Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
21-06-2024 15:25
General
-
Target
afa57924908d9a8789e86db3f4a913820534546314d889435cceb49563cc47be.exe
-
Size
1.8MB
-
MD5
2de14de2f71f6f99a0f1672e352d366f
-
SHA1
48d1facb8716baba4159047c87f082f4c6e2f37f
-
SHA256
afa57924908d9a8789e86db3f4a913820534546314d889435cceb49563cc47be
-
SHA512
d50db9513521bf44ef62d8c60ec2cdbdde6ee50061df3375647c588b0e012f0b3b2d3c358e12e9d5ca0ac040f4d9b745bda3b314f303302148efd06b98843482
-
SSDEEP
49152:YX1wguoauuxbnKFj5g46MLBwpdBXw5YeaImm+N0vcsj+m:YFhuzuvN6ML2K5YePmK
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\afa57924908d9a8789e86db3f4a913820534546314d889435cceb49563cc47be.exe"C:\Users\Admin\AppData\Local\Temp\afa57924908d9a8789e86db3f4a913820534546314d889435cceb49563cc47be.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\975461baf4.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\975461baf4.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\6134c05e6c.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\6134c05e6c.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffc3965ab58,0x7ffc3965ab68,0x7ffc3965ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3312 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3836 --field-trial-handle=1936,i,13882565033442823623,15724098032899879041,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD58d690415739374ef491f2054c3099bbf
SHA1e522ec236e8e1ec626e49659cf2a1ee061defcce
SHA256bfb3c0a2c01985c9bbcfefbd7ca0a40b66119904e14290b5a67b68da5b1ee2f7
SHA512f1d7c8ea88cded42f70a920e0eec9f3638c24d93e4df759e5cdf3c4e6981b05d08778290f0e9797ef0daf7578139f6a449038f942ac6975782158c8d6b90bd35
-
Filesize
2KB
MD594e25de54d913285f7b0110712871613
SHA176af85c96c45d6f23fc0dff27142d5cade5274a3
SHA256284649629c98439dddf36bcddb0d8a355449af6fe155a2a5c293c2da9b6c5e9a
SHA512042644eeca6d55a02d76fe0d48a598260edd6cc07107de367f7c7b3ae844dfc3e11cba6b5f12bfe688a8fc7d9801b2a62401f683b346ad789ed11d355519df1b
-
Filesize
3KB
MD500909c0a74190a08f78cc374ff02aa56
SHA1d066d6073a49c84180e089354ca7a61db50b3abc
SHA2562dc50061509b50d83289789812f0897dc66d82f07a299566f4898e3d0662af4d
SHA512d9c8faf31356599bee1876fed2bda74f46c764121b75a84e0468904dd26497e75050cce087cb21857079fe20c352504e1c6928b35a50dc8f7856558e69d87a2a
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
688B
MD5d81d43fdec3aac6a5b32334c05e6423d
SHA1357eac4254f299ea5f5c3ecc75e50909f5f2f8d9
SHA256d938fed2b198c00e927ad9c644afa084cdd2532c6021a01adb9c3a8b1724fd19
SHA512ced3653f1889d2f2afaba59e7cfbfb0454105fec5e512c0ce81fa8c41b3f481f8a0c619299e2bbd3ea4dd31763ac7b85bf83c41278ff264fa88ae7d6b23e2cdb
-
Filesize
7KB
MD5e3fc717229040a7a7313b89f53aca6bb
SHA1c05346f324abac441b7cc0530d770170d37e6d1d
SHA256f873ef339103d402ba503af83f3b1c779b0efc616fadf0c8db5800e6e354f7ba
SHA51260ed108fb63013b7870035d9ca75cac2ed1682619ee1c06697d3f1a2041a7f1173ca951c6b59798831761be080c4daed3827ab8ae21d3d38ccc03d8107b64884
-
Filesize
16KB
MD54b830846af7ea9227996abf44b2210f9
SHA172f46d33194dd842690f028aaeae8a5a5375c4e9
SHA2567d7a8f90ad608da0d97f3d458f5d5f7506b6f72a889852a908c4f86653830a3e
SHA51260ad7cf7c63dd504e9b7fa34481b7a3e77c02aac4d5d33391ebfd256038179675e6dfccc21e6750f7fd602e77c7bc689b2738cd88e1c43bc375fd0a9d592588c
-
Filesize
279KB
MD5842456f9da3ffc79e1e3e9fcbb3cb1f8
SHA1f5a6d5fe400b029bdc8d4ed7afd2a677ef54dc27
SHA2568637dc262baa837cc14c714e398003ae8932cef6cbd1b308e994ae84c7c2341e
SHA512e3b0e7a80796394d42ded2809381dda994be9121c491a9e11e870c1c69fb51be49bf98ae4927a281ec998ac1181cee31267c712c956cec49769b65890b7680f8
-
Filesize
2.3MB
MD507b486361c8901248eb8113742dd9dcd
SHA18ee235b44755617fb53cc5e425ec50d88d0263d7
SHA256a7e3966b2892952035c70ca580fdca681fa73468c35fcb2b811c0c94f8a9a361
SHA5120eeba8dad97ad5ddb256874b8e78f9988a5e283a0e53f5f16588f98386f461de34b03552631fb494c33a520f0c7e9e45822cb4c620038478b496bc38ad4caf78
-
Filesize
2.3MB
MD534c95734ba3f3719a905aa752c5b6e3d
SHA17c3491053fa7f1cf227fb7311ee319be79c1008d
SHA2564e10251b0f56a3d2292ca11f1f31dd45849f7288b3948404c600ce349563f56e
SHA51293359c447590562f42a1ddb0d70ac310ed7d90b187777f21291689976518a623378fc1e56e466b75a10a89b78a97a3125b5aba3436ac737907851ab49990f421
-
Filesize
1.8MB
MD52de14de2f71f6f99a0f1672e352d366f
SHA148d1facb8716baba4159047c87f082f4c6e2f37f
SHA256afa57924908d9a8789e86db3f4a913820534546314d889435cceb49563cc47be
SHA512d50db9513521bf44ef62d8c60ec2cdbdde6ee50061df3375647c588b0e012f0b3b2d3c358e12e9d5ca0ac040f4d9b745bda3b314f303302148efd06b98843482
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB