Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
22-06-2024 18:50
General
-
Target
aa7dbc55de09cbe91dbae7496e2c237194ff6d827fd4af2af4ea56efb526c34c.exe
-
Size
1.8MB
-
MD5
4621751c3f6eefa29e8d24d472b7fd5c
-
SHA1
1ef528e0517c76e2d57740ad070965e982528924
-
SHA256
aa7dbc55de09cbe91dbae7496e2c237194ff6d827fd4af2af4ea56efb526c34c
-
SHA512
8fa13bc0e78e81e915930bcccf8a5c9a2fe3ff31f931d9424ca24348b8b3d003ee65a3fe7bebcae1ac984cb5c5db57795739204d37b59486b7285f6872ab21a6
-
SSDEEP
49152:hoQhmzwEzS0f8dhhZmhxk4Epba/iv7MRYldlJ2gm2BZC:h//EzS5hGhGbtK+5c
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aa7dbc55de09cbe91dbae7496e2c237194ff6d827fd4af2af4ea56efb526c34c.exe"C:\Users\Admin\AppData\Local\Temp\aa7dbc55de09cbe91dbae7496e2c237194ff6d827fd4af2af4ea56efb526c34c.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\5de82fc541.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\5de82fc541.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\0ec209697b.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\0ec209697b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa715cab58,0x7ffa715cab68,0x7ffa715cab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2196 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3440 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1904,i,15741164129928812414,18036067825732941726,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5d46f3dec10cdaace2cd189446befaa2c
SHA1c85bc0538e4e479c9081a24106afb9eb9ed551ca
SHA2562db1bfbe1c5713e6656ebe71d9f35a2360d1e08df9bd3e81424ebaf21033101b
SHA512964ab80c7128481bc31c6e5713506d1814ce1a3ed67aad68621a3fdf0557bb87429a39c130155635dfae2504137e6fb75999ed571ceb739c4d3b0d2f0086b7f7
-
Filesize
2KB
MD5edc385504cd9fec6b24bb38a55cd9409
SHA169b8068c2d432f7a2443f7528cea5b7957b996a3
SHA25631fd74941046d774608cb17a914d6be97c994aae4ce3f08b4302ca930f10decc
SHA512ad2b94e500fcbe1b732733df1c6c306b2b78e583bcb5fbaed2cb90ea1f740a12004824dfe0f2dddbbb024f7995c39d418079ad9487ea6fbd372209ec38d32362
-
Filesize
2KB
MD51cb11c6768196dff7c1b26d3f48e0504
SHA178e4a7b56ff1b9ca4318f63d213a36481b1c8c54
SHA256705e9aa8567edb856e8bb3c43c5e5f653d5824ba4ac0765c43f4d3dd15e5aead
SHA5121dfdb914fc176c74483cc0c145b8c0ee8aa57b58b8e3bfd4c15df5fe88b933b46f2481593ab978d2387bf8ad8c614190c5a319f7ab2068026422b69ccf49e3a2
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD501098760078b5ba722e6bcd5c052368a
SHA1fd07a990ee9f8abf2fddf706e1791d9ecedc3ddd
SHA256c4e2e65ee71e64aba1ce30438b95c2f03bcec7245231c54ca1c9114983351bd2
SHA512d542e258e537371f97dc4aca617ea11e38ceed17fa181fa42e2040322b95b3873a145855a840b09738ecc38536e5a594edaf80e8a45d22f1ce72f4b12f828546
-
Filesize
7KB
MD52935864303534054cbdcf24c8716e9ba
SHA12816f0ac9c6c9d03a32816ef28c73ba2cf5cee3b
SHA256a729dc708262d40bd54a9422716dacba3d4c20165b7a0b50ae39a121f9e58d27
SHA51273ea4d5ee1e9efead5c628e59edf1a5b752a8b5df54c08c0fb17384d828065a178878fae79b95e218e4d522c394a1118cc16cc146dc310db8811a2a56d5ce09d
-
Filesize
16KB
MD5e1a357eafdc0a8922a610740375c9c2c
SHA1e4b2f3cd54483c8c5496ca5a720fa99814136a23
SHA256f2bbccb71c0fbb15b2b61804a83b803f565bbab4535d99d423dafaf2abdcc813
SHA512703acfe9191d6190729b99a310a54973cf2e99e12dd4d175a5c2e6c428573307836c011aff2289ecbf28ddccced1fff38bc34fbd8f95633b88b591f8e38f692f
-
Filesize
271KB
MD54ad30622dba5ec8fdd0c40f0f5fdb937
SHA15720cebc87a7318a3e4909af1a6cc1900fc0c72b
SHA2569820f1da80c842b6566f5a877ea2a4209db94ef2995e63cacfca33a0cce9f12d
SHA5129ed0b235715e40ff4d5128fee693c4d186175fd2006a50b7309de80f9672e5ea7828bb0a90dc9299e92bc1fb104361cf6ab25334089c632581bb4d83aadd9d0d
-
Filesize
2.3MB
MD5213e7951851167e0bb9d53275277d463
SHA11886e306ec92af7ac8119f2a12efe836bc1ff80d
SHA25608f07e8b1518ff29821af26422b88c6adb795c058ce48f8d4a23fd5c2b5e1d93
SHA512c1a060d5f3e87fa05bfc26e81e31566a8417b4d402c223a4bd1c36b471e9b034a52e2beca2dfce3a6516558de9420a52b896093cc01e69f7d983ab27f17c1633
-
Filesize
2.3MB
MD51c5cddae925bb6af43bdd29d8eba0c6a
SHA132ddad157b3201834dbffba6a948f480ce7ff7b5
SHA256425c50983953fafa7b7e9966b55cd0283c8d7e017a5ddae5eab4dc51965b96d8
SHA512dc8c495824284ddfd9d9de473853730a0e9a1b20bad8f3ca1316eaf47f140762db6072bd2f5018b1c889038fe28ce6973367e66b4b21ad43d080dc2895f111f3
-
Filesize
1.8MB
MD54621751c3f6eefa29e8d24d472b7fd5c
SHA11ef528e0517c76e2d57740ad070965e982528924
SHA256aa7dbc55de09cbe91dbae7496e2c237194ff6d827fd4af2af4ea56efb526c34c
SHA5128fa13bc0e78e81e915930bcccf8a5c9a2fe3ff31f931d9424ca24348b8b3d003ee65a3fe7bebcae1ac984cb5c5db57795739204d37b59486b7285f6872ab21a6
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB