Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-10-2024 00:57
General
-
Target
a5bd7899aa10cbdc6fe54d890f2be4fc6f5397f1231cc51fd5cdeecc5992d33b.exe
-
Size
1.8MB
-
MD5
a359113458b37da999c3dd72d1933391
-
SHA1
de4c51dd690c8a227336a1044a9025fb330c51f0
-
SHA256
a5bd7899aa10cbdc6fe54d890f2be4fc6f5397f1231cc51fd5cdeecc5992d33b
-
SHA512
c30fa98fe8773426e7c14cc73816c5c42c46ffb88dd5a174d9c7be12e2b684fbb02e1a79f4c89d3645c0d1859509b35edd9040d5d9f9d203605db04f644ca6db
-
SSDEEP
49152:zkXoTqjw/3mkB/JkYq0e+YfsjuVcXDn9sARtKX:ybjw/3mkB/JkHkccXDn9rR
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Extracted
lumma
https://drawwyobstacw.sbs
https://condifendteu.sbs
https://ehticsprocw.sbs
https://vennurviot.sbs
https://resinedyw.sbs
https://enlargkiw.sbs
https://allocatinow.sbs
https://mathcucom.sbs
https://clearancek.site
https://licendfilteo.site
https://spirittunek.store
https://bathdoomgaz.store
https://studennotediw.store
https://dissapoiznw.store
https://eaglepawnoy.store
https://mobbipenju.store
Extracted
stealc
default_valenciga
http://185.215.113.17
-
url_path
/2fb6c2cc8dce150a.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
redline
TG CLOUD @RLREBORN Admin @FATHEROFCARDERS
89.105.223.196:29862
Extracted
stealc
doma
http://185.215.113.37
-
url_path
/e2b1563c6670f193.php
Extracted
amadey
4.41
1176f2
http://185.215.113.19
-
install_dir
417fd29867
-
install_file
ednfoki.exe
-
strings_key
183201dc3defc4394182b4bff63c4065
-
url_paths
/CoreOPT/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 13 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 26 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 31 IoCs
-
Identifies Wine through registry keys 2 TTPs 13 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 34 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5bd7899aa10cbdc6fe54d890f2be4fc6f5397f1231cc51fd5cdeecc5992d33b.exe"C:\Users\Admin\AppData\Local\Temp\a5bd7899aa10cbdc6fe54d890f2be4fc6f5397f1231cc51fd5cdeecc5992d33b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"C:\Users\Admin\AppData\Local\Temp\1000002001\gold.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 2964⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\legas.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\VUlkg9gNpJ.exe"C:\Users\Admin\AppData\Roaming\VUlkg9gNpJ.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\GHU2dhddba.exe"C:\Users\Admin\AppData\Roaming\GHU2dhddba.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 2604⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"C:\Users\Admin\AppData\Local\Temp\1000066001\stealc_default2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000354001\a9cc8cfbfe.exe"C:\Users\Admin\AppData\Local\Temp\1000354001\a9cc8cfbfe.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1000355001\2ddc41737b.exe"C:\Users\Admin\AppData\Local\Temp\1000355001\2ddc41737b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"C:\Users\Admin\AppData\Local\Temp\1000336001\num.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1000349001\9494e54a71.exe"C:\Users\Admin\AppData\Local\Temp\1000349001\9494e54a71.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\1000350002\3f792ae61c.exe"C:\Users\Admin\1000350002\3f792ae61c.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1000357001\c228bc242f.exe"C:\Users\Admin\AppData\Local\Temp\1000357001\c228bc242f.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"C:\Users\Admin\AppData\Local\Temp\1000399001\MK.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"4⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"C:\Users\Admin\AppData\Local\Temp\1000406001\Nework.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1000084001\JavUmar.exe"C:\Users\Admin\AppData\Local\Temp\1000084001\JavUmar.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"C:\Users\Admin\AppData\Local\Temp\1000407001\processclass.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start context.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\context.execontext.exe5⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"6⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"7⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "InstallUtil.exe"8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 18⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"C:\Users\Admin\AppData\Local\Temp\1000409001\splwow64.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "InstallUtil.exe" && timeout 1 && del InstallUtil.exe && Exit"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "InstallUtil.exe"6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 16⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe"C:\Users\Admin\AppData\Local\Temp\1000424001\app.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA0ADIANAAwADAAMQBcAGEAcABwAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADEAMAAwADAANAAyADQAMAAwADEAXABhAHAAcAAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABzAHEAZABxAHMAZAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAHMAcQBkAHEAcwBkAC4AZQB4AGUA4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"5⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 696 -ip 6961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3260 -ip 32601⤵
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exeC:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exeC:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
566KB
MD5049b6fe48a8cfb927648ad626aba5551
SHA19555d23104167e4fad5a178b4352831ce620b374
SHA256b78402483c46cd37e2c204d95690aa2a213616a1f904d779ceec0e22fcdd6531
SHA512ed787f90966ca1ea4b1e67c4026dd44393c7d312cd52e376f4ba5e5c49616938ec9e913044def29b40b441eb4c913a5134bb78317a179f62067bef3f9d913c7e
-
Filesize
1.4MB
MD5e6d27b60afe69ac02b1eaec864c882ae
SHA1a72b881867b7eaa9187398bd0e9e144af02ffff4
SHA256aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75
SHA5124f11fc2b36589fc9ff7dc5afd27cb91614f6a89bfd60942baebef025f53cb56ed7413abeff57fc7c85b3a2a4b0feec2649d5c5a856d3e2e9c13f6a0d8c777764
-
Filesize
307KB
MD568a99cf42959dc6406af26e91d39f523
SHA1f11db933a83400136dc992820f485e0b73f1b933
SHA256c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3
SHA5127342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75
-
Filesize
6.5MB
MD53394808f2d5c141b86e33a51ace8a577
SHA12bb0408fff0e02cbe8bd35cf0fe12e63d5bd08e1
SHA256277eafa55c929bc4c805bd1d540d2385922ddcc26ad360af7b947987ca45e758
SHA512b125c00020afdf9ea17f49e01120bafff27cd10752a018dcdf3d064fa371991654a18d86cbe1accbec67e3f05ff0d6d0b2f4237c093acea43cef4fd206b7ad6a
-
Filesize
307KB
MD5791fcee57312d4a20cc86ae1cea8dfc4
SHA104a88c60ae1539a63411fe4765e9b931e8d2d992
SHA25627e4a3627d7df2b22189dd4bebc559ae1986d49a8f4e35980b428fadb66cf23d
SHA5122771d4e7b272bf770efad22c9fb1dfafe10cbbf009df931f091fb543e3132c0efda16acb5b515452e9e67e8b1fc8fe8aedd1376c236061385f026865cdc28d2c
-
Filesize
1.8MB
MD5c835b3829e2ad7dc5328fef966de774d
SHA11875535dfaa2b37c1f79e78119fd7884825d3cfc
SHA256a51b56091167bcddcaa9a742391d5bd9df1ebbfd6b0453bc13de9022173b067f
SHA5122f941c9ab363333a5ea77f865363baf6a27a9cb3fa118732dbf04ab62ede0d58a7b89ef7a47253dbd6bd5fa7a845b800b35e17d5735fdd879b92c8a25ca07bf0
-
Filesize
1.8MB
MD5db621dfa3fbe8d0eef863a6f8a098a22
SHA171161861bbf2ba5bc3fbbcbb7d9249d7bc5d9483
SHA256590e62aee1fe727034148ad4ef00b8ee7e27310065f5b5fe41ba21d503e2abe4
SHA512ad651d9e9ee79a4113c990cefc18b280b4150d0071e7be3cfd102beec46b97c216af96c3bde923822e7be58633ff5c87fc50060f198c430c93a15dea5b40a802
-
Filesize
1.8MB
MD571c580d3178541cae696bf7201f86967
SHA132d3dbb64fbd806f9c596a15f3f78675c8614a06
SHA256cb05ee3354e709d37ae5d53f64026bdcb809ecd3063b75a0fbe2acc2206b21aa
SHA512736a07dc82c915f62b8482058d8f3754f5dbf21192b209102196c48e063909facfc58b416edffe94927fbb09311930720ff706aafce91d5b4a683cdcbd3b19ae
-
Filesize
1.6MB
MD59f875cd80ee26b55a71c2f795eb01c33
SHA1e71f7e13477c83c59c50cb975c3d893dae12d2ff
SHA256a599f8e501bc4a1a7f1ed10b05b5b6fe4c6f13c40c1065af952740880123bfb9
SHA512811ab159ef2868b6458f53784e639020eff3411f5063d76497d91a519ed78976e139d9deb726aef6acf2c6cc06838abf302875905dc9d4c1ef4f5e8802602394
-
Filesize
314KB
MD5ff5afed0a8b802d74af1c1422c720446
SHA17135acfa641a873cb0c4c37afc49266bfeec91d8
SHA25617ac37b4946539fa7fa68b12bd80946d340497a7971802b5848830ad99ea1e10
SHA51211724d26e11b3146e0fc947c06c59c004c015de0afea24ec28a4eb8145fcd51e9b70007e17621c83f406d9aeb7cd96601245671d41c3fcc88a27c33bd7cf55ac
-
Filesize
416KB
MD5f5d7b79ee6b6da6b50e536030bcc3b59
SHA1751b555a8eede96d55395290f60adc43b28ba5e2
SHA2562f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
SHA512532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
Filesize
6KB
MD5c042782226565f89ce3954489075e516
SHA1256dd5ba42837a33c7aa6cb71cef33d5617117ee
SHA256a7b63cd9959ac6f23c86644a4ca5411b519855d47f1f5e75a1645d7274f545a6
SHA5129f0771c66ea7c0a2264b99a8782e3ab88a2d74b609265b5ce14f81dcc52b71e46248abd77767018711d72a18e20fe3b272513bfd722fff9043f962f7c8ed93fd
-
Filesize
1.1MB
MD5ed9393d5765529c845c623e35c1b1a34
SHA1d3eca07f5ce0df847070d2d7fe5253067f624285
SHA25653cd2428c9883acca7182781f22df82c38f8cc115dc014b68e32f8b1cdbf246a
SHA512565f66ef604b10d5be70920d9813e58f5bde174d6a6d30eb8654f467775da8a665c555b7e4127fc22f8a5a5b54466137bde228fd932335517dd017d0ea51f3f8
-
Filesize
20.4MB
MD57172ee8de6490094d4a5112eceaaaa90
SHA146a82d7628f31d91fb883056dfbd4d15d26bbd77
SHA25611cabbb368deb30bc1f45feb6509b222c2b360707ff31c8b1e056c617477f28e
SHA51291e2da0921f8d2596ac2e99e91b108e4d7dba6a97800c775bc9d9b4411fae3b7f0d811f48b107054664aff69c7cdd2c052220960cec9c525470f7266de5780d8
-
Filesize
79KB
MD5682fe57b91ddb52d6abc52f8df35ce28
SHA19e6f726515782d8773cd641e653ec3bbe9df8d33
SHA2566314671a0ddc1bda270b4e13d0f7e0d44c8b10c26c478da7a4aeb43e3b3a9794
SHA51216969bfc654a2d5cc0b27b8185203df22f6cd4ac62b8f43b10230d3b9c162d16d5bce831bff4ec297cf6a5b47c55f9ef1331269c8738b92e4208ac3a861838db
-
Filesize
1.8MB
MD5a359113458b37da999c3dd72d1933391
SHA1de4c51dd690c8a227336a1044a9025fb330c51f0
SHA256a5bd7899aa10cbdc6fe54d890f2be4fc6f5397f1231cc51fd5cdeecc5992d33b
SHA512c30fa98fe8773426e7c14cc73816c5c42c46ffb88dd5a174d9c7be12e2b684fbb02e1a79f4c89d3645c0d1859509b35edd9040d5d9f9d203605db04f644ca6db
-
Filesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
393KB
MD57d7366ab79d6d3d8d83d13a8b30de999
SHA175c6c49a6701d254c3ce184054a4a01329c1a6f3
SHA2563d66fed04c76d055c6149b33dcfda544b509c57087c57a861e1d6256b59f8465
SHA51264f4551b3be1c21ce7c2d49608463e5aec4166e3e6893883c33a5b7d1109ef0fc8ab6bd15c70d9d606e2706f12a937c2d90d5bc8f6c629ad6f30f212dc25f022
-
Filesize
70B
MD51c5c0d2105718982915d88e1e34b7c24
SHA1ecb11df5274a3a37c81fc19b95ec316d39bb6f03
SHA256b5fd05a1a23d90dee32a1f61158a1e0859fde6882b289267c90845bb995b0c09
SHA5129e1f86ca561c034078acbce22e6b3b2dc938a883f4897167c96ad7c61f28d30075d66557335825c18a00f96467fbd1dee067bb756388ba60b21443ba964ba331
-
Filesize
602KB
MD5e4fc58d334930a9d6572c344e5129f6b
SHA1d38fbd0c4c86eee14722f40cc607e2128c01b00f
SHA256973a9056040af402d6f92f436a287ea164fae09c263f80aba0b8d5366ed9957a
SHA512a69f5da8de8c9782769cca2e2fc5b28bbeba0c0d0027954dbe47b15610d82277abbe912f0e5921a18000f1a3a3c54eb5922f70c773537a22f4b35ff926d17a59
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
396KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4KB
-
Filesize
416KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
32KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
336KB
-
Filesize
5.6MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
584KB
-
Filesize
6.1MB
-
Filesize
328KB
-
Filesize
472KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
320KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
40KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
452KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
1.1MB
-
Filesize
664KB
-
Filesize
336KB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
304KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
20.4MB
-
Filesize
1.1MB
-
Filesize
6.7MB
-
Filesize
6.5MB
-
Filesize
1.1MB
-
Filesize
528KB
-
Filesize
2.4MB
-
Filesize
972KB
-
Filesize
2.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
240KB
-
Filesize
472KB
-
Filesize
624KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
216KB
-
Filesize
68KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
3.3MB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
752KB
-
Filesize
936KB
-
Filesize
376KB