Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
24-06-2024 11:31
General
-
Target
9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe
-
Size
1.8MB
-
MD5
69138b3117d495b2d3b97f35decb70ec
-
SHA1
e9a1b39e9f303fe2fda9da6638a05b714f5c97c8
-
SHA256
9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9
-
SHA512
1c8c4c24ff4e7e526367f31bbfc781c0325f864a8640432f131a56e351a16c28ab7f383d95d6b3939eea5f4cc177484c3a7ba8dfe01962fe191b5c68db14216e
-
SSDEEP
49152:AKtQNbj6jZ0K5ggUqcirkNbl7s+eDEOpawrQ:AkRUqcirkN57epawrQ
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe"C:\Users\Admin\AppData\Local\Temp\9335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\9a6864d771.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\9a6864d771.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\8f6af75b82.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\8f6af75b82.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffae8db9758,0x7ffae8db9768,0x7ffae8db97785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1888,i,18005341398466342250,14877511660655004821,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1888,i,18005341398466342250,14877511660655004821,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1888,i,18005341398466342250,14877511660655004821,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1888,i,18005341398466342250,14877511660655004821,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1888,i,18005341398466342250,14877511660655004821,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4608 --field-trial-handle=1888,i,18005341398466342250,14877511660655004821,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1888,i,18005341398466342250,14877511660655004821,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1888,i,18005341398466342250,14877511660655004821,131072 /prefetch:85⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5734c90f04671524471b05077eb34e1fd
SHA1b51d62c6f4147a8f49ef38ba778b27eb18bdefa6
SHA2564208c54dbd2fa0d5192b80ed2bdf9e59843c7553c74dcf149bbff6d4b9ce48c7
SHA5125fe0b5583bb464eb21e15bf516a5ea21d0914f371eafb1860f4304696cc37d3042b01c67006da3e73acd52e74cf65e0353c2389109d152ce75338da8c0f9f962
-
Filesize
1KB
MD53aa4abe88111c67b35e763099104fdee
SHA1cf7a4eed20c67c283cb61b8e5cc6dcc4d607cd19
SHA2563523b1085631e90b14426959fc836f3f4c877b9b3fefc1432017a47ec10714e8
SHA512c2b5e5b1becc663aec62b899b98a0ce9e7d06a52f76337954d4bae95a10ec0521b1481d3935906e05ef725f9fcc1afa85ab15eb28fb5d6cb7632bd514b1edcc8
-
Filesize
535B
MD57e2087b42e37dd4afd4dfe7073e80aae
SHA1140335bce8d25f43f62ea67a7f531fd0d8b04b29
SHA25660d765884a864b61ff3688e3d26dfc98c1755f78c2c70822c3bcd56525aa8194
SHA5121ed8db040ebbe63918bc71b6c360b873f3eff8015a06222e3f8a3f52c631b29f2645a8fc4f145220d08dfad9531e222eb8157ce08ef884427ae701d5a08c32d2
-
Filesize
6KB
MD5586d76f9395845d1ed3df7ac5317af23
SHA11d1777f5a7dfaec17cdea7fd0ddbdc2c1be136ad
SHA256bb5ced20d6590a2981e9fa129a8aa7cea17fab2d5c4783920a75ead2fe90ba46
SHA512908abf86f518e00329e0a345e51f3525ea7d4a41fa13846b6ad7427b863428710ad1b29d9a626b5286e1688c2e3253f9a194db8bf648c7d7bed643057996e4c3
-
Filesize
6KB
MD52ac6d3d4a72bb606a209f02f81953203
SHA12cb11472afc2b6ddf8131e9368f89846488e7d05
SHA256071bd74a47fa1dc573ca8f3b8b2c6e4bab476ff44b396dabf73e0dd30c49a83d
SHA51240f544e743a61ac6fca492f5807ea50b33b322e5a92d7cf413400e91644f9cf6b6cf208d0b5034b78c48f99a0956e18cbd5574b3b34413cc561b6d1ea7167980
-
Filesize
6KB
MD5d7e44b251117329f6f94f9a603d6579e
SHA121a29fecda8250c88f503985e92126ffbb27d5a3
SHA256d5ff3aa83b5db1c39f92481db775c85f57f92bb2728f67c548eaceb242d84486
SHA512b217e9561b7c7a4c96bc027429bad03d16bfb0d6e27ee660284f2a42ed08922869b033baeb53552f546acdb8999ea525e30ef4b201ff6562f9ac364236245d54
-
Filesize
280KB
MD5e7ed67b6008072b6de3159a642d26897
SHA174174637f8372bc4216863ca93112f9277b94e39
SHA256e68ac0c8bcef0141356e940007d20a9010a724c01da83a3742e22cd4da94f3e4
SHA51274142346e253bfb47e6eef6e03b9709129cbc21638365d8d6fe59316dec64cafaef06f9c4deb7730e9eee51a16ee56f4e4a49c054b61e3b632aa70704cb2da8f
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
2.3MB
MD577fb57b1c35671a0986d7e8e1d5a51eb
SHA10b9af09349f8dbf16c668ab55359975495503c39
SHA2560243fe8ce7517ff691de5073c7b7b3be9ceaa92efdf2e54077cdd611a5786e3c
SHA512e0791ffe0a80069830dd4aa0db22d112b1d43a0cbe6da6edd0e3039c953f40d74f9476a2f87d6f05c06fc04524bd4cfe9acfef6e89e81834d3f17ee2595d9007
-
Filesize
2.3MB
MD5953b8938c04ee98cff07c2166018f1f2
SHA15a46c65bafd3562c7941fe6a40c4e1916213fafc
SHA2561d63459cd2ad475f96f1c768c93b3781a3cfefa9a766c7c4d1dde3afc560d080
SHA512d0801d00c8caa9138d210623cb62c350760132977f74d2440a46215bcf2c61d297dd7a312378f29c201d08bd14cbcdd34ba99359ed0656796068b60f74fb4fbe
-
Filesize
1.8MB
MD569138b3117d495b2d3b97f35decb70ec
SHA1e9a1b39e9f303fe2fda9da6638a05b714f5c97c8
SHA2569335518bdebd925efd0d4eb74316b0306115eefef14586e043f23cbd35c046f9
SHA5121c8c4c24ff4e7e526367f31bbfc781c0325f864a8640432f131a56e351a16c28ab7f383d95d6b3939eea5f4cc177484c3a7ba8dfe01962fe191b5c68db14216e
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB