Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 10:50
Static task: static1
Behavioral task: behavioral1
Sample: 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Resource: win7-20240903-en
General
Target: 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Size: 2.9MB
MD5: 657b1d5bada53a94c7eb16a8f6780aef
SHA1: 3f913ed5ca66f8d29d2ea004792ba71fd3b157bc
SHA256: 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade
SHA512: 7d3c5072fd4f5a3d542028798dddce15d0cf8c4a682c897d9075a8a825739842320bea82592ff9fbdc977519e5f933e8e78ac203b2c8d67ae5de62ae414cb4a9
SSDEEP: 49152:zG+JsK+1+7eu5B7x+DBPdkR/QkQJYVHgwLrNIX:zG+Jskeu5nknkNnRHNI
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
Attributes:
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
(install_dir and install_file match the path of the first dropped process in the tree below, C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe; C2 host and url_path together give the beacon URL.)
Extracted
Family: lumma (no configuration fields shown)
Extracted
Family: cryptbot (no configuration fields shown)
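The config fields above are only useful once they are turned into something a log pipeline can match. The following is an added example, not code from the sandbox or from the malware: it derives network and host indicators from the extracted Amadey fields and runs them over a handful of constructed log lines (the line formats are invented for illustration). The C2 host, url_path, install_dir and install_file values are copied from this report; everything else is the example's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Values copied from the Malware Config section of this report.
AMADEY_CONFIG = {
    "c2": ["http://185.215.113.43"],
    "install_dir": "abc3bc1985",
    "install_file": "skotes.exe",
    "url_paths": ["/Zu7JuNko/index.php"],
}

# Constructed log lines for illustration; the formats are invented, not a real product's.
SAMPLE_LOG = [
    # web proxy record: the full beacon URL (C2 host + url_path)
    '2024-12-18T10:52:01Z 10.0.0.15 POST http://185.215.113.43/Zu7JuNko/index.php 200',
    # flow record: only the C2 host, no URL to match on
    '2024-12-18T10:52:09Z flow 10.0.0.15:49822 -> 185.215.113.43:80 tcp',
    # near-miss: a longer string that merely contains the C2 address
    '2024-12-18T10:52:10Z flow 10.0.0.15:49823 -> 185.215.113.431:80 tcp',
    # endpoint file-create event for the dropped installer
    '2024-12-18T10:51:55Z FileCreate C:\\Users\\Admin\\AppData\\Local\\Temp\\abc3bc1985\\skotes.exe',
    # the scheduled-task file is not derivable from the config, so it will not match
    '2024-12-18T10:51:56Z FileCreate C:\\Windows\\Tasks\\skotes.job',
]


@dataclass(frozen=True)
class Hit:
    kind: str   # "net-url" (host + path), "net-host" (bare C2 host) or "file-path"
    ioc: str    # the indicator that fired
    line: str   # the log line it fired on


def build_iocs(cfg):
    """Derive concrete indicators from the config fields.

    Network: each C2 host alone, and host + url_path (the beacon URL the two
    fields describe together).  Host: install_dir + install_file as a relative
    path; the process tree in this report shows it under the user's Temp dir."""
    hosts, urls = set(), set()
    for c2 in cfg["c2"]:
        host = urlparse(c2).hostname
        hosts.add(host)
        for path in cfg["url_paths"]:
            urls.add(host + path)
    files = {cfg["install_dir"] + "\\" + cfg["install_file"]}
    return {"hosts": hosts, "urls": urls, "files": files}


def _host_pattern(host):
    # Anchor the literal so 185.215.113.43 does not fire on 185.215.113.431.
    return re.compile(r"(?<![\w.])" + re.escape(host) + r"(?![\w.])")


def scan(lines, iocs):
    """Return at most one Hit per line, most specific indicator first."""
    hits = []
    for line in lines:
        low = line.lower()
        url = next((u for u in iocs["urls"] if u.lower() in low), None)
        if url:
            hits.append(Hit("net-url", url, line))
            continue
        host = next((h for h in iocs["hosts"] if _host_pattern(h).search(line)), None)
        if host:
            hits.append(Hit("net-host", host, line))
            continue
        path = next((f for f in iocs["files"] if f.lower() in low), None)
        if path:
            hits.append(Hit("file-path", path, line))
    return hits


def run():
    return scan(SAMPLE_LOG, build_iocs(AMADEY_CONFIG))


if __name__ == "__main__":
    for hit in run():
        print(f"{hit.kind:10} {hit.ioc:40} {hit.line}")
```

The skotes.job line deliberately goes unmatched: persistence artefacts such as the task file come from the "Drops file in Windows directory" signature, not from the extracted config, and have to be added to the indicator set separately.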
Signatures
- Amadey family
- Cryptbot family
- Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 1372 created 2996 | 1372 | 5b375ee085.exe | 51
(PID 2996 is sihost.exe in the process tree below, and the svchost.exe instance, PID 3928, that 5b375ee085.exe writes into is shown as a child of sihost.exe rather than of 5b375ee085.exe: the parent recorded by the OS is not the real creator, which is the parent-PID spoofing this signature covers.)
Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | c44673a8fa.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5b375ee085.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c44673a8fa.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Downloads MZ/PE file
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c44673a8fa.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5b375ee085.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5b375ee085.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c44673a8fa.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | skotes.exe
Executes dropped EXE (10 IoCs)
pid | Process
4512 | skotes.exe
1372 | 5b375ee085.exe
2188 | 93d1ebe82d.exe
4336 | 93d1ebe82d.exe
3596 | skotes.exe
2516 | c44673a8fa.exe
4324 | 8fd9317161.exe
2568 | 8fd9317161.exe
3248 | skotes.exe
4572 | skotes.exe
Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | c44673a8fa.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 5b375ee085.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
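The registry-based anti-analysis signatures above (VirtualBox ACPI and service keys, BIOS version strings, Wine, the geofence lookup) are listed per signature, which hides how many different checks each process performs. The following is an added example, not the sandbox's code: it parses the flattened "description ioc Process" rows as they appear in this report into per-process profiles. The rows are copied from the tables above; the category names and the ranking threshold are the example's own choices.

```python
import re
from collections import defaultdict

# Rows copied from the signature tables above, one string per table (subset).
ROWS = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF c44673a8fa.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5b375ee085.exe "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ c44673a8fa.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5b375ee085.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation skotes.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine skotes.exe "
    r"Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine c44673a8fa.exe",
]

# One row = action, registry path (may contain spaces), process image ending in .exe.
# The path is matched lazily so "Control Panel\..." is not cut at the space.
ROW_RE = re.compile(r"(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(\S+\.exe)(?=\s|$)")

# Category labels are this example's own; the key patterns are the ones in the report.
CATEGORIES = [
    ("virtualbox-acpi", re.compile(r"\\ACPI\\DSDT\\VBOX__", re.I)),
    ("virtualbox-service", re.compile(r"\\Services\\VBoxSF", re.I)),
    ("bios-strings", re.compile(r"\\(System|Video)BiosVersion$", re.I)),
    ("wine", re.compile(r"\\Software\\Wine$", re.I)),
    ("geofence", re.compile(r"\\Geo\\Nation$", re.I)),
]


def parse_rows(rows):
    """(action, key, process) for every IoC in the flattened rows."""
    return [m for row in rows for m in ROW_RE.findall(row)]


def categorize(key):
    for name, pattern in CATEGORIES:
        if pattern.search(key):
            return name
    return "other"


def profile(rows):
    """Map each process image to the set of distinct check categories it performed."""
    prof = defaultdict(set)
    for _, key, proc in parse_rows(rows):
        prof[proc].add(categorize(key))
    return dict(prof)


def rank(prof, min_checks=2):
    """Processes doing at least min_checks distinct checks, most checks first."""
    return sorted((p for p, cats in prof.items() if len(cats) >= min_checks),
                  key=lambda p: (-len(prof[p]), p))


if __name__ == "__main__":
    prof = profile(ROWS)
    for proc in rank(prof):
        print(f"{proc:20} {len(prof[proc])} checks: {', '.join(sorted(prof[proc]))}")
```

Ranking by distinct checks rather than by raw IoC count matters here: skotes.exe has the most rows mainly because it runs four times, while c44673a8fa.exe is the only process that also looks for the VirtualBox shared-folder service. Keys the categories do not know (for instance the NLS\Language key further down) fall into "other" rather than being silently dropped.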
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
pid | Process
2680 | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
4512 | skotes.exe
1372 | 5b375ee085.exe
3596 | skotes.exe
2516 | c44673a8fa.exe
3248 | skotes.exe
4572 | skotes.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2188 set thread context of 4336 | 2188 | 93d1ebe82d.exe | 105
PID 4324 set thread context of 2568 | 4324 | 8fd9317161.exe | 114
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid | pid_target | Process | procid_target
3360 | 1372 | WerFault.exe | 97
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 93d1ebe82d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c44673a8fa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5b375ee085.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 93d1ebe82d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8fd9317161.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8fd9317161.exe
Suspicious behavior: EnumeratesProcesses (38 IoCs; identical rows collapsed with a count)
pid | Process | count
2680 | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe | 2
4512 | skotes.exe | 2
1372 | 5b375ee085.exe | 6
3928 | svchost.exe | 4
3596 | skotes.exe | 2
2516 | c44673a8fa.exe | 10
4336 | 93d1ebe82d.exe | 4
2568 | 8fd9317161.exe | 4
3248 | skotes.exe | 2
4572 | skotes.exe | 2
Suspicious use of WriteProcessMemory (38 IoCs; identical rows collapsed with a count)
description | pid | Process | procid_target | count
PID 2680 wrote to memory of 4512 | 2680 | 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe | 83 | 3
PID 4512 wrote to memory of 1372 | 4512 | skotes.exe | 97 | 3
PID 1372 wrote to memory of 3928 | 1372 | 5b375ee085.exe | 98 | 5
PID 4512 wrote to memory of 2188 | 4512 | skotes.exe | 103 | 3
PID 2188 wrote to memory of 4336 | 2188 | 93d1ebe82d.exe | 105 | 9
PID 4512 wrote to memory of 2516 | 4512 | skotes.exe | 108 | 3
PID 4512 wrote to memory of 4324 | 4512 | skotes.exe | 111 | 3
PID 4324 wrote to memory of 2568 | 4324 | 8fd9317161.exe | 114 | 9
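Read together, the WriteProcessMemory and SetThreadContext tables describe two different things: routine child creation (a few writes into a freshly spawned process) and two cases where a process spawns a second copy of its own image, writes into it repeatedly and then resets its thread context, which is the process-hollowing pattern. The following is an added example, not the sandbox's code: it rebuilds those relationships from the rows above and labels each (writer, target) pair. The rows and PID-to-image mapping are copied from this report; the rule names and the SYSTEM_IMAGES set are the example's own assumptions.

```python
import re
from collections import defaultdict

# Distinct events copied from the WriteProcessMemory and SetThreadContext tables
# above (the report repeats each write row once per call; one copy suffices here).
WRITE_ROWS = """
PID 2680 wrote to memory of 4512 2680 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe 83
PID 4512 wrote to memory of 1372 4512 skotes.exe 97
PID 1372 wrote to memory of 3928 1372 5b375ee085.exe 98
PID 4512 wrote to memory of 2188 4512 skotes.exe 103
PID 2188 wrote to memory of 4336 2188 93d1ebe82d.exe 105
PID 4512 wrote to memory of 2516 4512 skotes.exe 108
PID 4512 wrote to memory of 4324 4512 skotes.exe 111
PID 4324 wrote to memory of 2568 4324 8fd9317161.exe 114
"""
CONTEXT_ROWS = """
PID 2188 set thread context of 4336 2188 93d1ebe82d.exe 105
PID 4324 set thread context of 2568 4324 8fd9317161.exe 114
"""
# pid -> image, from the "Executes dropped EXE" table; the root sample and the
# svchost.exe target are taken from the process tree.
DROPPED = ("4512 skotes.exe 1372 5b375ee085.exe 2188 93d1ebe82d.exe 4336 93d1ebe82d.exe "
           "3596 skotes.exe 2516 c44673a8fa.exe 4324 8fd9317161.exe 2568 8fd9317161.exe "
           "3248 skotes.exe 4572 skotes.exe")
EXTRA_NAMES = {
    2680: "091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe",
    3928: "svchost.exe",
}
# Assumption: Windows images a dropped file should never be writing into.
SYSTEM_IMAGES = {"svchost.exe"}

EVENT_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+\.exe) (\d+)")
NAME_RE = re.compile(r"(\d+) (\S+\.exe)")
OP_LABEL = {"wrote to memory of": "write", "set thread context of": "set-context"}


def parse_events(*tables):
    """(src_pid, op, dst_pid) for every row in the given signature tables."""
    return [(int(s), OP_LABEL[op], int(d))
            for t in tables for s, op, d, _, _ in EVENT_RE.findall(t)]


def parse_names(table, extra):
    names = {int(p): n for p, n in NAME_RE.findall(table)}
    names.update(extra)
    return names


def build_edges(events):
    """Collect the set of operations seen for each (writer, target) pair."""
    edges = defaultdict(set)
    for src, op, dst in events:
        edges[(src, dst)].add(op)
    return edges


def classify(edges, names):
    """Label each (writer, target) pair.

    hollowing-candidate: write + SetThreadContext into a child running the same
        image: the parent spawned a copy of itself, replaced its memory and
        redirected its entry point (both pairs in this report).
    thread-hijack-candidate: SetThreadContext without the same-image condition.
    system-process-write: writes into a Windows image such as svchost.exe.
    spawn-write: writes alone into an ordinary child; CreateProcess itself
        writes the new process's parameters, so this is seen on every launch."""
    verdicts = {}
    for (src, dst), ops in edges.items():
        same_image = names.get(src) == names.get(dst)
        if {"write", "set-context"} <= ops and same_image:
            verdicts[(src, dst)] = "hollowing-candidate"
        elif "set-context" in ops:
            verdicts[(src, dst)] = "thread-hijack-candidate"
        elif names.get(dst, "").lower() in SYSTEM_IMAGES:
            verdicts[(src, dst)] = "system-process-write"
        else:
            verdicts[(src, dst)] = "spawn-write"
    return verdicts


def run():
    events = parse_events(WRITE_ROWS, CONTEXT_ROWS)
    names = parse_names(DROPPED, EXTRA_NAMES)
    return classify(build_edges(events), names)


if __name__ == "__main__":
    names = parse_names(DROPPED, EXTRA_NAMES)
    for (src, dst), label in sorted(run().items()):
        print(f"{label:24} {src} {names[src]} -> {dst} {names[dst]}")
```

The 1372 to 3928 pair is the one to look at next after the two hollowing candidates: five writes into an svchost.exe that the process tree shows under sihost.exe, the same process named in the NtCreateUserProcessOtherParentProcess signature, so the writer is hidden from a naive parent-child view.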
Processes
(one line per process: [depth] image path, command line, PID; signatures hit are listed beneath it)

[1] C:\Windows\system32\sihost.exe  cmdline: sihost.exe  PID:2996
  [2] C:\Windows\SysWOW64\svchost.exe  cmdline: "C:\Windows\System32\svchost.exe"  PID:3928
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      (shown under sihost.exe because of the spoofed parent; the writer is 5b375ee085.exe, PID 1372, per the WriteProcessMemory table)

[1] C:\Users\Admin\AppData\Local\Temp\091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade.exe"  PID:2680
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"  PID:4512
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1016876001\5b375ee085.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1016876001\5b375ee085.exe"  PID:1372
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 536  PID:3360
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\1016877001\93d1ebe82d.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1016877001\93d1ebe82d.exe"  PID:2188
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\1016877001\93d1ebe82d.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1016877001\93d1ebe82d.exe"  PID:4336
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\AppData\Local\Temp\1016878001\c44673a8fa.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1016878001\c44673a8fa.exe"  PID:2516
        - Enumerates VirtualBox registry keys
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\AppData\Local\Temp\1016879001\8fd9317161.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1016879001\8fd9317161.exe"  PID:4324
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\1016879001\8fd9317161.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\1016879001\8fd9317161.exe"  PID:2568
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\SysWOW64\WerFault.exe  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1372 -ip 1372  PID:944
    (error-reporting helper for the crash of 5b375ee085.exe, PID 1372)

The three skotes.exe instances below start at depth 1, i.e. outside the sample's own process tree, which is consistent with the C:\Windows\Tasks\skotes.job task file the sample drops:

[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  PID:3596
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  PID:3248
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
[1] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  PID:4572
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)
Downloads
Filesize: 1.9MB
MD5: 914bc5e4ca51b1218f63a8539614dcbc
SHA1: 5edab3b12041e423a1321bd656b55f7f6a3c76f9
SHA256: e77eb409d5ab219632439eddc1019746c132ca68cbdbf3f63deda117f010bb01
SHA512: 7d301c0e284ccff3694108e48e027784a7292dd17b9c9746822b64d0415f26cc3d737d6f19a8bc912b4a44c9b262aba00bae5cd484c3e0b9b8dc63ac889229fb

Filesize: 747KB
MD5: 8a9cb17c0224a01bd34b46495983c50a
SHA1: 00296ea6a56f6e10a0f1450a20c5fb329b8856c1
SHA256: 3d51b9523b387859bc0d94246dfb216cfa82f9d650c8d11be11ed67f70e7440b
SHA512: 1472e4670f469c43227b965984ecc223a526f6284363d8e08a3b5b55e602ccce62df4bc49939ee5bd7df7b0c26e20da896b084eccab767f8728e6bf14d71c840

Filesize: 4.3MB
MD5: 3287ce2d6be3f77c5d1e7cc351f4ad5f
SHA1: d9f04b9c1d610402c10c27772169d9e911d9adf5
SHA256: 7619900af0011cd2b40be259c52acf7e7415532d002a09267bcfb823ea1f38c4
SHA512: f3f99e918f412a511c1324e89359645a37933f855b3da5214611906b861203ae6aad20dab6e04ee5bae3fa134ae604ce61c08f9de3cd2718fb1090f193477d95

Filesize: 758KB
MD5: afd936e441bf5cbdb858e96833cc6ed3
SHA1: 3491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256: c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512: 928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325

Filesize: 2.9MB (the submitted sample; hashes match the General section)
MD5: 657b1d5bada53a94c7eb16a8f6780aef
SHA1: 3f913ed5ca66f8d29d2ea004792ba71fd3b157bc
SHA256: 091bc5705ea1f8127db8f1d53c883ba04b79afb04bece4f90c73d1311c546ade
SHA512: 7d3c5072fd4f5a3d542028798dddce15d0cf8c4a682c897d9075a8a825739842320bea82592ff9fbdc977519e5f933e8e78ac203b2c8d67ae5de62ae414cb4a9