Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe

  • Size

    1.8MB

  • MD5

    0600379e0b43eca022435a1b6d2e9391

  • SHA1

    2dc38dd0d363b958f5fc959dca2b0a5cca79dbb5

  • SHA256

    2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4

  • SHA512

    2d9de6bace93d53cfbe3b79ac4312c829fc32f17dc9bc5a9f17d560e8848b607b5d5a7c2f446a576b2a7189105e42d469e85dd6a6672d436c82e3edd372a9545

  • SSDEEP

    49152:xWe+x52aAyz4uU++JkTGd+GSRwvwh1RLm:xV+SjuU++JWGoGxw3RLm

Score
10/10
amadeyrisepro0e674049e482evasionpersistencestealerthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Identifies Wine through registry keys 2 TTPs 10 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe
    "C:\Users\Admin\AppData\Local\Temp\2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4540
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:5000
        • C:\Users\Admin\1000004002\36d3fb4ee7.exe
          "C:\Users\Admin\1000004002\36d3fb4ee7.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3312
          • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
            "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:3496
        • C:\Users\Admin\AppData\Local\Temp\1000005001\6fecaa723a.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\6fecaa723a.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          PID:392
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4552
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4732
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4544
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1480
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1436
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:848

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\1000004002\36d3fb4ee7.exe
      Filesize

      1.8MB

      MD5

      fe4e61e13c0b9d8f179b18608530cc21

      SHA1

      fae41b564cca41ad4140584622fe23627944c24d

      SHA256

      35cadd2f3c589e6bc0dd06b1bb5ae9d62fa5d108142aa81006dae50b7945e25f

      SHA512

      68f8ba9f8e627099e6c2b4fbe0ba3edee11a240a5c999cb7f17431354ade072dc32e9581c65d56a33f44fd790e5336d70107e42fc284d7f51315cad71f2b01ff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\1000005001\6fecaa723a.exe
      Filesize

      2.0MB

      MD5

      cea34b445e6306e6863c10100cc93948

      SHA1

      d64b6074cc20de96c2afc6f5071510ec55023a0f

      SHA256

      1dedd8a775a1fcaf26d8c1e1e4f2a6cba45809e2b5e36fbb0056f572ee04b286

      SHA512

      2a9cde8739c22afef43516c2a67e9c95646f813aaa36ffcca2548fa69baeacc0504e7659e0d20ef434413607061c4700680010bb1933ca2e4c3d7bb0bb40b594

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      Filesize

      1.8MB

      MD5

      0600379e0b43eca022435a1b6d2e9391

      SHA1

      2dc38dd0d363b958f5fc959dca2b0a5cca79dbb5

      SHA256

      2a297763a18a51c9d48e3deb80cffdafaa73f36f440b0d72f87d0eab364d2ec4

      SHA512

      2d9de6bace93d53cfbe3b79ac4312c829fc32f17dc9bc5a9f17d560e8848b607b5d5a7c2f446a576b2a7189105e42d469e85dd6a6672d436c82e3edd372a9545

      Download Submit
    • memory/60-118-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-133-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-101-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-91-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-18-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-90-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-19-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-21-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-107-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-80-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-130-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-143-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-127-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-124-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-104-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-92-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-95-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-98-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-20-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/60-121-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/392-73-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/392-77-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/392-79-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/392-78-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/392-75-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/392-72-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/392-89-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/392-76-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/392-74-0x0000000000AD0000-0x000000000112F000-memory.dmp
      Filesize

      6.4MB

      Download
    • memory/848-137-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/848-140-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/1436-136-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1436-139-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1480-111-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/1480-114-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/3312-68-0x0000000000E00000-0x00000000012CC000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3312-40-0x0000000000E00000-0x00000000012CC000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3312-39-0x0000000000E00000-0x00000000012CC000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-122-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-96-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-69-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-125-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-99-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-141-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-93-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-131-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-116-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-102-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-119-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-128-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-88-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/3496-105-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4540-1-0x0000000077CF4000-0x0000000077CF6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/4540-0-0x0000000000FE0000-0x000000000148C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4540-17-0x0000000000FE0000-0x000000000148C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4540-5-0x0000000000FE0000-0x000000000148C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4540-3-0x0000000000FE0000-0x000000000148C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4540-2-0x0000000000FE1000-0x000000000100F000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4544-115-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4544-110-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4552-84-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4552-86-0x0000000000890000-0x0000000000D5C000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/4732-83-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4732-87-0x0000000000F90000-0x000000000143C000-memory.dmp
      Filesize

      4.7MB

      Download