Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-12-2024 07:01
General
-
Target
d37e3994f004204d01a939e3eeb60d90ec9c8af55af21d811b6464b3b357f8e4.exe
-
Size
6.8MB
-
MD5
9b73316458bc53975afcc242bed9d9df
-
SHA1
a7de5cfae404e5a2af16381a448b28ca578d8cde
-
SHA256
d37e3994f004204d01a939e3eeb60d90ec9c8af55af21d811b6464b3b357f8e4
-
SHA512
e8d2d26aa53cc84b16e95bfd2d81007d0ae048c6914e8ec2fca5aa6ae3fb4437e274bf68196b3ff4cf76395a4f681b3803c2ecdf3252d36cce2b8a00818d9ea3
-
SSDEEP
98304:7eR6L3s6OVw4/OwyZYZdIuMkgkQTn56JAHIVJrobVUpEa07eh7qd9T7LRKJU5r8m:iR6TDOVLuYZx1gTmAurH7a57p9
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d37e3994f004204d01a939e3eeb60d90ec9c8af55af21d811b6464b3b357f8e4.exe"C:\Users\Admin\AppData\Local\Temp\d37e3994f004204d01a939e3eeb60d90ec9c8af55af21d811b6464b3b357f8e4.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X2x66.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X2x66.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1X29.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1X29.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1u96j2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1u96j2.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2L1753.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2L1753.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3F54m.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3F54m.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 15564⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4d491R.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4d491R.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1556 -ip 15561⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD5013db3c73039bea48df5c6ab86275484
SHA171e214e423515aa756f3c849620418e838b03281
SHA256d0fbcdd2497b2c0e9978c1cf2e82f9a547c84980e5e1e3839b01be39351f0118
SHA512d3a61939be3ee180a4c73c2c82724bcf5b8d1c983b728c88902be2d63c50242d521b251c0c0a0185a789b7bb99005b34c03e10eae6560cf9734d76a45ec96af4
-
Filesize
5.2MB
MD51771923f892e8d4e74d671cb3491b44a
SHA12dcccef8ee2ed708d4770c306f83f3863bf2b869
SHA256e575637afb7eb6c38c3b2334a64cb3ec82292744e42ad21aa9bde0dace9ecb5e
SHA512b8a5e7298e7f786af43ce1b6645aa350505cb96b4162bb84df7768220c1205f60c5219fa4bbe9dbbb435c4b5dbe235c8f3b6c87fc23c1684d96ce5e74cd79644
-
Filesize
2.7MB
MD531c6811614e6b7a92d67610651f5a98a
SHA177ef9f47c7f5898e8a9726425c9052fff2305b19
SHA2569dec0dc2187f00a04677d49d7da3ad45be58142f62e68e3195192465797e9506
SHA512107ab76eebf4c3fa9608786a0545f88e6c4ba083b0869a2e4cd76eb3161530beef228a4c0788ffcc6b77f852442c256908cdf5fc52aa464c2a22ba7bc558338d
-
Filesize
3.6MB
MD50fa521e45aadd75a98d89ab5584e4317
SHA192b832de68499ff2f7ebf2d0697da67333d58749
SHA25628df7cebb11c235c8542ce4637065789f04a4a7e695236792f1cc5d119b63718
SHA5128875109cfab7e16ea53e7e311efda47cbeab88d01946c0b6f7d217f3f9605c6e3336bd44417c2f4e5f1b0f8d12c3f2fdb8ca6ade9c9ddd38aabdd3f5ebd97a5e
-
Filesize
3.1MB
MD59d3631f02f26cbdbf698c1ebc413b8c7
SHA15ede33c95f78378dba678ad134a4b23b578e828c
SHA25606fb943c62de5f353ee50cd798ff026da5836df20fdb154780ce1e011df07265
SHA51241c015707db1107a273cbd1eb3042ca076ea3115a718d1dd68194adf685226b7281990c7f66eaddc942693a35b4f9d5be0eb69af762b429d755f0b41f40de851
-
Filesize
1.8MB
MD5259cea876b4ff788ed27fab1f9a978ce
SHA197928786646a7187c2a02c4acb9fb5b863dc1721
SHA2567d6d42d07947b28756c4c28821f090b28d8f5f1262d355cd0a6d8ec02b49e81b
SHA5125c9b2adbae358aed3f6efdfaf1ebc0c5dba3e755ba5d9cc35fb0306079df621a5b168feb945054dfeeb0c898d069d5948a53ea0728996bc7218fb4dacdfc1c2e
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB