amadey | 5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
Size

1.8MB
MD5

57417c027a4140c3e5def85c31b40a17
SHA1

250b272d82e258046f49df98b076d181b87fee0f
SHA256

5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00
SHA512

48f25aea42c92753d380c97a81ba3b3838ba65b6a48a97ff01bfb359e8c673bf94f68c196ce3b834f9f510edad95fae7829131557a9a464e63fa7adb9b7a086b
SSDEEP

24576:evUUu7weBzsyDb7y19RdBcUeraJMD4ZVDDhKh66Q0EhQm8Wttvkg13Il2fMG5Ptb:0uLBvwcUCO22DDY63bFqg13IkVEei

Score

10^/10

amadey risepro 0e6740 evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Extracted

Family

risepro

77.91.77.66:58709

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4bb9af0e5b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ddc011057d.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4bb9af0e5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4bb9af0e5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ddc011057d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ddc011057d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe

Executes dropped EXE 6 IoCs

pid	Process
3324	explortu.exe
4824	4bb9af0e5b.exe
1984	ddc011057d.exe
1316	explortu.exe
4968	explortu.exe
4540	explortu.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	4bb9af0e5b.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	ddc011057d.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
Key opened	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Wine	explortu.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\4bb9af0e5b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000016001\\4bb9af0e5b.exe"	explortu.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1984-115-0x00000000005E0000-0x0000000000B4C000-memory.dmp	autoit_exe
behavioral2/memory/1984-148-0x00000000005E0000-0x0000000000B4C000-memory.dmp	autoit_exe
behavioral2/memory/1984-155-0x00000000005E0000-0x0000000000B4C000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
3144	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
3324	explortu.exe
4824	4bb9af0e5b.exe
1984	ddc011057d.exe
1316	explortu.exe
4968	explortu.exe
4540	explortu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explortu.job	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636971498474730"	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3144	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
3144	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
3324	explortu.exe
3324	explortu.exe
4824	4bb9af0e5b.exe
4824	4bb9af0e5b.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
5116	chrome.exe
5116	chrome.exe
1316	explortu.exe
1316	explortu.exe
4968	explortu.exe
4968	explortu.exe
2872	chrome.exe
2872	chrome.exe
4540	explortu.exe
4540	explortu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe
Token: SeShutdownPrivilege	5116	chrome.exe
Token: SeCreatePagefilePrivilege	5116	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
5116	chrome.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
5116	chrome.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe
1984	ddc011057d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 3324	3144	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe	82
PID 3144 wrote to memory of 3324	3144	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe	82
PID 3144 wrote to memory of 3324	3144	5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe	82
PID 3324 wrote to memory of 4804	3324	explortu.exe	83
PID 3324 wrote to memory of 4804	3324	explortu.exe	83
PID 3324 wrote to memory of 4804	3324	explortu.exe	83
PID 3324 wrote to memory of 4824	3324	explortu.exe	84
PID 3324 wrote to memory of 4824	3324	explortu.exe	84
PID 3324 wrote to memory of 4824	3324	explortu.exe	84
PID 3324 wrote to memory of 1984	3324	explortu.exe	85
PID 3324 wrote to memory of 1984	3324	explortu.exe	85
PID 3324 wrote to memory of 1984	3324	explortu.exe	85
PID 1984 wrote to memory of 5116	1984	ddc011057d.exe	86
PID 1984 wrote to memory of 5116	1984	ddc011057d.exe	86
PID 5116 wrote to memory of 2280	5116	chrome.exe	89
PID 5116 wrote to memory of 2280	5116	chrome.exe	89
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 3860	5116	chrome.exe	90
PID 5116 wrote to memory of 5072	5116	chrome.exe	91
PID 5116 wrote to memory of 5072	5116	chrome.exe	91
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92
PID 5116 wrote to memory of 1520	5116	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe
"C:\Users\Admin\AppData\Local\Temp\5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
  "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
    "C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
    3⤵
    PID:4804
- - C:\Users\Admin\AppData\Local\Temp\1000016001\4bb9af0e5b.exe
    "C:\Users\Admin\AppData\Local\Temp\1000016001\4bb9af0e5b.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4824
- - C:\Users\Admin\AppData\Local\Temp\1000017001\ddc011057d.exe
    "C:\Users\Admin\AppData\Local\Temp\1000017001\ddc011057d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      4⤵
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8f4aab58,0x7fff8f4aab68,0x7fff8f4aab78
        5⤵
        
        PID:2280
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:2
        5⤵
        
        PID:3860
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:8
        5⤵
        
        PID:5072
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2152 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:8
        5⤵
        
        PID:1520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:1
        5⤵
        
        PID:4452
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:1
        5⤵
        
        PID:804
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4228 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:1
        5⤵
        
        PID:4656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4248 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:8
        5⤵
        
        PID:648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:8
        5⤵
        
        PID:1812
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:8
        5⤵
        
        PID:1444
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1804,i,16095220375408360374,18394312339636180377,131072 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2872

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
78d4467e7d9b6d792a08a45d7e709c78

SHA1
9da357b50ae2d44936763954b612b5f1185004d6

SHA256
66d9a018f8ea0d0b3717d39da9d4e77a043f2a37f9dbe1ff52819910d8f3c757

SHA512
a8b7aadac0852771ceb23cde34091fd6c05488e555c8c8dc905f4505e60a5ae702bfb8fbfa0b278fa30abda439017d123be7d2e30f7854c651974afde1b5908d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c7ccfa1fa2cccc3255c609345a6042d1

SHA1
2a6e3b825abef7ad47dcc583922d86b79eb86abb

SHA256
571036c7e002b5e07301e9fb75009e8dc7a4a226494d0a20c9f16ccd6f6b06df

SHA512
eef805a6ca27b2ce3c23facd6f2888cef84486c87db92e1748e46a8998393e203d31e9e3cff9b31a347981089bbbfe62759dfaf94428a03c2d3b789253816229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
661938bcc0647f9184c93af9f4e62531

SHA1
835856855b7dc67abff122e4df40065f3fcab93d

SHA256
b954537c4a0f54339cdde7758c202cd0fdab716c81aec9acb0fdb95aed293a66

SHA512
55fc53e5653af8fca5cae12515ead0b925594840a00eb950954b1b4c3a3367f10cb06fab01eacedd3c00d97f1dbfaf01bafbdf5a87f56ded6705bda0fc657ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
c8c8ffbb949f6d82b3ecffe27f473d32

SHA1
49ca6e1cfb038b778207762a3415637188ae746f

SHA256
0f753e5608284167919e7529292cf02d002725c7cb843acb2a9450dccaec6caf

SHA512
f0e909f97a2b71c5f5ba9e5a7c2e0e78d9dd9f1e96941d50a08a336c1928497866d4afe220d69993b193ea9737373af45d4a757ca87474e3d8a10d5f77b1430d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e2b57db1c62577cf877a14671bd7b1f1

SHA1
4cf6ff8f5f78ec393be1b6f11f4a882cc12f7e3f

SHA256
f29229ba0dab464a8e6a660d4004ec9064880e619179c893245b824262de7fa5

SHA512
8ad9165adeab0832d15d8d4704c63db49bd9ddb7ba5255b50afe68e9f896f2e73210461f69e5e22dce13c7b7007301459a26d81b8851560fb76fb3217fb57191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3abca035225bdbeea49af1368fffe7a0

SHA1
5c95a14f5952123550f41a4558f8a325b30aa3ba

SHA256
0a245066d6552a54b7636002d81756ed391736977cd82810abd77a4663c0ac15

SHA512
85ab033b587bea9910bf5e511b8f4c9fc64eeb91220f07cdf5f24b5189fce48300a84bb01f1019d164fe780d4c8570e5064e03514cb744f5d0b2de275bd0f155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
280KB

MD5
845b4e3b7adba8ab4b3ae2567d83d619

SHA1
0a0ec160a6ce508fe24cb8201d5f340cbe955e0e

SHA256
d0e5784c775aab9a540434f221d01466282bd13352d2301f92c195a6117a36c6

SHA512
3855677e6dc9d2ff0fb5b2c60157c20aae9d87190c5ed6e89e8d890ef9db8cabc60e865c0ee37b743b8204483958b900d9fe5f1c8cb1f614860848fd42031ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\4bb9af0e5b.exe

Filesize
2.3MB

MD5
06d91f9f90d2f1114149c2c1d147a119

SHA1
ab867b58b6866f926a684ce5c6cac254578aace7

SHA256
a0c7887947f74e96b5ead5f118a1983d5ef832c5c1bb28f5c687280d643c909c

SHA512
903a5adc5a4460e6c4aa4d6009629429d0fa70b9f2864b1255f3018fc5df046695c4ef7e7ae6ab8c6baf9d58a457d5914c98e3e45aebb6b95f631b41b0e9ea9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\ddc011057d.exe

Filesize
2.3MB

MD5
4b1b3eb8f30cbe71e5268a9cab180156

SHA1
a3377a1c2037740bf4ce1e27b281af7a40c70075

SHA256
1d4297af7cdae0e82469c41619bf84f7b20d4806721254495b610756cb198e89

SHA512
fb87b5b90eb3899d6b2990fa70fbff3fe24f8d1210c7462d4724c5dd3c9fffae55f4a5f5c5a18d97fef59b1e031bf7e64f1981d66df4d8a71d65fc65f73bf228

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe

Filesize
1.8MB

MD5
57417c027a4140c3e5def85c31b40a17

SHA1
250b272d82e258046f49df98b076d181b87fee0f

SHA256
5ce30c60f0e801d4483edd2a783e761d1e523a0e4e5c199a06745cbe9bc3ba00

SHA512
48f25aea42c92753d380c97a81ba3b3838ba65b6a48a97ff01bfb359e8c673bf94f68c196ce3b834f9f510edad95fae7829131557a9a464e63fa7adb9b7a086b

Download Submit
memory/1316-144-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/1316-145-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/1984-148-0x00000000005E0000-0x0000000000B4C000-memory.dmp

Filesize
5.4MB

Download
memory/1984-60-0x00000000005E0000-0x0000000000B4C000-memory.dmp

Filesize
5.4MB

Download
memory/1984-155-0x00000000005E0000-0x0000000000B4C000-memory.dmp

Filesize
5.4MB

Download
memory/1984-115-0x00000000005E0000-0x0000000000B4C000-memory.dmp

Filesize
5.4MB

Download
memory/3144-17-0x0000000000500000-0x00000000009B6000-memory.dmp

Filesize
4.7MB

Download
memory/3144-1-0x0000000077C76000-0x0000000077C78000-memory.dmp

Filesize
8KB

Download
memory/3144-2-0x0000000000501000-0x000000000052F000-memory.dmp

Filesize
184KB

Download
memory/3144-3-0x0000000000500000-0x00000000009B6000-memory.dmp

Filesize
4.7MB

Download
memory/3144-0-0x0000000000500000-0x00000000009B6000-memory.dmp

Filesize
4.7MB

Download
memory/3144-5-0x0000000000500000-0x00000000009B6000-memory.dmp

Filesize
4.7MB

Download
memory/3324-196-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-200-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-133-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-18-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-19-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-20-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-189-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-113-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-21-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-116-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-154-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-132-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-218-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-157-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-207-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-168-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-194-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-170-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-198-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-173-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/3324-106-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/4540-220-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/4540-221-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/4824-114-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-169-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-193-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-222-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-195-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-174-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-197-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-171-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-199-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-146-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-201-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-158-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-208-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-42-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-156-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4824-147-0x0000000000640000-0x0000000000C24000-memory.dmp

Filesize
5.9MB

Download
memory/4968-192-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download
memory/4968-191-0x0000000000070000-0x0000000000526000-memory.dmp

Filesize
4.7MB

Download