Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-03-2024 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  Resource: win10-20240221-en
General
Target: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
Size: 1.8MB
MD5: 4fbb379faf60b95bc8187f9e05fe3ec7
SHA1: 6ba311ae532033c5afc2c8a2fa0b6d435e882a51
SHA256: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9
SHA512: 9c38817b64412d27bf2f2ba58bb207eaa88665a63f3d659139d5e686c12387969790fb33f6aafbe762191763b5f3a8a9dc894ac21381f48ce46a52b6b2d1f758
SSDEEP: 24576:vHrHDqdPZRwyv6X6O2FsALnUBNujAWhvPY/ZssOcFnuVH0/uGwwfYvX+58TeSD0r:frHK3v6X6O2FrwBzWmsTAnuVzvuCaV
Malware Config
Extracted: amadey 4.17
http://185.215.113.32
install_dir: 00c07260dc
install_file: explorgu.exe
strings_key: 461809bd97c251ba0c0c8450c7055f1d
url_paths: /yandex/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Wine | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  pid | process
  2892 | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Drops file in Windows directory (1 IoCs)
Processes: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  description | ioc | process
  File created | C:\Windows\Tasks\explorgu.job | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  pid | process
  2892 | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  pid | process
  2892 | 28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
Processes
C:\Users\Admin\AppData\Local\Temp\28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28d411ec9f701ef3ff672be31fab1a82a154c90290e33979b36bd29789daf6b9.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/2892-0-0x0000000000340000-0x00000000007F4000-memory.dmp  Filesize: 4.7MB
memory/2892-1-0x0000000077040000-0x0000000077042000-memory.dmp  Filesize: 8KB
memory/2892-2-0x0000000000340000-0x00000000007F4000-memory.dmp  Filesize: 4.7MB
memory/2892-3-0x00000000024B0000-0x00000000024B2000-memory.dmp  Filesize: 8KB
memory/2892-4-0x0000000002790000-0x0000000002791000-memory.dmp  Filesize: 4KB
memory/2892-6-0x00000000027C0000-0x00000000027C1000-memory.dmp  Filesize: 4KB
memory/2892-11-0x0000000002200000-0x0000000002201000-memory.dmp  Filesize: 4KB
memory/2892-10-0x0000000002420000-0x0000000002421000-memory.dmp  Filesize: 4KB
memory/2892-9-0x0000000002400000-0x0000000002401000-memory.dmp  Filesize: 4KB
memory/2892-12-0x00000000022E0000-0x00000000022E1000-memory.dmp  Filesize: 4KB
memory/2892-8-0x0000000002210000-0x0000000002211000-memory.dmp  Filesize: 4KB
memory/2892-7-0x0000000000930000-0x0000000000931000-memory.dmp  Filesize: 4KB
memory/2892-5-0x0000000002410000-0x0000000002411000-memory.dmp  Filesize: 4KB
memory/2892-14-0x0000000002820000-0x0000000002821000-memory.dmp  Filesize: 4KB
memory/2892-13-0x00000000022F0000-0x00000000022F1000-memory.dmp  Filesize: 4KB
memory/2892-16-0x0000000000940000-0x0000000000941000-memory.dmp  Filesize: 4KB
memory/2892-17-0x0000000002CB0000-0x0000000002CB1000-memory.dmp  Filesize: 4KB
memory/2892-21-0x0000000000340000-0x00000000007F4000-memory.dmp  Filesize: 4.7MB