Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 00:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0deaf5eda6a1895787e1231c8c173964eeaf01d6c75c3cbb0271437f7e3c106d.exe

  • Size

    1.8MB

  • MD5

    ee9644154c6741a3daefcaf68ad8b89f

  • SHA1

    32cecf28a7cea80dacdf713f59b75f1c72019c04

  • SHA256

    0deaf5eda6a1895787e1231c8c173964eeaf01d6c75c3cbb0271437f7e3c106d

  • SHA512

    43b2fa09bb33e6707e217d2d9e73f6020b549f13a1b3ea40b9f74b1acec0cb313a77f7edb405ac72f4d128e28e33a918dbcded8b350c9fb96046ba241a80a853

  • SSDEEP

    49152:zT8TKaZM2Kw6O7WZztSOoqJ3VidGTh6g0B00UT+oJbOzA:Er5KQWDi6MgRd+oJC0

Score
10/10
amadeyrisepro0e674049e482evasionpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 10 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0deaf5eda6a1895787e1231c8c173964eeaf01d6c75c3cbb0271437f7e3c106d.exe
    "C:\Users\Admin\AppData\Local\Temp\0deaf5eda6a1895787e1231c8c173964eeaf01d6c75c3cbb0271437f7e3c106d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:1808
        • C:\Users\Admin\1000004002\50f748d7c5.exe
          "C:\Users\Admin\1000004002\50f748d7c5.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4252
          • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
            "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1040
        • C:\Users\Admin\AppData\Local\Temp\1000005001\533e673a8b.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\533e673a8b.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:2460
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:116
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2180
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:5020
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2192
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:5020
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2652

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\1000004002\50f748d7c5.exe
      Filesize

      1.9MB

      MD5

      8770844d27273e43452b451440790fce

      SHA1

      2e111edbdb49266f51503c02e172011724faba4c

      SHA256

      2e755d6122d46f6bcf56eff18f03a9d58354b3ce92b28b0b6c4c533d46afd358

      SHA512

      afd9be819c40bef746f64ec0141e7f132b497e95a2b95ae97218574b7dfc5e991196143560ace13585936b49cf511ce10908d5ea17fb802f6783dd728df0dac2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\1000005001\533e673a8b.exe
      Filesize

      2.1MB

      MD5

      98660f47b96363c7daa37d827599c91a

      SHA1

      7cc750a98d315f8a655f0a52e61224f51ccecbb8

      SHA256

      b6979caab5615f99852bb6c7d9cf0fd8262c0e2d98660cbbe313fc359ada43b4

      SHA512

      6fc48643e5bd814811e1c0033a8ee9a658b9cf1a418c776e0a261889e2fe0d186e37751006badd9d652333d13208f290752810e247763acb2570d3ad9643d9d5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      Filesize

      1.8MB

      MD5

      ee9644154c6741a3daefcaf68ad8b89f

      SHA1

      32cecf28a7cea80dacdf713f59b75f1c72019c04

      SHA256

      0deaf5eda6a1895787e1231c8c173964eeaf01d6c75c3cbb0271437f7e3c106d

      SHA512

      43b2fa09bb33e6707e217d2d9e73f6020b549f13a1b3ea40b9f74b1acec0cb313a77f7edb405ac72f4d128e28e33a918dbcded8b350c9fb96046ba241a80a853

      Download Submit
    • memory/116-86-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/116-85-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-118-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-103-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-16-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-19-0x0000000000FA1000-0x0000000000FCF000-memory.dmp
      Filesize

      184KB

      Download
    • memory/856-20-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-21-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-124-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-127-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-115-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-107-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-130-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-121-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-101-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-98-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-95-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-92-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-91-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-90-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-139-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-80-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/856-83-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-113-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-128-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-51-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-116-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-88-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-137-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-119-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-122-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-105-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-93-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-125-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-96-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-102-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1040-99-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2004-2-0x00000000005C1000-0x00000000005EF000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2004-5-0x00000000005C0000-0x0000000000A85000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2004-17-0x00000000005C0000-0x0000000000A85000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2004-3-0x00000000005C0000-0x0000000000A85000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2004-0-0x00000000005C0000-0x0000000000A85000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2004-1-0x0000000077294000-0x0000000077296000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2180-84-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2180-87-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2192-110-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2192-112-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2460-76-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2460-74-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2460-79-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2460-72-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2460-78-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2460-75-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2460-77-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2460-89-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2460-73-0x0000000000350000-0x00000000009C1000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/2652-134-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/2652-136-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4252-39-0x00000000004B0000-0x0000000000985000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4252-53-0x00000000004B0000-0x0000000000985000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/5020-111-0x0000000000FA0000-0x0000000001465000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/5020-133-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/5020-135-0x0000000000A50000-0x0000000000F25000-memory.dmp
      Filesize

      4.8MB

      Download