Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 14:19
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20241007-en
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
1daa3a0aa5ed7e06b400a47309ba5003
-
SHA1
8d475fd4be28ee701dbe5e2fe489fe9e9b3e826d
-
SHA256
c3d0427b8bc9d084ac65b881ec50f55be52650f60850ac05010ccc8d56e3d1cb
-
SHA512
bc671cd250579413e693d2a61c2873a776a7c39125addd78b7a39a268c508fb638cd7c552faabd3ac9a53baf4b97086173af09264dd68e2f5a7516b55a3f2ed8
-
SSDEEP
49152:PMGDMQEgEDs8SLI5GQ3+l1cxRGPfyJgSuOB3X:PMLZuIgQuxpSbF
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe -
Executes dropped EXE 1 IoCs
pid Process 2720 skotes.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine file.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine skotes.exe -
Loads dropped DLL 1 IoCs
pid Process 2888 file.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2888 file.exe 2720 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2888 file.exe 2720 skotes.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2888 file.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2720 2888 file.exe 30 PID 2888 wrote to memory of 2720 2888 file.exe 30 PID 2888 wrote to memory of 2720 2888 file.exe 30 PID 2888 wrote to memory of 2720 2888 file.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2720
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD51daa3a0aa5ed7e06b400a47309ba5003
SHA18d475fd4be28ee701dbe5e2fe489fe9e9b3e826d
SHA256c3d0427b8bc9d084ac65b881ec50f55be52650f60850ac05010ccc8d56e3d1cb
SHA512bc671cd250579413e693d2a61c2873a776a7c39125addd78b7a39a268c508fb638cd7c552faabd3ac9a53baf4b97086173af09264dd68e2f5a7516b55a3f2ed8