amadey | 7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
21-06-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
Size

1.8MB
MD5

80ea847b61bacb9f112fad12d0acef67
SHA1

2619ebae02116a23f0f250dba0c30c6762fbb4fb
SHA256

7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024
SHA512

ab000bdc77b02e10319e3953027b5319b87685120f7ad1f0447a7d183a5f0d5d4faa90bbb71400f48b26eb895b4a7ed493c9269f814d1be41654863fd3723b30
SSDEEP

49152:M3C4Vr2aTo6vwhyh3zUzYqktvMwhBFlDdMSjPbyPy6HC:MRbFvwohAlCvjlDXby66HC

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5d137bed6e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5457a90fda.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5d137bed6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5457a90fda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5d137bed6e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5457a90fda.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe

Executes dropped EXE 6 IoCs

pid	Process
5032	explortu.exe
1624	explortu.exe
4812	5d137bed6e.exe
1980	5457a90fda.exe
240	explortu.exe
1560	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	5d137bed6e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	5457a90fda.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\5d137bed6e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\5d137bed6e.exe"	explortu.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1980-120-0x0000000000790000-0x0000000000CDB000-memory.dmp	autoit_exe
behavioral2/memory/1980-149-0x0000000000790000-0x0000000000CDB000-memory.dmp	autoit_exe
behavioral2/memory/1980-156-0x0000000000790000-0x0000000000CDB000-memory.dmp	autoit_exe
behavioral2/memory/1980-157-0x0000000000790000-0x0000000000CDB000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
232	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
5032	explortu.exe
1624	explortu.exe
4812	5d137bed6e.exe
1980	5457a90fda.exe
240	explortu.exe
1560	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634703713882287"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
232	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
232	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
5032	explortu.exe
5032	explortu.exe
1624	explortu.exe
1624	explortu.exe
4812	5d137bed6e.exe
4812	5d137bed6e.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
2748	chrome.exe
2748	chrome.exe
240	explortu.exe
240	explortu.exe
1560	explortu.exe
1560	explortu.exe
2516	chrome.exe
2516	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe
Token: SeShutdownPrivilege	2748	chrome.exe
Token: SeCreatePagefilePrivilege	2748	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1980	5457a90fda.exe
1980	5457a90fda.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
1980	5457a90fda.exe
2748	chrome.exe
1980	5457a90fda.exe
2748	chrome.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1980	5457a90fda.exe
1980	5457a90fda.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
2748	chrome.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe
1980	5457a90fda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 5032	232	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe	82
PID 232 wrote to memory of 5032	232	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe	82
PID 232 wrote to memory of 5032	232	7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe	82
PID 5032 wrote to memory of 2928	5032	explortu.exe	84
PID 5032 wrote to memory of 2928	5032	explortu.exe	84
PID 5032 wrote to memory of 2928	5032	explortu.exe	84
PID 5032 wrote to memory of 4812	5032	explortu.exe	85
PID 5032 wrote to memory of 4812	5032	explortu.exe	85
PID 5032 wrote to memory of 4812	5032	explortu.exe	85
PID 5032 wrote to memory of 1980	5032	explortu.exe	86
PID 5032 wrote to memory of 1980	5032	explortu.exe	86
PID 5032 wrote to memory of 1980	5032	explortu.exe	86
PID 1980 wrote to memory of 2748	1980	5457a90fda.exe	87
PID 1980 wrote to memory of 2748	1980	5457a90fda.exe	87
PID 2748 wrote to memory of 1536	2748	chrome.exe	90
PID 2748 wrote to memory of 1536	2748	chrome.exe	90
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 2472	2748	chrome.exe	91
PID 2748 wrote to memory of 4876	2748	chrome.exe	92
PID 2748 wrote to memory of 4876	2748	chrome.exe	92
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93
PID 2748 wrote to memory of 3864	2748	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe
"C:\Users\Admin\AppData\Local\Temp\7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\1000016001\5d137bed6e.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\5d137bed6e.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4812
- - C:\Users\Admin\AppData\Local\Temp\1000017001\5457a90fda.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\5457a90fda.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8f4aab58,0x7fff8f4aab68,0x7fff8f4aab78
        5⤵
        
        PID:1536
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:2
        5⤵
        
        PID:2472
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:8
        5⤵
        
        PID:4876
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:8
        5⤵
        
        PID:3864
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:1
        5⤵
        
        PID:3368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:1
        5⤵
        
        PID:1676
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:1
        5⤵
        
        PID:668
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:8
        5⤵
        
        PID:716
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:8
        5⤵
        
        PID:5060
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:8
        5⤵
        
        PID:1516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1788,i,3241400865196226743,1961975722129076486,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:240

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
413bab911ba3ebcc11fc7af13c604d83

SHA1
ddfb0514239b10c7c764e3a09d4f2694a0dbef5d

SHA256
e6a992c55c983d2c4e12f4a299737e28e283657b4478368d3780baa03b73b9c9

SHA512
75731755540aa6850ee0c92b5c0ef6ae7e12adea3a11e1caded42874cb3fb01d2d76dc0a0596b560df5cff23170b90c30464d64a5301c7f40a49f12f727d4cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cc62011d2a853abba307a371d380b8f8

SHA1
d91733119e87f8d79d9bfb464cd363a536a9eae5

SHA256
32944432d15d704d97e6e72018a1626c4f58e12bc4401669a75527d67a187544

SHA512
10189939884a4b8e57177d81d883bc529302623d92a5380a339567a16abb6700932417f59fed12300e6bc9a36e66c75343f24602802750af283b1968e897939d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bc51e598bd1134b9bd9d6e357001ee29

SHA1
3f3556776fff8cd0e37ec129bd1ac5db01f6c1d7

SHA256
02f093df80d8600c884faa6457b8243e28955a058f39784c06270f683958de37

SHA512
2f2691345f380e3b0e70da251a16712167585b7dc7d5fdd107601af0dd7bb2781a4c2aa9ec3ba83e96ea441dad0ac6e6aeda9b1ba1d796da40acee5bb1af8222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
dc29d368b7ea04129c3f68a76cf9c68f

SHA1
d5791de5b84f76556aac94832c88333461824647

SHA256
097b5ef62177ef63b664c767d9e503e0cfbb576f91fc2cc4a29c8869cc2c30c4

SHA512
8ff8ba9f3dc0b63df1486b8b7dd6d75609a2a6bef4aaa25d6e41e4ea3a7b88437a526d07543cf21fd587a793e39666140dc6e017b4dc452c0b356663cab05231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ac5635645c315532b86a325cf370478c

SHA1
1e8cf7d1005d69b1bcf36af5f009aaad4ad7772e

SHA256
5a0220211be1712a821af4deca135c45ea0fbba72cbd1c6b41a286416c411191

SHA512
c33091a8bb3627051e86afb3c148d0ef0fbb29b5a7e7fe1a44f3ed1eae8f8962c554a021e9764b65e5105435a4a8b997b2b69a595e1695831335858e6fb8a50c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
738ddede2949e887dc663603bdcd275b

SHA1
3c683a731d8e805f9a680b6a1a0640a54f4a5105

SHA256
ddf7faee11d77c6d3a2206d49c9ec37e46ab46f60560020a2d2f3e472c1fc422

SHA512
324b99c7df669d72ced08c1874dd443db3edb244143dfe0f5d2962080aa0af5e13e3145c72de899c658fcb6d5a75a210844f8fda1be5a44dc1d1390343febb1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
ddff19ab87e4aa1b37d5011d62a51745

SHA1
3419b86da3b1f22aa0523ae42f78c817ba45bfaa

SHA256
80c55d22a2b953b9f41ca2a865ef9a6ad8c90e68f48b111ae5c18fb3ee99f060

SHA512
06298c9520ee5eb54cedb11ed1a7b9697e16cf72d35ef150fa233374c65e10997fb2d93d726b6d0f551c0b96c2c2f94c72072048588cd134313ac6ad496c1c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\5d137bed6e.exe

Filesize
2.3MB

MD5
aa9183e7f7f375d156da6277ec54affe

SHA1
98f383bae7157063c482faaff27bc17bb6200e23

SHA256
bd4211a6c3b196508c720cb7d3e976eae0728f6c8f87f2f86334649cab22c512

SHA512
a8dd15dc99c4020a56d06f0bc43f7514baffeffe161e4f7b08056be3e4e37807d48c829c04c3dd4be4d8c0d03c529470eac89585c1286487f91efa33a9234776

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\5457a90fda.exe

Filesize
2.2MB

MD5
32ef7685e2c30734db57643987bb0458

SHA1
96a4861820aa209439fbe02274b4355f0d46c5a5

SHA256
16074af61b545793fb280a9a4065b2d875cf5e242ed8b246ed5695fd64220b5a

SHA512
e51846f892d4242f6a51095f61c3226730ff28242a49a0743176cfbfa94ddab7315c95b2ce31e23b7a97827a90991524bf805b5318f031d383c36e153eb8eff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
80ea847b61bacb9f112fad12d0acef67

SHA1
2619ebae02116a23f0f250dba0c30c6762fbb4fb

SHA256
7f722a3feeb5c6776646810ca68fd0dc1d91ead13cd7e141dc21f35597f33024

SHA512
ab000bdc77b02e10319e3953027b5319b87685120f7ad1f0447a7d183a5f0d5d4faa90bbb71400f48b26eb895b4a7ed493c9269f814d1be41654863fd3723b30

Download Submit
memory/232-0-0x0000000000D30000-0x00000000011FA000-memory.dmp

Filesize
4.8MB

Download
memory/232-3-0x0000000000D30000-0x00000000011FA000-memory.dmp

Filesize
4.8MB

Download
memory/232-1-0x0000000077C76000-0x0000000077C78000-memory.dmp

Filesize
8KB

Download
memory/232-4-0x0000000000D30000-0x00000000011FA000-memory.dmp

Filesize
4.8MB

Download
memory/232-16-0x0000000000D30000-0x00000000011FA000-memory.dmp

Filesize
4.8MB

Download
memory/232-2-0x0000000000D31000-0x0000000000D5F000-memory.dmp

Filesize
184KB

Download
memory/240-176-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/240-174-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/1560-205-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/1560-206-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/1624-23-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/1624-20-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/1624-25-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/1980-149-0x0000000000790000-0x0000000000CDB000-memory.dmp

Filesize
5.3MB

Download
memory/1980-156-0x0000000000790000-0x0000000000CDB000-memory.dmp

Filesize
5.3MB

Download
memory/1980-64-0x0000000000790000-0x0000000000CDB000-memory.dmp

Filesize
5.3MB

Download
memory/1980-157-0x0000000000790000-0x0000000000CDB000-memory.dmp

Filesize
5.3MB

Download
memory/1980-120-0x0000000000790000-0x0000000000CDB000-memory.dmp

Filesize
5.3MB

Download
memory/4812-202-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-177-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-225-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-180-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-214-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-207-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-119-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-158-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-200-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-160-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-198-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-171-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-196-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-148-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/4812-46-0x0000000000490000-0x0000000000A87000-memory.dmp

Filesize
6.0MB

Download
memory/5032-112-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-139-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-24-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-121-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-195-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-172-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-197-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-170-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-199-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-159-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-201-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-118-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-203-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-22-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-21-0x0000000000E21000-0x0000000000E4F000-memory.dmp

Filesize
184KB

Download
memory/5032-147-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-213-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-155-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-17-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-224-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download
memory/5032-179-0x0000000000E20000-0x00000000012EA000-memory.dmp

Filesize
4.8MB

Download