Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    112s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 15:50

General

  • Target

    35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe

  • Size

    3.6MB

  • MD5

    88b7a5f36122e73a0a5c426f488e74e1

  • SHA1

    abaa6377b2cc04aedfa0c7522d255820a892cb6e

  • SHA256

    35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42

  • SHA512

    27f9236d2ff551e955ba664fb5412c25ae57423dd85267669478937ea0ab575739c65111706a0d5a48dab68eae48872a42be7c274ffb9a0a5402d26117229dfa

  • SSDEEP

    98304:23Mz0metiOJBX9jnPtgjyhMI2ZyDTqgKoqOo3l0KjUf:GHmetiODBcE2QDugKLw

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe
    "C:\Users\Admin\AppData\Local\Temp\35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1I16g6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1I16g6.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2i3336.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2i3336.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4732
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1912
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1I16g6.exe

    Filesize

    2.8MB

    MD5

    b84371667cc2b0c8b42151c2aee1f648

    SHA1

    57d7b401b45efa5f7c7c80d3c03162958d6bfecc

    SHA256

    1dc9ae77de12441b9fc1f777cc678f444260bdc2ff95e184446edbe89507fdf8

    SHA512

    5bc6f8aecec1e8aeb34261d05c6da5198e53e31387ef586f71b0f658486301be83ec70933c52beb272229d83003ce4d6185ff899eea3c538b61f85504cb97f33

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2i3336.exe

    Filesize

    1.8MB

    MD5

    83385cf4f0b5d001fb57e65ffb58b6b7

    SHA1

    0167d3b5e041b8d1d9f29550c6411716c03f21c1

    SHA256

    7db1444199ec8bab33051ded3d215a9cc7d5dc0f9546ae64c868b898f45f83e3

    SHA512

    98b93cf57e8b58378d32e91f3301d5d4f21e16daf03ab33399b597935e10783bc2596be1c247defb83eaac700f3443abb7e771e19276bb100207b4616611de43

  • memory/1556-7-0x0000000000BC0000-0x0000000000ED0000-memory.dmp

    Filesize

    3.1MB

  • memory/1556-8-0x0000000077E44000-0x0000000077E46000-memory.dmp

    Filesize

    8KB

  • memory/1556-9-0x0000000000BC1000-0x0000000000BEF000-memory.dmp

    Filesize

    184KB

  • memory/1556-10-0x0000000000BC0000-0x0000000000ED0000-memory.dmp

    Filesize

    3.1MB

  • memory/1556-11-0x0000000000BC0000-0x0000000000ED0000-memory.dmp

    Filesize

    3.1MB

  • memory/1556-25-0x0000000000BC0000-0x0000000000ED0000-memory.dmp

    Filesize

    3.1MB

  • memory/1912-33-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2560-42-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-34-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-39-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-47-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-35-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-36-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-37-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-38-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-46-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-40-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-23-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-43-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-44-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/2988-45-0x0000000000550000-0x0000000000860000-memory.dmp

    Filesize

    3.1MB

  • memory/4732-30-0x0000000000EB0000-0x000000000135E000-memory.dmp

    Filesize

    4.7MB

  • memory/4732-29-0x0000000000EB0000-0x000000000135E000-memory.dmp

    Filesize

    4.7MB