Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
24-06-2024 02:27
General
-
Target
98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
-
Size
1.8MB
-
MD5
19030cec80e83963c6cf09fcdda61543
-
SHA1
5cd0333a24ed0a81c535b735b9caec28c427ce6c
-
SHA256
98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154
-
SHA512
474e8f4add612ac5115bd0b53a997e117e5e135cf623be2675a094eb83bb5044640a32a103e101cf79755e6004a7730de76b038be9cb7b362fd4268f090beb70
-
SSDEEP
49152:NznMhhXu4TCudwwWrC65ZVKejrhWcNPOp64yxXlyVsrqCe9MS:NznMPdxWrCu3Pg2SAyfLM
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe"C:\Users\Admin\AppData\Local\Temp\98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\b03c361bc3.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\b03c361bc3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\ebecb7affa.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\ebecb7affa.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9c2bab58,0x7ffa9c2bab68,0x7ffa9c2bab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4236 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 --field-trial-handle=1892,i,12170917580663389387,956701436097028485,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD55005979d2e4678d9ecff3be0c1475e10
SHA18ff2185c2ee0a854871b2498b280f40867fb0747
SHA2566cf3b113285465c8b3803dd07ecdf136ed07124db3a546ff86a7379f3c7e77d7
SHA512dc365b493e2b9493a44b5908eca5df4162248ae0ab68d38352d487312583bd9ce3120b27a9ac720c30fd080f1a82a2d70b82c9facd6f1877bef6c6a511de163b
-
Filesize
2KB
MD5075ebfc4ede543d37ff2285695c28431
SHA17759c34d819ae65b2c86c830cb5c5f6d58683f49
SHA2564d65266d1bfe184b9887bf540fdd0b20583b02d9b7d7339a13bfe5ba9b6b7306
SHA5123c7c8bd7b6b184318ef0860bd0e61ffe835d7bb696e1807a2fc5fecf85ee565ea4c6090ceecd434d2fe735019f72daccb75d90dd66f131f60eeae7aab1aa4159
-
Filesize
2KB
MD559cae1986a131286e4aa7d5680200a7a
SHA1698b80bc62b0c7838892f174781cce47ccb49ffe
SHA2561407ea6e3e84c93b5cce35bd591e80637acc71b643da47372f2579c5539f4be6
SHA51285a90142817ffe8f57a32b52242680587af4c093320a5cbc7166cf218bdb354408a8d5303f64dcaccc60a783caf6d9ea663ba9a6dffb18979d9571a39254ca36
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD5b7893aaafd0696c99d88c04099a41834
SHA16881d8f4ec8e8111e6f451ad7134cb548559253d
SHA2563c8ab8e795b7129a961ef34c352876e32a152bb4ba705e8fbaa355a70c2b4d54
SHA512fdd46508285713931346e229f6642f88e8f1625e90fe050cb49dfa44619f4d3fafcbb6952d2522b507d6c30c408b8e79befdd4f566ac6b3cb18231330f583a7c
-
Filesize
7KB
MD527c29c664e293d1f082d3c642276c430
SHA11525e081137f76845f6748ddfe1a4eb790f95c35
SHA256d7bd10fa6b3a00f5ac72eb0fac144913de3833ba6022eb8448d81435cb3df601
SHA5128ef207bf170831b1773bc4d66164169db05d915d7a4039b2e3103dfe8aa1a4212c8786ff590145c539e7215474287e591d93fbe585b8860099a1781881ede003
-
Filesize
16KB
MD555cb1e5bfed00182a88913e5ee77d5d2
SHA1522b783e6cf6d39e779f6b31c29caa6054822408
SHA2564f3c7eb2431b5acbda5e6a9c2ae3d2f8cede104eabc7c55cc099fdbe71bd1a41
SHA512ae62dbfdd24552564db92cabece42a80a78f05c2160e93fbdc7599558a42d9d601e2d27b5f2bf403700ee4877c733066e3235fc57dcd9860228c428711d6afe8
-
Filesize
279KB
MD56c2aeb34cdbcc7df3256cfa875928faa
SHA15145139f6a21cda63df50d778cbd433b75e0fad2
SHA2560647289185dc692c46c875e07642566ad395596eec02d4ead0d2644c3b298659
SHA5120d060e0f169036af1d621c281ba04032760a8532206eabed050c56771b85796059b65f48985bc544449a63dbe046fdaf1b02835e497842b401a5644302a42aab
-
Filesize
2.3MB
MD577f8d7d9467a0e4efecd16ebc7ddbc64
SHA18ddd616a43df01a63e4405e35e931de0abc0bd27
SHA256787650677b73c6a1012d4b1429e874b0eddae20aaa3c5f820b6d5aed08a487ce
SHA5126809fdf7b9ddf5025a1d14a3f242166e770f4f76139722be4a7dbe34db1c063b8ebc021e43ecdf740cf026f3859cd28174f0612eb74b3c9d62fe3d7dc3ceddf8
-
Filesize
2.3MB
MD58ac2bc8851c15af9677f5f384f1cd52a
SHA16f123b66a4e149771e80dd6dd7bdb82fb806628c
SHA25691a0dd153fe8b3782bf853f2647c82384f383567ef7036ca0ef8ee777692baf6
SHA5122437913db1ee6cef2e3d975a1646eb9369d2d367e4f9851f524fb1b9b7d3eb53201a1c33b73793d41ea566470a435b463d2abc22820487d32ba50adb498439c5
-
Filesize
1.8MB
MD519030cec80e83963c6cf09fcdda61543
SHA15cd0333a24ed0a81c535b735b9caec28c427ce6c
SHA25698ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154
SHA512474e8f4add612ac5115bd0b53a997e117e5e135cf623be2675a094eb83bb5044640a32a103e101cf79755e6004a7730de76b038be9cb7b362fd4268f090beb70
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
2.0MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.0MB
-
Filesize
4.8MB
-
Filesize
2.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.0MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB