Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
25/04/2024, 17:25
Static task
static1
General
-
Target
217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe
-
Size
1.8MB
-
MD5
8facf6d258ba6125d842d5e0d5469bfb
-
SHA1
4374fc7f57ea001165cdcf36bbc6f6015203ef05
-
SHA256
217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854
-
SHA512
41c9e23c7b29c8901bd7fcf3932f44144116faa5505c33e0572d4c2b6ef687ddda8b77559cc4187007abcdb74620d1740c3075b9601c39a700a17f792555de8f
-
SSDEEP
24576:hUzyuEf7LB7EMsFYxUoPXvwRUJIu9iYOBlyId1NW/0j6qUYAliVNbr6wHMb2Mjs2:kyuoBUFgQSJR9fOr3qO6q/dDHCsEJVd
Malware Config
Extracted
amadey
4.17
http://193.233.132.167
-
install_dir
4d0ab15804
-
install_file
chrosha.exe
-
strings_key
1a9519d7b465e1f4880fa09a6162d768
-
url_paths
/enigma/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ chrosha.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 26 1528 rundll32.exe 28 4020 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion chrosha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion chrosha.exe -
Executes dropped EXE 1 IoCs
pid Process 1932 chrosha.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe Key opened \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Wine chrosha.exe -
Loads dropped DLL 3 IoCs
pid Process 4092 rundll32.exe 1528 rundll32.exe 4020 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4476 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe 1932 chrosha.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\chrosha.job 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4476 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe 4476 217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe 1932 chrosha.exe 1932 chrosha.exe 1528 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe 1528 rundll32.exe 5032 powershell.exe 5032 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5032 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1932 wrote to memory of 4092 1932 chrosha.exe 88 PID 1932 wrote to memory of 4092 1932 chrosha.exe 88 PID 1932 wrote to memory of 4092 1932 chrosha.exe 88 PID 4092 wrote to memory of 1528 4092 rundll32.exe 89 PID 4092 wrote to memory of 1528 4092 rundll32.exe 89 PID 1528 wrote to memory of 4128 1528 rundll32.exe 90 PID 1528 wrote to memory of 4128 1528 rundll32.exe 90 PID 1528 wrote to memory of 5032 1528 rundll32.exe 92 PID 1528 wrote to memory of 5032 1528 rundll32.exe 92 PID 1932 wrote to memory of 4020 1932 chrosha.exe 94 PID 1932 wrote to memory of 4020 1932 chrosha.exe 94 PID 1932 wrote to memory of 4020 1932 chrosha.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe"C:\Users\Admin\AppData\Local\Temp\217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4476
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵PID:4128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\777591257247_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4020
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD58facf6d258ba6125d842d5e0d5469bfb
SHA14374fc7f57ea001165cdcf36bbc6f6015203ef05
SHA256217534469e02f0637a69df31094188ed270d523f9259140b2cfaa3c74ff87854
SHA51241c9e23c7b29c8901bd7fcf3932f44144116faa5505c33e0572d4c2b6ef687ddda8b77559cc4187007abcdb74620d1740c3075b9601c39a700a17f792555de8f
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
Filesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705