Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2025, 09:13

General

  • Target

    c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe

  • Size

    6.5MB

  • MD5

    96ce3bcfff31fe24a9017e5fe640eaa1

  • SHA1

    09b22771d448bfe6eeda920146e2acf8760ff1df

  • SHA256

    c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858

  • SHA512

    27aec165a967546df409943a2d969b402a80bcdb3c9787084589c3d4d7dac6c8abb687451db04ef22e6b3c6f2806c06cb107e0cc7a14df3d67dcefa3cfe6c053

  • SSDEEP

    196608:rRUbeijhOzbp/Mh5RAe1M19m2WVfwCvYDRt13EGwEJh:reKijwVMh5yecs2gS1t17wEn

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

C2

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Extracted

Family

stealc

Botnet

stok

C2

http://185.215.113.206

Attributes
  • url_path

    /c4becf79229cb002.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Healer family
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
  • Stealc

    Stealc is an infostealer written in C++.

  • Stealc family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 7 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe
    "C:\Users\Admin\AppData\Local\Temp\c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4F38.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4F38.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0t55.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0t55.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3468
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E08t1.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E08t1.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3760
          • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
            "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:1900
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2F5631.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2F5631.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1980
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3e88f.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3e88f.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1972
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U613F.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U613F.exe
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies Windows Defender TamperProtection settings
      • Modifies Windows Defender notification settings
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Windows security modification
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3476
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U613F.exe

    Filesize

    2.6MB

    MD5

    2fdf7327f55ae4fd20f9907d43fc3426

    SHA1

    a9c1cfb68f6ff567fed3ebddd39bed60514d1254

    SHA256

    99ce074354b7517e7bbffe9f74667a918e9608e419c30609e9278c900250986f

    SHA512

    afb064aacc37f312218e6c903f0f72ad2d771460948b735da496b4a918ca039fed3da7b56feeb61059a164a67595aabc61f222b9a2bfe26e25c78313eedef0e2

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4F38.exe

    Filesize

    5.0MB

    MD5

    099fd0d6ef6f81edfebee4d288bf0a62

    SHA1

    989b5dba51c61ff270f75d971dc5c0452f987bfe

    SHA256

    b9e7d06e04515e3ba03bdd6d208c1794e9c58bfd7b1b8da15c432e43dce40cf4

    SHA512

    b8c984b0107b4aebf20f7b738bf6afb3e51c021be5cc879dd868df4105a66daf753cec738cf17467166ef4eef2d05a742ef0ab27df6284c4977408974fbcadb5

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3e88f.exe

    Filesize

    4.9MB

    MD5

    aa349bf5e89768c2f61ce231222c1bdc

    SHA1

    12951a4c87b6b4d589ad2564dbfdecf68d07c399

    SHA256

    b409c259b6308389411a0a7bab322f23ea832a5d4e8862754487acb66704cad9

    SHA512

    107e625924daffa359ccb18ae8525e9848428e172458e1f6717f99b4b474354ea5a9a8e6b8be48b44881059f01ef5784e2dffe3cff164add55fb8493f9a56e4f

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0t55.exe

    Filesize

    3.4MB

    MD5

    2485a200707f9f8b86888eddb92b6169

    SHA1

    d4bf004f0a5e34a09230538343193d6b2e8bff4f

    SHA256

    a8918fa8e322f31aaf1200e19e875d227d046793b4c2015302975344a44b15f3

    SHA512

    9da870355f5bc17eb400cadf7e43020b7110d0c724944ce80be160721848c62064ad96a4f194a23fcb5870628ea0c82acef0f75e6121b1688cc06fda1ae1a876

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E08t1.exe

    Filesize

    3.1MB

    MD5

    74dbde08d67a621bd124be4c921d89ef

    SHA1

    93d7df92c163376eacebfe5c25694f702a720c9f

    SHA256

    af84996ec7e8c74ecf91148ba7cca1e2d4f29562b0fd5885fff65445658da49f

    SHA512

    db7df2491e6e079cba64a39432025f9de45cefb3709b9eef35c9dc153bd12bd1cfd0f0bf088086373aa074265a07bc2b605252cc6852a98ff240b5e4a40a2ef8

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2F5631.exe

    Filesize

    2.9MB

    MD5

    b1e1958f18941aaefe2021e7b032910b

    SHA1

    9b3ce7ba5964cd1a2050979ce23bf926c6799fd8

    SHA256

    6861fd2b6aee5b0c53ed8ec89391b22aa830e19c398d0ea3f6787d10c9e28c6d

    SHA512

    2bda446a24e9cb7bd843a5fe4ed06f6c8298964196c94a3205512b889d7ebe9380771664c4a0256d9e0af35d7fd1129497ed4e3b91a4d5669347d286563e5a70

  • memory/1344-54-0x0000000000940000-0x0000000000BE8000-memory.dmp

    Filesize

    2.7MB

  • memory/1344-48-0x0000000000940000-0x0000000000BE8000-memory.dmp

    Filesize

    2.7MB

  • memory/1344-57-0x0000000000940000-0x0000000000BE8000-memory.dmp

    Filesize

    2.7MB

  • memory/1344-51-0x0000000000940000-0x0000000000BE8000-memory.dmp

    Filesize

    2.7MB

  • memory/1344-50-0x0000000000940000-0x0000000000BE8000-memory.dmp

    Filesize

    2.7MB

  • memory/1900-59-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-58-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-70-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-49-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-69-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-33-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-52-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-76-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-68-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-73-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-67-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-60-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-75-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-74-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-65-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1900-66-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/1972-42-0x0000000000AA0000-0x0000000000F83000-memory.dmp

    Filesize

    4.9MB

  • memory/1972-44-0x0000000000AA0000-0x0000000000F83000-memory.dmp

    Filesize

    4.9MB

  • memory/1980-38-0x0000000000190000-0x0000000000480000-memory.dmp

    Filesize

    2.9MB

  • memory/1980-39-0x0000000000190000-0x0000000000480000-memory.dmp

    Filesize

    2.9MB

  • memory/3476-64-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/3476-62-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/3504-72-0x0000000000770000-0x0000000000A8A000-memory.dmp

    Filesize

    3.1MB

  • memory/3760-32-0x0000000000B20000-0x0000000000E3A000-memory.dmp

    Filesize

    3.1MB

  • memory/3760-21-0x0000000000B20000-0x0000000000E3A000-memory.dmp

    Filesize

    3.1MB