Analysis
-
max time kernel
144s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27/01/2025, 09:13
Static task
static1
General
-
Target
c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe
-
Size
6.5MB
-
MD5
96ce3bcfff31fe24a9017e5fe640eaa1
-
SHA1
09b22771d448bfe6eeda920146e2acf8760ff1df
-
SHA256
c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858
-
SHA512
27aec165a967546df409943a2d969b402a80bcdb3c9787084589c3d4d7dac6c8abb687451db04ef22e6b3c6f2806c06cb107e0cc7a14df3d67dcefa3cfe6c053
-
SSDEEP
196608:rRUbeijhOzbp/Mh5RAe1M19m2WVfwCvYDRt13EGwEJh:reKijwVMh5yecs2gS1t17wEn
Malware Config
Extracted
Family amadey
Version 4.42
Botnet 9c9aa5
C2 http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
Family lumma
C2 https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://fancywaxxers.shop/api
Extracted
Family stealc
Botnet stok
C2 http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey family
-
Detects Healer, an antivirus disabler dropper 3 IoCs
resource | yara_rule
behavioral1/memory/1344-50-0x0000000000940000-0x0000000000BE8000-memory.dmp | healer
behavioral1/memory/1344-51-0x0000000000940000-0x0000000000BE8000-memory.dmp | healer
behavioral1/memory/1344-57-0x0000000000940000-0x0000000000BE8000-memory.dmp | healer
-
Healer family
-
Lumma family
-
Modifies Windows Defender DisableAntiSpyware settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | 4U613F.exe
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 4U613F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4U613F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4U613F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4U613F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4U613F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4U613F.exe
-
Modifies Windows Defender TamperProtection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4U613F.exe
-
Modifies Windows Defender notification settings 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | 4U613F.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender Security Center\Notifications | 4U613F.exe
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2F5631.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3e88f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4U613F.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1E08t1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2F5631.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3e88f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2F5631.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3e88f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4U613F.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4U613F.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1E08t1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1E08t1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 1E08t1.exe
-
Executes dropped EXE 9 IoCs
pid | Process
4960 | f4F38.exe
3468 | p0t55.exe
3760 | 1E08t1.exe
1900 | skotes.exe
1980 | 2F5631.exe
1972 | 3e88f.exe
1344 | 4U613F.exe
3476 | skotes.exe
3504 | skotes.exe
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 2F5631.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 3e88f.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 4U613F.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 1E08t1.exe
Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
-
Windows security modification 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 4U613F.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4U613F.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | f4F38.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | p0t55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
3760 | 1E08t1.exe
1900 | skotes.exe
1980 | 2F5631.exe
1972 | 3e88f.exe
1344 | 4U613F.exe
3476 | skotes.exe
3504 | skotes.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 1E08t1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4U613F.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f4F38.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | p0t55.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1E08t1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2F5631.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3e88f.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
3760 | 1E08t1.exe
3760 | 1E08t1.exe
1900 | skotes.exe
1900 | skotes.exe
1980 | 2F5631.exe
1980 | 2F5631.exe
1972 | 3e88f.exe
1972 | 3e88f.exe
1344 | 4U613F.exe
1344 | 4U613F.exe
1344 | 4U613F.exe
1344 | 4U613F.exe
3476 | skotes.exe
3476 | skotes.exe
3504 | skotes.exe
3504 | skotes.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1344 | 4U613F.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3760 | 1E08t1.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2616 wrote to memory of 4960 | 2616 | c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe | 83
PID 2616 wrote to memory of 4960 | 2616 | c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe | 83
PID 2616 wrote to memory of 4960 | 2616 | c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe | 83
PID 4960 wrote to memory of 3468 | 4960 | f4F38.exe | 84
PID 4960 wrote to memory of 3468 | 4960 | f4F38.exe | 84
PID 4960 wrote to memory of 3468 | 4960 | f4F38.exe | 84
PID 3468 wrote to memory of 3760 | 3468 | p0t55.exe | 85
PID 3468 wrote to memory of 3760 | 3468 | p0t55.exe | 85
PID 3468 wrote to memory of 3760 | 3468 | p0t55.exe | 85
PID 3760 wrote to memory of 1900 | 3760 | 1E08t1.exe | 86
PID 3760 wrote to memory of 1900 | 3760 | 1E08t1.exe | 86
PID 3760 wrote to memory of 1900 | 3760 | 1E08t1.exe | 86
PID 3468 wrote to memory of 1980 | 3468 | p0t55.exe | 87
PID 3468 wrote to memory of 1980 | 3468 | p0t55.exe | 87
PID 3468 wrote to memory of 1980 | 3468 | p0t55.exe | 87
PID 4960 wrote to memory of 1972 | 4960 | f4F38.exe | 89
PID 4960 wrote to memory of 1972 | 4960 | f4F38.exe | 89
PID 4960 wrote to memory of 1972 | 4960 | f4F38.exe | 89
PID 2616 wrote to memory of 1344 | 2616 | c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe | 90
PID 2616 wrote to memory of 1344 | 2616 | c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe | 90
PID 2616 wrote to memory of 1344 | 2616 | c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe | 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe (level 1), command line: "C:\Users\Admin\AppData\Local\Temp\c352f8fe100c1ee9b86ff286a038c9616c8dc15e478b125ebefd188c9d089858.exe"
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4F38.exe (level 2), command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f4F38.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0t55.exe (level 3), command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0t55.exe
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3468 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E08t1.exe (level 4), command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E08t1.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 5), command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1900
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2F5631.exe (level 4), command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2F5631.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1980
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3e88f.exe (level 3), command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3e88f.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1972
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U613F.exe (level 2), command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U613F.exe
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender TamperProtection settings
- Modifies Windows Defender notification settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 1), command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3476
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (level 1), command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3504
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 4
Windows Service 4
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 4
Windows Service 4
Defense Evasion
Impair Defenses 5
Disable or Modify Tools 5
Modify Registry 6
Virtualization/Sandbox Evasion 2
Downloads
-
Filesize 2.6MB
MD5 2fdf7327f55ae4fd20f9907d43fc3426
SHA1 a9c1cfb68f6ff567fed3ebddd39bed60514d1254
SHA256 99ce074354b7517e7bbffe9f74667a918e9608e419c30609e9278c900250986f
SHA512 afb064aacc37f312218e6c903f0f72ad2d771460948b735da496b4a918ca039fed3da7b56feeb61059a164a67595aabc61f222b9a2bfe26e25c78313eedef0e2
-
Filesize 5.0MB
MD5 099fd0d6ef6f81edfebee4d288bf0a62
SHA1 989b5dba51c61ff270f75d971dc5c0452f987bfe
SHA256 b9e7d06e04515e3ba03bdd6d208c1794e9c58bfd7b1b8da15c432e43dce40cf4
SHA512 b8c984b0107b4aebf20f7b738bf6afb3e51c021be5cc879dd868df4105a66daf753cec738cf17467166ef4eef2d05a742ef0ab27df6284c4977408974fbcadb5
-
Filesize 4.9MB
MD5 aa349bf5e89768c2f61ce231222c1bdc
SHA1 12951a4c87b6b4d589ad2564dbfdecf68d07c399
SHA256 b409c259b6308389411a0a7bab322f23ea832a5d4e8862754487acb66704cad9
SHA512 107e625924daffa359ccb18ae8525e9848428e172458e1f6717f99b4b474354ea5a9a8e6b8be48b44881059f01ef5784e2dffe3cff164add55fb8493f9a56e4f
-
Filesize 3.4MB
MD5 2485a200707f9f8b86888eddb92b6169
SHA1 d4bf004f0a5e34a09230538343193d6b2e8bff4f
SHA256 a8918fa8e322f31aaf1200e19e875d227d046793b4c2015302975344a44b15f3
SHA512 9da870355f5bc17eb400cadf7e43020b7110d0c724944ce80be160721848c62064ad96a4f194a23fcb5870628ea0c82acef0f75e6121b1688cc06fda1ae1a876
-
Filesize 3.1MB
MD5 74dbde08d67a621bd124be4c921d89ef
SHA1 93d7df92c163376eacebfe5c25694f702a720c9f
SHA256 af84996ec7e8c74ecf91148ba7cca1e2d4f29562b0fd5885fff65445658da49f
SHA512 db7df2491e6e079cba64a39432025f9de45cefb3709b9eef35c9dc153bd12bd1cfd0f0bf088086373aa074265a07bc2b605252cc6852a98ff240b5e4a40a2ef8
-
Filesize 2.9MB
MD5 b1e1958f18941aaefe2021e7b032910b
SHA1 9b3ce7ba5964cd1a2050979ce23bf926c6799fd8
SHA256 6861fd2b6aee5b0c53ed8ec89391b22aa830e19c398d0ea3f6787d10c9e28c6d
SHA512 2bda446a24e9cb7bd843a5fe4ed06f6c8298964196c94a3205512b889d7ebe9380771664c4a0256d9e0af35d7fd1129497ed4e3b91a4d5669347d286563e5a70