Analysis
max time kernel: 146s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07-04-2024 16:59
Static task: static1
Behavioral task: behavioral1
Sample: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
Resource: win10v2004-20240226-en
General
Target: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
Size: 1.8MB
MD5: f526fa05d3c69d651ae6e2326da3ef17
SHA1: 3bb26890dfc9d6dc31ce3aed7a25e89cd96fffb1
SHA256: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b
SHA512: 6eb2cae48b275a0b2ab0f793ea11a97f4b8647597e61c0ffd5aceae1c02df5c176072fcd3d16b719632a3046ff7210d0e12c918539d6259ae5857c0f85bf78c9
SSDEEP: 49152:vQagaKNSadS4I41j3pTGZgLZ6uufLPl7x:vQagaKNSIBf96uCPl7x
Malware Config
Extracted: amadey 4.18
http://193.233.132.56
install_dir: 09fd851a4f
install_file: explorha.exe
strings_key: 443351145ece4966ded809641c77cfa8
url_paths: /Pneh2sXQk0/index.php
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
Processes: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe, explorha.exe
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorha.exe

Blocklisted process makes network request | 1 IoCs
Processes: rundll32.exe
Flow | PID | Process
6 | 2372 | rundll32.exe

Downloads MZ/PE file

Checks BIOS information in registry | 2 TTPs | 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe, explorha.exe
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorha.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorha.exe

Executes dropped EXE | 1 IoCs
Processes: explorha.exe
PID | Process
32 | explorha.exe

Identifies Wine through registry keys | 2 TTPs | 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe, explorha.exe
Description | IoC | Process
Key opened | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
Key opened | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine | explorha.exe

Loads dropped DLL | 1 IoCs
Processes: rundll32.exe
PID | Process
2372 | rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger | 2 IoCs
Processes: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe, explorha.exe
PID | Process
2344 | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
32 | explorha.exe

Drops file in Windows directory | 1 IoCs
Processes: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
Description | IoC | Process
File created | C:\Windows\Tasks\explorha.job | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe

Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses | 4 IoCs
Processes: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe, explorha.exe
PID | Process
2344 | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
2344 | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
32 | explorha.exe
32 | explorha.exe

Suspicious use of FindShellTrayWindow | 1 IoCs
Processes: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
PID | Process
2344 | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe

Suspicious use of WriteProcessMemory | 11 IoCs
Processes: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe, explorha.exe, rundll32.exe
Description | PID | Process | procid_target
PID 2344 wrote to memory of 32 | 2344 | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe | 77
PID 2344 wrote to memory of 32 | 2344 | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe | 77
PID 2344 wrote to memory of 32 | 2344 | 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe | 77
PID 32 wrote to memory of 2000 | 32 | explorha.exe | 78
PID 32 wrote to memory of 2000 | 32 | explorha.exe | 78
PID 32 wrote to memory of 2000 | 32 | explorha.exe | 78
PID 2000 wrote to memory of 5008 | 2000 | rundll32.exe | 79
PID 2000 wrote to memory of 5008 | 2000 | rundll32.exe | 79
PID 32 wrote to memory of 2372 | 32 | explorha.exe | 80
PID 32 wrote to memory of 2372 | 32 | explorha.exe | 80
PID 32 wrote to memory of 2372 | 32 | explorha.exe | 80
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b.exe"
  PID: 2344
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    PID: 32
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      PID: 2000
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        PID: 5008

    (depth 3) C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      PID: 2372
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 1.8MB
MD5: f526fa05d3c69d651ae6e2326da3ef17
SHA1: 3bb26890dfc9d6dc31ce3aed7a25e89cd96fffb1
SHA256: 487c298e3d6c21c263a9208547e97bbc706546e7549e290aa261cf4488bdff1b
SHA512: 6eb2cae48b275a0b2ab0f793ea11a97f4b8647597e61c0ffd5aceae1c02df5c176072fcd3d16b719632a3046ff7210d0e12c918539d6259ae5857c0f85bf78c9

File 2
Filesize: 109KB
MD5: 726cd06231883a159ec1ce28dd538699
SHA1: 404897e6a133d255ad5a9c26ac6414d7134285a2
SHA256: 12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA512: 9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

File 3
Filesize: 576KB
MD5: 0dbf7be9756a1527348b822603b77d03
SHA1: 15c815137220fd4fadaf2752b91c991149a7910f
SHA256: 8bc98d48ba8672dd85aa33a7dfe0178553a3705d42f84359f047cf57fab21284
SHA512: a0f4b373e13ef062806b63bce74acfc237d5c696386b8af741354ff0a2eda80ef4a8bfa6859ffb7f26cc2a7e16ce2802baeeb3aa6c2f9afe482186b81690ce3a