Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 145s
max time network: 155s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 00:29

Static task: static1
Behavioral task: behavioral1
Sample: fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
Resource: win7-20240903-en

General
Target: fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
Size: 3.1MB
MD5: 301c3b816ce9bdb8b0be9b994bdad49a
SHA1: aa412e9293347168b248aff6e33f7ebdbb5ca3d0
SHA256: fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684
SHA512: 85f51993ddc8dca34be60b1b55d430284f71ebb020b39d990d6b8634d80e5844ae1ebc5555cab013d1c3d87b6d4c79f4add8f0d5033e64c68e2b868f2dff1fff
SSDEEP: 98304:pc+HaMg+Vt85V7PwN+4i6JVxM7dg/xmYR:pcTfuigxMRq
Malware Config

Extracted: amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted: stealc
tale
http://185.215.113.206
url_path: /6c4adf523b719729.php

Extracted: lumma
https://founpiuer.store/api
Signatures

Amadey family

Lumma family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bf899a5c9f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | bf899a5c9f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bf899a5c9f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bf899a5c9f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bf899a5c9f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bf899a5c9f.exe

Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f5591e61eb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | acbc976b3f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | bf899a5c9f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f5591e61eb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f5591e61eb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | acbc976b3f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bf899a5c9f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | acbc976b3f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bf899a5c9f.exe

Executes dropped EXE (4 IoCs)
pid | Process
2616 | skotes.exe
1588 | f5591e61eb.exe
600 | acbc976b3f.exe
1796 | bf899a5c9f.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | acbc976b3f.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | bf899a5c9f.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine | f5591e61eb.exe

Loads dropped DLL (7 IoCs)
pid | Process
2272 | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
2616 | skotes.exe
2616 | skotes.exe
2616 | skotes.exe
2616 | skotes.exe
2616 | skotes.exe
2616 | skotes.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | bf899a5c9f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | bf899a5c9f.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5591e61eb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004482001\\f5591e61eb.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\acbc976b3f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004483001\\acbc976b3f.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\bf899a5c9f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004485001\\bf899a5c9f.exe" | skotes.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid | Process
2272 | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
2616 | skotes.exe
1588 | f5591e61eb.exe
600 | acbc976b3f.exe
1796 | bf899a5c9f.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f5591e61eb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acbc976b3f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bf899a5c9f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2272 | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe
2616 | skotes.exe
1588 | f5591e61eb.exe
600 | acbc976b3f.exe
1796 | bf899a5c9f.exe
1796 | bf899a5c9f.exe
1796 | bf899a5c9f.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1796 | bf899a5c9f.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2272 | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 2272 wrote to memory of 2616 | 2272 | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe | 30
PID 2272 wrote to memory of 2616 | 2272 | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe | 30
PID 2272 wrote to memory of 2616 | 2272 | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe | 30
PID 2272 wrote to memory of 2616 | 2272 | fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe | 30
PID 2616 wrote to memory of 1588 | 2616 | skotes.exe | 32
PID 2616 wrote to memory of 1588 | 2616 | skotes.exe | 32
PID 2616 wrote to memory of 1588 | 2616 | skotes.exe | 32
PID 2616 wrote to memory of 1588 | 2616 | skotes.exe | 32
PID 2616 wrote to memory of 600 | 2616 | skotes.exe | 34
PID 2616 wrote to memory of 600 | 2616 | skotes.exe | 34
PID 2616 wrote to memory of 600 | 2616 | skotes.exe | 34
PID 2616 wrote to memory of 600 | 2616 | skotes.exe | 34
PID 2616 wrote to memory of 2532 | 2616 | skotes.exe | 35
PID 2616 wrote to memory of 2532 | 2616 | skotes.exe | 35
PID 2616 wrote to memory of 2532 | 2616 | skotes.exe | 35
PID 2616 wrote to memory of 2532 | 2616 | skotes.exe | 35
PID 2616 wrote to memory of 1796 | 2616 | skotes.exe | 36
PID 2616 wrote to memory of 1796 | 2616 | skotes.exe | 36
PID 2616 wrote to memory of 1796 | 2616 | skotes.exe | 36
PID 2616 wrote to memory of 1796 | 2616 | skotes.exe | 36
Processes (indented by process-tree depth)

C:\Users\Admin\AppData\Local\Temp\fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe (PID 2272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2616)
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\1004482001\f5591e61eb.exe (PID 1588)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1004482001\f5591e61eb.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Local\Temp\1004483001\acbc976b3f.exe (PID 600)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1004483001\acbc976b3f.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2532)
          Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"

        C:\Users\Admin\AppData\Local\Temp\1004485001\bf899a5c9f.exe (PID 1796)
          Command line: "C:\Users\Admin\AppData\Local\Temp\1004485001\bf899a5c9f.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Windows security modification
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads

Filesize: 3.0MB
MD5: c6ceb0b1c07acdeb4ce256f33a8a2046
SHA1: f462b5dbe00cebacf451adee6f95d2cea6b46f33
SHA256: 1fc6dc58d1ede8a6233ab45442d3aff565bd8c00493a2b299d95d4cced01f543
SHA512: 298e80c51ccd13e12f594523cf22fb0a8b3e785d84abf68c6381895d4c842c5e47f234323d61294eb11742d31acf22d40fc1e4b34bb9c1139b4855a39ba548ad

Filesize: 2.1MB
MD5: f82bddf6bb8bef447a5892271a88468f
SHA1: dc2f4a6ce898d935280c42ba5c028bfc36a9644a
SHA256: 0e72d73bc0a75c69fb354fc9aa2a8ed705cbde8089e619c12bb0b6143f861c13
SHA512: 8aadcbaf73d17ffe38c6bfb047740f310a8eee0aad94260b7eb7d86408c4b63c97913db90cfd9700a74235453945474fc2eebe4ab79b220ed7d04f72ad5f714f

Filesize: 2.7MB
MD5: a61f4a4cede7f345cf087f43505e4159
SHA1: 89f8f8a177a6f127d1b8f2d1c33ea6373f72c30f
SHA256: dceb2bdf90d61c8bb31c100a2b56171ce476f70f9b085c7fe0fa36fa3a560958
SHA512: a343ae73d26b89b1eb6cc9b3405cfb619efba86c83fd618781ca94ee48a8d8fb8399db7cb9951bbe19aff8bcea97f27f6e67ed54db6bab80b46ae395595bf529

Filesize: 3.1MB
MD5: 301c3b816ce9bdb8b0be9b994bdad49a
SHA1: aa412e9293347168b248aff6e33f7ebdbb5ca3d0
SHA256: fc2c935d780a3cc92db2105f341c966b08f7a5e4ef09657ea2ad521c5b1ef684
SHA512: 85f51993ddc8dca34be60b1b55d430284f71ebb020b39d990d6b8634d80e5844ae1ebc5555cab013d1c3d87b6d4c79f4add8f0d5033e64c68e2b868f2dff1fff