Analysis
max time kernel: 113s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2024 02:45
Static task
static1
General
Target: 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe
Size: 5.5MB
MD5: 1d5bb61f71fcb19e89d1fa10a1c343f0
SHA1: b84f8d6940908d284339839c275b0dc90dbdb94a
SHA256: 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102ed
SHA512: 17ae6dd1ecf556f4eccb57d0a325c35d3bd0a58df2d1bafbb160336145578c8f384e517be71d2406f63fb32d00decd815056fb9923a9f5fb4a9e4e48d763bb39
SSDEEP: 98304:eZi9LOgBDVkvrs6Olhmh7jVdLPZqqn6AE3uAeWm6b9I3QfqV3n3enE2eFoC:QdgBDVkvrUhmRjXd1n6AEIWxbAXunE73
Malware Config
Extracted: amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Extracted: lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted: stealc
drum
http://185.215.113.206
url_path: /c4becf79229cb002.php
Extracted: lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
https://dwell-exclaim.biz/api
https://formy-spill.biz/api
https://covery-mover.biz/api
https://dare-curbys.biz/api
https://print-vexer.biz/api
Signatures
Amadey family
Lumma family
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2m0202.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3A73M.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1A09z7.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1A09z7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1A09z7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2m0202.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3A73M.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2m0202.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3A73M.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 1A09z7.exe
Executes dropped EXE 7 IoCs
pid | Process
3264 | l3T89.exe
4944 | 1A09z7.exe
2272 | skotes.exe
908 | 2m0202.exe
116 | skotes.exe
2392 | 3A73M.exe
3916 | skotes.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 2m0202.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 3A73M.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 1A09z7.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | l3T89.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid | Process
4944 | 1A09z7.exe
2272 | skotes.exe
908 | 2m0202.exe
116 | skotes.exe
2392 | 3A73M.exe
3916 | skotes.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1A09z7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5008 | 908 | WerFault.exe | 86
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1A09z7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2m0202.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3A73M.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | l3T89.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
4944 | 1A09z7.exe
4944 | 1A09z7.exe
2272 | skotes.exe
2272 | skotes.exe
908 | 2m0202.exe
908 | 2m0202.exe
116 | skotes.exe
116 | skotes.exe
2392 | 3A73M.exe
2392 | 3A73M.exe
3916 | skotes.exe
3916 | skotes.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4944 | 1A09z7.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 3448 wrote to memory of 3264 | 3448 | 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe | 83
PID 3448 wrote to memory of 3264 | 3448 | 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe | 83
PID 3448 wrote to memory of 3264 | 3448 | 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe | 83
PID 3264 wrote to memory of 4944 | 3264 | l3T89.exe | 84
PID 3264 wrote to memory of 4944 | 3264 | l3T89.exe | 84
PID 3264 wrote to memory of 4944 | 3264 | l3T89.exe | 84
PID 4944 wrote to memory of 2272 | 4944 | 1A09z7.exe | 85
PID 4944 wrote to memory of 2272 | 4944 | 1A09z7.exe | 85
PID 4944 wrote to memory of 2272 | 4944 | 1A09z7.exe | 85
PID 3264 wrote to memory of 908 | 3264 | l3T89.exe | 86
PID 3264 wrote to memory of 908 | 3264 | l3T89.exe | 86
PID 3264 wrote to memory of 908 | 3264 | l3T89.exe | 86
PID 3448 wrote to memory of 2392 | 3448 | 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe | 97
PID 3448 wrote to memory of 2392 | 3448 | 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe | 97
PID 3448 wrote to memory of 2392 | 3448 | 980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe | 97
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\980f1cfa46112db3bb623a97a5cead281ce4e7c8f5ee860cd7e1f4c335d102edN.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3448
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3T89.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l3T89.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3264
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1A09z7.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1A09z7.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 4944
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 2272
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2m0202.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2m0202.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 908
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1644
        - Program crash
        PID: 5008
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3A73M.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3A73M.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2392
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 116
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 908 -ip 908
  PID: 2856
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 3916
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.7MB
MD5: 868914554c439b7a6b83049364992a6e
SHA1: 25abe8a1a31431cdd953322af0f259b84dcdc1a2
SHA256: f2b87185d453c7a71b472af472e1fdb3bf32147990de0b1b24cff92fa1379eea
SHA512: 467d51eee7390973af084fb4522871cbda0b99fa9531166f4cc92317ef7ca7969c37f8cdbfc0b27bb978becbde4b87f300ba5f3ad9958e3c3c19f6b95b331977

Filesize: 3.7MB
MD5: b0389cfecffd5eadf2bfaf26ca68089c
SHA1: 4784bcb1b978f5a64a86bdfbf0d0fc46c43a9d2d
SHA256: 6ddb33d628e31532740d989d72f6b94f43e0b67053d0ffed0888b0f71ddca6b5
SHA512: 1932eb41fa46f1d78beb2361d5c550b5e3bc3d14e9431b2a74874257a50653fd45ed9745a199bb25c03f95ff8f183e98fa2cd27c663d66f7e4ab0fa6faf79c84

Filesize: 1.8MB
MD5: 24f49ffb121e1be75fb379d7feda6ba6
SHA1: f5c11a11464c5d8596d14fda54ddcd27edfa9552
SHA256: ce24d7881dc208db5f3143e25f74962e16e7961a399d97bf906a43851223c138
SHA512: 566a4780154d8fc736bc60fd76c144aaec504988137cfff1b5eb21f31bca7632eb70fe1a37ce2312fd6016dd8550cbaca1c804d5495721402f609d7e5043b695

Filesize: 1.8MB
MD5: 2426e5ac8ee0bbb03e63d7467cba1df2
SHA1: 6cfd84d6f98b4a9d1b9d5bd724ec59cd4e8533c3
SHA256: 4b6f652aa6df9d8078f869655c18ac854262d94c3b3a547488a2ece1b184a7b5
SHA512: 5697de737cf9ee10433c57a1f0d214b0d8344ad33306b243624542ead2375e6c3a4ca5a8d4e3b806cb5bbad17b1612881b1f1064d03b18da01c5f96c57e9751c