Analysis
- max time kernel: 141s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 21:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
- Resource: win7-20240903-en
General
- Target: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
- Size: 3.1MB
- MD5: 5414a4ee71faf061656cf6e5799f6814
- SHA1: 131d118f0a2a8b8347f81dccf232c1126581a48e
- SHA256: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a
- SHA512: ab30851216dde32626a62ecaeaab6289d2239a4b8547726fece82c3a744e6deee7ce9886cd1cf8d03ffb95d05a02386a6ecf583099cc803a87517ed20b5d3b87
- SSDEEP: 49152:2z+UsTxH00MQH4F6yyqG0pQKvH4uKtBbD1ajFa:2z4H5MQYF65GqKwfrbpajFa
Malware Config
Extracted: amadey 4.42 9c9aa5 http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Signatures
- Amadey family
- Modifies Windows Defender Real-time Protection settings
Processes: c806b222cf.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (c806b222cf.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (c806b222cf.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (c806b222cf.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (c806b222cf.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (c806b222cf.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (c806b222cf.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
Processes: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe, skotes.exe, 14821dc761.exe, 913cbe613b.exe, c806b222cf.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (skotes.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (14821dc761.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (913cbe613b.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (c806b222cf.exe)
Downloads MZ/PE file
-
Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: c806b222cf.exe, aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe, skotes.exe, 14821dc761.exe, 913cbe613b.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (c806b222cf.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (skotes.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (14821dc761.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (14821dc761.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (913cbe613b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (913cbe613b.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (c806b222cf.exe)
Executes dropped EXE (5 IoCs)
Processes: skotes.exe, 14821dc761.exe, 913cbe613b.exe, c806b222cf.exe, babababa.exe
- PID 2224: skotes.exe
- PID 1676: 14821dc761.exe
- PID 2976: 913cbe613b.exe
- PID 836: c806b222cf.exe
- PID 1636: babababa.exe
Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: skotes.exe, 14821dc761.exe, 913cbe613b.exe, c806b222cf.exe, aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
- Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine (skotes.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine (14821dc761.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine (913cbe613b.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine (c806b222cf.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine (aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe)
Loads dropped DLL (8 IoCs)
Processes: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe, skotes.exe
- PID 2672: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe (1 entry)
- PID 2224: skotes.exe (7 entries)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes: c806b222cf.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features (c806b222cf.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" (c806b222cf.exe)
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: skotes.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\14821dc761.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006051001\\14821dc761.exe" (skotes.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\913cbe613b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006052001\\913cbe613b.exe" (skotes.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\c806b222cf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006054001\\c806b222cf.exe" (skotes.exe)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe, skotes.exe, 14821dc761.exe, 913cbe613b.exe, c806b222cf.exe
- PID 2672: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
- PID 2224: skotes.exe
- PID 1676: 14821dc761.exe
- PID 2976: 913cbe613b.exe
- PID 836: c806b222cf.exe
Drops file in Windows directory (1 IoCs)
Processes: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
- File created: C:\Windows\Tasks\skotes.job (aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe, skotes.exe, 14821dc761.exe, 913cbe613b.exe, c806b222cf.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (skotes.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (14821dc761.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (913cbe613b.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (c806b222cf.exe)
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe, skotes.exe, 14821dc761.exe, 913cbe613b.exe, c806b222cf.exe
- PID 2672: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe (1 entry)
- PID 2224: skotes.exe (1 entry)
- PID 1676: 14821dc761.exe (5 entries)
- PID 2976: 913cbe613b.exe (1 entry)
- PID 836: c806b222cf.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: c806b222cf.exe
- Token: SeDebugPrivilege, PID 836 (c806b222cf.exe)
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
- PID 2672: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe, skotes.exe
(description, pid, Process, procid_target; each entry recorded 4 times)
- PID 2672 wrote to memory of 2224, pid 2672, aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe, target 30 (x4)
- PID 2224 wrote to memory of 1676, pid 2224, skotes.exe, target 33 (x4)
- PID 2224 wrote to memory of 2976, pid 2224, skotes.exe, target 35 (x4)
- PID 2224 wrote to memory of 1608, pid 2224, skotes.exe, target 36 (x4)
- PID 2224 wrote to memory of 836, pid 2224, skotes.exe, target 37 (x4)
- PID 2224 wrote to memory of 1636, pid 2224, skotes.exe, target 38 (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe (PID 2672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2224)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\1006051001\14821dc761.exe (PID 1676)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1006051001\14821dc761.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\1006052001\913cbe613b.exe (PID 2976)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1006052001\913cbe613b.exe"
      Signatures:
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 1608)
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      Signatures: none recorded
    - C:\Users\Admin\AppData\Local\Temp\1006054001\c806b222cf.exe (PID 836)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1006054001\c806b222cf.exe"
      Signatures:
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe (PID 1636)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"
      Signatures:
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- Filesize: 3.0MB
  MD5: 1679847fc3d6173b33c5bc2b2edca142
  SHA1: 8e76660cbe31c9ccfd9d43aebcff9e0c9150660f
  SHA256: af2c8e421a858c0cf7f416d78c3beba9cb0d53808ab4492fe2a2a747aa7bb0e7
  SHA512: c0ffa44a2b2ed196bf3022b053f7a6f2ec03299997535e1069e505e20446ee61d31dbd124fb9e4582c5f71d0fc39a84e6e72fc182716504e097b6a18f95de5b7
- Filesize: 1.8MB
  MD5: 7496ab59ffb86bf1c658489ca7128933
  SHA1: 4b5aff93958a89d2778de9a17918b2df96cf8807
  SHA256: bd7faaaf7173bc1fb80c8d60df889957e073407939b3f2aed28a62f61f8ad3d4
  SHA512: 050db57d5aedd88b1f38c0a1c216abd383f272225710e7ca3aae2f546d061aaddf57701f3e098b545f9a5a984d86750fcb90acede70e3b65f423c284964305cf
- Filesize: 2.7MB
  MD5: 2786f43899bd5d2876cd6591848f9b13
  SHA1: 2b5d7dec2e55d9bbc30deaa8b7dfcc9d2686e057
  SHA256: ea665102e0e2ca7b45bb70ccaef20fc995403d09d75a820e8bbf969a161d5143
  SHA512: aa50a04a07e45a74c373a92f00aa4c750b2fd35fc76c6b70a64d932b23e785d7193a7a6ac1cf8db6e51bb419e4c6ff77fdf85ddf7d7655e92600a667bc609be9
- Filesize: 33.3MB
  MD5: 8fb77810c61e160a657298815346996e
  SHA1: 4268420571bb1a858bc6a9744c0742d6fd738a83
  SHA256: a0840c581f8f1d606fdc43bc98bd386755433bf1fb36647ecf2165eea433ff66
  SHA512: b0d0aea14bfbb5dfa17536b1669d85fc1325140f6a0176ae1c04870efa3adc902d5755f0df00d305f01120960e95bfc40c37c7519ec2827797ebaa95097cfeb2
- Filesize: 3.1MB
  MD5: 5414a4ee71faf061656cf6e5799f6814
  SHA1: 131d118f0a2a8b8347f81dccf232c1126581a48e
  SHA256: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a
  SHA512: ab30851216dde32626a62ecaeaab6289d2239a4b8547726fece82c3a744e6deee7ce9886cd1cf8d03ffb95d05a02386a6ecf583099cc803a87517ed20b5d3b87