Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
24-06-2024 16:26
General
-
Target
4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe
-
Size
1.8MB
-
MD5
2f2bfd0f3fe0a2c5cc911e8d82b10581
-
SHA1
414dddc6938b5ffb6724fb940e4e6dbdb28e2235
-
SHA256
4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4
-
SHA512
64df3eced6dc8751f232b5df2e7cf5ce4e0ef12608f9aeca72223df469f612dcc270b6d20db2b0e6787f129e421717e013b934dd1672c2df508b50e432bb8b8a
-
SSDEEP
24576:CqbDisemYQkGRELN9Qoz1NcdXJEmXm4/kHVZcbHY6ACdOuJ37ek8G8NP6yf+vdrq:CcBKR9Qoz1N8mZmHQCYGX8hB+dq
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
risepro
77.91.77.66:58709
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 60 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe"C:\Users\Admin\AppData\Local\Temp\4fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000016001\3503ced013.exe"C:\Users\Admin\AppData\Local\Temp\1000016001\3503ced013.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000017001\405e58ce28.exe"C:\Users\Admin\AppData\Local\Temp\1000017001\405e58ce28.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffca0dab58,0x7fffca0dab68,0x7fffca0dab785⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1904 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2096 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:15⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3368 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 --field-trial-handle=1976,i,10034400324285963982,13962250373523138518,131072 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
216B
MD5d0f57478c5ee1f1211c94d0d24f3f117
SHA19843735dea510af00a3ba43485c12c0fc7e2e3f5
SHA2567db8ba9dd7c2fcd7e7ef54ac7b75b6c74624f2f4082c35d9d75a93c6df31d432
SHA512b8e3f0c03d26525594fd0d5d86bc088bead6dedb73e25f3188c9a3afd6edc2fdb3dda8cc92de73e649862234af5f31e65e1aa5f24920e2a19a970449237d5dc9
-
Filesize
2KB
MD5680d478c4a5e035bde38740f29a485c7
SHA1ad90181adcb96cb7cff022bc9c03d858601236f2
SHA25621348a8c5f9e47ef3e43a688d171e6b008fcfc8b7e7e207a278238f3c5fefb19
SHA512ef4a7cff08ada39336e60b11c9738a8dbba24f7d41767b7e1a62b8bcc8b4894493eec6e348ea7999bc27d66e2504385a95de1817c5b490dcac0b273babfb4f63
-
Filesize
3KB
MD52e7ef22c5dce5852a2c4a18acb177b1f
SHA1d1c7ae8b2926d3a55123702f648e1f7754e3926b
SHA2565048405703ccb0dcf4a3f0603131c5cb76e662becc231155f3d297a6de1423fa
SHA512ca654b434729b2bb61395036db6ca8f6a9a930461a6a0cd294d1c5fee1923f71beb962ba84cafd62aa0342daa4a2cb72074cb4faa1ba4d50da3537f77f045b2a
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
692B
MD52aa89b2d87b6af22bfb0b2677b33fb51
SHA1e5d4d02ba3fc50005cbf26dd1ae1a63dba41afb5
SHA256295b8708e325c7299e888479f89ab8645024466dde8d7d96b41f2b6ac9346663
SHA5125fe9f8d99967530bc351d24eedc75865651ae43e11d3d86ffae9a142bb259b70fbfe2700a35589d3e7e0cb3ba894fb233a093564035199f0b955eed513c08797
-
Filesize
7KB
MD5a9454590f6873709c8d3ee6ea2810d2c
SHA18f56065906fd23504f76a6d995a1b19eaa6f7427
SHA2560d444196f6d84e58e997b0f1d6b2ec5ddf418823b2da35fbfd0d5b5c42e3c29d
SHA5126cb314065a41560b3d95b39a3ad3721d782caa18c549663270db6a4ea85c430635e030d94d18c0b8c6a683e810c0397cab0c844a7d4c7c1612aac982b749a543
-
Filesize
16KB
MD556e5884daedac0731c2f059ddc9d52b2
SHA1472c0217a47cb5606f5c02706a88e5d8b26a1cae
SHA2561e46b78e01d0c47da0022c960449c3dc595c194e578a1e92d4034105390e2df3
SHA512d8ad98acfa610f476ac19a3d8a345cc51c7c1ba69839727b5ece7a8f24f47758caf4628161597a6711e48c9e4181cd2e0f3b79eed407b3b1f2676e32b605e1bc
-
Filesize
280KB
MD547d1f4ac5575506682596852550e4417
SHA116888ac9c1ae10890768edc3e524b890cab726df
SHA256496424ba013bce3174589d082fe90be754b77436d9247f9a449ae09a66f7ac21
SHA512d27bf0414b98df5bb85b0cced730b6dd1f23191e47178406be3da75965984da866db0cb5e5b3977c5850d6275aa077f90db1858a44218e7d240aa9eb83516fd6
-
Filesize
2.3MB
MD59e88c3b9177bfb5f3272348c559ab0a5
SHA13bf98278fefbfbdb78578122fb47cda84864313a
SHA2564e18d688a5a00e517fe82e040a0d3e2607a2f51e8d2af25b46eed1a4f37137cb
SHA512c61ea9447b76bafb91497655d397c68da72ce47486fc2ed8431e985fb72d59983e3366dd528cb716abe6d56a2df8f52418f84909604812fb1c5a9a25b2cb85c2
-
Filesize
2.3MB
MD54973cfb4964ce6e263ca0479f8a7f67e
SHA18248bf51e43f9e7abd49620a33d178bcabf47608
SHA2560501ac876d99e76b23b20a227d8a8c7f986ec882e46cc52a81f9ca20dab755f0
SHA512a7bba2652a71795b9d48424760b9210f3c60fd3913702268a6b2ef1c48f3256033887ffb81b9b3b8f6ec6c38df29e1c3ebcc56180af24585671dc916f7861819
-
Filesize
1.8MB
MD52f2bfd0f3fe0a2c5cc911e8d82b10581
SHA1414dddc6938b5ffb6724fb940e4e6dbdb28e2235
SHA2564fea319a615adeea82534ab28a45e0b192a0daed7bbe6a58b63786b39fc10ba4
SHA51264df3eced6dc8751f232b5df2e7cf5ce4e0ef12608f9aeca72223df469f612dcc270b6d20db2b0e6787f129e421717e013b934dd1672c2df508b50e432bb8b8a
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.4MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB