Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-05-2024 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d67c105be8b195ae99cb0e5117779583f757882f8944cb175fc57acf95bb51a6.exe

  • Size

    1.6MB

  • MD5

    0765d5749f393ce67e35f8d1437b0e38

  • SHA1

    0f1d89e7d0d5c4ec646a0ba9e5f9a30b42c756e4

  • SHA256

    d67c105be8b195ae99cb0e5117779583f757882f8944cb175fc57acf95bb51a6

  • SHA512

    aab2995ed3ab7149de043f0bf0b4cbada634818bb428646d4f09fc361886ae316e34a588a6c60d867b6c954e67caa2597af3f4cbb7b031efc82b0eb39e45d5a3

  • SSDEEP

    49152:EDHkYqNNtbIETTdahfkU9tP3HZm1N0YfBeXyPQAy0rjuzR:ExqC6TdVUv/5e0YayvS

Score
10/10
amadeyriseproevasionpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://5.42.96.141

http://5.42.96.7
Attributes
  • install_dir

    908f070dff

  • install_file

    explorku.exe

  • strings_key

    b25a9385246248a95c600f9a061438e1

  • url_paths

    /go34ko8/index.php

rc4.plain
rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 49 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d67c105be8b195ae99cb0e5117779583f757882f8944cb175fc57acf95bb51a6.exe
    "C:\Users\Admin\AppData\Local\Temp\d67c105be8b195ae99cb0e5117779583f757882f8944cb175fc57acf95bb51a6.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:404
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        "C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
        3⤵
          PID:2492
        • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
            "C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:4960
        • C:\Users\Admin\1000006002\683419f3e1.exe
          "C:\Users\Admin\1000006002\683419f3e1.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:1824
    • C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2896
    • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:3052
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1188
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:2220
      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:3068

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\1000006002\683419f3e1.exe
        Filesize

        2.2MB

        MD5

        0180109cd0f4ef6780d40d6a93ce1bc0

        SHA1

        ed0ba4495c5322434a422d4739187390d390b42e

        SHA256

        c3238cc3b1def1bb9756e606c869e8aa5c33df29d2a1778e642b6a3738d6c210

        SHA512

        544844225a8caaa445baf2df99955db6ea9a3116be1723f04444df15c7579d32beb1930f5b9a43452bb254a4a87c7190343a8c2baf40e200c40efdde21e7d0af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1000005001\amers.exe
        Filesize

        1.8MB

        MD5

        08f0bb3717f58ab2b62ed1dd86e59ef4

        SHA1

        8ab583c4de2c2a947d85a95aeda14eebc1bcf677

        SHA256

        cbe9c7e92ad27706285a19ae995c4664fe7324d4f653271163b9d43bffa506f9

        SHA512

        ec17648c379402fe5fa2820f3762efcb77b774d9fbf5be930ffa1be603ea5a101939ff674a1294ec00bfaa560bcaf24211695020ef6067eaf68eb42c2478fe9e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
        Filesize

        1.6MB

        MD5

        0765d5749f393ce67e35f8d1437b0e38

        SHA1

        0f1d89e7d0d5c4ec646a0ba9e5f9a30b42c756e4

        SHA256

        d67c105be8b195ae99cb0e5117779583f757882f8944cb175fc57acf95bb51a6

        SHA512

        aab2995ed3ab7149de043f0bf0b4cbada634818bb428646d4f09fc361886ae316e34a588a6c60d867b6c954e67caa2597af3f4cbb7b031efc82b0eb39e45d5a3

        Download Submit

      • memory/404-26-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/404-21-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/404-22-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/404-23-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/404-24-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/404-102-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/404-27-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/404-25-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/404-28-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/1824-96-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-70-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-85-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-98-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-97-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-84-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-95-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-83-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-103-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1824-82-0x0000000000C00000-0x000000000128C000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2220-128-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2220-127-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2220-123-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2220-122-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2220-126-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2220-125-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2220-124-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2220-129-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/2340-78-0x0000000000490000-0x0000000000941000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2340-47-0x0000000077554000-0x0000000077556000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2340-46-0x0000000000490000-0x0000000000941000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-110-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-104-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-132-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-90-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-121-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-118-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-115-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-112-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/2896-107-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/3052-92-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3052-89-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3052-86-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3052-99-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3052-88-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3052-94-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3052-93-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3052-87-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3052-91-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3068-157-0x00000000009A0000-0x0000000000ED6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-1-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-0-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-3-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-9-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-5-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-6-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-4-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-7-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-2-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/3892-20-0x0000000000290000-0x00000000007C6000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4960-81-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/4960-101-0x00000000001C0000-0x0000000000671000-memory.dmp

        Filesize

        4.7MB

        Download