Malware Analysis Report

2025-03-15 03:58

Sample ID 240519-gp6eladf28
Target 01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367
SHA256 01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367
Tags
amadey risepro 18befc c767c0 evasion persistence stealer themida trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367

Threat Level: Known bad

The file 01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367 was found to be: Known bad.

Malicious Activity Summary

amadey risepro 18befc c767c0 evasion persistence stealer themida trojan

RisePro

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Themida packer

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 05:59

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 05:59

Reported

2024-05-19 06:02

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40bee91304.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\40bee91304.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3292 set thread context of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2044 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 2044 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 3292 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 3292 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 3292 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 4712 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4712 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 4712 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 3292 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe
PID 3292 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe
PID 3292 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe

"C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
RU 5.42.96.141:80 5.42.96.141 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 5.42.96.141:80 5.42.96.141 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/2044-2-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/2044-0-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/2044-3-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/2044-1-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/2044-5-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/2044-8-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/2044-7-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/2044-6-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/2044-4-0x0000000000A20000-0x0000000000F1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 2f2e36c7cf44716df7af572adba72551
SHA1 090b3ed6ad1f1a73f81d2b55becd2f474a7576ff
SHA256 01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367
SHA512 f8286451e04dc960c751e75dd2e7b65f8941e36141eaf1d08bbd3547eba359624d6576cd689456c91323cb82b6fd701e1493cf5ddb152ed97319af32e9d23efc

memory/3292-23-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-24-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-30-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-28-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-25-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-29-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-27-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-26-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-22-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/2044-21-0x0000000000A20000-0x0000000000F1E000-memory.dmp

memory/3292-31-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3292-39-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3612-43-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-44-0x0000000000D40000-0x000000000123E000-memory.dmp

memory/3612-45-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-40-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-50-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-51-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-52-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-54-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-59-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-57-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-56-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-58-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-53-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-55-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-49-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-47-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-48-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-46-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-61-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-66-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-73-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-72-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-71-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-70-0x0000000077524000-0x0000000077526000-memory.dmp

memory/3612-68-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-67-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-69-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-65-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-63-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-62-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-64-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/3612-60-0x0000000000400000-0x00000000009EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 a74a4675ae9de7d4d233cb1dca2ce171
SHA1 b9df6e1d6abeb16dd72b88e2a39a482048c70112
SHA256 b77ad385f7230a726cfafcb71bd998b7e29921d44bcc82bc1383692279c6c802
SHA512 d4c12aea5b8fe5a2a8c0d4823f50c073591036dc86dd4641b8c725aa0baef10264690992ead75b6a999666647c790c36aab088f691a6d01f5649b91d829cbf70

memory/4712-90-0x0000000000D50000-0x0000000001201000-memory.dmp

memory/4712-105-0x0000000000D50000-0x0000000001201000-memory.dmp

memory/912-103-0x0000000000B20000-0x0000000000FD1000-memory.dmp

memory/3292-102-0x0000000000D40000-0x000000000123E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\40bee91304.exe

MD5 a728d47242b4ff5ae0d61514fdef5f8f
SHA1 0597adc779c4f351df4950f529ce8648f5e90b7a
SHA256 b03b13cdbb8baecd813a8076a1abf5560cd9a350e2a489e454901356d146b001
SHA512 c2920f3dd71cfcf088276cd6fa5a64e9d97c738cbccde806d5236751c7079374f900845e74b743b31db7c161394e773ba8d6229d6bd724e35aa798f5d4bfc551

memory/2360-124-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/2360-127-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/2360-126-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/2360-129-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/2360-131-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/2360-130-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/2360-128-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/2360-125-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/3612-135-0x0000000000400000-0x00000000009EF000-memory.dmp

memory/912-139-0x0000000000B20000-0x0000000000FD1000-memory.dmp

memory/2360-141-0x0000000000B20000-0x00000000011A6000-memory.dmp

memory/324-148-0x0000000000B20000-0x0000000000FD1000-memory.dmp

memory/324-150-0x0000000000B20000-0x0000000000FD1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 05:59

Reported

2024-05-19 06:02

Platform

win11-20240426-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe"

Signatures

Amadey

trojan amadey

RisePro

stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\fd903a8055.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\fd903a8055.exe" C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\axplons.job C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe N/A
File created C:\Windows\Tasks\explorku.job C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4980 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 4980 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1512 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1512 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1512 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
PID 1512 wrote to memory of 252 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 1512 wrote to memory of 252 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 1512 wrote to memory of 252 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
PID 252 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 252 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 252 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
PID 1512 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe
PID 1512 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe
PID 1512 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe

"C:\Users\Admin\AppData\Local\Temp\01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"

C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe

"C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe"

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe

Network

Country Destination Domain Proto
RU 5.42.96.141:80 5.42.96.141 tcp
US 8.8.8.8:53 141.96.42.5.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 5.42.96.7:80 5.42.96.7 tcp
US 8.8.8.8:53 7.96.42.5.in-addr.arpa udp
RU 5.42.96.141:80 5.42.96.141 tcp
RU 5.42.96.7:80 5.42.96.7 tcp

Files

memory/4980-0-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/4980-2-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/4980-3-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/4980-7-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/4980-8-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/4980-4-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/4980-6-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/4980-5-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/4980-1-0x0000000000A90000-0x0000000000F8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe

MD5 2f2e36c7cf44716df7af572adba72551
SHA1 090b3ed6ad1f1a73f81d2b55becd2f474a7576ff
SHA256 01287057c2295ac72f4ffa1f3f83df8c3b380e20ddfe64923b3cc817413a5367
SHA512 f8286451e04dc960c751e75dd2e7b65f8941e36141eaf1d08bbd3547eba359624d6576cd689456c91323cb82b6fd701e1493cf5ddb152ed97319af32e9d23efc

memory/4980-21-0x0000000000A90000-0x0000000000F8E000-memory.dmp

memory/1512-29-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-26-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-28-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-30-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-27-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-25-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-23-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-24-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-22-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-31-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/1512-40-0x0000000000D80000-0x000000000127E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe

MD5 a74a4675ae9de7d4d233cb1dca2ce171
SHA1 b9df6e1d6abeb16dd72b88e2a39a482048c70112
SHA256 b77ad385f7230a726cfafcb71bd998b7e29921d44bcc82bc1383692279c6c802
SHA512 d4c12aea5b8fe5a2a8c0d4823f50c073591036dc86dd4641b8c725aa0baef10264690992ead75b6a999666647c790c36aab088f691a6d01f5649b91d829cbf70

memory/252-56-0x00000000007D0000-0x0000000000C81000-memory.dmp

memory/252-57-0x00000000779D6000-0x00000000779D8000-memory.dmp

memory/848-71-0x0000000000EB0000-0x0000000001361000-memory.dmp

memory/252-70-0x00000000007D0000-0x0000000000C81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000014001\fd903a8055.exe

MD5 a728d47242b4ff5ae0d61514fdef5f8f
SHA1 0597adc779c4f351df4950f529ce8648f5e90b7a
SHA256 b03b13cdbb8baecd813a8076a1abf5560cd9a350e2a489e454901356d146b001
SHA512 c2920f3dd71cfcf088276cd6fa5a64e9d97c738cbccde806d5236751c7079374f900845e74b743b31db7c161394e773ba8d6229d6bd724e35aa798f5d4bfc551

memory/1876-90-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1876-91-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1876-93-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1876-94-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1876-92-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1876-95-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1876-97-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1876-98-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1876-96-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/1512-99-0x0000000000D80000-0x000000000127E000-memory.dmp

memory/848-100-0x0000000000EB0000-0x0000000001361000-memory.dmp

memory/1876-102-0x00000000004B0000-0x0000000000B36000-memory.dmp

memory/848-103-0x0000000000EB0000-0x0000000001361000-memory.dmp

memory/848-106-0x0000000000EB0000-0x0000000001361000-memory.dmp

memory/1540-110-0x0000000000EB0000-0x0000000001361000-memory.dmp

memory/1540-111-0x0000000000EB0000-0x0000000001361000-memory.dmp

memory/848-112-0x0000000000EB0000-0x0000000001361000-memory.dmp

memory/848-115-0x0000000000EB0000-0x0000000001361000-memory.dmp