Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
21-06-2024 06:26
General
-
Target
b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77.exe
-
Size
1.8MB
-
MD5
068f5c9fdcea7176de4a38c9c7e162e8
-
SHA1
135650b05bdf06e820ab95a30e0548dea2d17d2d
-
SHA256
b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77
-
SHA512
a9d7fa7a5936aeea2ba1a30b5cba69b33b7f5e3d5a3c3abb310f3afc9ca101a201ae082111810c112efd616bbd1f80b61b83d0f53d2c26aabffec08b5fea71af
-
SSDEEP
24576:GdlgySq8qNjQiINXaOenHynzbk4OnFznh0dWk9jnC9jCl2k81C4SHqDzmhp7Pp3G:8l31N0iakHGcNc9Mm34wQmhz5
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77.exe"C:\Users\Admin\AppData\Local\Temp\b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\ccfeca345b.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\ccfeca345b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\ac8e158d48.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\ac8e158d48.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeed42ab58,0x7ffeed42ab68,0x7ffeed42ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4312 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4544 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4680 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:85⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3296 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1960,i,7514339287364909134,9567634313830908415,131072 /prefetch:85⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5c897b9a2cdda005a77b2bd6aaf0fd9d4
SHA1c5d5917561381dbb8638d69465b229f884000225
SHA256176d21740ce60c6c6ca81def5a3a98b5c16917ff32005f38b0cce031999600f6
SHA512d546c1c147170f6a5bed41963deb3839b333db7aea14eb4da6c5771c325b2f59db3568fd451a5a58e28dcf5cd525af931421dc459db4ec5e805ffc7a56d02796
-
Filesize
336B
MD5a70d979fb67c9d85328b1c43dca8247c
SHA16f7493a8a0d80663da55413713e6165c7052577a
SHA25626e9d07ca670eb19f63e1d866ea3e78f8e9dad7f08acdb5a16d1efd69883b458
SHA5128ac04c4228ee16b5403fca88e2a5425e6e9a2aaf6f119e35c64580dde24c8aea365d5fe42f66ce4502820d4422c34298e41f203a07b926f5a55b716230f3acc1
-
Filesize
2KB
MD5712dc9406e173e91698ca7a4555d096e
SHA1c8cc5fda0f111075962941c2aee3fb04c7e95dd6
SHA25665a9f35a41a1bf143a8ad30116efa3a474e915d0d21585d4cc173a01e08e005a
SHA512128220fd88598e99e3f1ca65d6d7f32d7a5ca9e8c55f7b53e20c45acb9ff6481b4ef0513f116d33c5667e88fd7dc5bb121e800bc7a2125f2f9fda512a3069c1a
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
524B
MD57659d4481b67be4721e5907a681d7396
SHA1ff06c5eef764b1a78119119871bce7dfbddf76a8
SHA25652d13b4fbee587d97c96dbc4337058f5d71bf0e44908b34a16b001f30e156a41
SHA5129f200a51b83d0c4ec157a70b31db0038d7bcfb5902ff6e5995f96f743ee9577dd8423c3dfd6da1deedd23768527301b4c369bb7adefba1f3883bd88b3afb4b53
-
Filesize
524B
MD57ee2c15abf97642131da768161879150
SHA135f7ec58a87216effdfe2aadf923f045c4eac4c7
SHA25692233687098bf590289b78b0318a3b72d7664a012009a2c330a2a982f912576b
SHA5122fcb15fac07afddd728966b66a2524782ec1393146b62a082b97fab2d930a5b3b775db62c698c3a3c7b87773c86a01c2324d78837cac6d87e8a961f8262aca97
-
Filesize
16KB
MD514f3a8895dfa9680ad63a453534d5c4d
SHA10b9c0b6855f5d50f8cb30420780e13d97122454f
SHA256303e00b74a0796ad5a533559b156bf4e7024cf33e4da9a9dba29a8f3ed282777
SHA51214abb1deaa1754c24328c445c3015e7c5fd99fffd7021c77dbefa88194d0efa9390e13cf75c38d3b6f7830a18a3d6b98c64516ff81788ba8c37e1ae6d4027743
-
Filesize
270KB
MD516c78560ba27b241c8f454fddf113b07
SHA1a79a2c977d95e2d7b85adceb3c03163a43f1b3af
SHA2569933d8cc11acf2d5aa480f890add95cf5b66d31007d3dcb5dbeacc6bbe1569ca
SHA5126215ff5dc916f07ff7d409f2b11e08096431aec504c97deffe07a72cfe91ff9f8b20cc3e58cba7b131a0d8624b33a4415834967b62a926964ce776da8dbb5fa4
-
Filesize
2.3MB
MD51da7f1736535b272205820e8bb409aca
SHA13b1d1aded4d0a95526c63cf1c33bd9c4d60405ba
SHA256b3f339bc8d497e16b9e639cf5f730b2c4b5cf034c5c0432dca5c6fc3913b2759
SHA51246a3979fe33651ba6abaef7d2c06be21eab4599be9838e3a219c1dd0159aa4cad380834e33324504ebd049122172db532afa2f25a08399f6b797cfd2f287f897
-
Filesize
2.3MB
MD587e1078f78d2abbf646433815e67625f
SHA1ae8f0cb2ff2e69c6253dac1682fd8fd48d1433f8
SHA256f7a27813429b68fd267449a960205ffd146a28867f1bf492881c58ae751df877
SHA512617c0e54fea9f8198a30e48137133963384ce0237a44463c99542d74da41aca699a08d7d47d49dfad2ec4f04e812d1fc77bcc8073cbd2fc02abf13c20c90b0e9
-
Filesize
1.8MB
MD5068f5c9fdcea7176de4a38c9c7e162e8
SHA1135650b05bdf06e820ab95a30e0548dea2d17d2d
SHA256b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77
SHA512a9d7fa7a5936aeea2ba1a30b5cba69b33b7f5e3d5a3c3abb310f3afc9ca101a201ae082111810c112efd616bbd1f80b61b83d0f53d2c26aabffec08b5fea71af
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
4.7MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB