amadey | 1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5

Analysis

max time kernel
150s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
Size

1.8MB
MD5

81256c2cce3918ee10b9d4192c6d4ef7
SHA1

4dfd228946254af49f9847336a643a0e76abafe7
SHA256

1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5
SHA512

431c3d1ed84050408ae3dd4db7577518689b44ff0a65c4c906700c570547e5b6ebb461d6a9817cb5d56cce3d77d5293f081d0acb7303259e72ce83a92809967f
SSDEEP

49152:9ZCIgaAtOWuP3H8EJ71g+eT+eNmk+/0bzcl:9sZtOl/8cJW+e0Vmc

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	929e7aaf78.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d24d191a68.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d24d191a68.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	929e7aaf78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d24d191a68.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	929e7aaf78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 6 IoCs

pid	Process
796	explortu.exe
2080	929e7aaf78.exe
1812	d24d191a68.exe
3812	explortu.exe
3080	explortu.exe
3432	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	929e7aaf78.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	d24d191a68.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\929e7aaf78.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\929e7aaf78.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1812-118-0x00000000004C0000-0x0000000000A15000-memory.dmp	autoit_exe
behavioral2/memory/1812-148-0x00000000004C0000-0x0000000000A15000-memory.dmp	autoit_exe
behavioral2/memory/1812-155-0x00000000004C0000-0x0000000000A15000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3144	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
796	explortu.exe
2080	929e7aaf78.exe
1812	d24d191a68.exe
3812	explortu.exe
3080	explortu.exe
3432	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636064374643893"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3144	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
3144	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
796	explortu.exe
796	explortu.exe
2080	929e7aaf78.exe
2080	929e7aaf78.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1516	chrome.exe
1516	chrome.exe
3812	explortu.exe
3812	explortu.exe
3080	explortu.exe
3080	explortu.exe
1312	chrome.exe
1312	chrome.exe
3432	explortu.exe
3432	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1812	d24d191a68.exe
1516	chrome.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe
1812	d24d191a68.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 796	3144	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe	82
PID 3144 wrote to memory of 796	3144	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe	82
PID 3144 wrote to memory of 796	3144	1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe	82
PID 796 wrote to memory of 1288	796	explortu.exe	83
PID 796 wrote to memory of 1288	796	explortu.exe	83
PID 796 wrote to memory of 1288	796	explortu.exe	83
PID 796 wrote to memory of 2080	796	explortu.exe	84
PID 796 wrote to memory of 2080	796	explortu.exe	84
PID 796 wrote to memory of 2080	796	explortu.exe	84
PID 796 wrote to memory of 1812	796	explortu.exe	85
PID 796 wrote to memory of 1812	796	explortu.exe	85
PID 796 wrote to memory of 1812	796	explortu.exe	85
PID 1812 wrote to memory of 1516	1812	d24d191a68.exe	86
PID 1812 wrote to memory of 1516	1812	d24d191a68.exe	86
PID 1516 wrote to memory of 1020	1516	chrome.exe	89
PID 1516 wrote to memory of 1020	1516	chrome.exe	89
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 5100	1516	chrome.exe	90
PID 1516 wrote to memory of 1272	1516	chrome.exe	91
PID 1516 wrote to memory of 1272	1516	chrome.exe	91
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92
PID 1516 wrote to memory of 1520	1516	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe
"C:\Users\Admin\AppData\Local\Temp\1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:1288
- - C:\Users\Admin\AppData\Local\Temp\1000016001\929e7aaf78.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\929e7aaf78.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2080
- - C:\Users\Admin\AppData\Local\Temp\1000017001\d24d191a68.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\d24d191a68.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8f66ab58,0x7fff8f66ab68,0x7fff8f66ab78
        5⤵
        
        PID:1020
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:2
        5⤵
        
        PID:5100
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:8
        5⤵
        
        PID:1272
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:8
        5⤵
        
        PID:1520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:1
        5⤵
        
        PID:4212
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:1
        5⤵
        
        PID:1588
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:1
        5⤵
        
        PID:5040
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:8
        5⤵
        
        PID:1452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:8
        5⤵
        
        PID:900
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:8
        5⤵
        
        PID:3540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1796,i,16684991826447366277,17965185568879136036,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1312

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3812

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3080

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
eb2b3144773f7eff07e4842c7c71497d

SHA1
99cbfc32b5b947d07dfb21197352280a57f512fb

SHA256
498054a6b135f7b60bdab0037a8e648b1f157b932a279e989e18b265f166428d

SHA512
48f7b5e5029db8a12d2b946c92162ac0e32c66f2ee0c109d507061263f886a99c3fa0be38e49b7998a2cd97d2ba322ae54c14d6ad23655222be61873448684d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
802fb7e0a03f55e10888b250ca47aba5

SHA1
05ef823a58dfff6fb32dbc1133da8d9585f0975f

SHA256
d62fdee3570d6ece8b74a0ad04d006cfab4db8a62d4b96af87ada9d5a0a7ebde

SHA512
d38a063ead39ee78ea4e7b82c148ef57c0177295ccfbec858ab9a01fabe618e24476dfbbad3235aac57f97d43b89f9f2e85b4173572d86be97428e502750e4f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5d44639ffef1671d7fe502eaf1d6acb5

SHA1
9f0c2d49d607962d9f4b685832604ecea597a5f7

SHA256
24ebd12d76680d9843bb44f7186a6c6bdb95cb2d319baf950d958a8e619f8058

SHA512
3290003f5ec305300c42d3477dad00efb425906d1cf57c1a5f60939527b944ce568dc21eb027a70a489bf4a23767c0f54a1bdbb1d98d322ecde410a54ba35dcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
ac5f8b1a7d72e372a077812fa40cac04

SHA1
f13dbfcaa050a742743342163559202ca7b0dda3

SHA256
47570e54260b7ed6557f933c5b0a528cd770394fc2faf3d4d5e0f93929cd68c7

SHA512
6a08084dd4d5a1ac2fd09b5dc395f8c6e2d89cdb5f70b1f98fa8966fad8460df062d19c781554727a7f18b3fc0010c02c5be90a0c87bda1cb388e1cf26b14351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b888737ec96eabacda87aaecebb877ef

SHA1
20350e2548fa6a2766fea24d8a5085a6be94fc86

SHA256
0fe76ee9ec98e4c944517b914175e984b3ac20f7ca9df24d5966400554527747

SHA512
316cbaeb2b7b0983dad44d6ec3230cc89cf7cf42754576c2289191d621e4541993129d71a17336f70549c1865bc127ad2891f038838812d12d04e05cde7c2a63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2ee4a61436d98e62227cfd693e7a36d4

SHA1
bd7cffaecd703fc036185d4d5697a5dc3bf22ea1

SHA256
52b69a733e89a98ed491ff998fe47ca72cb1f4b931077d8d1c810f53a686fa97

SHA512
359e52bb8797d08d3b86eff939650a62378f2b6371dcdadfb73b66e5541adc06b08aa9a68ba3984bd9ee9bb921766ab3679ac2e1f239af64b77ae846a8cd5127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
279KB

MD5
838afceb7302c353b1eb04d1a18f6df4

SHA1
126af898036162db5812530c75b7cc29593b1929

SHA256
2efb0135ef27e9126260cbc09353dbae8eb7006994093f074fbbd971a4999d1b

SHA512
0294e9a8580e3684dde759fc6d96a2211349ec100b95594f3c7d279dd9d45f05c055398bcea615c96db1714e043995d9d3cf29fcd4b1b1c37f1d464a4500ebfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\929e7aaf78.exe

Filesize
2.3MB

MD5
8b6eba5bc07eb45859edc62fbaa50e37

SHA1
790c7094ef46f142160de5ff9ee584e48a7402d6

SHA256
a784f924eb3d2045a30fec2d9b94f239d64a30d0b7e70d3e263ab7754bd5c48f

SHA512
eeb60036582822fa61de73dfe46c7e3422bb066b4b7cd763d30c3439be8523dd27a8de96adb820425bda157988e78637fff06828dba96d5261a262111cf48482

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\d24d191a68.exe

Filesize
2.3MB

MD5
21e0e1ce0e48745e57f3b3cafbf33097

SHA1
46ec98d432c605c9dedaa86358244bce0d4c3cf4

SHA256
a55746c4fa3d1e97ca93094573c760e5974eba24f34b08c8d8284f87c8deb69b

SHA512
4d44e48db147747c7140a1a8649cf46b5963a36fcd0fd802c53bd2c4112c5d744a99f33f3f47fe7d806de5296558a97728e06bc0affbd1cd6582045ae6721330

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
81256c2cce3918ee10b9d4192c6d4ef7

SHA1
4dfd228946254af49f9847336a643a0e76abafe7

SHA256
1b7077a87fd3b8dc0ec016015b9cebbae34710bac69f08ed6268eaaf7832ffd5

SHA512
431c3d1ed84050408ae3dd4db7577518689b44ff0a65c4c906700c570547e5b6ebb461d6a9817cb5d56cce3d77d5293f081d0acb7303259e72ce83a92809967f

Download Submit
memory/796-193-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-18-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-168-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-21-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-20-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-107-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-114-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-221-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-208-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-201-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-154-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-119-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-19-0x0000000000141000-0x000000000016F000-memory.dmp

Filesize
184KB

Download
memory/796-157-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-199-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-137-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-138-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-197-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-195-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-173-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/796-170-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/1812-148-0x00000000004C0000-0x0000000000A15000-memory.dmp

Filesize
5.3MB

Download
memory/1812-118-0x00000000004C0000-0x0000000000A15000-memory.dmp

Filesize
5.3MB

Download
memory/1812-155-0x00000000004C0000-0x0000000000A15000-memory.dmp

Filesize
5.3MB

Download
memory/1812-60-0x00000000004C0000-0x0000000000A15000-memory.dmp

Filesize
5.3MB

Download
memory/2080-156-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-147-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-42-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-169-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-222-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-171-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-146-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-174-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-113-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-209-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-202-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-200-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-194-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-158-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-196-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/2080-198-0x0000000000790000-0x0000000000D8A000-memory.dmp

Filesize
6.0MB

Download
memory/3080-178-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/3080-176-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/3144-4-0x00000000006C0000-0x0000000000B78000-memory.dmp

Filesize
4.7MB

Download
memory/3144-15-0x00000000006C0000-0x0000000000B78000-memory.dmp

Filesize
4.7MB

Download
memory/3144-0-0x00000000006C0000-0x0000000000B78000-memory.dmp

Filesize
4.7MB

Download
memory/3144-2-0x00000000006C1000-0x00000000006EF000-memory.dmp

Filesize
184KB

Download
memory/3144-1-0x0000000077C76000-0x0000000077C78000-memory.dmp

Filesize
8KB

Download
memory/3144-3-0x00000000006C0000-0x0000000000B78000-memory.dmp

Filesize
4.7MB

Download
memory/3432-211-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/3812-117-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download
memory/3812-116-0x0000000000140000-0x00000000005F8000-memory.dmp

Filesize
4.7MB

Download