Analysis
-
max time kernel
143s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-12-2024 06:28
General
-
Target
32427aa0af7233c3b86db132323dd97889de40ea06b5e531d1c6dad3591d15cb.exe
-
Size
6.7MB
-
MD5
c5fd3fcc6491c27b6d3097d45beb395a
-
SHA1
4260ef42519ad5397ebd2a881563cfd16b476dfd
-
SHA256
32427aa0af7233c3b86db132323dd97889de40ea06b5e531d1c6dad3591d15cb
-
SHA512
96fa44fe806a8993e65544fe91c544998f500f5c5d4cebb1c2e9cd5027046c0c093679571cc4b79f6c22bf0065b220a398cde109274cf4c120c2f3720aa91a8b
-
SSDEEP
98304:BpaIk47RLDjxT/mlT8TVG0iDu9z3u68VgjVheGyp3CxlR4VPFemTVf:Bm41flTaT4zHokNjxl6Vb
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\32427aa0af7233c3b86db132323dd97889de40ea06b5e531d1c6dad3591d15cb.exe"C:\Users\Admin\AppData\Local\Temp\32427aa0af7233c3b86db132323dd97889de40ea06b5e531d1c6dad3591d15cb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4L85.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4L85.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7z90.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7z90.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1h63Q1.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1h63Q1.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2H9440.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2H9440.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w69V.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w69V.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 15884⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4V623A.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4V623A.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1620 -ip 16201⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD52e40a2eae302afae7d758a19a17ab944
SHA11394057cadae6a6892ed8abf696f1cfedd188d73
SHA256a0fc6367e44beb0690f3241afb0ae42518af51867b70c1f839ab55657d50b443
SHA512c1a9ac4fea58f0bd233d90faf2a9ba43292ee5fb133c16bbade6dbc3e718ee2dfd55793ab097bfdb50615ec41897867f56841fe912e46621ad72d18fa510167a
-
Filesize
5.2MB
MD54c6c4bb8d8e85d89453020c3ac2ac879
SHA1476aeda198699300e5e07c35249207d4d553c912
SHA25624e3b689d639e68131db476179dfd63c30c62bce4dca2cc67c4eb7334bcbf6d5
SHA512a15052c6028d622e834471887610fd9deac9338866c66141b9c220191562441e3e6ab37d1e1a618a33a81d8993855670ed08a471962ff6ad56256d9af7d03f88
-
Filesize
2.8MB
MD51ba71e6ac42d53bd5272efa4776e5b37
SHA1bd3526f61226508c54321ce57b04ada2e0b8847f
SHA2560a3e1ccdabd62cca6ee7b8a13d6090cf89aa8505162736f844f263b163ca7619
SHA51275ad779fb631cdc9fa906949e45ad006d15863aa8a6d4f5e6a8dae51a5e4a81d192ff5f4666e2d443fb11308e29534728300774a9bc8c602d3563636074f5d3c
-
Filesize
3.5MB
MD566015f8d17c6926c3e9892a6e83cced9
SHA13798461deca7b686ae936deaf764d291ab3faaea
SHA256d0fa9c53f16ae9d3723994d0068798f5d7c4f8091bfd7ac4e5773d81dc513456
SHA51265e09ff4acd7851d86ac2bff0ec3ffe9716ab3cfce0a02fd10e51941dc5265360268f9d999b50b47888883d12feca44f11df188debea1a3d4d243373ac731bc6
-
Filesize
3.1MB
MD5b54cf9188652a3bfe166d33c542f8ac6
SHA14335fa4d75ab3ba85613d163f8f930d9adf087ce
SHA2560f1d1aed639362ce37edde5b4c278555bec835b1a5d3d5b90a7b8bbce0d83b86
SHA512b6ef0f5c0db58bed81c3c8c5f506942503c00d7c97099ac52b290567fe2578b88b8d5589715583b1b7b80f6a30e344e870f416eda0a241ed002b8fea0171892f
-
Filesize
1.8MB
MD599e7fa90ed2f0668e8928a0bd9e4d37f
SHA1cb40bccee3c04b5c992fad18039dbedd4e59b5a0
SHA25606f71451ac6bc586a8e4a4f62a70669d2d0684d610fe4aa3197dbf053accd49c
SHA5126c5c15daeb6b621dc803c9d23e30b89c8bc4e88f07bbbb09cfceead76d5c777b7bbbe810c6a38d7ce0aed71776e46de817ccef591e806c43e13e4fd3a6fc4516
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB