Analysis

  • max time kernel
    147s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-05-2024 20:14

General

  • Target

    451be1c8e503a768b9ea4056432997a15beab289ce5efea503ae7f3a25092138.exe

  • Size

    1.8MB

  • MD5

    d35b7e8d7b6b81f6eaf131b148b52c13

  • SHA1

    a3863491e0c24ff8901f5f97c223b800d2f27db9

  • SHA256

    451be1c8e503a768b9ea4056432997a15beab289ce5efea503ae7f3a25092138

  • SHA512

    409a63f240be852c1883c52aee153accc2239719e38fb623ee70b10d2aed40b7fc835e72591ed24f3571b3ea70282a41886932796e5a1230443a45e81dbc0590

  • SSDEEP

    24576:RGN0VnevFQCXB+KopOeit89NJppXje51h8Z2bcXseZaUR/CB89LDtrIo584tpXCd:tle9Qg+K+O989NzU51aseZaSC6XxHXd

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

C2

http://147.45.47.155

Attributes
  • install_dir

    9217037dc9

  • install_file

    explortu.exe

  • strings_key

    8e894a8a4a3d0da8924003a561cfb244

  • url_paths

    /ku4Nor9/index.php

rc4.plain

Extracted

Family

amadey

Version

4.21

Botnet

49e482

C2

http://147.45.47.70

Attributes
  • install_dir

    1b29d73536

  • install_file

    axplont.exe

  • strings_key

    4d31dd1a190d9879c21fac6d87dc0043

  • url_paths

    /tr8nomy/index.php

rc4.plain

Extracted

Family

risepro

C2

147.45.47.126:58709
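Added example (not code from the sandbox report or from the Amadey code base): how the strings_key shown in the extracted configs is used. Amadey 4.x keeps its strings RC4-encrypted and hex-encoded; this script assumes the strings_key of the first config (botnet 0e6740) is used as the raw ASCII bytes of the RC4 key, and the ciphertext it decrypts is constructed here by encrypting a value from the same config, not recovered from the sample. The RC4 routine is checked against the public "Key"/"Plaintext" test vector so a wrong implementation cannot masquerade as a wrong key.

```python
"""Decrypt Amadey-style RC4 + hex strings with an extracted strings_key.

Added example, not part of the sandbox report or of Amadey itself.
Assumptions: strings are RC4-encrypted then hex-encoded, and the reported
strings_key is used as the raw ASCII bytes of the RC4 key. The sample
blob is constructed below by encrypting a known value with that key.
"""
from __future__ import annotations

# strings_key of the first extracted Amadey config (botnet 0e6740)
STRINGS_KEY = b"8e894a8a4a3d0da8924003a561cfb244"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_amadey_string(hex_blob: str, key: bytes = STRINGS_KEY) -> str:
    """Hex-decode one string blob, RC4-decrypt it and return it as text.

    latin-1 never raises, so a wrong key yields garbage instead of an
    exception; run looks_decrypted() on the result before trusting it.
    """
    return rc4(key, bytes.fromhex(hex_blob)).decode("latin-1")


def encrypt_amadey_string(plain: str, key: bytes = STRINGS_KEY) -> str:
    """Inverse helper, used only to construct sample ciphertext offline."""
    return rc4(key, plain.encode("latin-1")).hex()


def looks_decrypted(text: str) -> bool:
    """Cheap plausibility check: Amadey config strings are printable ASCII."""
    return bool(text) and all(0x20 <= ord(c) < 0x7F for c in text)


if __name__ == "__main__":
    # Constructed sample: the url_path of the same config, encrypted here.
    sample = encrypt_amadey_string("/ku4Nor9/index.php")
    print("hex blob :", sample)
    print("decrypted:", decrypt_amadey_string(sample))
    # Using the second config's strings_key on this blob gives garbage.
    wrong = decrypt_amadey_string(sample, b"4d31dd1a190d9879c21fac6d87dc0043")
    print("wrong key plausible?", looks_decrypted(wrong))
```

When carving strings from a memory dump of one of the processes above, try each of the two strings_key values; the one that yields printable URL paths and file names (such as the url_paths and install_file values in the configs) is the key for that Amadey instance.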

Signatures

  • Amadey

    Amadey is a simple trojan bot primarily used for collecting reconnaissance information; in this run it also downloads and executes further payloads (see Processes and Downloads below).

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 11 IoCs]
  • Downloads MZ/PE file
  • Checks BIOS information in registry [2 TTPs, 22 IoCs]

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings [2 TTPs, 3 IoCs]

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE [10 IoCs]
  • Identifies Wine through registry keys [2 TTPs, 11 IoCs]

    Wine is a compatibility layer capable of running Windows applications, and is sometimes used as a sandboxing environment.

  • Adds Run key to start application [2 TTPs, 1 IoC]
  • Suspicious use of NtSetInformationThreadHideFromDebugger [11 IoCs]
  • Drops file in Windows directory [2 IoCs]
  • Enumerates physical storage devices [1 TTP]

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses [22 IoCs]
  • Suspicious use of WriteProcessMemory [15 IoCs]

Processes

  • C:\Users\Admin\AppData\Local\Temp\451be1c8e503a768b9ea4056432997a15beab289ce5efea503ae7f3a25092138.exe
    "C:\Users\Admin\AppData\Local\Temp\451be1c8e503a768b9ea4056432997a15beab289ce5efea503ae7f3a25092138.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
        "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
        3⤵
          PID:3628
        • C:\Users\Admin\1000004002\fa7bfe84b4.exe
          "C:\Users\Admin\1000004002\fa7bfe84b4.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3748
          • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
            "C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"
            4⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:636
        • C:\Users\Admin\AppData\Local\Temp\1000005001\5870fc4af7.exe
          "C:\Users\Admin\AppData\Local\Temp\1000005001\5870fc4af7.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:3108
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3448
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4752
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3720
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1468
    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4888
    • C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3400
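Added example (not code from the sandbox report): turning the extracted configs into network and host IOCs, checking them against the process tree above, and running them over proxy log lines. The config values and process image paths are copied from this report; the proxy log lines are constructed for the demo. It assumes Amadey contacts its C2 at <C2><url_path> and installs its copy under C:\Users\<user>\AppData\Local\Temp\<install_dir>\<install_file>, which is exactly where explortu.exe and axplont.exe appear in the tree.

```python
"""Config-derived IOCs for the Amadey/RisePro chain in this report.

Added example, not part of the sandbox report. Config values and process
paths come from the report; SAMPLE_PROXY_LOG is constructed here.
Assumptions: Amadey C2 URL = C2 + url_path; installed copy lives at
C:\\Users\\<user>\\AppData\\Local\\Temp\\<install_dir>\\<install_file>.
"""
from __future__ import annotations

import ntpath
from urllib.parse import urlparse

CONFIGS = [
    {"family": "amadey", "botnet": "0e6740", "c2": "http://147.45.47.155",
     "install_dir": "9217037dc9", "install_file": "explortu.exe",
     "url_paths": ["/ku4Nor9/index.php"]},
    {"family": "amadey", "botnet": "49e482", "c2": "http://147.45.47.70",
     "install_dir": "1b29d73536", "install_file": "axplont.exe",
     "url_paths": ["/tr8nomy/index.php"]},
    {"family": "risepro", "c2": "147.45.47.126:58709"},
]

# Process image paths from the Processes section (sandbox user "Admin").
OBSERVED_PROCESSES = [
    r"C:\Users\Admin\AppData\Local\Temp\451be1c8e503a768b9ea4056432997a15beab289ce5efea503ae7f3a25092138.exe",
    r"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe",
    r"C:\Users\Admin\1000004002\fa7bfe84b4.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe",
    r"C:\Users\Admin\AppData\Local\Temp\1000005001\5870fc4af7.exe",
]

# Constructed proxy log (not from the report): "client method target status".
SAMPLE_PROXY_LOG = """\
10.0.0.15 POST http://147.45.47.155/ku4Nor9/index.php 200
10.0.0.15 GET http://example.com/index.php 200
10.0.0.22 POST http://147.45.47.70/tr8nomy/index.php 200
10.0.0.22 CONNECT 147.45.47.126:58709 200
10.0.0.31 GET http://147.45.47.155/ 404
"""


def network_iocs(configs: list[dict]) -> dict[str, set[str]]:
    """Exact C2 URLs plus bare hosts and host:port pairs to block/alert on."""
    urls, hosts = set(), set()
    for cfg in configs:
        if cfg["family"] == "amadey":
            for path in cfg["url_paths"]:
                urls.add(cfg["c2"].rstrip("/") + path)
            hosts.add(urlparse(cfg["c2"]).hostname)
        else:  # risepro: plain host:port, no scheme
            hosts.add(cfg["c2"])
            hosts.add(cfg["c2"].split(":")[0])
    return {"urls": urls, "hosts": hosts}


def expected_install_paths(configs: list[dict], user: str = "Admin") -> set[str]:
    """Where an installed Amadey copy is expected on disk for a given user."""
    base = ntpath.join("C:\\Users", user, "AppData", "Local", "Temp")
    return {ntpath.join(base, c["install_dir"], c["install_file"])
            for c in configs if c["family"] == "amadey"}


def installed_copies(configs: list[dict], processes: list[str]) -> set[str]:
    """Observed process paths that match a config-derived install path."""
    want = {p.lower() for p in expected_install_paths(configs)}
    return {p for p in processes if p.lower() in want}


def match_proxy_log(configs: list[dict], log: str) -> list[tuple[str, str, str]]:
    """Return (client, match_kind, ioc) for every log line that hits a C2."""
    iocs = network_iocs(configs)
    hits = []
    for line in log.splitlines():
        client, _method, target, _status = line.split()
        if target in iocs["urls"]:
            hits.append((client, "url", target))
            continue
        if "://" in target:  # full URL: fall back to the host part
            host = urlparse(target).hostname
            if host in iocs["hosts"]:
                hits.append((client, "host", host))
        elif target in iocs["hosts"]:  # CONNECT host:port
            hits.append((client, "host:port", target))
    return hits


if __name__ == "__main__":
    for kind, values in network_iocs(CONFIGS).items():
        print(kind, sorted(values))
    print("installed copies seen:", sorted(installed_copies(CONFIGS, OBSERVED_PROCESSES)))
    for hit in match_proxy_log(CONFIGS, SAMPLE_PROXY_LOG):
        print("C2 hit:", hit)
```

The host-level fallback matters in practice: the last log line is a request to the Amadey C2 host without the configured path, which an exact-URL rule would miss, and the RisePro C2 is a raw host:port with no HTTP path at all.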

    MITRE ATT&CK Matrix (ATT&CK v13)

    Tactic, then technique (ATT&CK ID): number of matching signatures.

    • Persistence
      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
    • Privilege Escalation
      Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
    • Defense Evasion
      Virtualization/Sandbox Evasion (T1497): 2
      Modify Registry (T1112): 1
    • Discovery
      Query Registry (T1012): 4
      Virtualization/Sandbox Evasion (T1497): 2
      System Information Discovery (T1082): 3


    Downloads

    • C:\Users\Admin\1000004002\fa7bfe84b4.exe
      Filesize

      1.8MB

      MD5

      b868254534dd8f6d00af889afd536d2e

      SHA1

      ba9e400580c8ee869f057b71a5a39a2d2d52fe94

      SHA256

      89f74508e812f6f5890128bacb1b90063a0384618b29285519632c8f87bf51be

      SHA512

      0a2405905487a118bed25af153fff7a7806abca5f9574d202e8827287ec331e68515d1cea782c83175c56a333bda5924230e429dd7cbe15d083dab39c93d4e42

    • C:\Users\Admin\AppData\Local\Temp\1000005001\5870fc4af7.exe
      Filesize

      2.4MB

      MD5

      dad715e1489cf8a475ff58c7687fe0b9

      SHA1

      888f4294e971cc3d8464ad00a4ead42d13f1a6c3

      SHA256

      8e6ade8a2a316fdc0daf5d8157f18ff371d20cdc0a6aca34208bb76a30233499

      SHA512

      e528a3496bc647ca813dcffcce97164081c73466f0069b62c1442cc1f44543f9064ab8d4ed60d12ac96b2d8aec73d759e68d6767c02b56393c0ba0a7922e6e0c

    • C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
      Filesize

      1.8MB

      MD5

      d35b7e8d7b6b81f6eaf131b148b52c13

      SHA1

      a3863491e0c24ff8901f5f97c223b800d2f27db9

      SHA256

      451be1c8e503a768b9ea4056432997a15beab289ce5efea503ae7f3a25092138

      SHA512

      409a63f240be852c1883c52aee153accc2239719e38fb623ee70b10d2aed40b7fc835e72591ed24f3571b3ea70282a41886932796e5a1230443a45e81dbc0590

    • memory/636-74-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-52-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-88-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-90-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-127-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-124-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-121-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-118-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-93-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-115-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-112-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-96-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-99-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-102-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/636-86-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/1468-107-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/1468-109-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/1920-1-0x0000000077184000-0x0000000077186000-memory.dmp
      Filesize

      8KB

    • memory/1920-5-0x0000000000560000-0x0000000000A22000-memory.dmp
      Filesize

      4.8MB

    • memory/1920-0-0x0000000000560000-0x0000000000A22000-memory.dmp
      Filesize

      4.8MB

    • memory/1920-2-0x0000000000561000-0x000000000058F000-memory.dmp
      Filesize

      184KB

    • memory/1920-17-0x0000000000560000-0x0000000000A22000-memory.dmp
      Filesize

      4.8MB

    • memory/1920-3-0x0000000000560000-0x0000000000A22000-memory.dmp
      Filesize

      4.8MB

    • memory/3108-94-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-122-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-87-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-128-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-125-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-119-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-91-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-116-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-113-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-72-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-103-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-75-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-97-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3108-100-0x0000000000AA0000-0x00000000010BF000-memory.dmp
      Filesize

      6.1MB

    • memory/3400-135-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/3400-133-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/3448-85-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/3448-82-0x0000000000F00000-0x00000000013AE000-memory.dmp
      Filesize

      4.7MB

    • memory/3720-111-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/3720-108-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/3748-39-0x0000000000490000-0x000000000093E000-memory.dmp
      Filesize

      4.7MB

    • memory/3748-53-0x0000000000490000-0x000000000093E000-memory.dmp
      Filesize

      4.7MB

    • memory/4140-21-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-20-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-73-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-98-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-114-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-104-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-92-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-117-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-76-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-95-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-120-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-78-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-77-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-123-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-19-0x0000000000D91000-0x0000000000DBF000-memory.dmp
      Filesize

      184KB

    • memory/4140-89-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-126-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-18-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-101-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4140-129-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4752-83-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4752-81-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4888-132-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB

    • memory/4888-134-0x0000000000D90000-0x0000000001252000-memory.dmp
      Filesize

      4.8MB