Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
25-05-2024 05:10
General
-
Target
0eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162.exe
-
Size
1.8MB
-
MD5
960e350d0826e0dfb4deb06203ef9de8
-
SHA1
c90314ec63d474ef31db8a3abf1223d313c04006
-
SHA256
0eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162
-
SHA512
6ac6eaedf1708f2473578c8159c5fbd265aaefb9bf926d21b2d863f167de6cb0826290d60e1319dbfda9912bf54d15af2792c862eff2da9673266871b39bcb10
-
SSDEEP
24576:GWPnMx2UWGW+Y9EFtGJYZGqBY5cQjuvybL0y9lVdSYIUHQHTYJvwIB525ezYBqP2:5PnMxhWGAjy7Y3jua30SlG9EOIttP
Score
10/10
Malware Config
Extracted
Family
amadey
Version
4.21
Botnet
0e6740
C2
http://147.45.47.155
Attributes
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
rc4.plain
Extracted
Family
risepro
C2
147.45.47.126:58709
Extracted
Family
amadey
Version
4.21
Botnet
49e482
C2
http://147.45.47.70
Attributes
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
rc4.plain
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162.exe"C:\Users\Admin\AppData\Local\Temp\0eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
C:\Users\Admin\1000004002\8bfe1ebe86.exe"C:\Users\Admin\1000004002\8bfe1ebe86.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000005001\dac34d87f9.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\dac34d87f9.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\1000004002\8bfe1ebe86.exeFilesize
1.8MB
MD58ceb952cf1466064ce6bc52aaeecd274
SHA1ef92e3336cb30fdd8f1d8256b9fa2eb50ef2f61f
SHA25601c5e8e80a8a4086c91cad427ef82bddacb069e24e59beea3acc5f7ed4be6b3b
SHA5125e7ed2a7ec226e70cb85374111a86f2dd07eb3662305798e9f32296f0270d7437237f003c687b1c0b56c022d6b25802580f6c7f8777b892ba5aeb7561da913ad
-
C:\Users\Admin\AppData\Local\Temp\1000005001\dac34d87f9.exeFilesize
2.2MB
MD5db67279a0f4c9c6149b79698a37bd62b
SHA1d4edd977d6145b4869402a27b2a0b288cc6b8ecc
SHA25636eb5ff6d300a523026286bdb1364302f358f1195571b4a76b5c884686c106fe
SHA512bc54c433a42ce905f7f701a632d6135fe5367f725a57109db1e9c413b3a2baf04c1ee3b5037c3c213754e55a6383a88013587345bcb992bc890f5cd554c71f7a
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeFilesize
1.8MB
MD5960e350d0826e0dfb4deb06203ef9de8
SHA1c90314ec63d474ef31db8a3abf1223d313c04006
SHA2560eb659a4d6ae1274cccbd2857f08c85951265764685c5dbd946729682896e162
SHA5126ac6eaedf1708f2473578c8159c5fbd265aaefb9bf926d21b2d863f167de6cb0826290d60e1319dbfda9912bf54d15af2792c862eff2da9673266871b39bcb10
-
memory/520-124-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/520-122-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/1380-87-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-128-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-107-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-116-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-110-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-134-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-131-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-104-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-113-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-119-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-79-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-91-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-95-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1380-92-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1384-100-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1384-98-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/1920-78-0x0000000000FB0000-0x0000000001457000-memory.dmpFilesize
4.7MB
-
memory/1920-42-0x0000000000FB0000-0x0000000001457000-memory.dmpFilesize
4.7MB
-
memory/2240-123-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/2240-125-0x00000000001C0000-0x0000000000667000-memory.dmpFilesize
4.7MB
-
memory/2548-20-0x0000000000490000-0x0000000000943000-memory.dmpFilesize
4.7MB
-
memory/2548-8-0x0000000000490000-0x0000000000943000-memory.dmpFilesize
4.7MB
-
memory/2548-6-0x0000000000490000-0x0000000000943000-memory.dmpFilesize
4.7MB
-
memory/2548-5-0x0000000000490000-0x0000000000943000-memory.dmpFilesize
4.7MB
-
memory/2548-4-0x0000000000490000-0x0000000000943000-memory.dmpFilesize
4.7MB
-
memory/2548-0-0x0000000000490000-0x0000000000943000-memory.dmpFilesize
4.7MB
-
memory/2548-3-0x0000000000490000-0x0000000000943000-memory.dmpFilesize
4.7MB
-
memory/2548-2-0x0000000000491000-0x00000000004BF000-memory.dmpFilesize
184KB
-
memory/2548-1-0x0000000077554000-0x0000000077556000-memory.dmpFilesize
8KB
-
memory/3500-101-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3500-99-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-85-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-24-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-89-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-88-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-132-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-84-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-21-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-102-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-22-0x0000000000741000-0x000000000076F000-memory.dmpFilesize
184KB
-
memory/3712-105-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-129-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-108-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-23-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-111-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-126-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-114-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-93-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-117-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-62-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/3712-70-0x0000000000740000-0x0000000000BF3000-memory.dmpFilesize
4.7MB
-
memory/4916-76-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB
-
memory/4916-77-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB
-
memory/4916-75-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB
-
memory/4916-74-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB
-
memory/4916-80-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB
-
memory/4916-83-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB
-
memory/4916-81-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB
-
memory/4916-82-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB
-
memory/4916-86-0x0000000000770000-0x0000000000DF5000-memory.dmpFilesize
6.5MB