Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
23-06-2024 05:02
General
-
Target
2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe
-
Size
1.8MB
-
MD5
c7a009c46b4fe26f2096f60bed34ec5c
-
SHA1
c234aaadce392af45117566af537133be7e36ff4
-
SHA256
2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68
-
SHA512
c02238e9d104439be653d6843528b0ecc878ccb35281d6645c1ac42fe6213098b77d391d61441c0bed4e4c59bd4a3f29fdb569caefe1ad691963fc24230676db
-
SSDEEP
49152:+u19N7vN2Vmn+E3czo66sNohI1hCclz7vYFfy:+u1hIBAUo66sNohI1hCk7AJy
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe"C:\Users\Admin\AppData\Local\Temp\2b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\0081b1e46a.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\0081b1e46a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\dc703a2869.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\dc703a2869.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadbdbab58,0x7ffadbdbab68,0x7ffadbdbab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3588 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3268 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2592 --field-trial-handle=1880,i,13007895573243677560,16376783665553185552,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5169e0cb37596cb160000ad0d644ea023
SHA18b7db783d425234a69510c34c95bad78fc12bff8
SHA256a91901ab38bb50f85d650a1331f967d117dd370ef6331675a4caad8f5d96f9bc
SHA512e0bbae1e6c1821c657a2f6eac216e1f099d028bdb5d9c0504c2dabe2f37359e7d285cf883e0d7622f54880aab97a5f9e020cae191fe86eb765cb8f55cd1e503d
-
Filesize
2KB
MD5afa2eb9593cab07575eb1264fedb167f
SHA19e5f594092962a1ac813a40810a67a98364f7ad7
SHA256227beea6822e114c5c62d6e6940b5aad8d00cfb57a13ccba207924575cf1e688
SHA512f118410f07175d21a56df6abd932d1faa531dc5eae31f021ef280555fb160cffcb276338c99f68ac2623599f1f529cffe6dfd2ed853929ac0c27a203aa2ae90a
-
Filesize
2KB
MD55bdc1f4425b76ac89be30f7649150af2
SHA15fc3aa2e9500fdf7f35f6c0d04159208743a83af
SHA256b4ad349e0ad1028abdf37d4e5eee9910a1a36d0ed9fcc750ba0a0fab61be3509
SHA512bb9d6469fb67a675d5ddda5fd0f9cd144baa5b59c8146409d4f02323a0a28ba5c03cd62485840b4f678d451f364d4a7a03f384292105a191f05aeb61286bd26c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5852075456aeae051ec48a1ace32cdf76
SHA1589c224d483a873084a0e4067a22e264755b085c
SHA2563e356079c85e08b6b751c024cf89a1531aaca91425cabfd6f35efeb7d4324785
SHA51259b1f9f327584bc814669935b913bb9382b4bae224893db091af18e19613df7988dff37c7232cdd58b2d00c51d5956635c4ac70303ab54505dc5e8783148f755
-
Filesize
7KB
MD5b9152d896b5d2d929722d7d52b484741
SHA12210be9b5aa6afdbc34fe3d6e0c5a660ec7a490f
SHA2567dda5df636e2fccb11edd6ca742fe39828ec9758d0f9cd4c9f10d5c2746980d2
SHA5124d6f22921dd572e2873e30608df78efa30785170858e0e4a0b1a88097628b663865881fa66daa9546f35d7b27a9d392b813cbf42d8c24f713636d750f4d50456
-
Filesize
16KB
MD584d25c261a43c08f91c74b05f1d2d427
SHA1e9111a98e4f5b41ffae75b870254d563bd3b1184
SHA256f48bc30fc4fd2525f814b1958bae8c559d8cee4088678b6f2f00fd31daaa551c
SHA512db858696414fe95f4a3f3bb640a14ce48519cceaff375aef1cdd4d0d10c68134581bdd700c00e0f56610bde59349ffcd2c7ebbc6ce3ddbe4741fdd63530cb908
-
Filesize
279KB
MD51c6b0e491684ccee0d39aa72d407b973
SHA1bdb8dd5d3f14ac773b7810a066ca6b71eea13d26
SHA256fe00b0c16ed7166fc5cae3a43f5dc88c9681ffb4b6c5081d1217225f0ee0a957
SHA5125749cec37f4bb79f2d8a80b2d78457ee38d7bd58c09873e048e478269b9a607f947844580d88ce5f7c2ffeded9cbec817f353aef8415d2cfea55606691f41fc9
-
Filesize
2.4MB
MD54793141479e5bf1b051e4ee32644c502
SHA1efc700b401b6dfa0facf9836f6a16f35ddcc0690
SHA25648e4cb62fb5f994fb229e18f3f237d3a55cf84ae3934908b34a58cba1fdbaa4c
SHA512a077f404ac1fcd80c6169aa64d33b18a96ea8d0196d9d109cae8bb5da2a698d8683a9e6168ec502d1d203af2af69fb4a2a41a62375e173cc95ef05893595ae84
-
Filesize
2.3MB
MD5d73636e05ef7b39f35123cff48ef22ee
SHA18202c02a82f7c4a94122bb3b98810c739f020bae
SHA256c0dc88cc34916d03aa1236957cb78601af4b565bd2e604f1f6678cc47e70c2e2
SHA512f14b152c732e4798a29882097ca87d56a1ba18484e3c67d2d49f4ba51b01c4f4bcde04ced09112c87cc9a16d17ceca818ccb48d2f6026a2415799ac91d93c31c
-
Filesize
1.8MB
MD5c7a009c46b4fe26f2096f60bed34ec5c
SHA1c234aaadce392af45117566af537133be7e36ff4
SHA2562b52418e5a5758f5b219c8fb61afccd97672a058f533541d5632fd149797fa68
SHA512c02238e9d104439be653d6843528b0ecc878ccb35281d6645c1ac42fe6213098b77d391d61441c0bed4e4c59bd4a3f29fdb569caefe1ad691963fc24230676db
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB