Analysis
- max time kernel: 112s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2025, 15:50
Static task: static1
Behavioral task: behavioral1
Sample: 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe
Resource: win10v2004-20241007-en
General
- Target: 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe
- Size: 3.6MB
- MD5: 88b7a5f36122e73a0a5c426f488e74e1
- SHA1: abaa6377b2cc04aedfa0c7522d255820a892cb6e
- SHA256: 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42
- SHA512: 27f9236d2ff551e955ba664fb5412c25ae57423dd85267669478937ea0ab575739c65111706a0d5a48dab68eae48872a42be7c274ffb9a0a5402d26117229dfa
- SSDEEP: 98304:23Mz0metiOJBX9jnPtgjyhMI2ZyDTqgKoqOo3l0KjUf:GHmetiODBcE2QDugKLw
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
- install_dir: abc3bc1985
- install_file: skotes.exe
- strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
- url_paths: /Zu7JuNko/index.php
Signatures
- Amadey family
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 5 IoCs)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 1I16g6.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by skotes.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 2i3336.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by skotes.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by skotes.exe
- Checks BIOS information in registry (2 TTPs, 10 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by skotes.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 1I16g6.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 1I16g6.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by skotes.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by skotes.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by skotes.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 2i3336.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 2i3336.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by skotes.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by skotes.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation by 1I16g6.exe
- Executes dropped EXE (5 IoCs)
  - PID 1556: 1I16g6.exe
  - PID 2988: skotes.exe
  - PID 4732: 2i3336.exe
  - PID 1912: skotes.exe
  - PID 2560: skotes.exe
- Identifies Wine through registry keys (2 TTPs, 5 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  - Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine by skotes.exe
  - Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine by skotes.exe
  - Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine by 1I16g6.exe
  - Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine by skotes.exe
  - Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine by 2i3336.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  - PID 1556: 1I16g6.exe
  - PID 2988: skotes.exe
  - PID 4732: 2i3336.exe
  - PID 1912: skotes.exe
  - PID 2560: skotes.exe
- Drops file in Windows directory (1 IoC)
  - File created C:\Windows\Tasks\skotes.job by 1I16g6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 1I16g6.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by skotes.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2i3336.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  - PID 1556: 1I16g6.exe
  - PID 1556: 1I16g6.exe
  - PID 2988: skotes.exe
  - PID 2988: skotes.exe
  - PID 4732: 2i3336.exe
  - PID 4732: 2i3336.exe
  - PID 1912: skotes.exe
  - PID 1912: skotes.exe
  - PID 2560: skotes.exe
  - PID 2560: skotes.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 1556: 1I16g6.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Columns: description; pid; Process; procid_target
  - PID 2156 wrote to memory of 1556; 2156; 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe; 83
  - PID 2156 wrote to memory of 1556; 2156; 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe; 83
  - PID 2156 wrote to memory of 1556; 2156; 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe; 83
  - PID 1556 wrote to memory of 2988; 1556; 1I16g6.exe; 84
  - PID 1556 wrote to memory of 2988; 1556; 1I16g6.exe; 84
  - PID 1556 wrote to memory of 2988; 1556; 1I16g6.exe; 84
  - PID 2156 wrote to memory of 4732; 2156; 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe; 85
  - PID 2156 wrote to memory of 4732; 2156; 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe; 85
  - PID 2156 wrote to memory of 4732; 2156; 35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe; 85
Processes
- C:\Users\Admin\AppData\Local\Temp\35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe (PID 2156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\35c2562c1b12ee26865ae06ebb43c86b6075f120db59fd3076a3a62b808a6b42.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1I16g6.exe (PID 1556)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1I16g6.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2988)
      Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2i3336.exe (PID 4732)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2i3336.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 1912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Downloads
- Filesize: 2.8MB
  MD5: b84371667cc2b0c8b42151c2aee1f648
  SHA1: 57d7b401b45efa5f7c7c80d3c03162958d6bfecc
  SHA256: 1dc9ae77de12441b9fc1f777cc678f444260bdc2ff95e184446edbe89507fdf8
  SHA512: 5bc6f8aecec1e8aeb34261d05c6da5198e53e31387ef586f71b0f658486301be83ec70933c52beb272229d83003ce4d6185ff899eea3c538b61f85504cb97f33
- Filesize: 1.8MB
  MD5: 83385cf4f0b5d001fb57e65ffb58b6b7
  SHA1: 0167d3b5e041b8d1d9f29550c6411716c03f21c1
  SHA256: 7db1444199ec8bab33051ded3d215a9cc7d5dc0f9546ae64c868b898f45f83e3
  SHA512: 98b93cf57e8b58378d32e91f3301d5d4f21e16daf03ab33399b597935e10783bc2596be1c247defb83eaac700f3443abb7e771e19276bb100207b4616611de43