Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
24-06-2024 13:50
General
-
Target
b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe
-
Size
1.8MB
-
MD5
7ade5c92fd89c372bd91584275c30894
-
SHA1
20fb933cf095d821190c488962e16318fc484917
-
SHA256
b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491
-
SHA512
1c9c90ff3febf6de92db54474f799f30c8ec9f97e2e4a5ac4bc6dd8977f7aa9c879442d9171d70754a5653702a00f9fb8bebe09f61462dd4642f993f05caf1c0
-
SSDEEP
49152:p2n93XqtLQh/PcGIOooAs0TjLQbHU2uZG:cnlXFBkGGoA7YHJb
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe"C:\Users\Admin\AppData\Local\Temp\b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\fc244a8bbd.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\fc244a8bbd.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\434c177336.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\434c177336.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffd9c7eab58,0x7ffd9c7eab68,0x7ffd9c7eab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4048 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2684 --field-trial-handle=1904,i,2138200199499147567,4206091315857542500,131072 /prefetch:25⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD54cc1d43ef4fa4d0e79880204c4a8879c
SHA144ca481b32e45f1b5b065f70dbb2082ff3eb3468
SHA256b2548ac99712906a260756e7f2172d79809c813d892b47be02debc567daa46a2
SHA512c3f42133a73c8d60f3e6752b51a46efb9f958543255fcd1cfa4e58b19995c18b17ef8f882c7f97783ab18ce32f43f9be07a0fdb68e1b360510f60ff950255fe4
-
Filesize
2KB
MD54f7939f94a219d9fae1356f2fe8a2e13
SHA19d72221d2749002a3b17a04ca04893e2f0dfea4b
SHA2561c671c4877904c973e365c5fe6977ff19fe041b7677046a84c824bb47f8c3355
SHA512cf2e4d62ebdc4aaa39a25dc66db19eb3bb681742adcd6a02db9bdd29470ba857117638e5c445f6ec3320e5dbaa75a859e62633993480124b63b6a100e66f863d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
690B
MD5b0d88423cd9895ae24f080fb213611ee
SHA109a856d5dee1d574e32bacd6d697b6efcf77e561
SHA2566177ddbab1315006f0bddf546da6479b496ea94c4177f8f7c982bb0d585147b9
SHA5127aced1a596027a7eb3a7124338eb5663b83902d91b6866e2183eac08586ee130f87a10eebedc6e2e75af3929ff1ff0a9e4a84f94a758be188998c502b0b16726
-
Filesize
7KB
MD5f944b5c780ee947d57331795f936d982
SHA15fab920e0dd8a25c147208f3b661dee4ed9dc49c
SHA2568050180614cd2792ac0154a0ebe9a993b972d8cf305f66ecf1fe5bacbf1f12d5
SHA512a3695ab0e01ef1f2850f1f49261cfde41a43185988b2cb90f50aa0984f37deba8155c87c75ebc8c041aca89f959f2b2b03f69decf7a335cad58a9e2388bdee4d
-
Filesize
280KB
MD5a7901d8a32ac62c2bba2d20be4228709
SHA1f030e62fdcdaccbba5792fb506797ae27f99e5eb
SHA2561ae3bfda9149d1c4063f4fc6699dadc198ab09ce06ec56741121f8fca00ab0f1
SHA5123371eefdb283c63ef41cad55603e37a91c4351a112e2be97c1f44eb9ab422fbdd05bed9dadc932a3a8a8559cdab01478e85d2739b9f60ef276999bd50247d516
-
Filesize
2.3MB
MD564468eae17c3452d9b97ead97cb91e1c
SHA19fc64c304486d27b628801a2fabace7d35e5179b
SHA256531685613d125dd26a39d130b68462cff67e918bbd3e5a3db99b39ef5239818d
SHA512f0a0009d1b9117d4fa49d7cbb45e525fb6a971672bcd33a3f6bc25f7fafecbdb2a66233ac7dfec413c7f57b4c67c1a7dabc0719b33de220e6ab241ec501e2af1
-
Filesize
2.3MB
MD5055ea0c584ab2311b5d10f3a746413ec
SHA1d4ae0286f19af5bc60673a966e57f98d2e27c51c
SHA2561a62b69d206393f20a690db53214a951c1ce24083103f9325f11181f8c3fa6f1
SHA512197c74df6aa2af102b95771c04aad47c6cc30a8f8d465dcc7889afd118d8343deec5e56eeba15767e317242f336f4ee82ce3ad0be8e4dcdf3987d64bf9221900
-
Filesize
1.8MB
MD57ade5c92fd89c372bd91584275c30894
SHA120fb933cf095d821190c488962e16318fc484917
SHA256b604b2158ddfc79ff8941c60a750d9995283d3bd21437e9efe2bb65cc163e491
SHA5121c9c90ff3febf6de92db54474f799f30c8ec9f97e2e4a5ac4bc6dd8977f7aa9c879442d9171d70754a5653702a00f9fb8bebe09f61462dd4642f993f05caf1c0
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
4.7MB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB