Analysis

max time kernel: 141s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-12-2024 17:02

Static task: static1
Behavioral task: behavioral1
  Sample: 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  Resource: win7-20240903-en
General

Target: 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
Size: 3.0MB
MD5: 9c5d114ce9d0008f2f10b8065b0f3bcd
SHA1: bb55eae46c7c5df146693981498e0c4bf22ee9e5
SHA256: 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d
SHA512: 8dfe5e1369fc5b9f9518c50b9e64b460127905ac1eb81ddd592af4e3891a3f41c39057323fff965f8039464acd55da632d354d252ab25bd8d9377b5535623a30
SSDEEP: 49152:zbqzGqEs/TRMr4ydSGWr3epgIrLvOUcCx9SUMK16dLeavoT5XJjlk0N:E0s/TRdydArkgInvcCx9vMKIdqavgxd
Malware Config

Extracted
  Family: amadey
  Version: 4.42
  Botnet: 9c9aa5
  C2: http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php

The C2 host and url_paths combine into the full check-in URL http://185.215.113.43/Zu7JuNko/index.php; install_dir and install_file give the on-disk copy the process tree below shows at C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe.
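Turning the extracted config into concrete indicators and sweeping logs for them is the first thing a responder does with a report like this. The block below is an added example for this page, not code from the sandbox or from the Amadey config extractor: CONFIG copies the values shown above, while SAMPLE_EVENTS and their field names are constructed for illustration (the report's Network section records no traffic, so the POST event is illustrative only).

```python
"""Derive host and network indicators from the Amadey config extracted above
and match them against a few constructed log events.

Added example for this page, not code from the sandbox or the extractor.
CONFIG copies the report's values; SAMPLE_EVENTS and their field names are
constructed for illustration.
"""
import re
from urllib.parse import urljoin

# Values copied from the "Malware Config" section of the report.
CONFIG = {
    "family": "amadey",
    "version": "4.42",
    "c2": ["http://185.215.113.43"],
    "install_dir": "abc3bc1985",
    "install_file": "skotes.exe",
    "url_paths": ["/Zu7JuNko/index.php"],
}


def derive_indicators(cfg):
    """Expand the config into the artefacts the report observed: the full
    C2 URL, the install path under %LOCALAPPDATA%\\Temp (where the process
    tree shows skotes.exe), and the job file under C:\\Windows\\Tasks."""
    urls = [urljoin(c2.rstrip("/") + "/", p.lstrip("/"))
            for c2 in cfg["c2"] for p in cfg["url_paths"]]
    hosts = [re.sub(r"^https?://", "", c2).split("/")[0] for c2 in cfg["c2"]]
    job_name = cfg["install_file"].rsplit(".", 1)[0] + ".job"
    return {
        "c2_urls": urls,
        "c2_hosts": hosts,
        "install_path_suffix": "\\AppData\\Local\\Temp\\{}\\{}".format(
            cfg["install_dir"], cfg["install_file"]),
        "task_job": "C:\\Windows\\Tasks\\" + job_name,
    }


def match_events(events, ind):
    """Return (event index, indicator name) for every event that carries one
    of the derived indicators. Matching is case-insensitive over all fields,
    so the same function works on process, file and proxy events."""
    hits = []
    for i, ev in enumerate(events):
        blob = " ".join(str(v) for v in ev.values()).lower()
        if any(u.lower() in blob for u in ind["c2_urls"]):
            hits.append((i, "c2_url"))
        elif any(h.lower() in blob for h in ind["c2_hosts"]):
            hits.append((i, "c2_host"))
        if ind["install_path_suffix"].lower() in blob:
            hits.append((i, "install_path"))
        if ind["task_job"].lower() in blob:
            hits.append((i, "task_job"))
    return hits


# Constructed events (not from the report); pids mirror the process tree.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1652, "ppid": 2700,
     "image": r"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"},
    {"type": "file_create", "pid": 2700,
     "target": r"C:\Windows\Tasks\skotes.job"},
    {"type": "http", "pid": 1652, "method": "POST",
     "url": "http://185.215.113.43/Zu7JuNko/index.php"},
    {"type": "dns", "pid": 900, "query": "www.msftncsi.com"},
    {"type": "http", "pid": 4444, "method": "GET",
     "url": "http://example.invalid/index.php"},
]

if __name__ == "__main__":
    indicators = derive_indicators(CONFIG)
    for name, value in indicators.items():
        print(name, value)
    for idx, what in match_events(SAMPLE_EVENTS, indicators):
        print("event", idx, "matched", what)
```

The install path is matched on its suffix below the user profile rather than on the full C:\Users\Admin\... path, because the username differs on every victim while install_dir and install_file are fixed by the config.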
Signatures

Amadey family

Gcleaner family

Identifies VirtualBox via ACPI registry values (likely anti-VM)  (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a8c3b6306e.exe

Downloads MZ/PE file

Checks BIOS information in registry  (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a8c3b6306e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a8c3b6306e.exe

Executes dropped EXE  (2 IoCs)
  pid | Process
  1652 | skotes.exe
  900 | a8c3b6306e.exe

Identifies Wine through registry keys  (2 TTPs, 3 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | a8c3b6306e.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe

Loads dropped DLL  (5 IoCs)
  pid | Process
  2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  1652 | skotes.exe
  1652 | skotes.exe
  900 | a8c3b6306e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  (3 IoCs)
  Setting ThreadHideFromDebugger on a thread stops an attached debugger from receiving events for it, a common anti-debugging technique.
  pid | Process
  2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  1652 | skotes.exe
  900 | a8c3b6306e.exe

Drops file in Windows directory  (1 IoC)
  description | ioc | Process
  File created | C:\Windows\Tasks\skotes.job | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery  (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a8c3b6306e.exe

Suspicious behavior: EnumeratesProcesses  (3 IoCs)
  pid | Process
  2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe
  1652 | skotes.exe
  900 | a8c3b6306e.exe

Suspicious use of FindShellTrayWindow  (1 IoC)
  pid | Process
  2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe

Suspicious use of WriteProcessMemory  (8 IoCs)
  description | pid | Process | procid_target
  PID 2700 wrote to memory of 1652 | 2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe | 30
  PID 2700 wrote to memory of 1652 | 2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe | 30
  PID 2700 wrote to memory of 1652 | 2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe | 30
  PID 2700 wrote to memory of 1652 | 2700 | 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe | 30
  PID 1652 wrote to memory of 900 | 1652 | skotes.exe | 32
  PID 1652 wrote to memory of 900 | 1652 | skotes.exe | 32
  PID 1652 wrote to memory of 900 | 1652 | skotes.exe | 32
  PID 1652 wrote to memory of 900 | 1652 | skotes.exe | 32
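All three processes in this report run the same trio of registry probes (VirtualBox ACPI table name, BIOS version strings, Wine marker key), and that co-occurrence is a better detection signal than any single key, since inventory agents and installers legitimately read SystemBiosVersion. The block below is an added example for this page, not code from the sandbox or from any vendor's detection rules: the key paths come from the IoC tables above, the event layout (pid, image, op, key) is an assumed Sysmon-style shape, and SAMPLE_EVENTS are constructed.

```python
"""Flag processes that perform the registry-based sandbox/VM checks the
report attributes to all three executables: the VirtualBox ACPI table
name, the BIOS version strings, and the Wine marker key.

Added example for this page; not code from the sandbox or from any vendor's
detection rules. The event layout (pid, image, op, key) is an assumed
Sysmon-style shape; key paths come from the report's IoC tables, and
SAMPLE_EVENTS are constructed.
"""
from collections import defaultdict

# Registry paths from the report, grouped by what a hit reveals.
ANTI_ANALYSIS_KEYS = {
    "virtualbox_acpi": [r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"],
    "bios_strings": [
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    ],
    # Lives under the user's SID hive, which varies per host, so only the
    # tail of the path is compared.
    "wine_marker": [r"\Software\Wine"],
}


def normalize_key(key):
    """Map the HKLM aliases Sysmon and Procmon print to the native
    \\REGISTRY\\MACHINE form used in the report, lower-cased."""
    upper = key.upper()
    for alias in ("HKEY_LOCAL_MACHINE\\", "HKLM\\"):
        if upper.startswith(alias):
            return ("\\REGISTRY\\MACHINE\\" + key[len(alias):]).lower()
    return key.lower()


def classify_key(key):
    """Return the evasion category a registry path belongs to, or None."""
    k = normalize_key(key)
    for category, paths in ANTI_ANALYSIS_KEYS.items():
        for p in paths:
            p = p.lower()
            if k == p or (category == "wine_marker" and k.endswith(p)):
                return category
    return None


def score_processes(events, min_categories=2):
    """Collect the categories each pid touches and return only the pids
    that hit at least min_categories of them. One BIOS query on its own
    is normal for installers and inventory agents; several unrelated
    sandbox tells from one process is not."""
    seen = defaultdict(set)
    for ev in events:
        category = classify_key(ev["key"])
        if category:
            seen[ev["pid"]].add(category)
    return {pid: sorted(cats) for pid, cats in seen.items()
            if len(cats) >= min_categories}


# Constructed events; pids and keys mirror the report. explorer.exe is a
# benign control that only reads the BIOS string.
SAMPLE_EVENTS = [
    {"pid": 2700, "image": "1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe",
     "op": "open", "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 2700, "image": "1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe",
     "op": "query", "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2700, "image": "1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe",
     "op": "open", "key": r"\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine"},
    {"pid": 1652, "image": "skotes.exe",
     "op": "query", "key": r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 1652, "image": "skotes.exe",
     "op": "open", "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 4444, "image": "explorer.exe",
     "op": "query", "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
]

if __name__ == "__main__":
    for pid, cats in score_processes(SAMPLE_EVENTS).items():
        print(pid, cats)
```

With the default threshold only PID 2700 is flagged; skotes.exe in the constructed data touched just one category and the benign explorer.exe read a single BIOS value, so both stay quiet. Lowering min_categories to 1 surfaces them too, at the cost of false positives on ordinary software.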
Processes

C:\Users\Admin\AppData\Local\Temp\1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe  (depth 1, PID 2700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (depth 2, PID 1652, child of 2700)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1013760001\a8c3b6306e.exe  (depth 3, PID 900, child of 1652)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1013760001\a8c3b6306e.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\download[1].htm
  Filesize: 1B
  MD5: cfcd208495d565ef66e7dff9f98764da
  SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
  SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
  SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
  The MD5, SHA-1 and SHA-256 values are the digests of the single ASCII character "0", so the cached HTTP response body was just "0".

(unnamed)
  Filesize: 1.9MB
  MD5: b16a303612f8717a90851727a25fdf61
  SHA1: 20281be28ae8c170b6dff5939fabd5616e9b7d23
  SHA256: 14a7faa5a16cbc6e031beb668ec24d78b04d8fe4959766cf11722932b93317dc
  SHA512: c1c83b89a760997dc6740d940628fb7d68e3d82018b55c428ac1fcec0cde4b81ca943ef3dfd247212a14dd5b0eac20e4b4ba7f55b6154ea33a75920be032e196

(unnamed)
  Filesize: 3.0MB
  MD5: 9c5d114ce9d0008f2f10b8065b0f3bcd
  SHA1: bb55eae46c7c5df146693981498e0c4bf22ee9e5
  SHA256: 1658f0e2c9dfe87a46080d606c06ebbfd93f4d85b92a00c0da651f756cf2d04d
  SHA512: 8dfe5e1369fc5b9f9518c50b9e64b460127905ac1eb81ddd592af4e3891a3f41c39057323fff965f8039464acd55da632d354d252ab25bd8d9377b5535623a30
  Identical digests to the submitted sample, consistent with the sample copying itself into the install directory from the config.

(unnamed)
  Filesize: 1.4MB
  MD5: a8cf5621811f7fac55cfe8cb3fa6b9f6
  SHA1: 121356839e8138a03141f5f5856936a85bd2a474
  SHA256: 614a0362ab87cee48d0935b5bb957d539be1d94c6fdeb3fe42fac4fbe182c10c
  SHA512: 4479d951435f222ca7306774002f030972c9f1715d6aaf512fca9420dd79cb6d08240f80129f213851773290254be34f0ff63c7b1f4d554a7db5f84b69e84bdd