Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
21-06-2024 22:52
General
-
Target
67b32cf29afd8b763314843bf996c18e04be025d672d94538c5b220abb4c2365.exe
-
Size
1.8MB
-
MD5
1da72135a3e45e1729d05164d02490ef
-
SHA1
6faef4b35a2e9b6fd9cac445b9b888491fbb7f37
-
SHA256
67b32cf29afd8b763314843bf996c18e04be025d672d94538c5b220abb4c2365
-
SHA512
718984bfb5213d0f69fa6e188cb3c14f5142c142ab671f2e21d5940fd5a661861c1609686f2d59a5914016fac2be53bcccad7ebc74cc76b387b20456c59b5475
-
SSDEEP
49152:7MADibRtFMZyiT+gFj/neV3f52+em8XDGrl9RZX:7MAWV/0yiqgFjveVBOu9RZ
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\67b32cf29afd8b763314843bf996c18e04be025d672d94538c5b220abb4c2365.exe"C:\Users\Admin\AppData\Local\Temp\67b32cf29afd8b763314843bf996c18e04be025d672d94538c5b220abb4c2365.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\a3f496d131.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\a3f496d131.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\8f5c2cd661.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\8f5c2cd661.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5e5ab58,0x7ffae5e5ab68,0x7ffae5e5ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2020 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4280 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2712 --field-trial-handle=2076,i,4732416494034371322,18009660777311719897,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5b691276cd60dc83995251d2e95c3b006
SHA1737393fce714b7a23152430c30d183ccffec0c8a
SHA2560543bd095442865baeaeb628f67fe0b07b14ac14d61830c24b87745335523b51
SHA512bb423e0d709eaf4a93d6dfe3b5b6e4967a7f5f820f4595abadfa972e243ad6af1a4eec8d523daeaef62d0bc03f63ea83469f1a6dd2d1d5833b1be9d90ac1812f
-
Filesize
2KB
MD5e8f9551e2971feaebaf54858ed4f245a
SHA175e20e45c7d0190d89ad446d266860da2c9d8305
SHA25608eac9d664e48645255120c57cfc3255d7b2da32fcfb361d13199f2a15f331c3
SHA51211c089724a6c9fc6dd66df9b4954af61758fffc401553db7e47ee09c3ca15dd75cacf857e4d303418a61cdb3d6a02159a175e7d70596ef59f794204de4f029cd
-
Filesize
2KB
MD5e57fefe44a676c2cbc0a056d90927607
SHA1dfeb30bbb4a25154b4188db53773b34c5464bea1
SHA256e0c281e74d8c5822035a3c038bac3f7c2fd77aa31d4ffe53050e8e3af771f8e5
SHA5126673c69e8bae0fe26502cd5847541c503b5c54a0df15bc4b1899354fa1b2e2a0b831d1395ee7549fd4b54cded35b75fdaf611f3b6bd372ed84e49c11204d71e0
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD55cab5de327ce40664b9d5c5f5e52ad5a
SHA1e516bb0abed1471f6fb174f21db69f6c6fd0bfcb
SHA256313346cd2a07215a6d6ea044ea6e40dabaa011e3b2efa2fe4b17a047cb17fd2a
SHA512f9ff27dcdebfd0b43f8ce9baa45e877c1016873de76dc49ac33735aa34d6c9a22062ce027e02867ab2b89ea7261e32c9057a22aabc628b8c2a2ea0329a341cd4
-
Filesize
7KB
MD5ab5219a7b800672d927d0cec715f6b78
SHA1d2f50979384659bf125484ea6ce0a41bb383f8b2
SHA2566cdc83e49a570c4563f040eae9ef4c564e3595c4fe055f7e8c5c0a88ed7b43df
SHA5124598afdbf311fcbfdd7d565ba40aa65937146ac8cee318eab828822b8c58cc92141727a6bf139b8be90c667a8080db70616d9f9ca93d982f3977810fc3f6ae14
-
Filesize
16KB
MD55b3d43ba62d331c2e3a75a446ecf0989
SHA14b58e13b0dca5384ce8cd98be86f0f5720976ad6
SHA256f034c01b30a26d5f95edfc2c74c41448e85278f0b31e2a274c628ebdf7a874df
SHA5120e647fbdeca1063804e3ab62f5f275315ac69006dfea12edcf1034163ade86dfa39504f0738047d83fb72579c79e1e31d9c738dd6e0269f5dcf3f8388ee61497
-
Filesize
270KB
MD54100cc4b9df30d636f9d5f5e61ca6dc6
SHA1052886d3c1e3503c642b25e0797223e2e8b06912
SHA256156d9a606d4e0d460e0b339d726a4460a9affc4b6d53dfefa3f7b8acd1b36bad
SHA512064719a297be5551b43121d567ce83cb2df1e7a8e7561ab014d51bf39e418b86a4b5b88660aa2193d020cd7407ec1733f909cc9fcaf79adaa6bfac8e793971d8
-
Filesize
2.3MB
MD542cc22ed96b3c65baa8a4fd15476c5a3
SHA18b4b4301d12cc52c286a1e514010d94b391af88c
SHA256990ed7c16465f153b9f42be5428adacb777345e72845fc21b4034a6549ac37b7
SHA512eba258fa0415555d0a17c5bf9096728d078252033eaf0f2a2f72064c33680b073c64853681522c411e696bca1105b6bee2af27f559b9e2eaabf537f7416062ba
-
Filesize
2.3MB
MD5e88846c5bfe6070253d1c3642e8e1ca4
SHA1f165e80e8d19856c4a282f94e8b83d9d88702564
SHA256a3d38b7450601203f1c57bc62e138f5ae6d34c5cad1bdf781e5c0e2f628ec99d
SHA5124d9884bad2c8e104c18b00283536b050a3a820994a75bd55ae182819e72c1e0dccde138004b19d78038bbb2a8e61d9a1d1a50bad5dd1e2cf4c23f716335ede19
-
Filesize
1.8MB
MD51da72135a3e45e1729d05164d02490ef
SHA16faef4b35a2e9b6fd9cac445b9b888491fbb7f37
SHA25667b32cf29afd8b763314843bf996c18e04be025d672d94538c5b220abb4c2365
SHA512718984bfb5213d0f69fa6e188cb3c14f5142c142ab671f2e21d5940fd5a661861c1609686f2d59a5914016fac2be53bcccad7ebc74cc76b387b20456c59b5475
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB