Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06/12/2024, 06:51
General
-
Target
16f12b1dd6e15d8620e688d8f2a6ccdf495cb39e3c2a3f7000cdf44b4a7dd518.exe
-
Size
6.8MB
-
MD5
c897141881dec59b8fd32eaa27ce2c03
-
SHA1
ad2b54f4929061bb1c409690d24e3b9548f18fe7
-
SHA256
16f12b1dd6e15d8620e688d8f2a6ccdf495cb39e3c2a3f7000cdf44b4a7dd518
-
SHA512
e51dc6a096c0a5653bd36b7ec48f3567d6e999b9b36b384c941b08724000c3f8a899a6f9c12291e4fa4be7203c2e2597cafd17ef42058d7a6d1094529463fb23
-
SSDEEP
196608:4msmE5QBX3qd+OVm+AZO+lZuSNbIwheVnIIb8CvOAY:t9E5gQPmVZOslhepl4CvOAY
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
drum
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16f12b1dd6e15d8620e688d8f2a6ccdf495cb39e3c2a3f7000cdf44b4a7dd518.exe"C:\Users\Admin\AppData\Local\Temp\16f12b1dd6e15d8620e688d8f2a6ccdf495cb39e3c2a3f7000cdf44b4a7dd518.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W6R31.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W6R31.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3Y74.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3Y74.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1x91J5.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1x91J5.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2d7377.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2d7377.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 15925⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3k94T.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3k94T.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4o430m.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4o430m.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3972 -ip 39721⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD54ef653b7c0b2083049ec369bf76276e6
SHA1b1531fcfa3c4744449a3cc0444fd9c1c1053f262
SHA256db1b5f45b4d394d73c28fa37ea9e2b096238587892667e7d574a7b907de3304f
SHA512c9d9ae3f1125529f2bb7b35e7f4685639843ab5a681d4b13feab1951cbc417ad22042576456124e6a64682b4eeb83a9167cb700a75f605cbd1705888d2e081d6
-
Filesize
5.2MB
MD559a30322c3aa3c98cbb66797cb720d58
SHA1938e66ceb323ddb3e281d4ed323b75856a59ec5e
SHA25649c128b2ff23db5d654a7747938d941e7590ea17bbd64389aa29d24297e7e0b5
SHA512700093f6e89eb1ef47ab70f2fd131f766877975fc767a88717b353b14d0f2be03e4717a6e7f632b1a8f69b2eef12abdab1cdc477bdc2fee32329afb6c90bb11c
-
Filesize
5.0MB
MD500813aa6b3272ebd7d363865fae1370e
SHA13ca507112f3ea766e7932e54e29e51f60e20c031
SHA256ea011a2eb689e17035978da04cb6d7babc0e641be71fb4c25be260e72b0b283c
SHA5125e36c4178734f5d4e910e24ac267699ce997fcaf7ab51f0f41d671aa854e7d2cf039c3f77bb90939ace0d1355f362984265c9522c5c367765ced6029976c1176
-
Filesize
3.5MB
MD547b4c336832554f3afa47a5361b7fd73
SHA12d6f90b7079ba3533f1a06e4cc50f598885b7167
SHA256abfe4e6a6404e5cb76f30b8054118e1040a9dc9c9971ed0fe0faf895d541b7d0
SHA512f08d46e6cafacc07c564a2c8a1d640d6a4d82e7a748209433bf497237f1951e0443f252eb1df0aaba2dbe009351df1db9123661a0a012136993677911787dced
-
Filesize
3.1MB
MD53e7bf0e6ad4a50ed23dc8a48ac9d5efb
SHA15ae53d6260f8657be302ffafa5421c8da7f56f20
SHA2561f577d7ad715ac84ad9d4db1d6d55f513ed6e55525ca2de0615d12ba438b857c
SHA51267c0cb6fcb8a2946fc403d170606bc1c8eb226c080c96ad484afee475bcc6c0944846125c8afdc49dd312cdb6d19899d977b0ab26c3a2a3b2cb3f2e2328dc80b
-
Filesize
1.8MB
MD5ab2846940eda92ca740e2990160f8aab
SHA1e74f75e6cde1a9d74631a5bd2397a2de7ae3758c
SHA2566456310ec737b7c6e008cfb8e21db0178fc1704d37f6abf414d1c6f81c104ba0
SHA512f15970c49d26e91269ae46bd0d28b78e03493154cb4b91d2893915def6a69014fac305af20bace4a4091764e8f99940e094d0fd4f628712cd166d1f0561ec193
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB