Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03-12-2024 01:00
General
-
Target
1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe
-
Size
1.8MB
-
MD5
08d46090c22ff00bd53e843027e0dc26
-
SHA1
ec4d86baa8a294a18daf44fcb61eca03c3116c23
-
SHA256
1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215
-
SHA512
c9d9214076bd90886b52713287c771264f2a46a76d93b42c6a208bc95e0f5d58a4d41dafe7feadf114f27c1cd430fd90c571e5a30f078c1b9459a8212224b0ed
-
SSDEEP
24576:z2BoyWmAgwI0L6ul/urTQzxYtarKUKkpOb0A93R8S9D5pbgFqAKzeleH4W+:z2OFe0L6ugiKhxs6pqqAKzCeH
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 16 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies registry class 34 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 46 IoCs
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe"C:\Users\Admin\AppData\Local\Temp\1ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1011233001\tpZOod0.exe"C:\Users\Admin\AppData\Local\Temp\1011233001\tpZOod0.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1011308001\NK4PJqi.exe"C:\Users\Admin\AppData\Local\Temp\1011308001\NK4PJqi.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 6564⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe"C:\Users\Admin\AppData\Local\Temp\1011316001\DU1zDwm.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe4⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe4⤵
- Views/modifies file attributes
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "MicrosoftEdgeUpdateTaskMachineCoreSC" /TR "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe" /SC MINUTE4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del DU1zDwm.exe4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c wmic path win32_videocontroller get caption4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_videocontroller get caption5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\dxdiag.exe"dxdiag" /t C:\Users\Admin\AppData\Local\Temp\dxdiag.txt4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dxdiag.exe"C:\Windows\SysWOW64\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\dxdiag.txt5⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3944 -s 15644⤵
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {D48DFA9B-9C46-4231-9ED9-57E051367DB5} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exeC:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdateTaskMachineCoreSC.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.0.1; del MicrosoftEdgeUpdateTaskMachineCoreSC.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
217KB
MD598da391545b4823ca67e6cc3a927dae9
SHA1d2f66837884d6d65dfe21372501cc7ba1d91ef29
SHA25612862b60140f019b0c251da7be59caf90d93eca6a30d016609cf2ff1da4652a7
SHA51259130547c169768310d57c075f2cec01a71704e9658955ef8eb1c6b2c30a24a801623f189eac14a84357aa597f5d5c96c5c9f8e96ee4ddf7bcf911dcf6bcb7b9
-
Filesize
1.5MB
MD503933b44701e2688a19b6fe5980526b7
SHA1456f586dffa20cc847b3a1f86c2fc958e9cea325
SHA25604510f9d11f433e48517273b05f3f800d73c16bca0b2b4a9afdaf3612550239e
SHA512bb1e6d2e1ffc8ab728295ac07512db3f6a08e0c7f9ec70e65ec75591bb9f697781d0df2096d7f9fc9a4b60b62d427acef46bd9105d713a84f91d33db3bec5d96
-
Filesize
2.2MB
MD54c64aec6c5d6a5c50d80decb119b3c78
SHA1bc97a13e661537be68863667480829e12187a1d7
SHA25675c7692c0f989e63e14c27b4fb7d25f93760068a4ca4e90fa636715432915253
SHA5129054e3c8306999fe851b563a826ca7a87c4ba78c900cd3b445f436e8406f581e5c3437971a1f1dea3f5132c16a1b36c2dd09f2c97800d28e7157bd7dc3ac3e76
-
Filesize
560KB
MD5197feb829312be2d9505c1492b6ddd16
SHA14e521c36e4fd6c7755d93f8281cc028a980b0979
SHA2562a08227ca39953cd8f967682f4f101f8debdc323b63b37aa1e9ddc38b9009a12
SHA512fa9b18fb32f2892a4844fcf3d29823c1375daca8b3c46ce2dd048e3b11ff2ba2acf6ef73c38e57d16712e75304c8961cf7f2dee4213dc10798f645f9d59c8cb9
-
Filesize
7KB
MD521a0359997ca8c8d2cb877bc2447a614
SHA1ef21f77aeebbe49a3b06ea5b62814c08843559b2
SHA2567080e62202f8b9306b3802cfe9e9a979fd0efaf055ca772baa39b58e8262fbf3
SHA5120343a1efc6456e71a1d7a6fd1d1389b3e81faa445e438fbbcf81e3996b2bdde1a281180301d5333c6afc789eab0544f2fad34ec9b18a70a13d1912507fb9e2dc
-
Filesize
7KB
MD5daa7cca280739dadf8e3ca4ff01abb65
SHA136b0593ca95894e1299b213b55fb7f97be2bc676
SHA256c36a11a53d271e277d7134e7d07702ebb3c430ec6ca4e610264b3d00f164babd
SHA51287d15e80d7e0615cabdddba3e879d1f61f9c175c66df621ec48b3be746960925b50ff066a2c50a8ede62a3931d17496929e96770d789c0a9089a000875c383f8
-
Filesize
1.8MB
MD508d46090c22ff00bd53e843027e0dc26
SHA1ec4d86baa8a294a18daf44fcb61eca03c3116c23
SHA2561ceab2ffb1eeba5856886c108f56de4f25bb0e15b7ff84d75cae17197f3f2215
SHA512c9d9214076bd90886b52713287c771264f2a46a76d93b42c6a208bc95e0f5d58a4d41dafe7feadf114f27c1cd430fd90c571e5a30f078c1b9459a8212224b0ed
-
Filesize
126KB
MD5b48e172f02c22894ad766c52303f087a
SHA161da0ff26dfc3759f7cd79696430b52f85073141
SHA256712e46f7a4f9da7fabd0b1acd5e848527bd70b6c4444dc92c8479ac108d71753
SHA5125b8a888a9d87a4ee34f57799d3d6baf69cd556a2d1336afb109adc488a5efa1c7cd094c3785cf9af726a0c41be3a56a0ffac933b7fa7fb5dec9643f3af08bdfd
-
Filesize
168KB
-
Filesize
368KB
-
Filesize
168KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
368KB
-
Filesize
40KB
-
Filesize
368KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
24KB
-
Filesize
256KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
728KB
-
Filesize
304KB
-
Filesize
336KB
-
Filesize
1.2MB
-
Filesize
1.5MB
-
Filesize
1.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
152KB
-
Filesize
640KB
-
Filesize
584KB