Overview

overview

10

Static

static

3

191d113401...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2024 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    191d113401af31884b55a8db94126e59338e2e10d0b212b6fd0a2d7f55d1656a.exe

  • Size

    3.6MB

  • MD5

    3bc888b63247898f10e270e0711ccca2

  • SHA1

    342efb0b96606ddbe130fb362c24aa1661a72f33

  • SHA256

    191d113401af31884b55a8db94126e59338e2e10d0b212b6fd0a2d7f55d1656a

  • SHA512

    0684c613bbbef78ccd2c127e305ad9115a4623e8a3617a1a2d88c925725fb1817674f7f5b9c5394e60759c655660a5723f8a07d80bd369e5951970e1b3d5f5a1

  • SSDEEP

    98304:b5TOfP9BOxle7zesk/WLKmLNi4ZBjUYnFVzkBhOZOAj/P:YQlEesaJmLNFPj9r4uOOP

Score
10/10
amadeylummaquasar9c9aa5office04discoveryevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://impend-differ.biz/api

https://print-vexer.biz/api

https://dare-curbys.biz/api

https://covery-mover.biz/api

https://formy-spill.biz/api

https://dwell-exclaim.biz/api

https://zinc-sneark.biz/api

https://se-blurry.biz/api

https://atten-supporse.biz/api

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

45.200.148.155:6060

Mutex

4b3820e0-d123-49d9-b51e-3c4daa4f6874

Attributes
  • encryption_key

    F8879E9B26846C57C99B6F152F74703E1CC15B8B

  • install_name

    SecurityHealthSystray.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SecurityHealthSystray.exe

  • subdirectory

    SubDir

Extracted

Family

lumma

C2

https://atten-supporse.biz/api

https://se-blurry.biz/api

https://zinc-sneark.biz/api

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

    stealerlumma
  • Lumma family
    lumma
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 6 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\191d113401af31884b55a8db94126e59338e2e10d0b212b6fd0a2d7f55d1656a.exe
    "C:\Users\Admin\AppData\Local\Temp\191d113401af31884b55a8db94126e59338e2e10d0b212b6fd0a2d7f55d1656a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p76f5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p76f5.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Users\Admin\AppData\Local\Temp\1013267001\kelyBT9.exe
          "C:\Users\Admin\AppData\Local\Temp\1013267001\kelyBT9.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3600
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "SecurityHealthSystray.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\SecurityHealthSystray.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:64
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2c8776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2c8776.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3856
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1608
        3⤵
        • Program crash
        PID:404
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1556
        3⤵
        • Program crash
        PID:3480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3856 -ip 3856
    1⤵
      PID:2336
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3856 -ip 3856
      1⤵
        PID:3320
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4004
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        1⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:4680

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1013267001\kelyBT9.exe
        Filesize

        3.0MB

        MD5

        25ae2a8e59da886dbc3192b12e000ffa

        SHA1

        c384fbee5a29be18571d293c1e20a36d044bd86a

        SHA256

        d951b4352f6e4f9ef63cbbabac6cae41d3de37d26dee4b4890d60b52d51ddbb4

        SHA512

        246a2948f880231fe597a4c6cfb1f8acbbc7173f73752532dd2049697cd4165c6d1e966a1a598d260053e1f4aeebf0472ffedc4aec56c8233899c965c7fc6736

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1p76f5.exe
        Filesize

        3.1MB

        MD5

        c0d113d521f4055ce2d25ba430f7789d

        SHA1

        7a9e6c9ca301b9bbc363b615a6f8c9ea3f199758

        SHA256

        0cdee686d940e327d736172dbe61168063bfaf253cca8ad0b37ec2097bc20fcd

        SHA512

        c9567a7b02758846c8aa4e201a01cc807233fdbbfc63ebe2d350388682935ca98313531aff4c026c31b2ffbb6302e220cd6e68bdd42e1e42475400aa6608a084

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2c8776.exe
        Filesize

        1.8MB

        MD5

        e0933ae8e72f7faa74c26e20098c6279

        SHA1

        61edd92c5d8a5416a556b6a822bb7e7cef73068a

        SHA256

        8c60e2eb2504988a8b4d55b0b5d9b430896e04c8b40547efd5e5930b168a7beb

        SHA512

        05ad0f15d4b78581bb7b2f2df4f9c8e38cf83825fdc963d9d8bf633030418bbd01e2330eb411d2c42f78acf3ffe7e9cf6f492cc68316630763fccf811bf8fb3b

        Download Submit

      • memory/516-22-0x00000000002C0000-0x00000000005E0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/516-8-0x0000000077174000-0x0000000077176000-memory.dmp

        Filesize

        8KB

        Download

      • memory/516-11-0x00000000002C0000-0x00000000005E0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/516-7-0x00000000002C0000-0x00000000005E0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/516-25-0x00000000002C1000-0x0000000000329000-memory.dmp

        Filesize

        416KB

        Download

      • memory/516-10-0x00000000002C0000-0x00000000005E0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/516-9-0x00000000002C1000-0x0000000000329000-memory.dmp

        Filesize

        416KB

        Download

      • memory/2532-90-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-82-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-96-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-92-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-24-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-88-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-84-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-94-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-54-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-80-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-78-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-76-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-67-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-59-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-74-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2532-69-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3600-58-0x0000000008D30000-0x0000000008DE2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/3600-51-0x0000000000F70000-0x0000000001706000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/3600-64-0x000000000A250000-0x000000000A2B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3600-63-0x000000000A1A0000-0x000000000A1DC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3600-49-0x0000000000F70000-0x0000000001706000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/3600-50-0x0000000000F70000-0x0000000001706000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/3600-62-0x000000000A140000-0x000000000A152000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3600-57-0x0000000008AC0000-0x0000000008B10000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3600-56-0x0000000008F20000-0x0000000009538000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3600-55-0x0000000007D10000-0x0000000007D1A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3600-53-0x0000000007C70000-0x0000000007D02000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3600-52-0x0000000008140000-0x00000000086E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3600-66-0x0000000000F70000-0x0000000001706000-memory.dmp

        Filesize

        7.6MB

        Download

      • memory/3856-30-0x0000000001000000-0x0000000001495000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/3856-29-0x0000000001000000-0x0000000001495000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/4004-72-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4004-71-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4680-86-0x0000000000880000-0x0000000000BA0000-memory.dmp

        Filesize

        3.1MB

        Download