Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-12-2024 20:04
General
-
Target
45400639f60d98c903e3942bea79413d9779bb1a62d96ffe1ac621de8dbd3800_Sigmanly.exe
-
Size
2.9MB
-
MD5
a916c16724e4aa3eef3839f1647f2b0f
-
SHA1
981069c2d4254ca1b9cf41bc5dab8db5bfda1558
-
SHA256
45400639f60d98c903e3942bea79413d9779bb1a62d96ffe1ac621de8dbd3800
-
SHA512
dc4949109a56e0b177a266e3b30d7675a6af578af31e103dc5ca9a3e26da42c01b472b64cbe0b17c4c64890f477bfffc1a95bc256159ce7e112da20971448980
-
SSDEEP
49152:XYcTFPtXwQoLZUBwsfBvrDtWM2ztzbHm2HCoQVQBhm9vOVTU:vho9UBwsfBTDtW1ztHHmToQycvOVT
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 9 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\45400639f60d98c903e3942bea79413d9779bb1a62d96ffe1ac621de8dbd3800_Sigmanly.exe"C:\Users\Admin\AppData\Local\Temp\45400639f60d98c903e3942bea79413d9779bb1a62d96ffe1ac621de8dbd3800_Sigmanly.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1018676001\systemsound.exe"C:\Users\Admin\AppData\Local\Temp\1018676001\systemsound.exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 6124⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018820001\20261eb00c.exe"C:\Users\Admin\AppData\Local\Temp\1018820001\20261eb00c.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\tslcudfqob"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1018821001\d50b5e9ad2.exe"C:\Users\Admin\AppData\Local\Temp\1018821001\d50b5e9ad2.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5fe9044b6b71ab4f7ee9475891acbb2ca
SHA117539df3e0478729b61b1f6e82426ad47f05391f
SHA256366abe07779080156c246b2e63efe87895d00c7ef76853aaa5fa4e0c9af0d993
SHA5124558c1dc662efa4096a7e4e7affabc97cbe364d39c0aef0c45f6a7b2ae48c80108c291887c5581daea066bbb5f9566097ad38900f3f81a8f7f5e2ed1a6cda5eb
-
Filesize
1.2MB
MD5b5c16c628277965fd1fb8fead07b149d
SHA1cf25269a9896c550ae73eb4c71c2080d0273553a
SHA256fbaf4ce60142ad358be5fcbf6545462d24053982161606e5212203ecfc733d27
SHA51235a92b04c2e7879d0c7605f173a86b7cf83689f8fa2cf9ccda6cb236ec10f845c9626f6028858e23cc7240fabb860538da25b40eb415151eae13a1b116ad278b
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
1.0MB
MD57622bc8aafebb69b7ad6c9a4a17e11c6
SHA1a9ceb928cb0c7618870c23b07bfdba059da53f48
SHA256d2c8cd3c2a42968d9c92932810bb762fb02be4cbf1641b0918ee8e5b0171d845
SHA5126b15a5274348599a286b80e97cccc4fc79a3b4853b388995ab93d8393737d3e8f4783037de9776a0d8345bc73b0c1cd15e19a6d05222d181470335c900230160
-
Filesize
2.9MB
MD5a916c16724e4aa3eef3839f1647f2b0f
SHA1981069c2d4254ca1b9cf41bc5dab8db5bfda1558
SHA25645400639f60d98c903e3942bea79413d9779bb1a62d96ffe1ac621de8dbd3800
SHA512dc4949109a56e0b177a266e3b30d7675a6af578af31e103dc5ca9a3e26da42c01b472b64cbe0b17c4c64890f477bfffc1a95bc256159ce7e112da20971448980
-
Filesize
7KB
MD5b8e896755216745634cf2d0fd435908e
SHA17e693072272bece3cfef7a68b34ccf3c0e420720
SHA25669f712eed175ea96d9f1b767de1bb2d6c580f5c5a7d7a15e3a59ee34f38c290b
SHA512fc31c61798841d0a8cd8f2f5c61a0438fba19924b9343abf24e0a6182f2c7a6336b65a97a2ef4880721b6697980e7465e9381304137f2bb632d92e53afc7c78f
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
336KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
304KB
-
Filesize
552KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
184KB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
184KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
48KB