Analysis

  • max time kernel
    113s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2024 02:45

General

  • Target

    980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe

  • Size

    5.5MB

  • MD5

    1d5bb61f71fcb19e89d1fa10a1c343f0

  • SHA1

    b84f8d6940908d284339839c275b0dc90dbdb94a

  • SHA256

    980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102ed

  • SHA512

    17ae6dd1ecf556f4eccb57d0a325c35d3bd0a58df2d1bafbb160336145578c8f384e517be71d2406f63fb32d00decd815056fb9923a9f5fb4a9e4e48d763bb39

  • SSDEEP

    98304:eZi9LOgBDVkvrs6Olhmh7jVdLPZqqn6AE3uAeWm6b9I3QfqV3n3enE2eFoC:QdgBDVkvrUhmRjXd1n6AEIWxbAXunE73

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

stealc

Botnet

drum

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

lumma

C2

https://atten-supporse.biz/api

https://se-blurry.biz/api

https://zinc-sneark.biz/api

https://dwell-exclaim.biz/api

https://formy-spill.biz/api

https://covery-mover.biz/api

https://dare-curbys.biz/api

https://print-vexer.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++, first seen in August 2022.

  • Lumma family
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe
    "C:\Users\Admin\AppData\Local\Temp\980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3T89.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3T89.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3264
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1A09z7.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1A09z7.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2m0202.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2m0202.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1644
          4⤵
          • Program crash
          PID:5008
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3A73M.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3A73M.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2392
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 908 -ip 908
    1⤵
    PID:2856
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3916

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3A73M.exe

      Filesize

      1.7MB

      MD5

      868914554c439b7a6b83049364992a6e

      SHA1

      25abe8a1a31431cdd953322af0f259b84dcdc1a2

      SHA256

      f2b87185d453c7a71b472af472e1fdb3bf32147990de0b1b24cff92fa1379eea

      SHA512

      467d51eee7390973af084fb4522871cbda0b99fa9531166f4cc92317ef7ca7969c37f8cdbfc0b27bb978becbde4b87f300ba5f3ad9958e3c3c19f6b95b331977

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3T89.exe

      Filesize

      3.7MB

      MD5

      b0389cfecffd5eadf2bfaf26ca68089c

      SHA1

      4784bcb1b978f5a64a86bdfbf0d0fc46c43a9d2d

      SHA256

      6ddb33d628e31532740d989d72f6b94f43e0b67053d0ffed0888b0f71ddca6b5

      SHA512

      1932eb41fa46f1d78beb2361d5c550b5e3bc3d14e9431b2a74874257a50653fd45ed9745a199bb25c03f95ff8f183e98fa2cd27c663d66f7e4ab0fa6faf79c84

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1A09z7.exe

      Filesize

      1.8MB

      MD5

      24f49ffb121e1be75fb379d7feda6ba6

      SHA1

      f5c11a11464c5d8596d14fda54ddcd27edfa9552

      SHA256

      ce24d7881dc208db5f3143e25f74962e16e7961a399d97bf906a43851223c138

      SHA512

      566a4780154d8fc736bc60fd76c144aaec504988137cfff1b5eb21f31bca7632eb70fe1a37ce2312fd6016dd8550cbaca1c804d5495721402f609d7e5043b695

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2m0202.exe

      Filesize

      1.8MB

      MD5

      2426e5ac8ee0bbb03e63d7467cba1df2

      SHA1

      6cfd84d6f98b4a9d1b9d5bd724ec59cd4e8533c3

      SHA256

      4b6f652aa6df9d8078f869655c18ac854262d94c3b3a547488a2ece1b184a7b5

      SHA512

      5697de737cf9ee10433c57a1f0d214b0d8344ad33306b243624542ead2375e6c3a4ca5a8d4e3b806cb5bbad17b1612881b1f1064d03b18da01c5f96c57e9751c

    • memory/116-39-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/116-38-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/908-40-0x0000000000A70000-0x0000000000F0F000-memory.dmp

      Filesize

      4.6MB

    • memory/908-36-0x0000000000A70000-0x0000000000F0F000-memory.dmp

      Filesize

      4.6MB

    • memory/2272-30-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-47-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-60-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-59-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-58-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-57-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-56-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-51-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-50-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-46-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-52-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-48-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2272-49-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/2392-45-0x0000000000F40000-0x00000000015DF000-memory.dmp

      Filesize

      6.6MB

    • memory/2392-44-0x0000000000F40000-0x00000000015DF000-memory.dmp

      Filesize

      6.6MB

    • memory/3916-54-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/3916-55-0x00000000002B0000-0x0000000000779000-memory.dmp

      Filesize

      4.8MB

    • memory/4944-32-0x0000000000A00000-0x0000000000EC9000-memory.dmp

      Filesize

      4.8MB

    • memory/4944-14-0x0000000000A00000-0x0000000000EC9000-memory.dmp

      Filesize

      4.8MB

    • memory/4944-15-0x0000000077664000-0x0000000077666000-memory.dmp

      Filesize

      8KB

    • memory/4944-16-0x0000000000A01000-0x0000000000A2F000-memory.dmp

      Filesize

      184KB

    • memory/4944-17-0x0000000000A00000-0x0000000000EC9000-memory.dmp

      Filesize

      4.8MB

    • memory/4944-18-0x0000000000A00000-0x0000000000EC9000-memory.dmp

      Filesize

      4.8MB