Analysis
- max time kernel: 142s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/11/2024, 18:54
Static task: static1
Behavioral task: behavioral1
- Sample: 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- Resource: win7-20241010-en
General
- Target: 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- Size: 3.1MB
- MD5: 362a4465a166f5d70e2ba682775650af
- SHA1: 33c190442e962c06b0824e9f264f49544bf94e2d
- SHA256: 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a
- SHA512: 86030428139d02ae0bdde34fd3408a4c8f884aa8b624325f4a744e4c0ee43955e60d29c98669531fd8e3e97a40070e641470cc5bd2b188461b9bf53c3f978028
- SSDEEP: 49152:Md2Jqc3DQ1r/lkHFbNJyyEr2BxMzZ/yV8FHAZUzyl2iT5Oc8:Md2J13DQ1r/lkHFRJ8rN/yV8+Zce5Q
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://thicktoys.sbs/api
https://3xc1aimbl0w.sbs/api
https://300snails.sbs/api
https://faintbl0w.sbs/api
Signatures
-
Amadey family
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 951205a35d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 951205a35d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 951205a35d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 951205a35d.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 951205a35d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 951205a35d.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f8974f826c.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d52e580a3b.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 951205a35d.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d52e580a3b.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 951205a35d.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f8974f826c.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 951205a35d.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f8974f826c.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d52e580a3b.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE 7 IoCs
pid | Process
- 1868 | skotes.exe
- 1956 | f8974f826c.exe
- 2016 | d52e580a3b.exe
- 5112 | skotes.exe
- 452 | 951205a35d.exe
- 3100 | skotes.exe
- 4060 | skotes.exe
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
- Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | d52e580a3b.exe
- Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
- Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 951205a35d.exe
- Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
- Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
- Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
- Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | f8974f826c.exe
Windows security modification
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 951205a35d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 951205a35d.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8974f826c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005796001\\f8974f826c.exe" | skotes.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d52e580a3b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005797001\\d52e580a3b.exe" | skotes.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\951205a35d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005799001\\951205a35d.exe" | skotes.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
pid | Process
- 2560 | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- 1868 | skotes.exe
- 1956 | f8974f826c.exe
- 2016 | d52e580a3b.exe
- 5112 | skotes.exe
- 452 | 951205a35d.exe
- 3100 | skotes.exe
- 4060 | skotes.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
- PID 1868 set thread context of 5112 | 1868 | skotes.exe | 101
Drops file in Windows directory 1 IoCs
description | ioc | Process
- File created | C:\Windows\Tasks\skotes.job | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f8974f826c.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d52e580a3b.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 951205a35d.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process (event count)
- 2560 | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe (2)
- 1868 | skotes.exe (2)
- 1956 | f8974f826c.exe (2)
- 2016 | d52e580a3b.exe (2)
- 5112 | skotes.exe (2)
- 452 | 951205a35d.exe (4)
- 3100 | skotes.exe (2)
- 4060 | skotes.exe (2)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 452 | 951205a35d.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target (event count)
- PID 2560 wrote to memory of 1868 | 2560 | 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe | 86 (3)
- PID 1868 wrote to memory of 1956 | 1868 | skotes.exe | 94 (3)
- PID 1868 wrote to memory of 2016 | 1868 | skotes.exe | 100 (3)
- PID 1868 wrote to memory of 5112 | 1868 | skotes.exe | 101 (12)
- PID 1868 wrote to memory of 452 | 1868 | skotes.exe | 102 (3)
Processes
-
C:\Users\Admin\AppData\Local\Temp\659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2560
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1868
C:\Users\Admin\AppData\Local\Temp\1005796001\f8974f826c.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1005796001\f8974f826c.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1956
C:\Users\Admin\AppData\Local\Temp\1005797001\d52e580a3b.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1005797001\d52e580a3b.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2016
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 5112
C:\Users\Admin\AppData\Local\Temp\1005799001\951205a35d.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\1005799001\951205a35d.exe"
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 452
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3100
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 4060
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
Defense Evasion
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Downloads
- Filesize: 3.0MB
  MD5: 6fddc2de16b4e52b683845b0de57d268
  SHA1: 79913b66c543fc2242de513e396bfada051ea9c1
  SHA256: df5d157f42f8ae124e54ff65eba0d51c8e4ffa8c74314ba2ca78ea0e7d18235d
  SHA512: d585321d10378ddfc341350c54b7643b2caf1be578d1b643496bfa3ec9529769017d015192c17791bd699b830e2fb2b5da626744d3a7cd970f8c0f803f28d2d4
- Filesize: 1.7MB
  MD5: a7a538f9209ff08114a5c40772fc0f9d
  SHA1: a7f2bdaa46a30fe022e8eec4be3d04cdae781ea3
  SHA256: b028bb36409238d9d8f25c5e7c7bcdec533719914ec6e1f66aff34ad04a535f2
  SHA512: 905bd30e78d6f7826dbf89b76dca31466e2eb40ee0ca1f0b7d5830a8d449b82047ba032811cc762f1b50d78789d6fa243d665563c8f6fe92375b4b8632f66957
- Filesize: 2.7MB
  MD5: 70353d6edaabb73111998005887065a2
  SHA1: 24c11a3cc97d2c268590079b95313915094cb3f7
  SHA256: 71ab44d451b7c3154b631e47e06a0c93df237b1e9e06de637f38546196e27cc9
  SHA512: a4b39e0a596cbda7d4658b47528f911c4582c35cdd8c578e676cac6e50ff81680779c95df265785e54dfe73e98d6f774dd7c6fdb385228cfc74dff94f2b32045
- Filesize: 3.1MB
  MD5: 362a4465a166f5d70e2ba682775650af
  SHA1: 33c190442e962c06b0824e9f264f49544bf94e2d
  SHA256: 659d7e5771dda39e290d348369a4435ca1fce155f4ca4046c2a99971977bed7a
  SHA512: 86030428139d02ae0bdde34fd3408a4c8f884aa8b624325f4a744e4c0ee43955e60d29c98669531fd8e3e97a40070e641470cc5bd2b188461b9bf53c3f978028