Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
21-06-2024 16:50
General
-
Target
442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe
-
Size
1.8MB
-
MD5
f4e6fbc2e750b30ce2d722824fef95ed
-
SHA1
45be637815aa265173fb9083dc735f95c341a303
-
SHA256
442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e
-
SHA512
e56975582c904a42db10086f36a3ff897ac04a418bca1f2f7129c49502f95f1262131ae0167a56bd066915313b9f0594c36d9012e80e06f8476e92203543530f
-
SSDEEP
24576:mFUBtmghMAZ783yVaFX6B2veZzyzvSVpOfymwfQaAo6U7ptDJj+j7+ZdbMaAb5zv:/cghMMdaIJbVp0ymv67ptD9AqZFmqa1
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe"C:\Users\Admin\AppData\Local\Temp\442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\16040f7a20.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\16040f7a20.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\b4be17ff7d.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\b4be17ff7d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffcf9a9ab58,0x7ffcf9a9ab68,0x7ffcf9a9ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2296 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3952 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1948,i,1481504913553337387,8150089370520018953,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD51d43c25448c24d18c2313478ab5d8cf0
SHA11b2936df1a6fe9eecf578b7823329ee9fa511533
SHA256b417c25dd5991397cddf52e3221a81221aea94d379d35c56742d4ff1aa603d61
SHA512335fdad1cd170ba29427790c34bd800a341e42dc0aa59d54900c781ca4d57845e8473b3c6086ed9eaa549ed62457645c1bb853995c5a01c24103f1d38d5dd8bf
-
Filesize
2KB
MD5bad9bf017c668e0def4e2c508461db32
SHA1b21adb93a2c318ef0b9845aecc029217ddd0ecdc
SHA2568772c91b066c41c9b3b17097d51219f215960532386598dfb7eb87696111525b
SHA512662a3f4fee8fff4e021e3cd2729e8d4764fe03742f156cac64aefb025f1c7540cb777ce1e408520d1246a2a86330988c5586c31ed6babd0e4aa3f9cf4253269f
-
Filesize
1KB
MD547ab813145625a1806006c2a933fb30c
SHA1b4d9d8b05a7f2026a1d9fbb44fea055904da9be1
SHA256bc09182b0e6c5616d8be32b7e212bb3f2b655acf53fe4a5fc7748af4739985ca
SHA512785c23f7b68777dfe2e116368cab85bccd096ed10d0ece92497b8df93535482317fb09221c2b3b710b63698e979fa647b48d46190413455d869e91d7e9124779
-
Filesize
3KB
MD5afa0cd7e0947606ba661ada82c4897d9
SHA1dc26a8a18941e355fd24d385326bda3641316531
SHA2565ccd34e7507edecd77ed26f16f4900e51742b4297c294f741aaa9f81004fbcd9
SHA5123afbc9fc3ec447f88fc1de4e56610342108769ca6dea26ed76565dda7cf81830b48ce9040b0352959ab034996534ce45f2248c9474137df3bec275754f8795e0
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD599daf8fcb27ed0410c58ade68662d8b3
SHA149bd1a7c6e849a4695aff183468fb65f3a6a81a9
SHA256e3282b6ce3af98732645acec4e901edbe6e3b37b260799b4adbc01f70512bcf3
SHA5121980d719006423dc8fed2ca3f11f6770856c5e3ef49137208c5160ce53c4541bdedee2d4b376f1e4a403b5308e931159114ef25fee2d96a1bebb76931dd8a3aa
-
Filesize
7KB
MD5ce2bc4149179ccee69d1c1830f9cea21
SHA18eb03294bc7e29a5e8ef6c1c4a333cb069d6650c
SHA2565e334b23e6106b3a11ba49bf829292cf321d87d0d945a15fea5b29d843235372
SHA512081bee08d2afdc3da69e2946e4e8510ef6dab1c497b3dcfe96e7a2aa2cd04429c9af4127b56448e10ca7e643d4e39f20a096d44407471a6d3f7d61873bda7c8f
-
Filesize
16KB
MD571577ae953e5807c455aeb0ea9375f66
SHA1991f018728af1028e9dc8ae981371c6f3cbdba1c
SHA25627e8ad9540daf47ee832ac5e2411c42dd913ca610f58cc4913027356bfdf3e37
SHA5121147fe390b48a56c94734cee9e7bccd8a862a52a589d457be8b6270f116247c0651d92ec46b7ea91f9e0b4ac6cbf5651e82dd94b8856f4f2df9ddd4780ee3d2a
-
Filesize
279KB
MD5af446b1d4d7a9aeef8cd6753094c9e69
SHA19e47210983c3cd3679c4efa2a094f6b4260e2809
SHA25643dbf76f3ac110021d833ed4cf2acdea8cfc811277c10916cf4e5c1489112dd1
SHA512760d16d6e1c9682fbde45ceb08c03df2d818531d15c22e2073b02d23b84a669a67a3ca0d3dc3e35b7ac6d68613822cc8fc61858518b55f1b50198f8c23051264
-
Filesize
2.3MB
MD5d9f41a788841bc57db1e3c375bdb906d
SHA1a53f4e3f93d799835bd22d47b3214a536d982c3f
SHA25678636a12d3a9ad85208987feb964844591099e53abf3da39fe4cbf4cc6692b99
SHA512bfcdda147b7bf71836dfa151b3b03dad4e170a8f079eed21af6ae215cfba2f9c2f10a8177e288c2ba0805634ca5646bbe01c20033aa1c9f159b56794aea4ffdd
-
Filesize
2.3MB
MD5fbcba4b35f383ebe81632e3ed35a6850
SHA1c46d61e2a6dbe1fab73c52c8471ccdd021fcab44
SHA256eb62faafd69090cb30ca0defd13be853289d90256ad2b37f2d3533fb98cb7c75
SHA5129cc6c6f6b0731e19e9eedf19f0e59bc726cd5c3a694a6ba7e09d8edeb385b8cb9ccca4fbf7f01abbc01b22fa70fbf65f5bb30770a13f34c709807bc88019faa0
-
Filesize
1.8MB
MD5f4e6fbc2e750b30ce2d722824fef95ed
SHA145be637815aa265173fb9083dc735f95c341a303
SHA256442c25cecc8369d4b855ca28b3be8fad8a707fa8da8fd91b12aea17c601f3b4e
SHA512e56975582c904a42db10086f36a3ff897ac04a418bca1f2f7129c49502f95f1262131ae0167a56bd066915313b9f0594c36d9012e80e06f8476e92203543530f
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.8MB
-
Filesize
4.8MB