Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
23-06-2024 22:52
General
-
Target
1a70d50051e700d960a0b4dce9dcd5f81ddf76066b617a99fdaec7131bc713d0.exe
-
Size
1.8MB
-
MD5
9bcd44d1f00d63d7e63f6d09c3d49272
-
SHA1
a950dbf3c9e28e41dc06bc660fbaf5645117e235
-
SHA256
1a70d50051e700d960a0b4dce9dcd5f81ddf76066b617a99fdaec7131bc713d0
-
SHA512
64afbefad0cf4ed887720fa34486a8ae62d2eed44598882fdf939ad936e8b957fd60303a7c5e85f06a157f88b17727b0f5ff1a1fb6ebc59fa44997f089349ec9
-
SSDEEP
49152:efu2rNnYRV5WA3OSoeg1Y868YzCE2aqlEI/x5NIEii:eryRfp+XLx6nl3qrX6V
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 61 IoCs
-
Suspicious use of SendNotifyMessage 59 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a70d50051e700d960a0b4dce9dcd5f81ddf76066b617a99fdaec7131bc713d0.exe"C:\Users\Admin\AppData\Local\Temp\1a70d50051e700d960a0b4dce9dcd5f81ddf76066b617a99fdaec7131bc713d0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\9d1eeb57cb.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\9d1eeb57cb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\a4fcb6916d.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\a4fcb6916d.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91a01ab58,0x7ff91a01ab68,0x7ff91a01ab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3008 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3016 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4180 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:85⤵
- Modifies registry class
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=852 --field-trial-handle=1900,i,4273629382256546020,3194530343349314265,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5c7f331010abeb60549266a0e8ffa3da9
SHA1b3f9712db433a643c115888268dc8fce718e9b37
SHA256d4fa2985019b173c68aca16d9d85087a5765b3a1437fc147f0b7328aa0cb50a1
SHA5129b102b4d81ce9ff09a7b1728d99a4b82f8420ffc5c3889e61816a2c1091f87a69d872906c82b2a779daa54ccc6bf8e734d16093b706be4ba2bc15761fd910237
-
Filesize
2KB
MD54c9c6e020fedf0b264637aa0efaa88c4
SHA1a502fe36fe2a1dad7d7e33e4998c3836dad01b1b
SHA2568155194ab74924ece1c7bb886e9bf2c0deb869763751bda32525d597e9a0da9e
SHA5121f214a87aeb63221e9afc98ce560b02f33df883c36bfd1f3669886a158dfd3da68c9146554f5ac2b029f179aec993513909a993a9ee474c72f3fed5a391c129f
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5725f26d1f19604aea9deebd6e76d982a
SHA14e272e6acf258dcfa0c88b021e5950067e2a9ccc
SHA256136c968c91296f468e72cec3d1557d5bf1cd032c802bc1da627332df5ebb553a
SHA5128bcaa889b8218cc96c57ec99e3a390c8485d1a03ae155bd0dfa906d6acbccdb3867f4498ba1d2f63e0c567c5c82bd5f3c39585356437344a989cb6fb7d9260b0
-
Filesize
7KB
MD560b4de6ca1118870c5e369f4b8e3c612
SHA1a219da1cfd26f06b577310392e5bcf60879b57f3
SHA25686b5db5bb5bc3b5c00591f7ac73da3751b33f2e3e0901ca5e36bb92e5579a51f
SHA51205383fdf066a685edc34f4f728662a4e18d11d2981b3f79832997939b68dc61c405b41eb46937ab890c2fe3375dde92112a513e2291c12127fe5acd44bcf1a9e
-
Filesize
16KB
MD59101d466ce717ea32f78f1098873a627
SHA153eb1445129264bbec5d99b70464a11e3e2c6a92
SHA25681dd90c6d6ba060ebfa8245c2ded10526ec06fa14fd43c46fd5bedfb12b6ad75
SHA512611065144bd2d591ad23503b46c6f408054ca8e621de1ddf34929ca462a876045bb5b16ed16a9131cf9d8d11241344b326e11cdf36207815dff8b95f6afba2d7
-
Filesize
279KB
MD5cc9ad8d3d977bd8be4c6d8f17627817e
SHA148a13dee9813f8fa146dab6dd3758ea73e1a37b8
SHA2560cfac09e5495cb9c7e6e2044f10442112302ccea3f2bcbebb7c1ca4d23cede4c
SHA512b90cef2b80ed122a9f73f66d1f22cdbb88784feb99c89cfcdd57c3e51197ed7ebcd8137082eeace5fabc88006ba47d470293eb6dcc6a1ad1136a52134fdf7050
-
Filesize
2.4MB
MD5fedab1634aab14226774907c3834e775
SHA1198357ed2f3772f56573c254753a2c7f621a9c27
SHA2565d7d2fac3b0ee2da5d32ab67a6d9b2961aa94f8b598d7b2b6b02fbf87fb33b25
SHA512916c5eb428664cdfd8becb45a69e411f4f6a327ab577cdc87228ff5e5c1cb53c407baca9ba9e6bd1452d7c9434c22da23cc18c27007244f9f0a2a927158fbbcb
-
Filesize
2.2MB
MD5783d2e1bd21598ace9f11de6a48a87a5
SHA1ebc95ad120a60fa2008336f92c9d4176a4129e89
SHA256e8e886949270adc21171f3da304ce0fd4374ad184af9f72dc63d1bcced3b0bbe
SHA5124fe1e1c40337006349d3c1773c585fe5c7276638f4ee126b1b4f59f79ee9bc0fd3544b7707617d57ed6418a9606bf3e5808c2f8dd20e39bddd1ccf348509a700
-
Filesize
1.8MB
MD59bcd44d1f00d63d7e63f6d09c3d49272
SHA1a950dbf3c9e28e41dc06bc660fbaf5645117e235
SHA2561a70d50051e700d960a0b4dce9dcd5f81ddf76066b617a99fdaec7131bc713d0
SHA51264afbefad0cf4ed887720fa34486a8ae62d2eed44598882fdf939ad936e8b957fd60303a7c5e85f06a157f88b17727b0f5ff1a1fb6ebc59fa44997f089349ec9
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
5.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB