Analysis Overview
SHA256
67fadf8ac3d2ead9432d3872c87715b12dbe6974bf28a20622a9e75c555dfa61
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Stealc
Stealc family
Amadey
Modifies Windows Defender Real-time Protection settings
Amadey family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Uses browser remote debugging
Unsecured Credentials: Credentials In Files
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of web browsers
Windows security modification
Reads data files stored by FTP clients
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-12 05:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 05:22
Reported
2024-11-12 05:24
Platform
win7-20240903-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Amadey
Amadey family
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Downloads MZ/PE file
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\7ab237dff4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005695001\\7ab237dff4.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\d8ceef5873.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005697001\\d8ceef5873.exe" | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1616 set thread context of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\skotes.job | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\DocumentsHDGIJJDGCB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c99758,0x7fef6c99768,0x7fef6c99778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1472 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9229 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1300 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3616 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 --field-trial-handle=1376,i,14633955198061483646,9219514893746727161,131072 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\DocumentsHDGIJJDGCB.exe"
C:\Users\Admin\DocumentsHDGIJJDGCB.exe
"C:\Users\Admin\DocumentsHDGIJJDGCB.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe
"C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe"
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe
"C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 172.217.169.42:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 172.217.169.42:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.43:80 | 185.215.113.43 | tcp |
| RU | 185.215.113.16:80 | 185.215.113.16 | tcp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| N/A | 127.0.0.1:9229 | tcp | |
| N/A | 127.0.0.1:9229 | tcp |
Files
memory/2884-0-0x0000000001380000-0x0000000001A1B000-memory.dmp
memory/2884-1-0x00000000775F0000-0x00000000775F2000-memory.dmp
memory/2884-3-0x0000000001380000-0x0000000001A1B000-memory.dmp
memory/2884-2-0x0000000001381000-0x0000000001398000-memory.dmp
memory/2884-4-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\??\pipe\crashpad_2320_LETTDVXMETCSRNZN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/2884-80-0x0000000001380000-0x0000000001A1B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
memory/2884-91-0x0000000001380000-0x0000000001A1B000-memory.dmp
memory/2884-100-0x0000000001380000-0x0000000001A1B000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\Users\Admin\DocumentsHDGIJJDGCB.exe
| MD5 | 4ebddc2f0f80354c7d3ff3d8ab59f97d |
| SHA1 | ad56198f2cd24912ef529d0af2a6083f2d1f55e6 |
| SHA256 | 85501a3d5ed2f918336affd99eb1d15953609b2dbc16aa8f0c5b254fbd09686d |
| SHA512 | 8651e29161de7d6178f8196230dda3e618591d24d89f7b8981039fd656b680c98a2575d4d7724d43dcd34f78c71f47f62a72b1730a52afdcdf60392e372cac8f |
memory/1884-138-0x0000000000A80000-0x0000000000D90000-memory.dmp
memory/2884-140-0x0000000001380000-0x0000000001A1B000-memory.dmp
memory/1616-152-0x0000000000BB0000-0x0000000000EC0000-memory.dmp
memory/1884-151-0x0000000000A80000-0x0000000000D90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1005695001\7ab237dff4.exe
| MD5 | 2878cc9a985c0fb2e09a37a43f3d99ae |
| SHA1 | 41fe91f926c0f82e16454d9871c72776bfc5f104 |
| SHA256 | 67fadf8ac3d2ead9432d3872c87715b12dbe6974bf28a20622a9e75c555dfa61 |
| SHA512 | d74fb363e5c544d643f2e1e73fb837ad1c74b829fa98d056e8cb4d22f4aaf34d5f06099d2ba52bf20453766ff5ba87d14cca5367f087330a4a8542827810e1da |
memory/1616-170-0x00000000068E0000-0x0000000006F7B000-memory.dmp
memory/2420-172-0x00000000002C0000-0x000000000095B000-memory.dmp
memory/1616-171-0x00000000068E0000-0x0000000006F7B000-memory.dmp
memory/2420-174-0x00000000002C0000-0x000000000095B000-memory.dmp
memory/1616-175-0x0000000000BB0000-0x0000000000EC0000-memory.dmp
memory/1616-180-0x00000000062C0000-0x00000000065D0000-memory.dmp
memory/1700-181-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-183-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1616-185-0x0000000000BB0000-0x0000000000EC0000-memory.dmp
memory/1700-186-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-189-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-190-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-198-0x0000000000BB0000-0x0000000000EC0000-memory.dmp
memory/1700-197-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-195-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-194-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1700-192-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-201-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-205-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-208-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-212-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-199-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-215-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-214-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-213-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-211-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-210-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-220-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-209-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-216-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-217-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-218-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-221-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-222-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-219-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-207-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-206-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-204-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-203-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-202-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1700-200-0x0000000000400000-0x0000000000A9B000-memory.dmp
memory/1616-254-0x00000000068E0000-0x0000000006F7B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1005697001\d8ceef5873.exe
| MD5 | b9e7f5643e8ed276a27f154c12f9d029 |
| SHA1 | 66269d92921ee899446220899628336f6daf7e63 |
| SHA256 | dbbfe2ba0868f38a3eab5ffa3543170f22b8f044789f6e8026d46aae3e83dc33 |
| SHA512 | 34fbe09c36b690a3d63ba128f56d1bc14f0a02ad37c31e01e0a6c38bf87e7a5f6967683de919553867d7bc705f287be05555735770572068387b7dfa82d597cf |
memory/1820-269-0x0000000001250000-0x0000000001518000-memory.dmp
memory/1616-267-0x00000000068E0000-0x0000000006BA8000-memory.dmp
memory/1820-270-0x0000000001250000-0x0000000001518000-memory.dmp
memory/1820-271-0x0000000001250000-0x0000000001518000-memory.dmp
memory/1820-274-0x0000000001250000-0x0000000001518000-memory.dmp
memory/1820-276-0x0000000001250000-0x0000000001518000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 05:22
Reported
2024-11-12 05:24
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
144s
Command Line
Signatures
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.215.113.206:80 | 185.215.113.206 | tcp |
| US | 8.8.8.8:53 | 206.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
memory/2528-0-0x0000000000630000-0x0000000000CCB000-memory.dmp
memory/2528-1-0x0000000077BB4000-0x0000000077BB6000-memory.dmp
memory/2528-2-0x0000000000631000-0x0000000000648000-memory.dmp
memory/2528-3-0x0000000000630000-0x0000000000CCB000-memory.dmp
memory/2528-5-0x0000000000630000-0x0000000000CCB000-memory.dmp