Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 13-02-2024 01:32
Static task: static1
Behavioral task: behavioral1
- Sample: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
- Resource: win10v2004-20231222-en
General
- Target: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
- Size: 1.8MB
- MD5: fd99bc3307c9d14045736fd8dbcc06df
- SHA1: 556af12bac58f37ed315a8567f9b0b3d181571cf
- SHA256: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f
- SHA512: d19154f5fa63bc8bf5fa2f3b24ada0a1fa1be890b5972fe984a8dcf1735020baf6c831aae0739a55855078bc7ab2017623107cb297d361abd760a2f84696258e
- SSDEEP: 49152:XNfmZUvuyENu82GjpFezMtr46xkif1KwIjiNB:dfgUvutu2jpYzMq6x31KwJN
Malware Config
Extracted
- Family: amadey
- Version: 4.17
- C2: http://185.215.113.32
- install_dir: 00c07260dc
- install_file: explorgu.exe
- strings_key: 461809bd97c251ba0c0c8450c7055f1d
- url_paths: /yandex/index.php
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Wine (process: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  - PID 2148: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
- Drops file in Windows directory (1 IoC)
  Processes:
  - File created: C:\Windows\Tasks\explorgu.job (process: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 2148: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  - PID 2148: 7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7652ee2b1fdb8e7fcce7fc8af5298e595e92bd910def9c5e4ec68d60059ab54f.exe"
  PID: 2148
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
Memory dumps (PID 2148), file and size:
- memory/2148-0-0x00000000002D0000-0x0000000000790000-memory.dmp: 4.8MB
- memory/2148-1-0x0000000077AB0000-0x0000000077AB2000-memory.dmp: 8KB
- memory/2148-2-0x00000000002D0000-0x0000000000790000-memory.dmp: 4.8MB
- memory/2148-13-0x0000000000980000-0x0000000000981000-memory.dmp: 4KB
- memory/2148-12-0x0000000002380000-0x0000000002381000-memory.dmp: 4KB
- memory/2148-14-0x00000000009A0000-0x00000000009A1000-memory.dmp: 4KB
- memory/2148-11-0x0000000000A60000-0x0000000000A61000-memory.dmp: 4KB
- memory/2148-10-0x0000000000A70000-0x0000000000A71000-memory.dmp: 4KB
- memory/2148-9-0x0000000000A40000-0x0000000000A41000-memory.dmp: 4KB
- memory/2148-8-0x0000000000990000-0x0000000000991000-memory.dmp: 4KB
- memory/2148-7-0x00000000008E0000-0x00000000008E1000-memory.dmp: 4KB
- memory/2148-6-0x00000000023D0000-0x00000000023D1000-memory.dmp: 4KB
- memory/2148-5-0x0000000000A50000-0x0000000000A51000-memory.dmp: 4KB
- memory/2148-4-0x0000000000AE0000-0x0000000000AE1000-memory.dmp: 4KB
- memory/2148-3-0x0000000000AC0000-0x0000000000AC1000-memory.dmp: 4KB
- memory/2148-16-0x00000000009F0000-0x00000000009F1000-memory.dmp: 4KB
- memory/2148-17-0x00000000023E0000-0x00000000023E1000-memory.dmp: 4KB
- memory/2148-18-0x00000000008F0000-0x00000000008F1000-memory.dmp: 4KB
- memory/2148-19-0x0000000002640000-0x0000000002641000-memory.dmp: 4KB
- memory/2148-23-0x00000000002D0000-0x0000000000790000-memory.dmp: 4.8MB