.dmpFilesize
136KB
-
memory/4976-87-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB
-
memory/4976-88-0x0000000000E90000-0x0000000001368000-memory.dmpFilesize
4.8MB