Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
21-04-2024 06:01
Static task
static1
Behavioral task
behavioral1
Sample
949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe
Resource
win10v2004-20240412-en
General
-
Target
949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe
-
Size
1.9MB
-
MD5
07cef615474a090cb5f7796b6ffed613
-
SHA1
b9e912c5305acd8b06eb6642b247fa14f70123e2
-
SHA256
949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9
-
SHA512
bae595c50567a3e4c56a8e486189153075b0dc95c3b29e3e9be14954bd2337129c8a0618e467ee27a96f9518258b10b051e57a174fa04991ed9a11519e9ffd28
-
SSDEEP
49152:FTnrnfpQW41aKqXFaj0Ur6hFjBGu9Fw50fSx0dFK+Z1u:Zrd44Kqwz6TjB9U50fNn
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ chrosha.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2500 rundll32.exe 4 1408 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion chrosha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion chrosha.exe -
Executes dropped EXE 1 IoCs
pid Process 2276 chrosha.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine 949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe Key opened \REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Wine chrosha.exe -
Loads dropped DLL 3 IoCs
pid Process 1300 rundll32.exe 2500 rundll32.exe 1408 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1520 949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe 2276 chrosha.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\chrosha.job 949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1520 949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe 1520 949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe 2276 chrosha.exe 2276 chrosha.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2328 powershell.exe 2328 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2328 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2276 wrote to memory of 1300 2276 chrosha.exe 83 PID 2276 wrote to memory of 1300 2276 chrosha.exe 83 PID 2276 wrote to memory of 1300 2276 chrosha.exe 83 PID 1300 wrote to memory of 2500 1300 rundll32.exe 84 PID 1300 wrote to memory of 2500 1300 rundll32.exe 84 PID 2500 wrote to memory of 3492 2500 rundll32.exe 85 PID 2500 wrote to memory of 3492 2500 rundll32.exe 85 PID 2500 wrote to memory of 2328 2500 rundll32.exe 87 PID 2500 wrote to memory of 2328 2500 rundll32.exe 87 PID 2276 wrote to memory of 1408 2276 chrosha.exe 89 PID 2276 wrote to memory of 1408 2276 chrosha.exe 89 PID 2276 wrote to memory of 1408 2276 chrosha.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe"C:\Users\Admin\AppData\Local\Temp\949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1520
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵PID:3492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\263309122282_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1408
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD507cef615474a090cb5f7796b6ffed613
SHA1b9e912c5305acd8b06eb6642b247fa14f70123e2
SHA256949eec359c5477369714b627a01403c70942ba456815d59a3cf167f6f8ffc6f9
SHA512bae595c50567a3e4c56a8e486189153075b0dc95c3b29e3e9be14954bd2337129c8a0618e467ee27a96f9518258b10b051e57a174fa04991ed9a11519e9ffd28
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
Filesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705