Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
06-11-2024 17:33
General
-
Target
3f5a0e5921dd0df6d005556a63b4d711ff1301846d570b6d6a094b3a2b71bcf2.exe
-
Size
3.1MB
-
MD5
c0eb69c029d2b0e48a7a5338fc4e4fc1
-
SHA1
473e4b3cb7abfba1589ac422d5282145773867b9
-
SHA256
3f5a0e5921dd0df6d005556a63b4d711ff1301846d570b6d6a094b3a2b71bcf2
-
SHA512
671cfde8d99a8ab4a4516eaa803af07a00e3465df9c568c76c9a59286bfd7892305567290c4a31003d939fa65d0d244e875d2c61a6fda926cdc62b413908ce75
-
SSDEEP
49152:P1YODj8LPGFC7ZUkeVr2978jf85H0NjKIezrW8Z9L8N:9PIb97ZUpVr+784HUjKRN7
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://founpiuer.store/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 35 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f5a0e5921dd0df6d005556a63b4d711ff1301846d570b6d6a094b3a2b71bcf2.exe"C:\Users\Admin\AppData\Local\Temp\3f5a0e5921dd0df6d005556a63b4d711ff1301846d570b6d6a094b3a2b71bcf2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1004354001\sxqnmytm.exe"C:\Users\Admin\AppData\Local\Temp\1004354001\sxqnmytm.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{D17A9111-9250-460A-B53F-EC75CCF8A23A}\.cr\sxqnmytm.exe"C:\Windows\Temp\{D17A9111-9250-460A-B53F-EC75CCF8A23A}\.cr\sxqnmytm.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\1004354001\sxqnmytm.exe" -burn.filehandle.attached=180 -burn.filehandle.self=1884⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{2D4E8891-1A69-41C6-B98C-F9FE11AD7180}\.ba\ActiveISO.exe"C:\Windows\Temp\{2D4E8891-1A69-41C6-B98C-F9FE11AD7180}\.ba\ActiveISO.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\remoteFastzq5\ActiveISO.exeC:\Users\Admin\AppData\Roaming\remoteFastzq5\ActiveISO.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe7⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DriverProtectv1.exeC:\Users\Admin\AppData\Local\Temp\DriverProtectv1.exe8⤵
- Loads dropped DLL
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004409001\build.exe"C:\Users\Admin\AppData\Local\Temp\1004409001\build.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\1004410001\9e786c1360.exe"C:\Users\Admin\AppData\Local\Temp\1004410001\9e786c1360.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1004411001\70fe84a1b9.exe"C:\Users\Admin\AppData\Local\Temp\1004411001\70fe84a1b9.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1004413001\72ef5bc37d.exe"C:\Users\Admin\AppData\Local\Temp\1004413001\72ef5bc37d.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.4MB
MD5155422526c81faf880ec711b7044ef44
SHA167b6a590e3aac3cca79d849ef1ac9f51f4e6702b
SHA2563bf4932e6121846f3303818932219f7984ac60196b65e4f62a796156923d556a
SHA5120a53e0b00e5c32782be998a082cc33bf5b19d162f81e39104f6fd6f64b1ea4947e69298493dcb49a1386904cc345c63395044c01be2d49c89647d7890522dbdc
-
Filesize
2.4MB
MD532bd212358faf07219b8aee96bf42a78
SHA1c3bea0bcc2b04cda2bb1551a2f61fbd695ae538f
SHA256582cd56afe40a1e49d91486e40c4d5a27d1a890f451e5ba5d0d948511cde3987
SHA51268b8f7578b2a8762ff165cea2e0158e0e884708c0cfe49cb6320d62572f03e0a91b0dd2bfd6162982ddb6544a3511cf05f6fd60b49eed4b8d1546403d9f632f1
-
Filesize
3.0MB
MD51e89027e4db2c2f57e9b4db8b00200c7
SHA1435f869057bc76c9e7596d7740deb51f4ba59260
SHA256b2dd3033c8dd8bf7218e42ebb0684c416b63748398c1bcba039e8a37c54bb9fe
SHA512562c1f65607b95d05ce3c55bdb9a15a9c4a3752c5bc92a5c36fd5aa7846f06d437f6f39adb1b8322583c7d5008ea88ce9d842ad9648f79c5fa4f60bbc3bc70a8
-
Filesize
2.0MB
MD5fa6b75ebc4cf564a1055c63db94bcd64
SHA175325bd377846c171213b10261d640b33c4a1d7f
SHA256e6ca41bc8e9972f791ddc6bb97e6247d0c7f1d0a18f02ec97d2d63dc1f3e3451
SHA51226084e3abba1f9e37ceb4ab858045b33efea12c81699e7ceab34459d2675cb57a906db6728dad64213bdfc52a1843c733e750ed1eba75f3e73acbb15df170679
-
Filesize
2.6MB
MD5aab7c507c52a9b9532fc31454860cfc8
SHA1a38831597a5c0afa67d85bf4c393a01ac8dfe330
SHA256bd4ea0df7d7122f577fdebd8cd2c25766b45fcffe9e0e57db8823efc35b49085
SHA512967e583bdd4ae827966ae2c397df9b1f81d3978ec390ce038baed6ce184e1846864175be03b87c6de0862f940fecd6ffbbd5e026257dda081623c93a21a187b5
-
Filesize
3.1MB
MD5c0eb69c029d2b0e48a7a5338fc4e4fc1
SHA1473e4b3cb7abfba1589ac422d5282145773867b9
SHA2563f5a0e5921dd0df6d005556a63b4d711ff1301846d570b6d6a094b3a2b71bcf2
SHA512671cfde8d99a8ab4a4516eaa803af07a00e3465df9c568c76c9a59286bfd7892305567290c4a31003d939fa65d0d244e875d2c61a6fda926cdc62b413908ce75
-
Filesize
4.3MB
MD566f309482f529590cf5ad56549effbef
SHA176c9117e6356203daed79c1caecb4808436aef36
SHA256d704f5f01487ca3340454240868515de1a43a1b65e5b4a97a74ab409c8441f82
SHA5129b2068943a6f6db6b9e885a3b3b7ea6da9f7a9971767780e02184e10674395b3dd7f3b539c04d9acbacf8f39042fdb90f3c9cb5986c2076846626ea5decb3d01
-
Filesize
21KB
MD565ced4e3e5b641b3fee1e135e3604a1a
SHA1860173020684e54f4eb9bc9e4fdab348b371214d
SHA2561a5991a30e9d339cbb0143d4bd134509cf4effc7fead7f4f7dcc059990efd669
SHA512cc4ec199a58a20d2c4543fd247b329422ce3ad15695c74d2aa4fc89dc780a274527b020157e6c23f8a2a4839209f5d742694881768dd12c9b80c622da17f31e6
-
Filesize
1.2MB
MD5b84dfabe933d1160f624693d94779ce5
SHA1ac0133c09708fe4a3c626e3ba4cdf44d3a0e065f
SHA256588cb61b36a001384a2833bd5df8d7982ca79d6ae17a3d83a94e01b1e79684bd
SHA512eeaeef8d6b5fa02dedf9818babaa4b5ffdb87300521883aa290289dcc720b3d543279085ed3fc649b74654143e678502e56eb3f92c4baf53c075977de33c1b0e
-
Filesize
1.4MB
MD586b7452f87b5c7f79f8b8a3ad326035e
SHA1a81ba71c0b3f93c6bcdc004ede3f98f205dd31ca
SHA25658a6b1fe90145f8ae431d05952d1751e705ae46a81be1c2257f5e1e0ce0292c7
SHA5124c0e8166a8ee81c9e851fe7d25915b1d85bbe3b274e88160ff948ddb8a15f67122a52ba3906da6a090f8ba064915c8df1780103e474bf8e6f3dd673fc304ce7b
-
Filesize
5.8MB
MD56e8bfe548ca4de868c82279e5d127db0
SHA1120cbd2177493859c40b943bed3d124555cc5bd9
SHA256f7bddcd19a740e179827a99c23cc045d6f4ab8d5b6699592b1a1e8fcb6ddc22f
SHA5129f4736a432ea496c010a5a37a87da1fcee6bafb2c6600eacaa8a0b0e9d47eb8bf0b044cf34d6212d871d4b1bd93339d148b67c72a8226145929d117756ece6b0
-
Filesize
6.2MB
MD534893cb3d9a2250f0edecd68aedb72c7
SHA137161412df2c1313a54749fe6f33e4dbf41d128a
SHA256ca8334b2e63bc01f0749afeb9e87943c29882131efe58608ea25732961b2df34
SHA512484e32832d69ec1799bd1bcc694418801c443c732ed59ecd76b3f67abf0b1c97d64ae123728dfa99013df846ba45be310502ef6f8da42155da2e89f2a1e8cb2c
-
Filesize
1.3MB
MD5fe5ed4c5da03077f98c3efa91ecefd81
SHA1e23e839ec0602662788f761ebe7dd4b39c018a7f
SHA256d992aaeb21cb567113126c2912cf75e892c8e3ead5d50147a11abe704b9e2e2b
SHA51222514732a0edf8fc2b8770139599132429080b86d2844143d21bb834cbddaaa077d763969960e39e2050a69493c1aae191600e5df6107bde90fae589a054f071
-
Filesize
316KB
MD5d0634933db2745397a603d5976bee8e7
SHA1ddec98433bcfec1d9e38557d803bc73e1ff883b6
SHA2567d91d3d341dbba568e2d19382e9d58a42a0d78064c3ad7adfe3c7bb14742c2b1
SHA5129271370cd22115f68bd62572640525e086a05d75f5bc768f06e20b90b48a182f29a658a07099c7bc1e99bf0ffcf1229709524e2af6745d6fed7b41c1addd09f1
-
Filesize
5.3MB
MD5c502bb8a4a7dc3724ab09292cd3c70d6
SHA1ff44fddeec2d335ec0eaa861714b561f899675fd
SHA2564266918226c680789d49cf2407a7fec012b0ed872adafb84c7719e645f9b2e6d
SHA51273bef89503ce032fba278876b7dab9eac275632df7a72c77093d433c932272da997e8fbeb431a09d84baac7b2ab2e55222ff687893311949a5603e738bfa6617
-
Filesize
1.4MB
MD541e19ba2364f2c834b2487e1d02bb99a
SHA16c61d603dddfe384a93ad33775b70681d0a396d9
SHA256c040a25377028b0c28db81a012de786c803a0e9d6f87ce460335a621d31f5340
SHA5126ebf4a9e80f16c6a03ff357d2da9a34a4227bfd65eb66d1d335349a77ba066d069ba0d47d46229b3c77b59052c42d388678662f970b418d8cc3cfb1223427d8c
-
Filesize
557KB
MD57db24201efea565d930b7ec3306f4308
SHA1880c8034b1655597d0eebe056719a6f79b60e03c
SHA25672fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e
SHA512bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
37KB
MD575e78e4bf561031d39f86143753400ff
SHA1324c2a99e39f8992459495182677e91656a05206
SHA2561758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e
SHA512ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756
-
Filesize
14.3MB
MD573e9ab1674c64f040da642b6a4690356
SHA1e5a508bf8a7170cbacd6e6ab0259073a2a07b3cf
SHA25604bb4867d35e77e8e391f3829cf07a542a73815fc8be975a7733790d6e04243c
SHA512f1df00e8f0b7b1c577429028cd550788dbf4f1da1e8aa97b8ab845e68c56663c350c562f26237a278a0b44b33f06dcb9667a50db4ddaf747da71053e4189afec
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
5.3MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
1.7MB
-
Filesize
1.5MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.2MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.2MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
5.3MB