Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    211c253f5e7a2dde53c0288bad0d8c6e4639692daa46b0d561e3b8c8749e65b1.exe

  • Size

    1.6MB

  • MD5

    580befc5b2581c95345ef05ad0b1dbba

  • SHA1

    d57a6be2bcb4aa132b9ac07859e18d197a441ca6

  • SHA256

    211c253f5e7a2dde53c0288bad0d8c6e4639692daa46b0d561e3b8c8749e65b1

  • SHA512

    091b9bb6364f91f2bb30b7996bf030e3ff5f2d471f105e06d04ea04376a757b6350bdc0fc74760aa8311e75ce36b65727d8c741a160c499677ebb95929344b6c

  • SSDEEP

    49152:BmuwU7/qStyh6tN75kToMpe5JOV0b1b4tE:BmxStg6tgTrejMuGtE

Score
10/10
amadeyriseproevasionpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.141

http://5.42.96.7
Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain
rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 20 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 37 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\211c253f5e7a2dde53c0288bad0d8c6e4639692daa46b0d561e3b8c8749e65b1.exe
    "C:\Users\Admin\AppData\Local\Temp\211c253f5e7a2dde53c0288bad0d8c6e4639692daa46b0d561e3b8c8749e65b1.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2400
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4504
      • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
        "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4700
        • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
          "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:2820
      • C:\Users\Admin\1000006002\4d2c34ef01.exe
        "C:\Users\Admin\1000006002\4d2c34ef01.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:1436
  • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3388
  • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:1780
  • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:3212
  • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4004

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\1000006002\4d2c34ef01.exe
    Filesize

    2.2MB

    MD5

    27f59bb119330754820d82336b4ee69c

    SHA1

    58011ba1ebbc13b9be5804383c947bcb2f812d79

    SHA256

    f32937818ab2906baf11406ebf408ae32fe868907fd012cb67b7023364c71926

    SHA512

    ce8edeb1ee88805b4b2b6bc0f6f3b7756f37b846b1dd53c0b289a43e1bf1e7a92494f6061b3ad2a6efecd4f344b1e3f1502cafa7bb1f6bab62610d5e52e10821

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
    Filesize

    1.8MB

    MD5

    902edaad070df1a0642b38e23bd06977

    SHA1

    e59e89620fb7b801875c8bb0ca08fd31c8415efb

    SHA256

    aaa4d4fc58cfbb5c4cf25d1ac2f80aa9bec54cab740c047b1e223c772fc932bc

    SHA512

    e7bd670b37f46ab9bf98a60a32ec5e141abeb9f3c8fea6dd20304f3a72f86f70b4fb722de4a38cf36334470dc0f10c2dbe0b68e306a485ede62697c08a405d5f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
    Filesize

    1.6MB

    MD5

    580befc5b2581c95345ef05ad0b1dbba

    SHA1

    d57a6be2bcb4aa132b9ac07859e18d197a441ca6

    SHA256

    211c253f5e7a2dde53c0288bad0d8c6e4639692daa46b0d561e3b8c8749e65b1

    SHA512

    091b9bb6364f91f2bb30b7996bf030e3ff5f2d471f105e06d04ea04376a757b6350bdc0fc74760aa8311e75ce36b65727d8c741a160c499677ebb95929344b6c

    Download Submit

  • memory/1436-118-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-123-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-129-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-120-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-124-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-125-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-122-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-121-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-119-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1436-117-0x0000000000C50000-0x00000000012E1000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/1780-146-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-5-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-1-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-21-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-4-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-2-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-3-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-0-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-8-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-7-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2400-6-0x0000000000700000-0x0000000000C33000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2820-127-0x00000000007E0000-0x0000000000C90000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2820-97-0x00000000007E0000-0x0000000000C90000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2820-131-0x00000000007E0000-0x0000000000C90000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2820-134-0x00000000007E0000-0x0000000000C90000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3212-178-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3212-176-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3388-148-0x00000000007E0000-0x0000000000C90000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4004-180-0x00000000007E0000-0x0000000000C90000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4004-175-0x00000000007E0000-0x0000000000C90000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4192-22-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-75-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-126-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-23-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-24-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-26-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-27-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-28-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-30-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-29-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4192-25-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4504-36-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-58-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-47-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-44-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-43-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-42-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-41-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-40-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-62-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-76-0x0000000077BE4000-0x0000000077BE6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4504-51-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-37-0x0000000000AF0000-0x0000000001023000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4504-52-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-33-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-53-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-55-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-56-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-50-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-59-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-63-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-64-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-65-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-66-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-60-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-61-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-57-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-54-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-130-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-49-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-48-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-45-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-46-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-39-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4504-38-0x0000000000400000-0x00000000009DD000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/4700-96-0x0000000000A40000-0x0000000000EF0000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4700-84-0x0000000000A40000-0x0000000000EF0000-memory.dmp

    Filesize

    4.7MB

    Download