Analysis
-
max time kernel
143s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 10:16
General
-
Target
b50de72b13b1d2d7b06a02187271eeeb681a7e0ad97a4709b092a710787a0c68.exe
-
Size
6.9MB
-
MD5
4fb9e599cd28dc35526ee068f959cc2d
-
SHA1
a3976d0c7b969742f5d84b2a9a226a42358b5093
-
SHA256
b50de72b13b1d2d7b06a02187271eeeb681a7e0ad97a4709b092a710787a0c68
-
SHA512
507e8531b22fcaf723a1cc58b2c2f437d7e5405cfcf7119fdbb55e7eef04d626749785c22aad7872060a6ae105a03a3b335601f7b851f9efe108d2b53f3091db
-
SSDEEP
196608:OQDkgvnHYMCfgOCJxos0fs/i0+GLo+Pe:RDvnHYgPEsqfGLo+P
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b50de72b13b1d2d7b06a02187271eeeb681a7e0ad97a4709b092a710787a0c68.exe"C:\Users\Admin\AppData\Local\Temp\b50de72b13b1d2d7b06a02187271eeeb681a7e0ad97a4709b092a710787a0c68.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7l11.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7l11.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\S3w27.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\S3w27.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1f64U3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1f64U3.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2U5577.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2U5577.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 16125⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 16365⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3d39d.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3d39d.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4n578o.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4n578o.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4564 -ip 45641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4564 -ip 45641⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5a52a2c89cff6be3d1d22a0e67663af9d
SHA1318ccb2277cc0155ecd6638f30c4ac9f3f0cf296
SHA256b9151e19f4a1d222b4771f7838d9713a1601a180ea3a4e08f720e38341a64d29
SHA51219d2425bb2b8cc45ef02e293916ec85620273a3c2080660e782230005d5e7417c93b706e02d4b3d68736a175aca6f64253f8deb60db82226a3956948873a011f
-
Filesize
5.4MB
MD5582965834bb5ebc66c6d2e1dcad12ef8
SHA156496f7bc6f93b7e3eb08e4e9e278d3fa9dcf425
SHA256b34ced9bf733a3de8e7f9aa0400402bf3fda4ee3801d333b784d818e8817093a
SHA512a11e96c3df82ded86bcc0dd36e3c05a94b6b6cf077855587011dcd63fa29b7257e81c8cba3ed07dd525ef815f7a568410849593a84be43653dc54a628af6182e
-
Filesize
1.8MB
MD5877b6b8ab582a5213d3241c6da70d697
SHA1d48d31bd73cdd1f1adfb866d9b4f8c97927fe8bb
SHA256e7cb0fdecf83c232b549c0263413f274d4b637e0658dc780aed1d32ff3821c5d
SHA5123b361e2c1a5b3a7c0856893ce6b608b9794122122ad788ea2ab4bfeaf11cba004df222a3249b2a7c79ccd60f60517c18e2aaf19b061507e31e3c10290dd10bce
-
Filesize
3.5MB
MD5682e783520338767a253cc5280c4d786
SHA15d625836e3b935de62249d0cb491cf5d9ec21b3f
SHA256ac6b3cfb8721b824ee8a1d8f92c1add8f1bc766080ad3bcb218e678c9202ac35
SHA5120ee85229869f968c06639125be78739dd43b79b76eb751504a64a8c573260009a19d883fd44863893866c43a1d28731ab9a67f142310c06be7a792cb553fcb20
-
Filesize
3.0MB
MD5f918560684328ef2afdfdc8a1b30e9eb
SHA16ec9093af9bf97eb48a7be519c806540f3f9d6e9
SHA2562d4170efe9401501e4ae84ffb262414c39f92c311054424e324bc872081227fd
SHA5122861e45a5bf7d75adc0c698b3d3df81332dafe792cf2c1112daf789cb8b929e008b85dc7163bd643d1f64764d1d6c073f50345ad263013baa825146002b578b0
-
Filesize
1.8MB
MD55f72235805250396cf882628caa405a7
SHA1d244741a58e7064c4b889d62e9bfc5041cff71cc
SHA25693ea63a9575ce609e58934d997b0acbceabc9267d8999fc784ea4bca19f09d57
SHA512dee028759cecdf7a6903ee4c87bbf5570adf6aac5d5df93face1872fea40becbd5cb8dd58231a080472f96809d35d97896f0d90923454eff9b3ebc7d5050478d
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
4.6MB
-
Filesize
4.6MB