Analysis
-
max time kernel
20s -
max time network
80s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11-01-2025 04:56
General
-
Target
7d4b3b7b052e2b296a24aadb95127191b717f4ba52853f21231241d8c0877bc4N.exe
-
Size
3.1MB
-
MD5
9c580391a930dd9a31ee8261b5d3cce0
-
SHA1
1239b6aa65563304efe387021eec0bc26290a7f1
-
SHA256
7d4b3b7b052e2b296a24aadb95127191b717f4ba52853f21231241d8c0877bc4
-
SHA512
54cf4fec7c756ee4dc7c7de194a86519a8ffe384cc944ed08dfe395e211e93f28d4feb404448e4db390583c4d36aed1cd8df7fce08927f3a91fc7f073db3865b
-
SSDEEP
49152:7crynO1MjEgjIsOzbrANo0ZQLkx5gNXcZ3BC/Uu+g4LeFTLTMQToPWAG:wr08vgjxOzgUkx0cPzLUHT7TLAG
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Modifies firewall policy service 3 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\7d4b3b7b052e2b296a24aadb95127191b717f4ba52853f21231241d8c0877bc4N.exe"C:\Users\Admin\AppData\Local\Temp\7d4b3b7b052e2b296a24aadb95127191b717f4ba52853f21231241d8c0877bc4N.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD59c580391a930dd9a31ee8261b5d3cce0
SHA11239b6aa65563304efe387021eec0bc26290a7f1
SHA2567d4b3b7b052e2b296a24aadb95127191b717f4ba52853f21231241d8c0877bc4
SHA51254cf4fec7c756ee4dc7c7de194a86519a8ffe384cc944ed08dfe395e211e93f28d4feb404448e4db390583c4d36aed1cd8df7fce08927f3a91fc7f073db3865b
-
Filesize
257B
MD5328b36b361271e299371bf479f2b0071
SHA1d8ad63154146c558d8e029b912e70fd36e468dfa
SHA25613acd03482bc53b18a1a9b7278de32556d9d4bb56c0f41e0b26f1ebdeb208863
SHA5125dc32f7eb8b4e4aae2eafce2b88cd541f6a41a0ecdc96a8a6187b2e307454d6790e028cbe8f5e6d44057763164fe333b9a717eba8d888d22abecea36b2e58e2f
-
Filesize
97KB
MD520e144e434e4a9bca319e6e76bcfebca
SHA1890d6860ea2799841cfb5fcabad1e7c6b86a1580
SHA25626da0d67cd060af594c2d7d0977d9b4625aa9983b93ae7368e5e37a71b93e89e
SHA512456be929dca0e0e916d4ea03a326ed05c0678dbdb23c79156356699a4bbd007701eb06513922d3d2b5680db4fc94e6e3dcbae4fa09700c2dcb0e3e36ea483f1d
-
Filesize
8KB
-
Filesize
416KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
3.1MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
4KB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
8KB
-
Filesize
16.7MB
-
Filesize
3.1MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
16.7MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB