Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-12-2024 14:08
General
-
Target
2f9add3e7c70d47b7e5bcf17aadc98c18f81b025efd57fd06fde76a37ad2c5b0.exe
-
Size
6.8MB
-
MD5
d6f0c53051f545ee4a6703078d36583e
-
SHA1
54531fc75e243655a2046d6c60e277850ea10bf6
-
SHA256
2f9add3e7c70d47b7e5bcf17aadc98c18f81b025efd57fd06fde76a37ad2c5b0
-
SHA512
1a59f2ecabbef4f81836ceb9285a91d2a7bc7d05fc7e50fb3a91599b6f82435608a9d0b255d9e6f835d110c9e9d40569f28f381ae93e4163559f65ba69aa4f8d
-
SSDEEP
196608:LQjwjfFpRxYL8FckFCTVmWsNBASWVbpWyA:ZpT9ckoVmWsNBVWV4y
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f9add3e7c70d47b7e5bcf17aadc98c18f81b025efd57fd06fde76a37ad2c5b0.exe"C:\Users\Admin\AppData\Local\Temp\2f9add3e7c70d47b7e5bcf17aadc98c18f81b025efd57fd06fde76a37ad2c5b0.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E2i93.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\E2i93.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4e36.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4e36.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1b59w8.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1b59w8.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2p6750.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2p6750.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3i95l.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3i95l.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 15884⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4c063C.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4c063C.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4928 -ip 49281⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD552deacb2607521ad88e05bee89c9437d
SHA1da926b7a4237edb82bb5b3413b2df95e6b4c6d1c
SHA25612d4775f81800515735b2caf92acc6136bcd4bca3b659fc488bede2223223d7d
SHA512e61a3ab6686f315cb2d7571b322fbda6a95533bc80be5d3348f83aa21f90eac3c89aa744a955a396e966ca81e12bec744c169f9e4ce42766dd775d632a243d95
-
Filesize
5.2MB
MD5661e336fb9466f5b8eb6cb707e1b58a1
SHA197704314ef983ca76d7e27d7b79e97f541373ea8
SHA2566e35ffc02366aa82aca958c602cf786f3b058337ba7939b6746573dbce43eaad
SHA512c2271fe7d36c7558d8b00093eeb10fa7c0fdda966ec4ac805431c7fd14986255f14401066f04b5f56b1a83bc5a8c0314aba37d768b1dc86252959a3c43aa8b29
-
Filesize
2.8MB
MD54b15ec703f2ecacc825f842eee718652
SHA1c65b5b23075058412300a18485f46e8b5ffd3145
SHA25645412de2869fd156e91e372335f89819dd2ccb1a9f4de0772aa69f73f1889dd5
SHA512dc824e5ca55b022b6ed3646fcc39ba64a90f799c63f8f39639974dd4505ab62aa04d787a4a1089f7d9d60a10ce925af74bcf7bab36c62e2249304a099e25e238
-
Filesize
3.6MB
MD5ebae3003ef5fb48d3dc9db9a96d9bb80
SHA162b4f2b3a8b028c3794374f33d4d3acfaa6cfb3e
SHA256e9c5871ace99c84ae2fab602b3045338047d360ab16b03742ca414e357e8a6bb
SHA5124ebbfbd5b3a81031f00929de832ae3c11fd7ee9eb9330fe92f332277e474213b4aea4f5e6e08e9d77d1884294ede2436ecc9520809053f6257c484baff5165de
-
Filesize
3.1MB
MD56a10ecc330fd0b35dfa8e46144f7bff3
SHA129291d2fe144caab85d565975b2ce3249efd26b4
SHA256e1f8802b6eb2b3dd14e875ee4b5ea1ccb5ad1a2d6cb190fcce6645e7a39dbdca
SHA51218c2bff1cabb4a2c7c558bdcb4d064dc85cbabd158a43eeff13579f833550230b8687e4b675e597015cbe27fa935f961451eb28cf59cb3c7b404b349f1cdafff
-
Filesize
1.8MB
MD527f96b23f81772a72de57368993824b3
SHA120befb7f8e88d3511e0999b9e8160bc3d5cfe42d
SHA2560d5701c30702bf5bc6ffb586108b9ae7d89b6223d0c5710e9c69585b562f68c7
SHA512f143661c9f0e2b9ebc954cc301b91af266d87f2bc14bac963347738f14627699374b893448a45f59ac794111e2efe74af3cdff110da244fa8ccc0bc1ad3ec6ab
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
5.0MB