Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
21-06-2024 06:26
General
-
Target
b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77.exe
-
Size
1.8MB
-
MD5
068f5c9fdcea7176de4a38c9c7e162e8
-
SHA1
135650b05bdf06e820ab95a30e0548dea2d17d2d
-
SHA256
b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77
-
SHA512
a9d7fa7a5936aeea2ba1a30b5cba69b33b7f5e3d5a3c3abb310f3afc9ca101a201ae082111810c112efd616bbd1f80b61b83d0f53d2c26aabffec08b5fea71af
-
SSDEEP
24576:GdlgySq8qNjQiINXaOenHynzbk4OnFznh0dWk9jnC9jCl2k81C4SHqDzmhp7Pp3G:8l31N0iakHGcNc9Mm34wQmhz5
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77.exe"C:\Users\Admin\AppData\Local\Temp\b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\e43b18099e.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\e43b18099e.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\1be04df1f1.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\1be04df1f1.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9744fab58,0x7ff9744fab68,0x7ff9744fab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3204 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4400 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4532 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:85⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 --field-trial-handle=1792,i,1486170397185793834,711246732867697812,131072 /prefetch:85⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
336B
MD506b74939a7c10c03292afc598ebc7466
SHA1eea28440f675a168b460e20bcc6d79c64f89e8ea
SHA2569631af8984b3800050c46ccc16661e1ce4c86e37b6d1b03f62300f87d7933846
SHA5125d1e759a0814a6169bd205e265d9686aa0f2c031c51c30704e7f797914a95f9e77a48a5c6e9e95582aac061195d31923e62da5622cf126d0ff48334c83f053ad
-
Filesize
2KB
MD5df7bba1ccc003536002213e01b412faa
SHA1968137f65e0bc177757a1a3ae5579cb2662fd342
SHA256e4ae51643711e00b7f52bd9ddc406b09d1b41272a4c4cd043d0db6ffefcb8f4d
SHA5121e062796205dbc0c2b34573e7b14e938c50b347f2a630f672028e4aee961a49c9211772bc596bfc3c930ebce79f3e7f15a0434de1398a7ca6ecc5dbed7c10bb5
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
524B
MD54da9ee33670ca53a0df7a339b2ee0a9f
SHA1717076c822301a83c9c938e950e28c7d0727f15d
SHA2569d1aca3794b208641e40b906e2e250c0b105a9f9da80b764ef875b4d57306764
SHA512c20700a18a63641200b94712cf12d654bde6bea816d576f8559272a6489175d62d8c55b27b3e9980f9c358d980c39009a8dd67be77751380830077d7efeb905a
-
Filesize
524B
MD564ef9ffce46ec3c93654eb62d784afa7
SHA1bf244b2723109a4e2c397f750144a7fa62dc65dd
SHA256112022fd60b1cb4f9b6f135a59be177f5f9a63217f3b1f9d66fa6c141707efbf
SHA512cd8c7a74df119dc22566ea90d57104dd902a0c00e7df4a05b3376883ba7d38c360797ede413c2b0082f919109d6e6c84e417439ee8c413127f0c6a61ca5d4e1b
-
Filesize
16KB
MD59d2fcba2e350a9523edf7b368a5d88d4
SHA1976c53ff3f961472be240fef01cfe8e8bfe05ade
SHA256a2a191815063b86f5d1a173910fe37e45b42b569650b6343d4a93daf7fcaf05a
SHA5122ac841b411d49e83b93f69617a77f26c88dffb861588a20518c4f3d77a2b800c3ad47cd367ecbe3d920a16dfea39ecf01bf88abf2ee43c4ac8379123e10fa855
-
Filesize
7KB
MD5527f341c93fd3e59ea7e1343fa2a3126
SHA166e105a978c9a5b04481d86e2e90788eef435715
SHA2568e5cf32970612c8a60a2ad49ccb63f011b53eca0a30829c7123a085c0027f3ce
SHA5122785c02aa03f015d756fc2d1e7fd6a10b24ee36324f3df12c3a9d64581ecf78290911385394b5de876827f56dca89fde7148c43138ed07f99b7226ec5aa2d237
-
Filesize
279KB
MD5c4ba0440a73b8278537ce7846382bd6c
SHA160f518597381de191e6f35dcd9e1373e4b1cf6ad
SHA2567ff529780d30a15ca5709fcd45e3235de088419079ec12a708b7fc90a82080d6
SHA5121088de8aec85f7b2c8ae02ca8d728a057a7efdaa6e178faa993d80e732e845ab4b1bc5f22e265998bf5413acafdcae582b6fa62f60323193f55d8611fedddf41
-
Filesize
2.3MB
MD51da7f1736535b272205820e8bb409aca
SHA13b1d1aded4d0a95526c63cf1c33bd9c4d60405ba
SHA256b3f339bc8d497e16b9e639cf5f730b2c4b5cf034c5c0432dca5c6fc3913b2759
SHA51246a3979fe33651ba6abaef7d2c06be21eab4599be9838e3a219c1dd0159aa4cad380834e33324504ebd049122172db532afa2f25a08399f6b797cfd2f287f897
-
Filesize
2.3MB
MD587e1078f78d2abbf646433815e67625f
SHA1ae8f0cb2ff2e69c6253dac1682fd8fd48d1433f8
SHA256f7a27813429b68fd267449a960205ffd146a28867f1bf492881c58ae751df877
SHA512617c0e54fea9f8198a30e48137133963384ce0237a44463c99542d74da41aca699a08d7d47d49dfad2ec4f04e812d1fc77bcc8073cbd2fc02abf13c20c90b0e9
-
Filesize
1.8MB
MD5068f5c9fdcea7176de4a38c9c7e162e8
SHA1135650b05bdf06e820ab95a30e0548dea2d17d2d
SHA256b9ad6114e19d0a7a823778e9bf6598167b12ec9eb162c09337a92c9e56061a77
SHA512a9d7fa7a5936aeea2ba1a30b5cba69b33b7f5e3d5a3c3abb310f3afc9ca101a201ae082111810c112efd616bbd1f80b61b83d0f53d2c26aabffec08b5fea71af
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB