Analysis
- max time kernel: 25s
- max time network: 28s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-04-2024 17:18
Static task: static1
Behavioral task: behavioral1
- Sample: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
- Resource: win7-20231129-en
General
- Target: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
- Size: 1.8MB
- MD5: 00d2b75c4c3e234c8576a67d24849596
- SHA1: d5badbb62b2adbcef7e01b3b5bd342d11c09cdb5
- SHA256: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12
- SHA512: 0fa5377df174c92130fea3352e60a9571e6724c39fb5397a94d93d84fec3b044ad3935a1ba5ab9243a66d2b5dc02756aeb087118e6a7097b810c01da6813cd7d
- SSDEEP: 49152:g3/bnubds8ARZks8cBX2uYpSRFtbq9XHO:gjnu72QRGt
Malware Config
Extracted
- Family: amadey
- Version: 4.20
- C2: http://193.233.132.139
- install_dir: 5454e6f062
- install_file: explorta.exe
- strings_key: c7a869c5ba1d72480093ec207994e2bf
- url_paths: /sev56rkm/index.php
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe, explorta.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorta.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe, explorta.exe
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorta.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorta.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
- Executes dropped EXE (1 IoCs)
  Processes: explorta.exe
  pid | Process
  3088 | explorta.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe, explorta.exe
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  Key opened | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine | explorta.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe, explorta.exe
  pid | Process
  4904 | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  3088 | explorta.exe
- Drops file in Windows directory (1 IoCs)
  Processes: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  description | ioc | Process
  File created | C:\Windows\Tasks\explorta.job | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe, explorta.exe, taskmgr.exe
  pid | Process
  4904 | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe (2 entries)
  3088 | explorta.exe (2 entries)
  5008 | taskmgr.exe (12 entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: taskmgr.exe
  description | pid | Process
  Token: SeDebugPrivilege | 5008 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 5008 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 5008 | taskmgr.exe
  Token: 33 | 5008 | taskmgr.exe
  Token: SeIncBasePriorityPrivilege | 5008 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (37 IoCs)
  Processes: taskmgr.exe
  pid | Process
  5008 | taskmgr.exe (37 identical entries)
- Suspicious use of SendNotifyMessage (37 IoCs)
  Processes: taskmgr.exe
  pid | Process
  5008 | taskmgr.exe (37 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  description | pid | Process | procid_target
  PID 4904 wrote to memory of 3088 | 4904 | c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe | 87 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12.exe"
  PID: 4904
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
    PID: 3088
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 5008
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
- MD5: 00d2b75c4c3e234c8576a67d24849596
- SHA1: d5badbb62b2adbcef7e01b3b5bd342d11c09cdb5
- SHA256: c81600b4e9f10f09529b539f4440225522777ad2d6b58400e4081f3117af7b12
- SHA512: 0fa5377df174c92130fea3352e60a9571e6724c39fb5397a94d93d84fec3b044ad3935a1ba5ab9243a66d2b5dc02756aeb087118e6a7097b810c01da6813cd7d