Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20241010-en
General
-
Target
file.exe
-
Size
2.8MB
-
MD5
8487b3f80d4a1d6db6d0268b17b66b8b
-
SHA1
16ebd2a072305b3432b0f1348c94e90899225e71
-
SHA256
b2f8caea1c0425e7cf69d729262dfeede6df2a415803a7b497359f0124db3ad4
-
SHA512
fa961e40f5c40dffbfc0eeec88eef0622acc0103191ec16c3b5a679464c0cb54f16d762918cec20db36b603752d563ad438305ccdf317e1fd4e1d18f085da451
-
SSDEEP
49152:vjiYy8ijVHr78ghs32AITsqe52cGs2UFv3lwhCcmy:Le8ijVHv8ghs3z0bgFGsB1whC/y
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ file.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe -
Executes dropped EXE 1 IoCs
pid Process 2636 skotes.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine file.exe -
Loads dropped DLL 1 IoCs
pid Process 2492 file.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2492 file.exe 2636 skotes.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2492 file.exe 2636 skotes.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2492 file.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2492 wrote to memory of 2636 2492 file.exe 30 PID 2492 wrote to memory of 2636 2492 file.exe 30 PID 2492 wrote to memory of 2636 2492 file.exe 30 PID 2492 wrote to memory of 2636 2492 file.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2636
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD58487b3f80d4a1d6db6d0268b17b66b8b
SHA116ebd2a072305b3432b0f1348c94e90899225e71
SHA256b2f8caea1c0425e7cf69d729262dfeede6df2a415803a7b497359f0124db3ad4
SHA512fa961e40f5c40dffbfc0eeec88eef0622acc0103191ec16c3b5a679464c0cb54f16d762918cec20db36b603752d563ad438305ccdf317e1fd4e1d18f085da451