Analysis
-
max time kernel
143s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
25-05-2024 01:23
General
-
Target
d976872ec1c5e744ee984b6889240c57c9461c6dba5edaacade16add2f38babd.exe
-
Size
1.8MB
-
MD5
c9415b76faae8ce45f4f2a71ce5cba5c
-
SHA1
9a0e33247cfb000ee364f269d06a6751fb119ec7
-
SHA256
d976872ec1c5e744ee984b6889240c57c9461c6dba5edaacade16add2f38babd
-
SHA512
6af9829a845d3a7964c42da11296b02ebbd476efebd5fd9d7707c9a1caf2fe74ba2c68958e46bd0eb1370d5b369c66f31ce1cbcb013053bbc91d3847fa71a7cb
-
SSDEEP
49152:CTI3vWOMCi1mkgnYkacgtKXlrvGb65avF5a5:CWmCi1mkgYka76lrvGia/a5
Score
10/10
Malware Config
Extracted
Family
amadey
Version
4.21
Botnet
0e6740
C2
http://147.45.47.155
Attributes
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
rc4.plain
Extracted
Family
amadey
Version
4.21
Botnet
49e482
C2
http://147.45.47.70
Attributes
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
rc4.plain
Extracted
Family
risepro
C2
147.45.47.126:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d976872ec1c5e744ee984b6889240c57c9461c6dba5edaacade16add2f38babd.exe"C:\Users\Admin\AppData\Local\Temp\d976872ec1c5e744ee984b6889240c57c9461c6dba5edaacade16add2f38babd.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
C:\Users\Admin\1000004002\050eceb111.exe"C:\Users\Admin\1000004002\050eceb111.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000005001\aea588a890.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\aea588a890.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\1000004002\050eceb111.exeFilesize
1.8MB
MD557c7215a1a2ef3e9a1bc2a764bffeaf5
SHA152d29aaa290d1f57c4cbc3e788e9e41215c5e393
SHA25683e53f1d7c790b7c645177db24ecf2a28c57cd54ac8221dcd04fd9086df7ec83
SHA512cb3ce1ed65133671cc7f995206149bdd6ba4c00bc909c82e4b5d40fc71e9b3533b6baa275d61cd478d7ea50bba826092de88337a07f9b4caf19c33d73ba6d265
-
C:\Users\Admin\AppData\Local\Temp\1000005001\aea588a890.exeFilesize
2.1MB
MD5323c10e3acd47931d320f87ab1d9664b
SHA1bb61e97738a68212141b341795db55624ea7b005
SHA256525dcc914385956fbdeb3ce0a6af0d67ef59f95822737bcb51a0b81f6674e8c0
SHA51276937c4d1ff12a69cf3c44938c7095dc334b803fb375a91aa11c992a00ac852278f59e725ca68d0c2d876912882e04a10266e58d5fd790ec5d161186ea1d3dd2
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeFilesize
1.8MB
MD5c9415b76faae8ce45f4f2a71ce5cba5c
SHA19a0e33247cfb000ee364f269d06a6751fb119ec7
SHA256d976872ec1c5e744ee984b6889240c57c9461c6dba5edaacade16add2f38babd
SHA5126af9829a845d3a7964c42da11296b02ebbd476efebd5fd9d7707c9a1caf2fe74ba2c68958e46bd0eb1370d5b369c66f31ce1cbcb013053bbc91d3847fa71a7cb
-
memory/368-77-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/368-79-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/368-84-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/368-80-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/368-78-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/368-74-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/368-76-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/368-75-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/368-73-0x0000000000690000-0x0000000000D08000-memory.dmpFilesize
6.5MB
-
memory/1396-102-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/1396-105-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2244-39-0x0000000000E60000-0x0000000001313000-memory.dmpFilesize
4.7MB
-
memory/2244-51-0x0000000000E60000-0x0000000001313000-memory.dmpFilesize
4.7MB
-
memory/2268-90-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-121-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-137-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-21-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-20-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-19-0x0000000000531000-0x000000000055F000-memory.dmpFilesize
184KB
-
memory/2268-18-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-134-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-131-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-81-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-82-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-106-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-72-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-85-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-86-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-87-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-118-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-115-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-112-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-93-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-109-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2268-96-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/2880-103-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/2880-101-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/3100-3-0x00000000002C0000-0x0000000000777000-memory.dmpFilesize
4.7MB
-
memory/3100-0-0x00000000002C0000-0x0000000000777000-memory.dmpFilesize
4.7MB
-
memory/3100-1-0x0000000077334000-0x0000000077336000-memory.dmpFilesize
8KB
-
memory/3100-17-0x00000000002C0000-0x0000000000777000-memory.dmpFilesize
4.7MB
-
memory/3100-5-0x00000000002C0000-0x0000000000777000-memory.dmpFilesize
4.7MB
-
memory/3100-2-0x00000000002C1000-0x00000000002EF000-memory.dmpFilesize
184KB
-
memory/3480-130-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/3480-126-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-110-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-94-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-116-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-88-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-119-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-83-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-122-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-53-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-91-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-135-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-113-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-107-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-132-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4780-97-0x00000000006A0000-0x0000000000B53000-memory.dmpFilesize
4.7MB
-
memory/4916-128-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB
-
memory/4916-127-0x0000000000530000-0x00000000009E7000-memory.dmpFilesize
4.7MB