Analysis
- max time kernel: 112s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-01-2025 09:24
- Static task: static1
General
- Target: 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe
- Size: 3.5MB
- MD5: b3e58c669b1086e68b831e0be4c63360
- SHA1: 15fda1e1f04727f0c1f1f373757c6aaf3c8e2cce
- SHA256: 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0
- SHA512: 4334cc75c68bcc76c3f97c95d89540a89a7c871c82186c1ac763449961e1acbb04a7311e914701d9ac2007d04687b27de2a0002f390982c0975b811c985a8775
- SSDEEP: 98304:Wg26LqqLz83YWkoAji54c4bUWbVHWr+iEBoBxJURRtN:s6mqM3YXFc4UgVc+bBoBxJUR1
Malware Config
Extracted
- Family: amadey
- Version: 4.42
- Botnet: 9c9aa5
- C2: http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php

Joining C2 and url_paths gives the check-in endpoint http://185.215.113.43/Zu7JuNko/index.php. install_dir and install_file together match the dropped copy C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe that appears in the process tree below.
Signatures

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
The key name under HKLM\HARDWARE\ACPI\DSDT is the OEM table ID of the firmware's DSDT, which is VBOX__ on a VirtualBox guest; whether the open succeeds tells the sample if it is running inside VirtualBox.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1t86f5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2c3099.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments: on an unhardened VM, SystemBiosVersion and VideoBiosVersion carry vendor strings that name the hypervisor.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1t86f5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2c3099.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2c3099.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1t86f5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 1t86f5.exe
Executes dropped EXE (5 IoCs)
pid | Process
3532 | 1t86f5.exe
4520 | skotes.exe
1808 | 2c3099.exe
5004 | skotes.exe
4952 | skotes.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment. HKCU\Software\Wine exists only under Wine, so a successful open is the tell.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 1t86f5.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | 2c3099.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine | skotes.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe
This RunOnce entry is the cleanup hook that the Windows IExpress self-extractor (wextract) writes for its IXP000.TMP staging directory: at the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete that directory. It does not re-launch the payload, so it is not the persistence mechanism; the skotes.job task file below is.

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Setting ThreadHideFromDebugger on a thread stops the kernel from reporting that thread's debug events to an attached debugger; a breakpoint hit in such a thread terminates the process instead of stopping in the debugger.
pid | Process
3532 | 1t86f5.exe
4520 | skotes.exe
1808 | 2c3099.exe
5004 | skotes.exe
4952 | skotes.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1t86f5.exe
A .job file under C:\Windows\Tasks is a scheduled task in the legacy Task Scheduler 1.0 format. Its name matches the configured install_file skotes.exe, and the two skotes.exe instances at the top level of the process tree below (PIDs 5004 and 4952, no parent in the tree) are consistent with that task launching the installed copy.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1t86f5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2c3099.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
3532 | 1t86f5.exe
3532 | 1t86f5.exe
4520 | skotes.exe
4520 | skotes.exe
1808 | 2c3099.exe
1808 | 2c3099.exe
5004 | skotes.exe
5004 | skotes.exe
4952 | skotes.exe
4952 | skotes.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
3532 | 1t86f5.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 3860 wrote to memory of 3532 | 3860 | 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe | 83
PID 3860 wrote to memory of 3532 | 3860 | 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe | 83
PID 3860 wrote to memory of 3532 | 3860 | 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe | 83
PID 3532 wrote to memory of 4520 | 3532 | 1t86f5.exe | 84
PID 3532 wrote to memory of 4520 | 3532 | 1t86f5.exe | 84
PID 3532 wrote to memory of 4520 | 3532 | 1t86f5.exe | 84
PID 3860 wrote to memory of 1808 | 3860 | 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe | 85
PID 3860 wrote to memory of 1808 | 3860 | 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe | 85
PID 3860 wrote to memory of 1808 | 3860 | 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe | 85
Every write here is by a parent into a child it has just created, three writes per child, which is typical of process creation rather than injection into an unrelated process. The table therefore documents the spawn chain: the submitted sample (PID 3860) starts 1t86f5.exe (3532) and 2c3099.exe (1808), and 1t86f5.exe starts skotes.exe (4520).
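Added example, not part of this report and not code from the Amadey sample: a small triage helper that parses registry events written in the report's flattened "<action> <registry path> <process>" form, tags each process with the anti-analysis checks listed in the signatures above, and separates the IExpress cleanup RunOnce entry from a real Run-key persistence write. The event lines in SAMPLE_EVENTS are constructed from the IoCs in the tables above; the tag names, the rule set and the "two or more anti-analysis families" threshold are this example's own assumptions.

```python
"""Tag sandbox registry events with the anti-analysis or persistence behaviour
they represent.

Added example, not part of the sandbox report or of the Amadey sample. Input is
the report's flattened '<action> <registry path>[ = "<data>"] <process>' line
format; SAMPLE_EVENTS is constructed from the report's own IoC tables. Tag
names, rules and the score threshold are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's IoC rows, one event per line.
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1t86f5.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1t86f5.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2c3099.exe
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 1t86f5.exe
Key opened \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Software\Wine 2c3099.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe
"""

ACTIONS = ("Key value queried", "Key opened", "Set value (str)")

# Registry paths that only exist, or only carry telling values, on analysis
# hosts. Each pattern is matched against the end of the registry path.
RULES = [
    (re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$"), "anti-vm:virtualbox-acpi"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$"),
     "anti-sandbox:bios-version"),
    (re.compile(r"\\Software\\Wine$"), "anti-sandbox:wine"),
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$"), "geofence:nation"),
    (re.compile(r"\\Control\\NLS\\Language$"), "geofence:language"),
]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_event(line):
    """Split one report line into (action, registry path, value data or None, process)."""
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            rest = line[len(action) + 1:]
            break
    else:
        raise ValueError(f"unrecognised event: {line!r}")
    # The process name is the last token; registry paths may contain spaces
    # ('Control Panel'), so split from the right.
    target, process = rest.rsplit(" ", 1)
    data = None
    if " = " in target:
        target, data = target.split(" = ", 1)
    return action, target, data, process


def classify(action, target, data):
    """Return a behaviour tag for one event, or None if it is not interesting."""
    for pattern, tag in RULES:
        if pattern.search(target):
            return tag
    if action.startswith("Set value") and RUN_KEY.search(target):
        # wextract.exe (the IExpress self-extractor) registers its own cleanup
        # under RunOnce: rundll32 advpack.dll,DelNodeRunDLL32 <staging dir>.
        # That deletes the IXP000.TMP directory at next logon and is not
        # payload persistence, so it must not be scored as a Run key.
        if data and "advpack.dll,DelNodeRunDLL32" in data:
            return "installer:wextract-cleanup"
        return "persistence:run-key"
    return None


def tag_processes(events_text):
    """Map each process name to the sorted list of distinct tags it earned."""
    tags = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        action, target, data, process = parse_event(line)
        tag = classify(action, target, data)
        if tag:
            tags[process].add(tag)
    return {proc: sorted(t) for proc, t in tags.items()}


def anti_analysis_count(tags_by_process):
    """Number of distinct anti-VM / anti-sandbox tags per process. Two or more
    (threshold chosen for this example) means the sample is unlikely to
    detonate on an unhardened VirtualBox or Wine based sandbox."""
    return {proc: sum(t.startswith("anti-") for t in tags)
            for proc, tags in tags_by_process.items()}


if __name__ == "__main__":
    by_proc = tag_processes(SAMPLE_EVENTS)
    counts = anti_analysis_count(by_proc)
    for proc in sorted(by_proc):
        flag = "EVASIVE" if counts[proc] >= 2 else ""
        print(f"{proc:<72} {counts[proc]} {flag:<8} {', '.join(by_proc[proc])}")
```

Run as a script to see one line per process; feed it the full IoC tables from a report (or your own sandbox's registry log in the same shape) to get the per-process picture. The rule list is deliberately tied to the specific keys this sample touched; extend RULES when a sample probes other hypervisor artefacts.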
Processes
C:\Users\Admin\AppData\Local\Temp\89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe (PID 3860, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\89a17c7e1f6a2bb674179c230f5de7fdc67f91de9d7ce3858c7d08d7a5fbd6b0N.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1t86f5.exe (PID 3532, level 2, parent 3860)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1t86f5.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 4520, level 3, parent 3532)
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2c3099.exe (PID 1808, level 2, parent 3860)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2c3099.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 5004, level 1, no parent in the tree)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 4952, level 1, no parent in the tree)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

Parent PIDs are taken from the WriteProcessMemory table above. The two top-level skotes.exe instances (PIDs 5004 and 4952) were not started by any process in the tree, which is consistent with the C:\Windows\Tasks\skotes.job scheduled task launching the installed copy.
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.8MB
  MD5: 1dbe33532cd06a93b0c6eaa9ef460f64
  SHA1: 6ac157f2d2fb52ade2e92dedcfdc6d6d3fdfce80
  SHA256: bc3662aa42c1007ae1512f2f33962ebd5dded955aaf77996764e4459c1ed254e
  SHA512: 094e74d171f73664d03174e1c3eb69c299d4df364dd35357f14ccf5a0fccd79eb36a267706e2cc4ce8f848518f61d0808901692725d860ea0987ca217b3f3bb2
- Filesize: 2.9MB
  MD5: 9a47339660ba9b8e7b97918c6b29dfdc
  SHA1: 1e89fdf2332d60973d615138b23eff5224d5591e
  SHA256: 99b59a76d7c2a5c48ec905e31e729a65c7f7622473c59435ec68944c11a0bdda
  SHA512: 649289a94c87d33c268e64cc988bc27a660084a267594b50e58f3871bf470f95ad112985f7ef14bb4c777d7df97c960df1677063e594dcfe6b162a42ea47c814