Overview

overview

10

Static

static

3

SecuriteIn...70.exe

windows7-x64

10

SecuriteIn...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 10:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.Evo-gen.23397.3870.exe

  • Size

    3.1MB

  • MD5

    1a81dffb83d8e7ff3adf172aaadaf388

  • SHA1

    8cedfd2a864c409afef1cb0a8ad002f8a5f0ef8e

  • SHA256

    447fa6e76e1f5060cf82af86a9f8f4a7916d77a25ae28214f9469c3f66c6ba66

  • SHA512

    77289ebb8ff65befc192ff32cd123b2bda303dc48b5e1738bd689ad71139a7dbced09a65ff2597264137b7d11e855af9cdef715e52a8c0c4bac71baa8ae9f8db

  • SSDEEP

    49152:Kw9BGhpTLZmp4ZIM/HPsWydHLGLO3pz85Z5Yis7:Kw9mLZmpIP/HPsxLhp45Z5Y

Score
10/10
amadeylummastealc9c9aa5talediscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

tale

C2

http://185.215.113.206

Attributes
  • url_path

    /6c4adf523b719729.php

Extracted

Family

lumma

C2

https://founpiuer.store/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.23397.3870.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.23397.3870.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\AppData\Local\Temp\1004582001\92cca8d3f5.exe
        "C:\Users\Admin\AppData\Local\Temp\1004582001\92cca8d3f5.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3500
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1492
          4⤵
          • Program crash
          PID:1776
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1512
          4⤵
          • Program crash
          PID:4892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 1532
          4⤵
          • Program crash
          PID:4404
      • C:\Users\Admin\AppData\Local\Temp\1004583001\f8192ac623.exe
        "C:\Users\Admin\AppData\Local\Temp\1004583001\f8192ac623.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1748
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        3⤵
          PID:3968
        • C:\Users\Admin\AppData\Local\Temp\1004585001\7853d716d2.exe
          "C:\Users\Admin\AppData\Local\Temp\1004585001\7853d716d2.exe"
          3⤵
          • Modifies Windows Defender Real-time Protection settings
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Windows security modification
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1188
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3500 -ip 3500
      1⤵
        PID:5064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3500 -ip 3500
        1⤵
          PID:1608
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3500 -ip 3500
          1⤵
            PID:888
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3500 -ip 3500
            1⤵
              PID:2416
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3500 -ip 3500
              1⤵
                PID:212
              • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                1⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:5080
              • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                1⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                PID:2132

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\1004582001\92cca8d3f5.exe
                Filesize

                3.1MB

                MD5

                e17e79621707b33deebbb062396a7cb5

                SHA1

                8f525636a1320a50c51312de1981d53d9e545599

                SHA256

                ef85019d3696285f9a0d5c9b4c4134a68713b6294cb77a9dc41e0223ea7bede9

                SHA512

                5150c7af1b0565d2b975e550d080db0e8253a1847a0ac0aeadc11d091c02b128941caeb5b6b1bd9d60a878165b1aab7b38a37dd7f07ca2e9aecb0b90c519d9b0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\1004583001\f8192ac623.exe
                Filesize

                2.0MB

                MD5

                11d426c888db116423f5b98a68f128e7

                SHA1

                b1130e91da13796704eed24164d53b537d5abe09

                SHA256

                086d33d97dacb90e333a023aae5df67812e44c25fb1492775936ed12a8245e43

                SHA512

                37d2ce2eb090af5c21b3c72b1e0ad72aad527cc7ac6f5d6f0bc5c0e46390c90923378b69c25ff4137deba52819f552cfe82d851eea6fa4e2007fe5320b0a45d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\1004585001\7853d716d2.exe
                Filesize

                2.8MB

                MD5

                cbfc105b9cb7dced3c04bd59923d1dbf

                SHA1

                5b09cd4133bdeea3682049a90585038c0fc4c5f5

                SHA256

                5cb7b346c8782f4ac5dd3f286493cdb0a810bcbfc521c495775105f9831348a0

                SHA512

                c6d2277d8a873a2f2115d863d1899d5e5f558d68fe35097fc740ffaf13e0bcae47983f3bd8a94c9f2cc6640a0ca317a837442e9de5e24264bd46562df7b542f5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
                Filesize

                3.1MB

                MD5

                1a81dffb83d8e7ff3adf172aaadaf388

                SHA1

                8cedfd2a864c409afef1cb0a8ad002f8a5f0ef8e

                SHA256

                447fa6e76e1f5060cf82af86a9f8f4a7916d77a25ae28214f9469c3f66c6ba66

                SHA512

                77289ebb8ff65befc192ff32cd123b2bda303dc48b5e1738bd689ad71139a7dbced09a65ff2597264137b7d11e855af9cdef715e52a8c0c4bac71baa8ae9f8db

                Download Submit

              • memory/1188-97-0x00000000007A0000-0x0000000000A6C000-memory.dmp

                Filesize

                2.8MB

                Download

              • memory/1188-94-0x00000000007A0000-0x0000000000A6C000-memory.dmp

                Filesize

                2.8MB

                Download

              • memory/1188-91-0x00000000007A0000-0x0000000000A6C000-memory.dmp

                Filesize

                2.8MB

                Download

              • memory/1188-90-0x00000000007A0000-0x0000000000A6C000-memory.dmp

                Filesize

                2.8MB

                Download

              • memory/1188-86-0x00000000007A0000-0x0000000000A6C000-memory.dmp

                Filesize

                2.8MB

                Download

              • memory/1748-65-0x0000000000620000-0x0000000000D54000-memory.dmp

                Filesize

                7.2MB

                Download

              • memory/1748-63-0x0000000000620000-0x0000000000D54000-memory.dmp

                Filesize

                7.2MB

                Download

              • memory/2132-110-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2132-111-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-22-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-19-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-115-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-42-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-41-0x0000000000411000-0x0000000000479000-memory.dmp

                Filesize

                416KB

                Download

              • memory/2212-114-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-113-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-112-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-46-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-108-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-23-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-61-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-21-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-107-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-20-0x0000000000411000-0x0000000000479000-memory.dmp

                Filesize

                416KB

                Download

              • memory/2212-106-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-105-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-104-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-103-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-24-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-92-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-99-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/2212-98-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3248-17-0x0000000000850000-0x0000000000B61000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3248-4-0x0000000000850000-0x0000000000B61000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3248-1-0x0000000077D14000-0x0000000077D16000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3248-2-0x0000000000851000-0x00000000008B9000-memory.dmp

                Filesize

                416KB

                Download

              • memory/3248-18-0x0000000000851000-0x00000000008B9000-memory.dmp

                Filesize

                416KB

                Download

              • memory/3248-0-0x0000000000850000-0x0000000000B61000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3248-3-0x0000000000850000-0x0000000000B61000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3500-67-0x0000000000C00000-0x0000000000F20000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3500-89-0x0000000000C00000-0x0000000000F20000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3500-88-0x0000000000C01000-0x0000000000C59000-memory.dmp

                Filesize

                352KB

                Download

              • memory/3500-43-0x0000000004870000-0x0000000004871000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3500-44-0x0000000000C01000-0x0000000000C59000-memory.dmp

                Filesize

                352KB

                Download

              • memory/3500-45-0x0000000000C00000-0x0000000000F20000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3500-39-0x0000000000C00000-0x0000000000F20000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/5080-102-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/5080-101-0x0000000000410000-0x0000000000721000-memory.dmp

                Filesize

                3.1MB

                Download