Analysis
-
max time kernel
67s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
-
submitted
27-09-2024 08:07
Static task
static1
Behavioral task
behavioral1
Sample
5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
Resource
win7-20240903-en
General
-
Target
5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
-
Size
435KB
-
MD5
6005662a18ecbc23f89481cb5ae9be73
-
SHA1
bc4ec29220c54fe2cec779f738bae8f0fff91c8c
-
SHA256
5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
-
SHA512
e204c4b2f56616b5cbc222bf9bd111e4dd455ec32ad1d1dae833414e1945133f772f84a41cb0b48339245f6cc97bf1949523f4853fd42b96d5f77d8da62fcd1a
-
SSDEEP
6144:sLq9GFWzmKJaexGmG2ugpIRk71J4AE1oYMEW6GQ4NqffzymNSZQ5FYc5KYi:sG9Ggta2Lpik2lSPQomzymNSMi
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
save
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: 9fedc44b36.exe, 5dd4e155bd.exe, a79e707c6f.exe, axplong.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9fedc44b36.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5dd4e155bd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | a79e707c6f.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: a79e707c6f.exe, axplong.exe, 9fedc44b36.exe, 5dd4e155bd.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a79e707c6f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | a79e707c6f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9fedc44b36.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9fedc44b36.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5dd4e155bd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 5dd4e155bd.exe
-
Executes dropped EXE 6 IoCs
Processes: skotes.exe, 9fedc44b36.exe, 5dd4e155bd.exe, 9b67ca5fa3.exe, a79e707c6f.exe, axplong.exe
pid | process
588 | skotes.exe
2632 | 9fedc44b36.exe
1688 | 5dd4e155bd.exe
2084 | 9b67ca5fa3.exe
1296 | a79e707c6f.exe
3036 | axplong.exe
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: axplong.exe, 9fedc44b36.exe, 5dd4e155bd.exe, a79e707c6f.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | axplong.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 9fedc44b36.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 5dd4e155bd.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | a79e707c6f.exe
-
Loads dropped DLL 9 IoCs
Processes: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe, skotes.exe, a79e707c6f.exe
pid | process
2376 | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
2376 | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
588 | skotes.exe
588 | skotes.exe
588 | skotes.exe
588 | skotes.exe
588 | skotes.exe
588 | skotes.exe
1296 | a79e707c6f.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: skotes.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9fedc44b36.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\9fedc44b36.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\5dd4e155bd.exe = "C:\\Users\\Admin\\1000026002\\5dd4e155bd.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\9b67ca5fa3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\9b67ca5fa3.exe" | skotes.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe | autoit_exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: 9fedc44b36.exe, 5dd4e155bd.exe, a79e707c6f.exe, axplong.exe
pid | process
2632 | 9fedc44b36.exe
1688 | 5dd4e155bd.exe
1296 | a79e707c6f.exe
3036 | axplong.exe
-
Drops file in Windows directory 2 IoCs
Processes: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe, a79e707c6f.exe
description | ioc | process
File created | C:\Windows\Tasks\skotes.job | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
File created | C:\Windows\Tasks\axplong.job | a79e707c6f.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe, skotes.exe, 9fedc44b36.exe, 5dd4e155bd.exe, 9b67ca5fa3.exe, a79e707c6f.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9fedc44b36.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5dd4e155bd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9b67ca5fa3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a79e707c6f.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 9fedc44b36.exe, 5dd4e155bd.exe, chrome.exe, a79e707c6f.exe, axplong.exe
pid | process
2632 | 9fedc44b36.exe
1688 | 5dd4e155bd.exe
1920 | chrome.exe
1920 | chrome.exe
1296 | a79e707c6f.exe
3036 | axplong.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 9b67ca5fa3.exe
pid | process
2084 | 9b67ca5fa3.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chrome.exe
description | pid | process
Token: SeShutdownPrivilege | 1920 | chrome.exe (64 identical entries)
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe, 9b67ca5fa3.exe, chrome.exe, a79e707c6f.exe
pid | process
2376 | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
2084 | 9b67ca5fa3.exe (3 entries)
1920 | chrome.exe (36 entries)
2084 | 9b67ca5fa3.exe (4 entries)
1296 | a79e707c6f.exe
2084 | 9b67ca5fa3.exe (19 entries)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: 9b67ca5fa3.exe, chrome.exe
pid | process
2084 | 9b67ca5fa3.exe (3 entries)
1920 | chrome.exe (32 entries)
2084 | 9b67ca5fa3.exe (29 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe, skotes.exe, 9b67ca5fa3.exe, chrome.exe
description | pid | process | target process
PID 2376 wrote to memory of 588 | 2376 | 5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe | skotes.exe (4 entries)
PID 588 wrote to memory of 2632 | 588 | skotes.exe | 9fedc44b36.exe (4 entries)
PID 588 wrote to memory of 1688 | 588 | skotes.exe | 5dd4e155bd.exe (4 entries)
PID 588 wrote to memory of 2084 | 588 | skotes.exe | 9b67ca5fa3.exe (4 entries)
PID 2084 wrote to memory of 1920 | 2084 | 9b67ca5fa3.exe | chrome.exe (4 entries)
PID 1920 wrote to memory of 1156 | 1920 | chrome.exe | chrome.exe (3 entries)
PID 1920 wrote to memory of 1216 | 1920 | chrome.exe | chrome.exe (39 entries)
PID 1920 wrote to memory of 1868 | 1920 | chrome.exe | chrome.exe (2 entries)
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe
Command: "C:\Users\Admin\AppData\Local\Temp\5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47.exe"
Depth: 1
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 2376
-
Path: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
Command: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
Depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 588
-
Path: C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe
Command: "C:\Users\Admin\AppData\Local\Temp\1000023001\9fedc44b36.exe"
Depth: 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2632
-
Path: C:\Users\Admin\1000026002\5dd4e155bd.exe
Command: "C:\Users\Admin\1000026002\5dd4e155bd.exe"
Depth: 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1688
-
Path: C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe
Command: "C:\Users\Admin\AppData\Local\Temp\1000028001\9b67ca5fa3.exe"
Depth: 3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2084
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Depth: 4
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1920
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d19758,0x7fef6d19768,0x7fef6d19778
Depth: 5
PID: 1156
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:2
Depth: 5
PID: 1216
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:8
Depth: 5
PID: 1868
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:8
Depth: 5
PID: 636
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:1
Depth: 5
PID: 2504
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:1
Depth: 5
PID: 1888
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3252 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:1
Depth: 5
PID: 2612
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1400 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:2
Depth: 5
PID: 1408
-
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 --field-trial-handle=1380,i,659298516237816222,12798015023229626716,131072 /prefetch:8
Depth: 5
PID: 976
-
Path: C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe
Command: "C:\Users\Admin\AppData\Local\Temp\1000029001\a79e707c6f.exe"
Depth: 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID: 1296
-
Path: C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
Command: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Depth: 4
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID: 3036
-
Path: C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Depth: 1
PID: 576
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
264KB
MD5
f50f89a0a91564d0b8a211f8921aa7de
SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
2KB
MD5
61f4c8f9bbef8f3dd960043aa47d5842
SHA1
1e65de8ede719f5f2764259f6ebdb6b3246adbd5
SHA256
7e03e0d390f7cde356686e9cd72cb9f50d9fc544ca370ac6e8dc4dab56c5a9c5
SHA512
ff5e8ecfe68465a387409a486f3fabc69ca304a0fab9a1dd4ef8a312d16148a3ce719932e934588166b595f54ac037ba6666297549c5f00bef17a70d23fafbf5
-
Filesize
16B
MD5
18e723571b00fb1694a3bad6c78e4054
SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d9c6a296-1adc-4ba3-89e0-9b75f3eedcdb.tmp
Filesize
6KB
MD5
28dd8170a0d23e83274150c39afbffa6
SHA1
d81ec21c17a1faaeb46b43d101c0339d8e2d2430
SHA256
b3273c0d4523bd68dcd1cb36b7c594ac85fc2e0c91bd82a4fc66550625dfe48f
SHA512
bbd40381443ae82b42aea5e6b08e34229bdc61adc9223f782098809c3c8852aa2c1953ee0245b5cbf57a24073f3929640b80e0ccb92a9291de5f97bff3af4572
-
Filesize
1.8MB
MD5
2ff9d81435c7d755cb5a6b975ed50ce6
SHA1
a588fbde21ac7335c3b516db6ccaa783eb2a088c
SHA256
162e527a19799d2d3ace95ca315eba1ffa0fd4fd3eac247a26b41212033b2863
SHA512
46688a8fb90c3b3bcb926e6b37129ebd45297283150e61450b685f792d20f7d5d2d88ea2487f73dd76d6e20b513f43ba143ff9d321b47f4f4563287e02a9e235
-
Filesize
1.1MB
MD5
cda0b8ef0af532cf29045c06142ce1f8
SHA1
39b7bd4dadc3172152d727dd9633916ae1a8fd7d
SHA256
3129cc8fa8430ac67ed710a05d4227d636612387b02125b8006117c40c79e5b6
SHA512
40f6209a1b41e952eb5b96cadcfa87bdc5a9ceaf7f1f438beff20378d620eada3031485b179ef58920d23d6563324269206a2243d0cfb3ad58811827d39071f2
-
Filesize
1.8MB
MD5
2dbfc6089fd5e3b1aa8a004508a16a37
SHA1
20331e184251ff628c6e3593511fc6ab93349058
SHA256
99bc61afdb7382ac8d7f9da3bb87ca552fe8596ded65bf39a81d2f7839bbc3d6
SHA512
03f5390778ce28d28d6e4c60af50f0ee32f1e4adf1b0ea1958bd9897db919f63817f1a0df8b4b4ae03ac90d4e797a2a1db380f9fce9d6ef33575101c4a640629
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
435KB
MD5
6005662a18ecbc23f89481cb5ae9be73
SHA1
bc4ec29220c54fe2cec779f738bae8f0fff91c8c
SHA256
5d1a1cd27bacd3056147511b475f0953af2fba7dc50f73585944bbcb3bed6f47
SHA512
e204c4b2f56616b5cbc222bf9bd111e4dd455ec32ad1d1dae833414e1945133f772f84a41cb0b48339245f6cc97bf1949523f4853fd42b96d5f77d8da62fcd1a