amadey | 1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481

Resubmissions

20-05-2024 21:19

240520-z6ancsge55 10

20-05-2024 16:03

240520-thk7asgd55 10

Analysis

max time kernel
149s
max time network
123s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
20-05-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe
Size

1.7MB
MD5

93ce2f1033f7d26a12bdb0ae8f721d80
SHA1

c8aada969ad142a99e696416263e6fd4c28d3b58
SHA256

1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481
SHA512

c420ec6f6be3226dc8bc4718c088c47be77de348ae1308049244f35ef8ff3aa96c7e0656ab6c5559d20c50ee8b4c861429b694a780ec6205f8b8edf5b5d8a5d9
SSDEEP

24576:QKmeWJMjRaVdFtAK59foIK5w/6clN9+PzVyo6NxnfAPEZKLooMe1N3QnlRNlOdcv:oZJeRm3zfUUlNAPzVlY5AMaoAL3Yv

Score

10^/10

amadey risepro 18befc c767c0 evasion persistence stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

4.20

Botnet

18befc

http://5.42.96.141

Attributes

install_dir
908f070dff
install_file
explorku.exe
strings_key
b25a9385246248a95c600f9a061438e1
url_paths
/go34ko8/index.php

rc4.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

risepro

147.45.47.126:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amers.exeaxplons.exe6b6f953361.exeaxplons.exeaxplons.exeaxplons.exe1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exeexplorku.exeexplorku.exeexplorku.exe84fd6b9a56.exeexplorku.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amers.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6b6f953361.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplons.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	84fd6b9a56.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorku.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amers.exeaxplons.exeaxplons.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exe84fd6b9a56.exe6b6f953361.exe1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exeexplorku.exeexplorku.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amers.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	84fd6b9a56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6b6f953361.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6b6f953361.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	84fd6b9a56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplons.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorku.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe

Executes dropped EXE 11 IoCs

Processes:

explorku.exeamers.exeaxplons.exe84fd6b9a56.exe6b6f953361.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exeaxplons.exeexplorku.exe

pid	process
540	explorku.exe
4432	amers.exe
3120	axplons.exe
3860	84fd6b9a56.exe
3596	6b6f953361.exe
2472	axplons.exe
1528	explorku.exe
4156	axplons.exe
5020	explorku.exe
2368	axplons.exe
632	explorku.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6b6f953361.exeaxplons.exeaxplons.exeaxplons.exeamers.exeaxplons.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	6b6f953361.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplons.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	amers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine	axplons.exe

Themida packer 49 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3988-2-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/3988-3-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/3988-1-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/3988-0-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/3988-5-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/3988-7-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/3988-6-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/3988-8-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/3988-4-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe	themida
behavioral2/memory/540-23-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/540-24-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/540-29-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/540-28-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/540-26-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/540-27-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/540-25-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/540-22-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/3988-21-0x0000000000B30000-0x0000000001075000-memory.dmp	themida
behavioral2/memory/540-30-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000014001\84fd6b9a56.exe	themida
behavioral2/memory/3860-82-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/3860-83-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/3860-86-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/3860-85-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/3860-84-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/3860-87-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/3860-88-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/3860-89-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/3860-90-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/540-105-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/3860-110-0x0000000000A30000-0x00000000010AA000-memory.dmp	themida
behavioral2/memory/1528-118-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/1528-117-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/1528-116-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/1528-115-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/1528-119-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/1528-121-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/1528-120-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/1528-122-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/1528-125-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/5020-149-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/5020-151-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/5020-153-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/5020-150-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/5020-152-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/5020-148-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/5020-158-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida
behavioral2/memory/632-190-0x0000000000FA0000-0x00000000014E5000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorku.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\84fd6b9a56.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\84fd6b9a56.exe"	explorku.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorku.exeexplorku.exe1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exeexplorku.exe84fd6b9a56.exeexplorku.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	84fd6b9a56.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorku.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

amers.exeaxplons.exe6b6f953361.exeaxplons.exeaxplons.exeaxplons.exe

pid process

4432 amers.exe
3120 axplons.exe
3596 6b6f953361.exe
2472 axplons.exe
4156 axplons.exe
2368 axplons.exe

Drops file in Windows directory 2 IoCs

Processes:

1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exeamers.exe

description	ioc	process
File created	C:\Windows\Tasks\explorku.job	1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe
File created	C:\Windows\Tasks\axplons.job	amers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

amers.exeaxplons.exe6b6f953361.exeaxplons.exeaxplons.exeaxplons.exe

pid	process
4432	amers.exe
4432	amers.exe
3120	axplons.exe
3120	axplons.exe
3596	6b6f953361.exe
3596	6b6f953361.exe
2472	axplons.exe
2472	axplons.exe
4156	axplons.exe
4156	axplons.exe
2368	axplons.exe
2368	axplons.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exeexplorku.exeamers.exe

description	pid	process	target process
PID 3988 wrote to memory of 540	3988	1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe	explorku.exe
PID 3988 wrote to memory of 540	3988	1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe	explorku.exe
PID 3988 wrote to memory of 540	3988	1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe	explorku.exe
PID 540 wrote to memory of 1452	540	explorku.exe	explorku.exe
PID 540 wrote to memory of 1452	540	explorku.exe	explorku.exe
PID 540 wrote to memory of 1452	540	explorku.exe	explorku.exe
PID 540 wrote to memory of 4432	540	explorku.exe	amers.exe
PID 540 wrote to memory of 4432	540	explorku.exe	amers.exe
PID 540 wrote to memory of 4432	540	explorku.exe	amers.exe
PID 4432 wrote to memory of 3120	4432	amers.exe	axplons.exe
PID 4432 wrote to memory of 3120	4432	amers.exe	axplons.exe
PID 4432 wrote to memory of 3120	4432	amers.exe	axplons.exe
PID 540 wrote to memory of 3860	540	explorku.exe	84fd6b9a56.exe
PID 540 wrote to memory of 3860	540	explorku.exe	84fd6b9a56.exe
PID 540 wrote to memory of 3860	540	explorku.exe	84fd6b9a56.exe
PID 540 wrote to memory of 3596	540	explorku.exe	6b6f953361.exe
PID 540 wrote to memory of 3596	540	explorku.exe	6b6f953361.exe
PID 540 wrote to memory of 3596	540	explorku.exe	6b6f953361.exe

C:\Users\Admin\AppData\Local\Temp\1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe
"C:\Users\Admin\AppData\Local\Temp\1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"
3⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3120

C:\Users\Admin\AppData\Local\Temp\1000014001\84fd6b9a56.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\84fd6b9a56.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3860

C:\Users\Admin\1000017002\6b6f953361.exe
"C:\Users\Admin\1000017002\6b6f953361.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2472

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1528

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4156

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5020

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe
Filesize
1.9MB

MD5
5f89b335cf25eafade8f46f6c535513d

SHA1
c6c4449d042a2bbb7b96c0dc41053ed1cc7735d6

SHA256
30805c5e9564511d5f43aa4259460250e0f59e0a4823bc7fa6e18d1317e07f72

SHA512
ba239dab919153c5bc3f829d7682ef44cd6446f66591172c48cbc563a8c94ee85a585d5123ea42d556a6414caa0d8bf79f81804f0b7f032c599c7004954d662d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\84fd6b9a56.exe
Filesize
2.1MB

MD5
960147d6387efb8a493256195bf10c3b

SHA1
6f832a19ed46dd5810105083fabea9a90002adba

SHA256
e560df3beb2997f55a1071c65bebf3794b17084b4da4d065bccd6bad203171c9

SHA512
45d3c850f7a9a7daf2439aec67b63a0315954f3e650296c3ea0d306a2e72fe214482377e8facd8ef9a8090e597523c64f8d6ea65187c7327271fcfa656b277fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe
Filesize
1.7MB

MD5
93ce2f1033f7d26a12bdb0ae8f721d80

SHA1
c8aada969ad142a99e696416263e6fd4c28d3b58

SHA256
1ba832d06573b1784c09a0b65f23bf348d0beb4efe415053d23f58d687056481

SHA512
c420ec6f6be3226dc8bc4718c088c47be77de348ae1308049244f35ef8ff3aa96c7e0656ab6c5559d20c50ee8b4c861429b694a780ec6205f8b8edf5b5d8a5d9

Download Submit
memory/540-30-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-22-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-105-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-25-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-27-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-26-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-23-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-24-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-29-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/540-28-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/632-190-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-122-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-121-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-120-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-119-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-125-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-115-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-116-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-117-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/1528-118-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/2368-178-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2368-188-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2472-124-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/2472-113-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-126-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-139-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-128-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-130-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-133-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-136-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-142-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-63-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3120-109-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/3596-108-0x0000000000050000-0x0000000000524000-memory.dmp

Filesize
4.8MB

Download
memory/3596-107-0x0000000000050000-0x0000000000524000-memory.dmp

Filesize
4.8MB

Download
memory/3860-83-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-110-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-82-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-90-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-89-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-86-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-88-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-87-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-84-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-85-0x0000000000A30000-0x00000000010AA000-memory.dmp

Filesize
6.5MB

Download
memory/3988-6-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-7-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-5-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-2-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-8-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-4-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-21-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-0-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-1-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/3988-3-0x0000000000B30000-0x0000000001075000-memory.dmp

Filesize
5.3MB

Download
memory/4156-146-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/4156-156-0x0000000000840000-0x0000000000D14000-memory.dmp

Filesize
4.8MB

Download
memory/4432-62-0x0000000000550000-0x0000000000A24000-memory.dmp

Filesize
4.8MB

Download
memory/4432-49-0x00000000772F6000-0x00000000772F8000-memory.dmp

Filesize
8KB

Download
memory/4432-48-0x0000000000550000-0x0000000000A24000-memory.dmp

Filesize
4.8MB

Download
memory/5020-149-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/5020-148-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/5020-152-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/5020-158-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/5020-150-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/5020-153-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download
memory/5020-151-0x0000000000FA0000-0x00000000014E5000-memory.dmp

Filesize
5.3MB

Download