Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/11/2024, 03:04
Static task
static1
Behavioral task
behavioral1
Sample
766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
Resource
win7-20240903-en
General
-
Target
766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe
-
Size
3.1MB
-
MD5
74ba48529515c95320f4a86fc42fc668
-
SHA1
c33b2b0c5e43e5ac274206ae964cf85bb8718048
-
SHA256
766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa
-
SHA512
16f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8
-
SSDEEP
98304:XmP6PUaaDfBgWBPTrdEdsgxYC2JyLce9ebFyZgk6TR:XcqZexyV6T
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://founpiuer.store/api
Signatures
-
Amadey family
-
Lumma family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 5685e027dd.exe -
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 71b8acff7f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e1ae7b97ca.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5685e027dd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e1ae7b97ca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5685e027dd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 71b8acff7f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 71b8acff7f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e1ae7b97ca.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5685e027dd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation skotes.exe -
Executes dropped EXE 7 IoCs
pid Process 2628 skotes.exe 2748 skotes.exe 1296 71b8acff7f.exe 3740 e1ae7b97ca.exe 4252 5685e027dd.exe 3296 skotes.exe 1660 skotes.exe -
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 71b8acff7f.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine e1ae7b97ca.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine 5685e027dd.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine skotes.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 5685e027dd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 5685e027dd.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\71b8acff7f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004745001\\71b8acff7f.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e1ae7b97ca.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004746001\\e1ae7b97ca.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5685e027dd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1004748001\\5685e027dd.exe" skotes.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid Process 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 2628 skotes.exe 2748 skotes.exe 1296 71b8acff7f.exe 3740 e1ae7b97ca.exe 4252 5685e027dd.exe 3296 skotes.exe 1660 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4572 1296 WerFault.exe 105 2896 1296 WerFault.exe 105 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 71b8acff7f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e1ae7b97ca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5685e027dd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 2628 skotes.exe 2628 skotes.exe 2748 skotes.exe 2748 skotes.exe 1296 71b8acff7f.exe 1296 71b8acff7f.exe 3740 e1ae7b97ca.exe 3740 e1ae7b97ca.exe 4252 5685e027dd.exe 4252 5685e027dd.exe 4252 5685e027dd.exe 4252 5685e027dd.exe 4252 5685e027dd.exe 3296 skotes.exe 3296 skotes.exe 1660 skotes.exe 1660 skotes.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4252 5685e027dd.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 540 wrote to memory of 2628 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 88 PID 540 wrote to memory of 2628 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 88 PID 540 wrote to memory of 2628 540 766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe 88 PID 2628 wrote to memory of 1296 2628 skotes.exe 105 PID 2628 wrote to memory of 1296 2628 skotes.exe 105 PID 2628 wrote to memory of 1296 2628 skotes.exe 105 PID 2628 wrote to memory of 3740 2628 skotes.exe 107 PID 2628 wrote to memory of 3740 2628 skotes.exe 107 PID 2628 wrote to memory of 3740 2628 skotes.exe 107 PID 2628 wrote to memory of 4472 2628 skotes.exe 108 PID 2628 wrote to memory of 4472 2628 skotes.exe 108 PID 2628 wrote to memory of 4472 2628 skotes.exe 108 PID 2628 wrote to memory of 4252 2628 skotes.exe 114 PID 2628 wrote to memory of 4252 2628 skotes.exe 114 PID 2628 wrote to memory of 4252 2628 skotes.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe"C:\Users\Admin\AppData\Local\Temp\766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe"C:\Users\Admin\AppData\Local\Temp\1004745001\71b8acff7f.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1296 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 14684⤵
- Program crash
PID:2896
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 15084⤵
- Program crash
PID:4572
-
-
-
C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe"C:\Users\Admin\AppData\Local\Temp\1004746001\e1ae7b97ca.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3740
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵PID:4472
-
-
C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe"C:\Users\Admin\AppData\Local\Temp\1004748001\5685e027dd.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1296 -ip 12961⤵PID:3584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1296 -ip 12961⤵PID:4652
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3296
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1660
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5dceb05bdd62c6c55ab493ccd4d6ca445
SHA1236ca65f1dbfdc4a06140af7871cd4aa8d2ba1d1
SHA256e293319a6bb1415044af45cf66026b591dc5f72c8e83c39e35af8c5e6579c7e5
SHA51259d9ea396546a2b8ca2de08a791f7954c1286837c6effa24ec858f79af0464c4e20136bdc7d7acb7655e2403e1377fe3615b9d52bc75bc9bb8161007922783c9
-
Filesize
2.1MB
MD518c1fe0a3db9ac8cf9bae44f3d261a2c
SHA1cd3a1f06db593e00e03a43bf2ba1732897c94721
SHA256d33bf5ccd141c26d9e218fb573b078cdcd54eb890d2a32306a0eea649750aad8
SHA51260f9cc29f296a828828d278512128ceadc90618cc204774539037293c628018c5d1dfb9d5ced3819209c644116a9cf1b4bb0f7b5b680d45aa779c42fb5010735
-
Filesize
2.7MB
MD50388e2b7bda529ad2e2c828e347c50ff
SHA11810d53c0c9a63e27bd0d41b1dfd0ad92910e8e0
SHA25652e24f63eb5333c50be7274f75f8bd2672abbebacded171bb597f7a941f80c3a
SHA512d7120812ac04c355cafee1daad4d0599ce181f6f29017ba61654ba22295449e5fb1cadd19b175a6cb57045e3e4832cdb6056f0ae5788bd1534e6bc13275bb84b
-
Filesize
3.1MB
MD574ba48529515c95320f4a86fc42fc668
SHA1c33b2b0c5e43e5ac274206ae964cf85bb8718048
SHA256766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa
SHA51216f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8