amadey | dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f

Analysis

max time kernel
149s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
21/06/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
Size

1.8MB
MD5

8d487627035eed9b73928dfe64e1f0fc
SHA1

a8c79ffd756091998aa04c560c2355aca1bce886
SHA256

dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f
SHA512

bc0448ba4374af2126e364ca22f063e9e4e6d92b88b130a5fbe5b0bd1968257a9b4fc83aa9b2d27675391d85d0a1f95f12b72464cedcddd2c18bccba3f8d8ba6
SSDEEP

49152:DsGzMPclg3SPH2IJZoPSo5bHB0vdj+1w2+gEbnwbi+/J:DsgMklcU2IJZQFhwdjIwXs

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	63144682d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e8d47f427b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e8d47f427b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e8d47f427b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	63144682d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	63144682d3.exe

Executes dropped EXE 5 IoCs

pid	Process
1436	explortu.exe
1192	63144682d3.exe
2840	e8d47f427b.exe
5040	explortu.exe
2744	explortu.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	63144682d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	e8d47f427b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\63144682d3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\63144682d3.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2840-122-0x0000000000FE0000-0x000000000152F000-memory.dmp	autoit_exe
behavioral2/memory/2840-150-0x0000000000FE0000-0x000000000152F000-memory.dmp	autoit_exe
behavioral2/memory/2840-156-0x0000000000FE0000-0x000000000152F000-memory.dmp	autoit_exe
behavioral2/memory/2840-159-0x0000000000FE0000-0x000000000152F000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3904	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
1436	explortu.exe
1192	63144682d3.exe
2840	e8d47f427b.exe
5040	explortu.exe
2744	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634118959449333"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{16222087-5965-4C4C-B60A-41500A58C7B5}	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3904	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
3904	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
1436	explortu.exe
1436	explortu.exe
1192	63144682d3.exe
1192	63144682d3.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
1444	chrome.exe
1444	chrome.exe
5040	explortu.exe
5040	explortu.exe
2744	explortu.exe
2744	explortu.exe
3524	chrome.exe
3524	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe
Token: SeShutdownPrivilege	1444	chrome.exe
Token: SeCreatePagefilePrivilege	1444	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
1444	chrome.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
1444	chrome.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe
2840	e8d47f427b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 1436	3904	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe	77
PID 3904 wrote to memory of 1436	3904	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe	77
PID 3904 wrote to memory of 1436	3904	dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe	77
PID 1436 wrote to memory of 648	1436	explortu.exe	78
PID 1436 wrote to memory of 648	1436	explortu.exe	78
PID 1436 wrote to memory of 648	1436	explortu.exe	78
PID 1436 wrote to memory of 1192	1436	explortu.exe	79
PID 1436 wrote to memory of 1192	1436	explortu.exe	79
PID 1436 wrote to memory of 1192	1436	explortu.exe	79
PID 1436 wrote to memory of 2840	1436	explortu.exe	80
PID 1436 wrote to memory of 2840	1436	explortu.exe	80
PID 1436 wrote to memory of 2840	1436	explortu.exe	80
PID 2840 wrote to memory of 1444	2840	e8d47f427b.exe	81
PID 2840 wrote to memory of 1444	2840	e8d47f427b.exe	81
PID 1444 wrote to memory of 1876	1444	chrome.exe	84
PID 1444 wrote to memory of 1876	1444	chrome.exe	84
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 3404	1444	chrome.exe	85
PID 1444 wrote to memory of 2084	1444	chrome.exe	86
PID 1444 wrote to memory of 2084	1444	chrome.exe	86
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87
PID 1444 wrote to memory of 4364	1444	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe
"C:\Users\Admin\AppData\Local\Temp\dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:648
- - C:\Users\Admin\AppData\Local\Temp\1000016001\63144682d3.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\63144682d3.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1192
- - C:\Users\Admin\AppData\Local\Temp\1000017001\e8d47f427b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\e8d47f427b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4bf7ab58,0x7ffc4bf7ab68,0x7ffc4bf7ab78
        5⤵
        
        PID:1876
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:2
        5⤵
        
        PID:3404
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:8
        5⤵
        
        PID:2084
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:8
        5⤵
        
        PID:4364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:1
        5⤵
        
        PID:4352
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:1
        5⤵
        
        PID:2328
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3912 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:1
        5⤵
        
        PID:960
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3420 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:1
        5⤵
        
        PID:2720
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4396 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:8
        5⤵
        
        PID:3352
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:8
        5⤵
        Modifies registry class
        
        PID:4816
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:8
        5⤵
        
        PID:492
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:8
        5⤵
        
        PID:2368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:8
        5⤵
        
        PID:1252
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=872 --field-trial-handle=1792,i,12495046311254209526,16188625825745498559,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3524

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
5b65fe0d5da2e0c30991a26e2af46267

SHA1
4ae466417ee6e956decb123f1df195967d474d55

SHA256
7a47581c6fb1b5a042101445cba46e525f6c057701830dd98009e6d9233d84cd

SHA512
c4237d02658ec737312266f4e716ce7d38df8a30342dc0879b1bb416cfc1099d86a2c8dd9be7abdb1161553ad44d14af2e67c5e2f72bcf29b980b317c692272a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7f15034baab087080bc8550c8f8bc08b

SHA1
59877ad44f11b773f278d9bc32ca8005782f2e13

SHA256
8b2fc2e04937af9ed15f18bf55b3f86d3dcb0258477abd8e3ef950c8e186c10a

SHA512
84455f2735b4ac1d60ca5e9e18771abff169b10d07d13415bbf8548f75e95ce2c58152dc1357e0e0fdc2fe183462c9d9d012d3e585099d0b96d221ed2acb9241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
060d6d27af51b8b0fb2f650c1cf2b228

SHA1
86102079752daed8545abfd3754dfc7d88822f21

SHA256
23cb8ab2a410a9ede53f20f7c90bbfa514ca9955f158e43d45ef560ccb3eb255

SHA512
e1990687608a3c4ea04bc196cbab8f645ae304dfbe418f56792da10fee57fead157317a0c0ef50229926f9da79f9b79bfa609af5c578d9336ed32fa14bc4f269

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
5e065f7bc501dd786073376f28010374

SHA1
8f444190ad36b59258815f6dca3f3578fcaccb9d

SHA256
cf24e80996db2869fffb2f18fbfecfc60b8464a3741a8277d768a4a1176f4c22

SHA512
060ce27ab3bd3fd258a0cc44eab95aec745c73e3537157f37817826253879ddc713b71400131ba006e8fd6752a32a0dd31e4f37132baf3f64049eb4063529dd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
66d1cdbc558321dd256fa9b13772c573

SHA1
ace061e12fc148f2f5d8343ac320b340a3f9ae21

SHA256
3ee1fd0148998bbfbe5d076280b0c1799cd1f2ee93f985db89cd62ea9f53e60e

SHA512
aa63ef579ccd1f040cd81d3c52c710f96ccc7c202425a19420eaeabb830f110972cdb509d543711da35870a0caf9eaf2a957fa22d74ffb29aeb5402468cfe605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4f8c0c1868ff8e6e590bcffd15a6dd72

SHA1
eb14b2f3f5f3e70eeca9f1de069033f927649343

SHA256
8135009ae8db805733fe18c76af76d6743d5a20cbe2722db04ec5f9830fdad46

SHA512
a5181e0ea8675c5b1dd5a5cefaaf38a3b290118b5d80c5f77642e185edf459d58907bcb4e6659542a04b9b37e51656d91f41766936ea8bf39b8c4c50d1308ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
4480dde349172e30d5bcd1495a6d9b1e

SHA1
70e94e9f07def7cada5e9469db6e025c406c4b13

SHA256
374a2186e64b4bfa38966245b683127b9f1e027bf80da757d425d48630ceb119

SHA512
81f17bc3b6e9522447e7fdb81c4e5bd67b128ba70237c521ce89dc9dd27021fa1d061dc9f252f792d2f323313464a47cc80464911e9f745a28ac988af748e273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
2ec88d1a0da3cd0fe37c0a5dcbb086ab

SHA1
864a5758fe5f46b75c7b10f8431dd30118717e1b

SHA256
0fe2d7fc3731ebf43237723afaede99f297f51d1d046871e3e9e5dede70f2885

SHA512
0f26bb420a46d968770aaa49c6045c5648507a55ad631752225a0d5fcc75bdd7adbc275fb9220561f028907e6dc2319a0f557805fff023689ff8fd06b66abb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\63144682d3.exe

Filesize
2.3MB

MD5
5fd0908cf481e86cb9dbb4d4e49f9ee5

SHA1
f8ff837531ba659bdc214fa9aa0174e37ba5d959

SHA256
c91b870f8252d8da56df52503050ed9bed377f4aa4ceed9ef762d622885bce6d

SHA512
c09cbfa15091aff7e5d8ca2134904e7f5a9cbc4073d24f0fc58bb804f41b5b6278ebe4696500f83c32b8c54c788af82dbec3263501413e2602d1e15ee6ad62fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\e8d47f427b.exe

Filesize
2.3MB

MD5
14d4e2b884e4515cf36d5fd9c9ef32f9

SHA1
33829d49b1b7c90a7575eab8af09573e1c1f674d

SHA256
5a4c6ebab6e9f2291382835288bced4093add42d0fb13ae723bc5f238da8a8d5

SHA512
bfd948772845f81213d1175c208968d064139f20a4190680dc6e6f881ce64d1454415fa15b9ecc554c20ce2cdaff9723b432de4112f05c43da4dd846d2e2f615

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
8d487627035eed9b73928dfe64e1f0fc

SHA1
a8c79ffd756091998aa04c560c2355aca1bce886

SHA256
dd709233d3451c0b814b09a6f2c5086fdb55e8300b4def2d5c5dc650c4c53b6f

SHA512
bc0448ba4374af2126e364ca22f063e9e4e6d92b88b130a5fbe5b0bd1968257a9b4fc83aa9b2d27675391d85d0a1f95f12b72464cedcddd2c18bccba3f8d8ba6

Download Submit
memory/1192-148-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-149-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-223-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-216-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-214-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-212-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-207-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-42-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-118-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-204-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-180-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-177-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-175-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-164-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1192-158-0x0000000000630000-0x0000000000C32000-memory.dmp

Filesize
6.0MB

Download
memory/1436-205-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-211-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-61-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-222-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-215-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-43-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-213-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-157-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-18-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-21-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-147-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-105-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-163-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-19-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-174-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-20-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-176-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-206-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-179-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-117-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-111-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/1436-119-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/2744-209-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/2744-210-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/2840-159-0x0000000000FE0000-0x000000000152F000-memory.dmp

Filesize
5.3MB

Download
memory/2840-62-0x0000000000FE0000-0x000000000152F000-memory.dmp

Filesize
5.3MB

Download
memory/2840-122-0x0000000000FE0000-0x000000000152F000-memory.dmp

Filesize
5.3MB

Download
memory/2840-150-0x0000000000FE0000-0x000000000152F000-memory.dmp

Filesize
5.3MB

Download
memory/2840-156-0x0000000000FE0000-0x000000000152F000-memory.dmp

Filesize
5.3MB

Download
memory/3904-1-0x0000000077056000-0x0000000077058000-memory.dmp

Filesize
8KB

Download
memory/3904-17-0x00000000005D0000-0x0000000000A7B000-memory.dmp

Filesize
4.7MB

Download
memory/3904-5-0x00000000005D0000-0x0000000000A7B000-memory.dmp

Filesize
4.7MB

Download
memory/3904-2-0x00000000005D1000-0x00000000005FF000-memory.dmp

Filesize
184KB

Download
memory/3904-3-0x00000000005D0000-0x0000000000A7B000-memory.dmp

Filesize
4.7MB

Download
memory/3904-0-0x00000000005D0000-0x0000000000A7B000-memory.dmp

Filesize
4.7MB

Download
memory/5040-162-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download
memory/5040-161-0x00000000003B0000-0x000000000085B000-memory.dmp

Filesize
4.7MB

Download