Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-12-2024 16:41
General
-
Target
04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe
-
Size
6.9MB
-
MD5
fcc5c005c3ccbddee8bee4dc5ca441e2
-
SHA1
d597f7ec6f9309af338b0bbb2234f9a0a5ca1a92
-
SHA256
04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d
-
SHA512
f9f2ac3fa052093f622989ae40bd4c06871853e507064fd92760b54e0e4973b0cc77339bf4dda99959c083bb34c2a557a701b8161cd16340a4f6fc8d3340ff3a
-
SSDEEP
196608:qZjdOmZw7qclSdCdbM8evA0U4YJtJq8Y4KM:Ej1ZwOcniTA02Bl
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Gcleaner family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe"C:\Users\Admin\AppData\Local\Temp\04ccac472e7f9760a547e7bbb721c713f00021fcc74a59637c198f4bbee06c2d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4R43.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4R43.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e0b81.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e0b81.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J17n3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J17n3.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1013473001\71d6be49bb.exe"C:\Users\Admin\AppData\Local\Temp\1013473001\71d6be49bb.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 7727⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2U9131.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2U9131.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 15885⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 16165⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w55K.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w55K.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U637G.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U637G.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4780 -ip 47801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4780 -ip 47801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3644 -ip 36441⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
1.9MB
MD5e96cd9e1c8cbc927c9c445e155d5bd75
SHA16c8d7a80cb4635fda0f7b799ace942dcd10b3700
SHA2569f1169888c4c2acd65e79928bb27a686204fa3b622b921a7ee56c7a735924eb6
SHA512419cb0650a718f7356335745a64d441d8693c48181692bdfb22da508fa993e93772f5ee89ae5085e5ae3d04f28936b57e12e6704291be6acc45041744ba7f413
-
Filesize
2.6MB
MD599cff6034a2010e18f19281afa021aec
SHA16b045ce6bc1d26d244c083dbc4381c1d38539700
SHA256bda24b571a92286e33963d7790a6cada3b23b2d5b8c4099eb7f4922d41df113e
SHA512eed961481c0678c7777e79d5d9fd3fad71d6af44fa74a704018ce5dd5290945fd28e5220ffc8b6ab8aca5497d2dd9f8f062f61ffc9a8e77aec62d525f1dc41f2
-
Filesize
5.3MB
MD5777d6a67707876286fe17d655c830ebf
SHA179867f542222556a1e256d800495f471d0c958f0
SHA2564280ed645ef5b31060f54161c295196fc3ea72407fc1c466f43d21a96ffb133b
SHA5123824620a7fbf59927bf61ed4cb0844a97e94e2f3d8c768b2530eea4b957212d81cb8364f7b1ce5e01f1c980f396bcd9df079ace9fc1bfeeec55f0a2c39167dd1
-
Filesize
1.7MB
MD582b70cb96dc208843a0380d75ff08f9b
SHA1d6d8eeabc5868e73a39ff5c9fd86270bda3a48b5
SHA256697d7f31a1d5adab597902ceb9228a77b6e84d776be1f49a610b04de25d87801
SHA5127c33eb7aea7854aade6aa7c94b1ac5fde978e57904dd344bd4405edd6d7652d8c28cd3075c87e37306a89d333a740f7552d7f4ccdc42c0d64a008449b5bdd39d
-
Filesize
3.5MB
MD5dec11b3cc0ee1492fbf2c3f8f5e21497
SHA10fbe6977002f563e309b75e36a89db3a33060254
SHA2569223019e435ac3deb348e7ae211abe23c5f7bbccc4d2b9765a5cd1b7be82c06b
SHA512c569ef71e1738da249b0efb35542f414392e7c3a620f4b7ca4f42498a32a2f87b5b1d39eb41b866ff6660f32082fe09c5b2d6bfe31ea73b8831b9370336dc04f
-
Filesize
3.1MB
MD511c23f104d7ecfcb5b535f22214c5dbe
SHA10899ffd81ea3727de16614c5f9e84749f8182552
SHA256c5741977022e908fbe2c233df25c5d5c6b0b88af01a026acc6085f30793708ef
SHA512eca9bf13c3f03db9508a83dc3abef5268a9fcd8ffc3307a832fd871196dfc4e09bc1c1416ff5f66c49b153cad22c22e14bd7eb3da11ba848641d88a984764388
-
Filesize
1.7MB
MD5ffbf4dac7f1ed0ade66186644f98132c
SHA1dfb1a1993b0de0922174dce31e80df9508cd162a
SHA256ea3d6a813bfa00a6fe5888fdb841e24063e24bf7723ac233df33d1e07129e23c
SHA5127bdcbdc172e4b7fc1d1d072f3258e4a5144b065d4b2d327bca306eada4f70bca5fd9ee603b3e1d1f4c98b298e4032bcd83dfbf9eb2b85b5abce649769645e856
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
8.4MB
-
Filesize
112KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.5MB
-
Filesize
4.5MB