amadey | 6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581

Analysis

max time kernel
39s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe
Size

420KB
MD5

0ae8b048945c6ced85df3fb5afa2bc0b
SHA1

af1862013ba627e94fbfa10de4fc515fb42d91c0
SHA256

6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581
SHA512

5956f438dd7421fe2a5a8532d467e48b2132afefa65713f71f25c9cc5d38cf73a5f7dccd2c19734643bdfb52266b59fd2fdcc6937feb648fef23be0b6d86f7c9
SSDEEP

6144:GLRGetrMAw/3EMKdzVlUVBEtBDryn4Tz207FYc5Ri:G9VCAsSU4t5K4vLji

Score

10^/10

amadey stealc 9c9aa5 fed3aa save discovery evasion persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

save

http://185.215.113.37

Attributes

url_path
/e2b1563c6670f193.php

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ef7d4e8ca6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3ea537dc7d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9e73ce5ee6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ef7d4e8ca6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ef7d4e8ca6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3ea537dc7d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3ea537dc7d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9e73ce5ee6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9e73ce5ee6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe

Executes dropped EXE 6 IoCs

pid	Process
2784	skotes.exe
2640	ef7d4e8ca6.exe
2816	3ea537dc7d.exe
1352	0b27daf3ba.exe
2036	9e73ce5ee6.exe
2628	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	ef7d4e8ca6.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	3ea537dc7d.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	9e73ce5ee6.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	axplong.exe

Loads dropped DLL 9 IoCs

pid	Process
2220	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe
2220	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe
2784	skotes.exe
2784	skotes.exe
2784	skotes.exe
2784	skotes.exe
2784	skotes.exe
2784	skotes.exe
2036	9e73ce5ee6.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\0b27daf3ba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000028001\\0b27daf3ba.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef7d4e8ca6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000023001\\ef7d4e8ca6.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\3ea537dc7d.exe = "C:\\Users\\Admin\\1000026002\\3ea537dc7d.exe"	skotes.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000018fa2-72.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2640	ef7d4e8ca6.exe
2816	3ea537dc7d.exe
2036	9e73ce5ee6.exe
2628	axplong.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe
File created	C:\Windows\Tasks\axplong.job	9e73ce5ee6.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b27daf3ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e73ce5ee6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef7d4e8ca6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ea537dc7d.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2640	ef7d4e8ca6.exe
2816	3ea537dc7d.exe
2348	chrome.exe
2348	chrome.exe
2036	9e73ce5ee6.exe
2628	axplong.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2220	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
2036	9e73ce5ee6.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe
1352	0b27daf3ba.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2784	2220	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe	30
PID 2220 wrote to memory of 2784	2220	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe	30
PID 2220 wrote to memory of 2784	2220	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe	30
PID 2220 wrote to memory of 2784	2220	6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe	30
PID 2784 wrote to memory of 2640	2784	skotes.exe	32
PID 2784 wrote to memory of 2640	2784	skotes.exe	32
PID 2784 wrote to memory of 2640	2784	skotes.exe	32
PID 2784 wrote to memory of 2640	2784	skotes.exe	32
PID 2784 wrote to memory of 2816	2784	skotes.exe	33
PID 2784 wrote to memory of 2816	2784	skotes.exe	33
PID 2784 wrote to memory of 2816	2784	skotes.exe	33
PID 2784 wrote to memory of 2816	2784	skotes.exe	33
PID 2784 wrote to memory of 1352	2784	skotes.exe	34
PID 2784 wrote to memory of 1352	2784	skotes.exe	34
PID 2784 wrote to memory of 1352	2784	skotes.exe	34
PID 2784 wrote to memory of 1352	2784	skotes.exe	34
PID 1352 wrote to memory of 2348	1352	0b27daf3ba.exe	35
PID 1352 wrote to memory of 2348	1352	0b27daf3ba.exe	35
PID 1352 wrote to memory of 2348	1352	0b27daf3ba.exe	35
PID 1352 wrote to memory of 2348	1352	0b27daf3ba.exe	35
PID 2348 wrote to memory of 2316	2348	chrome.exe	36
PID 2348 wrote to memory of 2316	2348	chrome.exe	36
PID 2348 wrote to memory of 2316	2348	chrome.exe	36
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 2468	2348	chrome.exe	38
PID 2348 wrote to memory of 1648	2348	chrome.exe	39
PID 2348 wrote to memory of 1648	2348	chrome.exe	39

C:\Users\Admin\AppData\Local\Temp\6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe
"C:\Users\Admin\AppData\Local\Temp\6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\1000023001\ef7d4e8ca6.exe
    "C:\Users\Admin\AppData\Local\Temp\1000023001\ef7d4e8ca6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- - C:\Users\Admin\1000026002\3ea537dc7d.exe
    "C:\Users\Admin\1000026002\3ea537dc7d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\1000028001\0b27daf3ba.exe
    "C:\Users\Admin\AppData\Local\Temp\1000028001\0b27daf3ba.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefad49758,0x7fefad49768,0x7fefad49778
        5⤵
        
        PID:2316
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1256,i,14032182970367981803,16722659480529396063,131072 /prefetch:2
        5⤵
        
        PID:2468
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1256,i,14032182970367981803,16722659480529396063,131072 /prefetch:8
        5⤵
        
        PID:1648
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1256,i,14032182970367981803,16722659480529396063,131072 /prefetch:8
        5⤵
        
        PID:1520
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1256,i,14032182970367981803,16722659480529396063,131072 /prefetch:1
        5⤵
        
        PID:2564
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1256,i,14032182970367981803,16722659480529396063,131072 /prefetch:1
        5⤵
        
        PID:1456
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3276 --field-trial-handle=1256,i,14032182970367981803,16722659480529396063,131072 /prefetch:1
        5⤵
        
        PID:2736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1332 --field-trial-handle=1256,i,14032182970367981803,16722659480529396063,131072 /prefetch:2
        5⤵
        
        PID:2312
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 --field-trial-handle=1256,i,14032182970367981803,16722659480529396063,131072 /prefetch:8
        5⤵
        
        PID:1604
- - C:\Users\Admin\AppData\Local\Temp\1000029001\9e73ce5ee6.exe
    "C:\Users\Admin\AppData\Local\Temp\1000029001\9e73ce5ee6.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2628

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3372584e-c83f-41f4-8357-527a683e8405.tmp

Filesize
5KB

MD5
9f479413d7cdbd3f5bd828f2eb8c1904

SHA1
d9922e83199956c9c854486ccf6c703ddfa7360c

SHA256
5cf28c84c870a9724eb1ffb4876b1efcb5fce852339b56eea0997c871c9a9ee4

SHA512
f98e6cc8db5583d9e452ee609dca02e11c66179510a06b45f1fb7f87c1b229a33144b6e26542ca9c57fb9377555308a4fa3c1ed9322401484122b79086950933

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000023001\ef7d4e8ca6.exe

Filesize
1.8MB

MD5
2ff9d81435c7d755cb5a6b975ed50ce6

SHA1
a588fbde21ac7335c3b516db6ccaa783eb2a088c

SHA256
162e527a19799d2d3ace95ca315eba1ffa0fd4fd3eac247a26b41212033b2863

SHA512
46688a8fb90c3b3bcb926e6b37129ebd45297283150e61450b685f792d20f7d5d2d88ea2487f73dd76d6e20b513f43ba143ff9d321b47f4f4563287e02a9e235

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000028001\0b27daf3ba.exe

Filesize
1.1MB

MD5
4d4ce788750f2f654e42e6bfccde419c

SHA1
33f56a257b9af1d77c085413be668c5d24f9b2e7

SHA256
d8ee72c297423711a6580c3bbcaa8e335459fd111352cf024e662d363752097a

SHA512
68869a12fe7203c3a13391c6cdc6ca271477c00a42dce3ba1ae03cfb214099ec627e01c4416dcf3d63cb030345433b138a12770020006c497deb682cb4c5e516

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000029001\9e73ce5ee6.exe

Filesize
1.8MB

MD5
73acb4cc181aca9525ab9f599500b9ca

SHA1
46a29f8b0e10003f85a8eae8a46473d0344650df

SHA256
4bc8ab389044aabd25719e924300530feddae8efa8a485cbfd67de8f347132f2

SHA512
f84e777e3591e00a8c7ac53ad47554d100aec16f19e143dd69447cd2d3872975c5c673f2ab1a8c66a164d0dec73d8876a7d9064386eb90c0474e55c2187ce5c0

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
420KB

MD5
0ae8b048945c6ced85df3fb5afa2bc0b

SHA1
af1862013ba627e94fbfa10de4fc515fb42d91c0

SHA256
6e9637eeaf1ea43fc7850ad8ce3ac4bc2cfab054439680f3c5bf60e1153a3581

SHA512
5956f438dd7421fe2a5a8532d467e48b2132afefa65713f71f25c9cc5d38cf73a5f7dccd2c19734643bdfb52266b59fd2fdcc6937feb648fef23be0b6d86f7c9

Download Submit
memory/2036-175-0x0000000000CE0000-0x00000000011AB000-memory.dmp

Filesize
4.8MB

Download
memory/2036-146-0x0000000000CE0000-0x00000000011AB000-memory.dmp

Filesize
4.8MB

Download
memory/2220-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2220-18-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2220-19-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2220-5-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2220-3-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2220-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2628-204-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-246-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-254-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-252-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-250-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-248-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-210-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-203-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-244-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-231-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-227-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-216-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-225-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2628-176-0x0000000000830000-0x0000000000CFB000-memory.dmp

Filesize
4.8MB

Download
memory/2640-41-0x0000000000260000-0x0000000000909000-memory.dmp

Filesize
6.7MB

Download
memory/2640-44-0x0000000000260000-0x0000000000909000-memory.dmp

Filesize
6.7MB

Download
memory/2784-45-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2784-22-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2784-180-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2784-40-0x0000000003620000-0x0000000003CC9000-memory.dmp

Filesize
6.7MB

Download
memory/2784-21-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2784-145-0x0000000003620000-0x0000000003AEB000-memory.dmp

Filesize
4.8MB

Download
memory/2784-143-0x0000000003620000-0x0000000003CC9000-memory.dmp

Filesize
6.7MB

Download
memory/2784-42-0x0000000003620000-0x0000000003CC9000-memory.dmp

Filesize
6.7MB

Download
memory/2784-63-0x0000000003620000-0x0000000003CC9000-memory.dmp

Filesize
6.7MB

Download
memory/2784-121-0x0000000003620000-0x0000000003CC9000-memory.dmp

Filesize
6.7MB

Download
memory/2784-62-0x0000000003620000-0x0000000003CC9000-memory.dmp

Filesize
6.7MB

Download
memory/2784-64-0x0000000000400000-0x0000000000565000-memory.dmp

Filesize
1.4MB

Download
memory/2816-67-0x0000000001090000-0x0000000001739000-memory.dmp

Filesize
6.7MB

Download
memory/2816-65-0x0000000001090000-0x0000000001739000-memory.dmp

Filesize
6.7MB

Download