amadey | 98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
Size

1.8MB
MD5

19030cec80e83963c6cf09fcdda61543
SHA1

5cd0333a24ed0a81c535b735b9caec28c427ce6c
SHA256

98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154
SHA512

474e8f4add612ac5115bd0b53a997e117e5e135cf623be2675a094eb83bb5044640a32a103e101cf79755e6004a7730de76b038be9cb7b362fd4268f090beb70
SSDEEP

49152:NznMhhXu4TCudwwWrC65ZVKejrhWcNPOp64yxXlyVsrqCe9MS:NznMPdxWrCu3Pg2SAyfLM

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac87b88c30.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ebecb7affa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac87b88c30.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac87b88c30.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ebecb7affa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ebecb7affa.exe

Executes dropped EXE 6 IoCs

pid	Process
1604	explortu.exe
4760	ac87b88c30.exe
1176	ebecb7affa.exe
4740	explortu.exe
3556	explortu.exe
4744	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	ac87b88c30.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	ebecb7affa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\ac87b88c30.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\ac87b88c30.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1176-117-0x0000000000510000-0x0000000000A77000-memory.dmp	autoit_exe
behavioral2/memory/1176-147-0x0000000000510000-0x0000000000A77000-memory.dmp	autoit_exe
behavioral2/memory/1176-154-0x0000000000510000-0x0000000000A77000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
3120	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
1604	explortu.exe
4760	ac87b88c30.exe
1176	ebecb7affa.exe
4740	explortu.exe
4744	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636696823971022"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3120	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
3120	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
1604	explortu.exe
1604	explortu.exe
4760	ac87b88c30.exe
4760	ac87b88c30.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
4332	chrome.exe
4332	chrome.exe
4740	explortu.exe
4740	explortu.exe
4908	chrome.exe
4908	chrome.exe
4744	explortu.exe
4744	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe
Token: SeShutdownPrivilege	4332	chrome.exe
Token: SeCreatePagefilePrivilege	4332	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
1176	ebecb7affa.exe
4332	chrome.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
4332	chrome.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe
1176	ebecb7affa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1604	3120	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe	77
PID 3120 wrote to memory of 1604	3120	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe	77
PID 3120 wrote to memory of 1604	3120	98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe	77
PID 1604 wrote to memory of 3884	1604	explortu.exe	78
PID 1604 wrote to memory of 3884	1604	explortu.exe	78
PID 1604 wrote to memory of 3884	1604	explortu.exe	78
PID 1604 wrote to memory of 4760	1604	explortu.exe	79
PID 1604 wrote to memory of 4760	1604	explortu.exe	79
PID 1604 wrote to memory of 4760	1604	explortu.exe	79
PID 1604 wrote to memory of 1176	1604	explortu.exe	80
PID 1604 wrote to memory of 1176	1604	explortu.exe	80
PID 1604 wrote to memory of 1176	1604	explortu.exe	80
PID 1176 wrote to memory of 4332	1176	ebecb7affa.exe	81
PID 1176 wrote to memory of 4332	1176	ebecb7affa.exe	81
PID 4332 wrote to memory of 340	4332	chrome.exe	84
PID 4332 wrote to memory of 340	4332	chrome.exe	84
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 3476	4332	chrome.exe	85
PID 4332 wrote to memory of 628	4332	chrome.exe	86
PID 4332 wrote to memory of 628	4332	chrome.exe	86
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87
PID 4332 wrote to memory of 1412	4332	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe
"C:\Users\Admin\AppData\Local\Temp\98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:3884
- - C:\Users\Admin\AppData\Local\Temp\1000016001\ac87b88c30.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\ac87b88c30.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4760
- - C:\Users\Admin\AppData\Local\Temp\1000017001\ebecb7affa.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\ebecb7affa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff98311ab58,0x7ff98311ab68,0x7ff98311ab78
        5⤵
        
        PID:340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:2
        5⤵
        
        PID:3476
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:8
        5⤵
        
        PID:628
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:8
        5⤵
        
        PID:1412
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:1
        5⤵
        
        PID:2196
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:1
        5⤵
        
        PID:2352
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3484 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:1
        5⤵
        
        PID:4604
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4204 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:8
        5⤵
        
        PID:1616
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:8
        5⤵
        
        PID:2676
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:8
        5⤵
        
        PID:592
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 --field-trial-handle=1924,i,18415526312425620510,17781033807615521046,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4908

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3556

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7a565a0890169b5e7bd9031f13d7c614

SHA1
779d0e8da0fab4bfcb77e6377d686393ef3866d5

SHA256
36a0de98728178a274f74453f14f7594761ad188cf4759879c7d2dc01825cb2b

SHA512
6cf707c96aba2ff0d84eeb62275ac7044afbc2369c3e712bc9601aeb2afe84674440e9f3b58f31831ddb4962af328baaf3292bf3c7e01eb1ee2fb35b52120734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
96911358b1de0600088a6e306182a7ad

SHA1
557fce60ba0253041ea583b2b2fc01aa3c4a22bf

SHA256
7f000df08b9079e8fd2750803ba6d02a4a65f87d702e2366e8ef6eaf49f77235

SHA512
fb16d516171ff8936e897c2891a2666b08aad5a678abd83c0ef59617895aa9d0c366b0c132d2892a16388c2ea04589a98707cf97a79dc008224faee3acfe9621

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
bef154a1e7c90a1ba4699630cdddd311

SHA1
7912969565e050a9e5b1490aa3b1311f081e01ce

SHA256
65997a4c61f9234749939ecd29fcb13ddb848dce3566fe4a7a41392739ddc143

SHA512
cebabd156b1f0c882926f0efb4b2cbe323fcc5aa67e6065034a8a67b2909ce91c2357141c5825d8b20227fb365a91283c8ae0f486a7ebdea1eff11a0459e116b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
eb3c4f1aef2934cffeee08ce07d0afd1

SHA1
9ae2d82f02086a0e4d6c3a3216b07df8b715d8c4

SHA256
f6e0f9bf77592c4575ff20e394789c25bcdcf43d208afbd11400c0408d8f7071

SHA512
0156501457110bb64eb633b62cd203e086e7cef68b4eeb8b72c2ff45df51729882d44cfc8bb42dcd0131e10ee3a83285dfe994e358787b6eab99f25aab255823

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ef92761367747c379443d07a84b64736

SHA1
38cc994ea22cc0f54fffb2911f1f1b7337e662b4

SHA256
8ae1d773aca89d950d22b59acb79198f03d846f7a53b7d9c2b50cc369a113c22

SHA512
71015a26d26af3733938e2364ef702a1786a07adc840949ff2e9b0f8d8ff787d8aa3f21611d9b3904bba43cf2163bcabdbea1cb31b94ef81f235fb0f686589c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
08a5f7c1ea00308ba609f37f1b51ea8f

SHA1
326e52d19e74742d3a13ceab673dde882518aa1b

SHA256
eeb81b4c98082a5de7359014c8d87acb9f7a241c90b2b46180812b246ea8eea4

SHA512
e84e41248049d54ab6bdd2a19e78f290f649eb57ee3e31d944ad175187f2fee90cc8df7061515cee879fd28af70fab487d91311eef7c19a056583808378db4db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
271KB

MD5
1734b0aaac5b50e0f469b4d38cf3b9f9

SHA1
35c86f8e48e2426556a3123ca9da255fa09e261b

SHA256
29877d0a3d588747ae8b0ee5a8ecb28db08c7361fcdb8decfdd07f24b3b194f0

SHA512
029a8ae1c69503d21300cb5e8b0a5ea3bcebef9f1c590f03ecfb0b0f975f5dc69f3f335779313564cf753a2a996069d625215b95e43a5bc45a680a6afdb45a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\ac87b88c30.exe

Filesize
2.3MB

MD5
77f8d7d9467a0e4efecd16ebc7ddbc64

SHA1
8ddd616a43df01a63e4405e35e931de0abc0bd27

SHA256
787650677b73c6a1012d4b1429e874b0eddae20aaa3c5f820b6d5aed08a487ce

SHA512
6809fdf7b9ddf5025a1d14a3f242166e770f4f76139722be4a7dbe34db1c063b8ebc021e43ecdf740cf026f3859cd28174f0612eb74b3c9d62fe3d7dc3ceddf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\ebecb7affa.exe

Filesize
2.3MB

MD5
8ac2bc8851c15af9677f5f384f1cd52a

SHA1
6f123b66a4e149771e80dd6dd7bdb82fb806628c

SHA256
91a0dd153fe8b3782bf853f2647c82384f383567ef7036ca0ef8ee777692baf6

SHA512
2437913db1ee6cef2e3d975a1646eb9369d2d367e4f9851f524fb1b9b7d3eb53201a1c33b73793d41ea566470a435b463d2abc22820487d32ba50adb498439c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
19030cec80e83963c6cf09fcdda61543

SHA1
5cd0333a24ed0a81c535b735b9caec28c427ce6c

SHA256
98ed1771901a3b0eaa770213164ce9ee832046b77b72a7d5d43d756ab391d154

SHA512
474e8f4add612ac5115bd0b53a997e117e5e135cf623be2675a094eb83bb5044640a32a103e101cf79755e6004a7730de76b038be9cb7b362fd4268f090beb70

Download Submit
memory/1176-147-0x0000000000510000-0x0000000000A77000-memory.dmp

Filesize
5.4MB

Download
memory/1176-117-0x0000000000510000-0x0000000000A77000-memory.dmp

Filesize
5.4MB

Download
memory/1176-60-0x0000000000510000-0x0000000000A77000-memory.dmp

Filesize
5.4MB

Download
memory/1176-154-0x0000000000510000-0x0000000000A77000-memory.dmp

Filesize
5.4MB

Download
memory/1604-167-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-195-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-191-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-172-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-169-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-19-0x0000000000181000-0x00000000001AF000-memory.dmp

Filesize
184KB

Download
memory/1604-118-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-20-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-18-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-193-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-136-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-137-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-107-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-211-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-206-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-197-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-156-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-153-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-21-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/1604-199-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/3120-3-0x0000000000DB0000-0x0000000001276000-memory.dmp

Filesize
4.8MB

Download
memory/3120-0-0x0000000000DB0000-0x0000000001276000-memory.dmp

Filesize
4.8MB

Download
memory/3120-2-0x0000000000DB1000-0x0000000000DDF000-memory.dmp

Filesize
184KB

Download
memory/3120-5-0x0000000000DB0000-0x0000000001276000-memory.dmp

Filesize
4.8MB

Download
memory/3120-17-0x0000000000DB0000-0x0000000001276000-memory.dmp

Filesize
4.8MB

Download
memory/3120-1-0x00000000772C6000-0x00000000772C8000-memory.dmp

Filesize
8KB

Download
memory/3556-174-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/3556-175-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/4740-110-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/4740-109-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/4744-208-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/4744-209-0x0000000000180000-0x0000000000646000-memory.dmp

Filesize
4.8MB

Download
memory/4760-145-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-198-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-194-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-176-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-200-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-157-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-192-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-155-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-196-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-42-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-168-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-170-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-210-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-146-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-116-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download
memory/4760-221-0x0000000000BF0000-0x00000000011E2000-memory.dmp

Filesize
5.9MB

Download