Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/11/2024, 12:34

General

  • Target: 2df513e280f0f7db763e4c3a2c13e984240991e565f06972feabbbdd4b6901dd.exe
  • Size: 7.1MB
  • MD5: 40df460f6b8f9bd43677d5205612e43c
  • SHA1: 88f398954b15732bf03fb31d81b74876fef4164c
  • SHA256: 2df513e280f0f7db763e4c3a2c13e984240991e565f06972feabbbdd4b6901dd
  • SHA512: 96f301985eeb5a8d9511343ba8c306b551c4cb9f75ffd98cb8259d60fe98f91216dc93701903f81755dbd3dbcf63f6251086d310c8fadd58939bcf2da35451f0
  • SSDEEP: 98304:rqvOLVHbyr6dilKumH9YR4506seVhF5O2l7bQ8hK1o6cm48KV92Ajhm8KokVDmZn:+vO9ymI0tU40rG/4M701rbjVm2

Malware Config

Extracted

  • Family: amadey
  • Version: 4.42
  • Botnet: 9c9aa5
  • C2: http://185.215.113.43
  • Attributes
    • install_dir: abc3bc1985
    • install_file: skotes.exe
    • strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
    • url_paths: /Zu7JuNko/index.php
    • rc4.plain

Extracted

  • Family: lumma
  • C2:
    • https://preside-comforter.sbs
    • https://savvy-steereo.sbs
    • https://copper-replace.sbs
    • https://record-envyp.sbs
    • https://slam-whipp.sbs
    • https://wrench-creter.sbs
    • https://looky-marked.sbs
    • https://plastic-mitten.sbs
    • https://hallowed-noisy.sbs

Extracted

  • Family: stealc
  • Botnet: mars
  • C2: http://185.215.113.206
  • Attributes
    • url_path: /c4becf79229cb002.php

Signatures

  • Amadey
    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  • Amadey family
  • Lumma Stealer, LummaC
    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.
  • Lumma family
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • Stealc
    Stealc is an infostealer written in C++.
  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 8 IoCs)
  • Downloads MZ/PE file
  • Checks BIOS information in registry (2 TTPs, 16 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely a geofence check.
  • Executes dropped EXE (10 IoCs)
  • Identifies Wine through registry keys (2 TTPs, 8 IoCs)
    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  • Windows security modification (2 TTPs, 2 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2df513e280f0f7db763e4c3a2c13e984240991e565f06972feabbbdd4b6901dd.exe
    "C:\Users\Admin\AppData\Local\Temp\2df513e280f0f7db763e4c3a2c13e984240991e565f06972feabbbdd4b6901dd.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7P91.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7P91.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\X9f77.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\X9f77.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1c58u4.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1c58u4.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Users\Admin\AppData\Local\Temp\1009881001\223d4c20d7.exe
              "C:\Users\Admin\AppData\Local\Temp\1009881001\223d4c20d7.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:536
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1544
                7⤵
                • Program crash
                PID:3964
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Z9297.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Z9297.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2984
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3v46K.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3v46K.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4x526k.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4x526k.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 536 -ip 536
    1⤵
    PID:3088
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:996
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1484

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V4KZV1MD\download[1].htm
    Filesize: 1B
    MD5: cfcd208495d565ef66e7dff9f98764da
    SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
    SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
    SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

  • C:\Users\Admin\AppData\Local\Temp\1009881001\223d4c20d7.exe
    Filesize: 1.9MB
    MD5: b2d9e9b305c92045dfdf886cf0287182
    SHA1: f983caca99ef85aae37d6fa602bab335f99c91dc
    SHA256: ae564d1f04bda2b085436a00ff9a1a210360748e313994297cb4718b11e9bf92
    SHA512: cdfc38b48f730a258381a83a9eaaa9bee38dbce95ac97fe60d0ded1419b288dba9f779796af4342d6fced67f7cd6b01568fa4e4f6f4115ee8351d84ad0bcae13

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4x526k.exe
    Filesize: 2.7MB
    MD5: fe6b345ced53686b16f87f834af9eb17
    SHA1: 4d70ba2e5f890c6b3e5b723c3de82fa14fb0b13a
    SHA256: 172a34ccd02e38fc58a929884c68c1b51e9d995901cc6128538a04792a7d06ae
    SHA512: 63f38c5e6b0a84cfe9818e5bab77452b7b485b699d55d7e15b29fdcabd3d60ea00845f77318440b1c9b6daa6edd4103cb10bd21887d0029239b81ea680fe150f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7P91.exe
    Filesize: 5.5MB
    MD5: 102d6abfebb1bce647e8cc6869061feb
    SHA1: 8c593bb304cbe83bad7bc9e964f2d524f6f70617
    SHA256: 293d3027a3e112bf0f2d8f270ce6d668349c97595c4bca5ea800a1be5b625957
    SHA512: 789be7787611f504d1e8b126f2ed9c38dc4e6416c971cf704cfee71a87f4ac02a6bdc5f239656da893eaf702486b3d6426901a392fd002d073d995599e4fe9eb

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3v46K.exe
    Filesize: 1.7MB
    MD5: eff725edfb37ab797a338efab7f09c76
    SHA1: 9a1d9acc84b66da5111b21dd37b27d4d3d505a8e
    SHA256: f5310d2651b5565f1bdf48d30b6ed328e4e831914e03945a0981a4b990b12ade
    SHA512: 45fc7cc9de1a00303b9c33f1df57940cedd77e849937a3c11a6888b968b66af259662551b9c5433747a84e5b6eb0cefd6acd5385ef13b2bbf2854c934fafbb3d

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\X9f77.exe
    Filesize: 3.7MB
    MD5: 88fefb9aebb96ec822e07ed2c4987004
    SHA1: b2aea74b9bcd7c6401cb25003894f377f5175816
    SHA256: 3144a0bef23db5cc5efe30ee83522f8f9e3dc7d2d83bcdc4d38db08fc5b34ab7
    SHA512: 7d18d4c404f68d7933882c676471e9e49e09dbf7a58bdb030e3efcfca861dac76950677cc2320baab5056281c95931f66ca245908b7dccd6a68b005d7ec00a26

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1c58u4.exe
    Filesize: 1.8MB
    MD5: a93b02d857db3b12c32bd765b83825ab
    SHA1: 137f12047a081e6581e1d1a83c939d98514c3ff3
    SHA256: 553620b236b58004ed19556a8e380ea9c17f542d16986f0c88e9e7efc64670fa
    SHA512: aab2bfd4090c77b87784d0110f5ee2dd24554fada9bdf9c2e8e08ff01a9025f5d8a7dfa2d4b89bf35cb037c162292a04f1084b87727b1bd201a9b5ab1b367bcd

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Z9297.exe
    Filesize: 1.8MB
    MD5: d4aadd87af5fd4945bcbc76ff3d44e06
    SHA1: 55022b47287c2adef01bf8a5de17d320e3a507df
    SHA256: d9afff60a7ef435234176904e6490409c99acd991a9cafe856f59b7e2064b486
    SHA512: a89a6d0667d78e02b40f6e20868e7142a1c0866121daf22c1a686264b263b1467e1b4d377266d8a701ea93433fa0cda36307b0eba452e4c5a66c7a76ccdf7984
  • memory/536-90-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize: 4.8MB)
  • memory/536-71-0x0000000010000000-0x000000001001C000-memory.dmp (Filesize: 112KB)
  • memory/536-97-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize: 4.8MB)
  • memory/536-104-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize: 4.8MB)
  • memory/536-83-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize: 4.8MB)
  • memory/536-66-0x0000000000400000-0x00000000008C3000-memory.dmp (Filesize: 4.8MB)
  • memory/996-108-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/996-109-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/1484-118-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/1484-117-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-67-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-93-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-75-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-114-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-113-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-115-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-119-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-86-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-120-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-112-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-121-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-34-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-105-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-111-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-107-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2420-110-0x0000000000A20000-0x0000000000EE6000-memory.dmp (Filesize: 4.8MB)
  • memory/2460-21-0x0000000000CB0000-0x0000000001176000-memory.dmp (Filesize: 4.8MB)
  • memory/2460-32-0x0000000000CB0000-0x0000000001176000-memory.dmp (Filesize: 4.8MB)
  • memory/2900-44-0x0000000000C40000-0x00000000012C9000-memory.dmp (Filesize: 6.5MB)
  • memory/2900-43-0x0000000000C40000-0x00000000012C9000-memory.dmp (Filesize: 6.5MB)
  • memory/2984-39-0x0000000000570000-0x0000000000A27000-memory.dmp (Filesize: 4.7MB)
  • memory/2984-38-0x0000000000570000-0x0000000000A27000-memory.dmp (Filesize: 4.7MB)
  • memory/4440-82-0x00000000008D0000-0x0000000000B92000-memory.dmp (Filesize: 2.8MB)
  • memory/4440-77-0x00000000008D0000-0x0000000000B92000-memory.dmp (Filesize: 2.8MB)
  • memory/4440-50-0x00000000008D0000-0x0000000000B92000-memory.dmp (Filesize: 2.8MB)
  • memory/4440-49-0x00000000008D0000-0x0000000000B92000-memory.dmp (Filesize: 2.8MB)
  • memory/4440-48-0x00000000008D0000-0x0000000000B92000-memory.dmp (Filesize: 2.8MB)