Analysis

max time kernel: 143s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2024 20:06
Static task: static1
Behavioral task: behavioral1
Sample: dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Resource: win7-20240903-en
General

Target: dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Size: 3.1MB
MD5: ebf55eb4c7b5fca83338793ebb9ec03a
SHA1: 40dc766067545343481cdf8180dbcf73b5199bdb
SHA256: dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3
SHA512: 7284d6bec7babefd6fe5fb40f20b11576edd7e3043c4994579151a4e9bc14d9b8b232fea8731db62cacc212a0a88a55938ae0f9bc7616926946b95972ee0e871
SSDEEP: 49152:XYtjLv3Obz2AMgy4AGul7HdzmbfTx4feH:I/3Az2AMg1Anl7HcbfTx42
Malware Config

Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Signatures

Amadey family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 3b77f8121e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 3b77f8121e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 3b77f8121e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 3b77f8121e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 3b77f8121e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 3b77f8121e.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 33a9f8b191.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 595fc108c9.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3b77f8121e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3b77f8121e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 595fc108c9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3b77f8121e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 33a9f8b191.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 33a9f8b191.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 595fc108c9.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE 6 IoCs
pid | Process
2076 | skotes.exe
4176 | 33a9f8b191.exe
3624 | 595fc108c9.exe
4012 | 3b77f8121e.exe
2628 | skotes.exe
720 | skotes.exe
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 33a9f8b191.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 595fc108c9.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | 3b77f8121e.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Wine | skotes.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 3b77f8121e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 3b77f8121e.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3b77f8121e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006509001\\3b77f8121e.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\33a9f8b191.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006506001\\33a9f8b191.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\595fc108c9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006507001\\595fc108c9.exe" | skotes.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
844 | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
2076 | skotes.exe
4176 | 33a9f8b191.exe
3624 | 595fc108c9.exe
4012 | 3b77f8121e.exe
2628 | skotes.exe
720 | skotes.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 595fc108c9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3b77f8121e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 33a9f8b191.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
844 | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
844 | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
2076 | skotes.exe
2076 | skotes.exe
4176 | 33a9f8b191.exe
4176 | 33a9f8b191.exe
3624 | 595fc108c9.exe
3624 | 595fc108c9.exe
4012 | 3b77f8121e.exe
4012 | 3b77f8121e.exe
4012 | 3b77f8121e.exe
4012 | 3b77f8121e.exe
2628 | skotes.exe
2628 | skotes.exe
720 | skotes.exe
720 | skotes.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4012 | 3b77f8121e.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
844 | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe

Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 844 wrote to memory of 2076 | 844 | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe | 86
PID 844 wrote to memory of 2076 | 844 | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe | 86
PID 844 wrote to memory of 2076 | 844 | dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe | 86
PID 2076 wrote to memory of 4176 | 2076 | skotes.exe | 94
PID 2076 wrote to memory of 4176 | 2076 | skotes.exe | 94
PID 2076 wrote to memory of 4176 | 2076 | skotes.exe | 94
PID 2076 wrote to memory of 3624 | 2076 | skotes.exe | 98
PID 2076 wrote to memory of 3624 | 2076 | skotes.exe | 98
PID 2076 wrote to memory of 3624 | 2076 | skotes.exe | 98
PID 2076 wrote to memory of 888 | 2076 | skotes.exe | 102
PID 2076 wrote to memory of 888 | 2076 | skotes.exe | 102
PID 2076 wrote to memory of 888 | 2076 | skotes.exe | 102
PID 2076 wrote to memory of 4012 | 2076 | skotes.exe | 103
PID 2076 wrote to memory of 4012 | 2076 | skotes.exe | 103
PID 2076 wrote to memory of 4012 | 2076 | skotes.exe | 103
Processes

C:\Users\Admin\AppData\Local\Temp\dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe
  "C:\Users\Admin\AppData\Local\Temp\dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 844

  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2076

    C:\Users\Admin\AppData\Local\Temp\1006506001\33a9f8b191.exe
      "C:\Users\Admin\AppData\Local\Temp\1006506001\33a9f8b191.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4176

    C:\Users\Admin\AppData\Local\Temp\1006507001\595fc108c9.exe
      "C:\Users\Admin\AppData\Local\Temp\1006507001\595fc108c9.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3624

    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      PID: 888

    C:\Users\Admin\AppData\Local\Temp\1006509001\3b77f8121e.exe
      "C:\Users\Admin\AppData\Local\Temp\1006509001\3b77f8121e.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4012

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2628

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 720
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
  - Windows Service 1

Privilege Escalation
- Boot or Logon Autostart Execution 1
  - Registry Run Keys / Startup Folder 1
- Create or Modify System Process 1
  - Windows Service 1

Defense Evasion
- Impair Defenses 2
  - Disable or Modify Tools 2
- Modify Registry 3
- Virtualization/Sandbox Evasion 2
Downloads

Filesize: 1.8MB
MD5: 7077b7b13ce8ca24f10e0945cbdfdd50
SHA1: 256e13e4fe8ef32118b6075e10a7ac137e91b5c9
SHA256: d112e1a1b302c9399ea0c4dbbcd59826cb62b63225db82cd240416e7803c8822
SHA512: caa35c0844cb838f14c3269b4bc6c05795a4bb16ec1960ee74a75017046ceb6e47eac7586921795f64eb96bcc357a7c2bb6725041257ccb6ee3d43ce0b7d0bf9

Filesize: 1.7MB
MD5: 9283604ddc7e5c68fa4517188d92f382
SHA1: 1d8653a6284c0d2ddf056965f99c28e4d074faea
SHA256: 383ae1b4238cff538eb9b18dca92222c95a54d5b3de5e6ada7537d14716e6c9f
SHA512: 89d3ecdff5c2f8e89bd55f62f6544a78c91968183f39f1341d02c0ff8ea5d89ab703594c23c41c9598e10d244c7575e6aec2077622a01f6bc97582c600a5f3d6

Filesize: 2.7MB
MD5: 72e2b4c2571a52134880415a416a5d35
SHA1: d9e94651404fe63b3dadb414f896d2e8a77e41e7
SHA256: 4617aa0d270aaacf64b8a17a219882b58b87ac746680acef2dd32bb0f62be125
SHA512: de7d98a56cf2ee92e3ad63de1be34734b472d92a61b855815c52871d0f47599c5fea2298e6d62e661b90c78f9cfbf4c006493345eca84a368342588f988f5cb2

Filesize: 3.1MB
MD5: ebf55eb4c7b5fca83338793ebb9ec03a
SHA1: 40dc766067545343481cdf8180dbcf73b5199bdb
SHA256: dcde2a73b6f201582bc32d96780a29ea227f488b7436754e6e709bbe755920f3
SHA512: 7284d6bec7babefd6fe5fb40f20b11576edd7e3043c4994579151a4e9bc14d9b8b232fea8731db62cacc212a0a88a55938ae0f9bc7616926946b95972ee0e871