Analysis
-
max time kernel
144s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
21-05-2024 05:17
General
-
Target
03b054227a8f087a0b939c8f88d9ab8c11ef6634db7167be7bb07d78808f1e57_NeikiAnalytics.exe
-
Size
1.7MB
-
MD5
b74e25bfe1ef2b74dea5d8955d654c20
-
SHA1
a32dc324923d256dbfbf7cfb222862d42f7248d2
-
SHA256
03b054227a8f087a0b939c8f88d9ab8c11ef6634db7167be7bb07d78808f1e57
-
SHA512
4b140ff1bb6aa3d484f321d9713889a1cdd5cd3cbe3b9b10acacb9bf98348a11dbe2b54f2023f6e5b3fd051e9b5bbcf6f72b7b1b2a2bb9434e601aceb0eb4043
-
SSDEEP
49152:LjA8ggSDcajICf3Ckh7lzBmwrqNGOHWG/gQtHyftAmYirEI5:Lc8h6Zh7Xmwr+HboQtSlAmYIX
Score
10/10
Malware Config
Extracted
Family
amadey
Version
4.20
Botnet
18befc
C2
http://5.42.96.141
Attributes
-
install_dir
908f070dff
-
install_file
explorku.exe
-
strings_key
b25a9385246248a95c600f9a061438e1
-
url_paths
/go34ko8/index.php
rc4.plain
Extracted
Family
risepro
C2
147.45.47.126:58709
Extracted
Family
amadey
Version
4.20
Botnet
c767c0
C2
http://5.42.96.7
Attributes
-
install_dir
7af68cdb52
-
install_file
axplons.exe
-
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
-
url_paths
/zamo7h/index.php
rc4.plain
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 44 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\03b054227a8f087a0b939c8f88d9ab8c11ef6634db7167be7bb07d78808f1e57_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\03b054227a8f087a0b939c8f88d9ab8c11ef6634db7167be7bb07d78808f1e57_NeikiAnalytics.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000014001\249ef1a66c.exe"C:\Users\Admin\AppData\Local\Temp\1000014001\249ef1a66c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\1000017002\4ae841cec2.exe"C:\Users\Admin\1000017002\4ae841cec2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exeC:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeC:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000013001\amers.exeFilesize
1.8MB
MD564ef9db2e99a81627ad6c0a0b1b08edc
SHA13990546b6a2a3469484b6272acc5a15db71566c7
SHA2562048e8ec13c962b62b65a68009b0a193f15c79836cfde6eee1599b670cd04936
SHA5123a64aece886da3a9e511f0f244e48d017f5262a455bf4f30886b817a653e6b0df1f541bce573405384dd62203dd7e2cd81c26fb72226ccc77a8fb7fc3c8b1e63
-
C:\Users\Admin\AppData\Local\Temp\1000014001\249ef1a66c.exeFilesize
2.3MB
MD531797d50301d1482d6c578c514c692c9
SHA1a63fdcc4d7fff1e890ca147c0ae645e8de58f91a
SHA256d4441dd27d9112a39817fe23d183b494a66df4189e2be10f9b3b801d3002ab4f
SHA5122958616d2c4203251b3b69d3bd299092007a0ef9e8837a8f37d31486097e264bb7e0376d674277a7ad79cadb59c1e63f1a80058f13333658138e68012d713086
-
C:\Users\Admin\AppData\Local\Temp\908f070dff\explorku.exeFilesize
1.7MB
MD5b74e25bfe1ef2b74dea5d8955d654c20
SHA1a32dc324923d256dbfbf7cfb222862d42f7248d2
SHA25603b054227a8f087a0b939c8f88d9ab8c11ef6634db7167be7bb07d78808f1e57
SHA5124b140ff1bb6aa3d484f321d9713889a1cdd5cd3cbe3b9b10acacb9bf98348a11dbe2b54f2023f6e5b3fd051e9b5bbcf6f72b7b1b2a2bb9434e601aceb0eb4043
-
memory/1828-92-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-156-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-22-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-24-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-25-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-23-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-28-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-26-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-27-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-29-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1828-30-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-81-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-83-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-77-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-95-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-91-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-80-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-79-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-82-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/1952-78-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/2264-0-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-2-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-21-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-6-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-3-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-4-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-8-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-1-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-7-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/2264-5-0x0000000000340000-0x0000000000891000-memory.dmpFilesize
5.3MB
-
memory/3244-185-0x00000000009F0000-0x0000000000E9A000-memory.dmpFilesize
4.7MB
-
memory/3244-173-0x00000000009F0000-0x0000000000E9A000-memory.dmpFilesize
4.7MB
-
memory/3412-108-0x00000000009F0000-0x0000000000E9A000-memory.dmpFilesize
4.7MB
-
memory/3412-164-0x00000000009F0000-0x0000000000E9A000-memory.dmpFilesize
4.7MB
-
memory/3640-205-0x00000000009F0000-0x0000000000E9A000-memory.dmpFilesize
4.7MB
-
memory/3640-219-0x00000000009F0000-0x0000000000E9A000-memory.dmpFilesize
4.7MB
-
memory/4188-208-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/4188-217-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/4432-37-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/4432-42-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-55-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-54-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-53-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-61-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-63-0x0000000077AF4000-0x0000000077AF6000-memory.dmpFilesize
8KB
-
memory/4432-57-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-67-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-66-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-65-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-64-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-62-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-58-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-59-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-60-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-48-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-49-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-51-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-52-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-33-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-40-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-41-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-56-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-36-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-43-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-45-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-38-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-39-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-44-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-50-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-47-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-160-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4432-46-0x0000000000400000-0x00000000009EA000-memory.dmpFilesize
5.9MB
-
memory/4500-183-0x0000000000A60000-0x0000000000FB1000-memory.dmpFilesize
5.3MB
-
memory/4788-133-0x0000000000070000-0x0000000000714000-memory.dmpFilesize
6.6MB
-
memory/4788-129-0x0000000000070000-0x0000000000714000-memory.dmpFilesize
6.6MB
-
memory/4788-131-0x0000000000070000-0x0000000000714000-memory.dmpFilesize
6.6MB
-
memory/4788-132-0x0000000000070000-0x0000000000714000-memory.dmpFilesize
6.6MB
-
memory/4788-165-0x0000000000070000-0x0000000000714000-memory.dmpFilesize
6.6MB
-
memory/4788-134-0x0000000000070000-0x0000000000714000-memory.dmpFilesize
6.6MB
-
memory/4788-130-0x0000000000070000-0x0000000000714000-memory.dmpFilesize
6.6MB
-
memory/4788-128-0x0000000000070000-0x0000000000714000-memory.dmpFilesize
6.6MB
-
memory/4928-107-0x00000000008B0000-0x0000000000D5A000-memory.dmpFilesize
4.7MB
-
memory/4928-93-0x00000000008B0000-0x0000000000D5A000-memory.dmpFilesize
4.7MB
-
memory/4936-153-0x0000000000CB0000-0x000000000115A000-memory.dmpFilesize
4.7MB
-
memory/4936-155-0x0000000000CB0000-0x000000000115A000-memory.dmpFilesize
4.7MB