Analysis
-
max time kernel
143s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-12-2024 11:49
General
-
Target
bcbe3e7106ce092a031aa188c1eb17f65f86ae60a6cbfb149fe4751a757c2b70.exe
-
Size
6.7MB
-
MD5
f93841a9a1a82b4aac879bc2461843ad
-
SHA1
c6ee0f75fe27ac995a6bb7b0c4cb2cd96c0e8844
-
SHA256
bcbe3e7106ce092a031aa188c1eb17f65f86ae60a6cbfb149fe4751a757c2b70
-
SHA512
aa5005aaf14663955ad4b871f076549809f54b57eb5468ddae7121b13698a64e3bdebb4439a226d1657cb4b0f6cba3fde8cb80f05b1d8152cf58f8d76ea1d985
-
SSDEEP
196608:FM/EA45/12xDxdpx0rgtMO/FXYlZnZeKiQ54AV:FMMAwKDTpSgtMAFXMZeKT2A
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcbe3e7106ce092a031aa188c1eb17f65f86ae60a6cbfb149fe4751a757c2b70.exe"C:\Users\Admin\AppData\Local\Temp\bcbe3e7106ce092a031aa188c1eb17f65f86ae60a6cbfb149fe4751a757c2b70.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6s92.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6s92.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s7K77.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s7K77.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1r84W5.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1r84W5.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2b9050.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2b9050.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w82D.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w82D.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 15604⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4c989C.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4c989C.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1764 -ip 17641⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD53416a6d791189b939881f448c785e633
SHA1990bdeb64e3af9fcb769932927ad4ce1fa7a386f
SHA256f96dfe13d91cb7d10d1d001da6449ee446650b0f0c252dba1e38ebcf8643ac6b
SHA51271dbb20706361de879754d2587eaee6cea14d845cc1efaadd9064e2b24515b556d3be0c9519a962cb88893c85c0cdab311372735091f53784abefb6f7c649367
-
Filesize
5.1MB
MD5cbf340e4ea3fbf7c6739c33c28a55aa6
SHA1e02b67300d61be009182d34d897facf41e017876
SHA25687ccd03f7cb1f2515a3b487ce81069058545d1f974e1821953041116293f1fca
SHA512e63fee06ed1793c3cd15f29f0d88420b6e91f628e7a0e7b57e87fd7117777c8a224554224e60a92aff276a66fe9287b70ba84142e577a3d50d0aef0045710515
-
Filesize
2.7MB
MD57443bb38e90dae43396dd59b203154c2
SHA1c0e7e78ec238500f9f42d7c1826d3a3a89bd4bbd
SHA25653036028d463806b42004f8af8b6773b1b5ce779e66367a6e3963674676fe382
SHA5123fb08eb7f82a0880102496f4bbd46f9a766046b51484e3ddc1a780884827dcabc5fdd06f8def73512788f300bcc5e671e94be8bf47357771fb2482543812c502
-
Filesize
3.5MB
MD5abdb211e9cf5430e93ab029fe35c299d
SHA1b7a6d59157aeded9591e5b8f6e62d9976a4094a7
SHA256f8000892c4615fcd1800f3bd877d74943c28decb1702c25823328b2f15407f13
SHA512f4edc6d8d8678a84b68ce50f5869d319b08a9ed0d64c7443c5c69e4ed68d5c434952acb987a9ffb6a5832eab38e772f75156534e14776a3d4ed8194fdd6c4a61
-
Filesize
3.1MB
MD5313e87fdd8cf27d989d528f9f8157d72
SHA143d2f75979712df2d2ac7ac2c3748976b879a130
SHA256196e5daaf4f7c1bed0fad54b7472505deea1cc93556be3e400ec5ab4eadf85d8
SHA51226f05e453f21233fc5cc864e5a3cf203d8043f0524d19f353667d742ec9c49cb1aba439f1736e031f56ae08f2ae30a5dca68409ff94b32a5b432ab432b9332af
-
Filesize
1.8MB
MD51a464ffccb48c9eb4725dff74971ca2a
SHA1ed212c76b9d5743874da852caeb4452f0c48fc65
SHA256a9a38bbfef394b17980ff1026dd2e51f6a2f701bb79eeeb9d166626c1ca8a800
SHA512628a61d38aa2a3249341d413f586f7f5dad21ef57839bccf4c51e7717d6a233bf17b05df782b53c9fc61d3ae574bc6c3e4e9729a62d9ebde5b51618976d557ea
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.1MB