Analysis
max time kernel: 148s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 21:13
Static task: static1
Behavioral task: behavioral1
Sample: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Resource: win7-20240903-en
General
Target: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Size: 3.1MB
MD5: 5414a4ee71faf061656cf6e5799f6814
SHA1: 131d118f0a2a8b8347f81dccf232c1126581a48e
SHA256: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a
SHA512: ab30851216dde32626a62ecaeaab6289d2239a4b8547726fece82c3a744e6deee7ce9886cd1cf8d03ffb95d05a02386a6ecf583099cc803a87517ed20b5d3b87
SSDEEP: 49152:2z+UsTxH00MQH4F6yyqG0pQKvH4uKtBbD1ajFa:2z4H5MQYF65GqKwfrbpajFa
Malware Config
Extracted
Family: amadey
Version: 4.42
Botnet ID: 9c9aa5
C2: http://185.215.113.43
Attributes:
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php
Signatures

Amadey family

Cryptbot family

Detects CryptBot payload (1 IoC)
CryptBot is a C++ information stealer that is widely distributed bundled with other software.
resource | yara_rule
behavioral1/memory/2396-162-0x0000000069CC0000-0x000000006A71B000-memory.dmp (memory of PID 2396, 31f4238348.exe) | family_cryptbot_v3

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 3ce8e05094.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 3ce8e05094.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 3ce8e05094.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 3ce8e05094.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 3ce8e05094.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 3ce8e05094.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3ce8e05094.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 31f4238348.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 08358133df.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 534a13ae21.exe
Downloads MZ/PE file

Uses browser remote debugging (2 TTPs, 4 IoCs)
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
1740 | chrome.exe
2180 | chrome.exe
596 | chrome.exe
2880 | chrome.exe
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 31f4238348.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 08358133df.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 534a13ae21.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3ce8e05094.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 31f4238348.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 08358133df.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 534a13ae21.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3ce8e05094.exe
Executes dropped EXE (12 IoCs)
pid | Process
108 | skotes.exe
688 | crypted2.exe
2764 | crypted2.exe
1772 | aefce41067.exe
2452 | exploma.exe.exe
2396 | 31f4238348.exe
468 | 08358133df.exe
1808 | 534a13ae21.exe
2228 | 3ce8e05094.exe
2056 | service123.exe
1836 | service123.exe
2300 | babababa.exe
Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | 31f4238348.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | 08358133df.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | 534a13ae21.exe
Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | 3ce8e05094.exe
Loads dropped DLL (29 IoCs)
pid | Process | occurrences
2148 | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe | 1
108 | skotes.exe | 12
688 | crypted2.exe | 1
2740 | WerFault.exe | 3
2212 | cmd.exe | 1
2684 | WerFault.exe | 4
2396 | 31f4238348.exe | 2
1940 | WerFault.exe | 3
2056 | service123.exe | 1
1836 | service123.exe | 1
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 3ce8e05094.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 3ce8e05094.exe
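The Defender rows above (Real-Time Protection policy values set to 1, Features\TamperProtection set to 0) and the VBOX__, Wine and BIOS-version probes earlier in this list are the registry events a host detection rule keys on. The following is an added example, not part of this report or of the sandbox that produced it: a Python triage routine run over constructed events copied from the rows above. It normalizes the kernel object paths the sandbox logs (\REGISTRY\MACHINE becomes HKLM, the user SID is dropped, and the Wow6432Node redirection is folded away so the 32-bit writer 3ce8e05094.exe matches the policy path a 64-bit process would write) and then classifies each event. The event tuple layout and the category names are this example's own.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample events modelled on the registry rows in this report:
# (operation, key path as the sandbox logs it, data written or None, process).
# For "Set value"/"Key value queried" rows the value name is the last path component.
SAMPLE_EVENTS = [
    ("Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "1", "3ce8e05094.exe"),
    ("Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
     "1", "3ce8e05094.exe"),
    ("Set value (int)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "0", "3ce8e05094.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", None, "skotes.exe"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine", None, "skotes.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None, "skotes.exe"),
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\534a13ae21.exe",
     r"C:\Users\Admin\AppData\Local\Temp\1006052001\534a13ae21.exe", "skotes.exe"),
    # Benign control (constructed): Chrome touching its own settings must not alert.
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Google\Chrome", None, "chrome.exe"),
]


@dataclass(frozen=True)
class Finding:
    category: str
    process: str
    detail: str


def normalize(path: str) -> str:
    """Lower-case a kernel registry path, map the hive to HKLM/HKU, drop the
    per-user SID and the Wow6432Node redirection, so that a 32-bit writer and a
    64-bit writer of the same policy key compare equal."""
    p = path.lower()
    if p.startswith("\\registry\\machine\\"):
        p = "hklm\\" + p[len("\\registry\\machine\\"):]
    elif p.startswith("\\registry\\user\\"):
        _sid, _, rest = p[len("\\registry\\user\\"):].partition("\\")
        p = "hku\\" + rest
    return p.replace("\\wow6432node\\", "\\")


DEFENDER_RTP = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection"
DEFENDER_FEATURES = "hklm\\software\\microsoft\\windows defender\\features"
RUN_KEY = "hku\\software\\microsoft\\windows\\currentversion\\run"
ANTI_VM_KEYS = {"hklm\\hardware\\acpi\\dsdt\\vbox__", "hku\\software\\wine"}
BIOS_VALUES = {"systembiosversion", "videobiosversion"}


def triage(events):
    """Classify sandbox registry events into the behaviours this report flags."""
    findings = []
    for op, path, data, proc in events:
        npath = normalize(path)
        if op.startswith("Set value") or op == "Key value queried":
            key, _, value = npath.rpartition("\\")
        else:
            key, value = npath, ""
        if key == DEFENDER_RTP and value.startswith("disable") and data == "1":
            findings.append(Finding("defender_policy_disable", proc, value))
        elif key == DEFENDER_FEATURES and value == "tamperprotection" and data == "0":
            findings.append(Finding("tamper_protection_off", proc, value))
        elif npath in ANTI_VM_KEYS or (key.endswith("\\description\\system") and value in BIOS_VALUES):
            findings.append(Finding("anti_vm_probe", proc, value or npath))
        elif key == RUN_KEY and op.startswith("Set value"):
            findings.append(Finding("run_key_persistence", proc, f"{value} -> {data}"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'anti_vm_probe': 3, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.category:24} {f.process:18} {f.detail}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

Two caveats when turning this into a production rule. First, a single BIOS or VBOX__ read is weak on its own (Chrome itself queries the BIOS key, as the "Enumerates system info in registry" signature below shows); the combination of several probes from one freshly dropped binary is the signal. Second, this run is on a Windows 7 image, which has no Tamper Protection feature, so the TamperProtection = 0 write is aimed at Windows 10 and later victims; there, Tamper Protection, when enabled, ignores registry-level changes to these settings and cannot itself be switched off by a registry write, so the value change is a detection opportunity rather than a working bypass.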
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\exploma.exe = "C:\\Users\\Admin\\AppData\\Local\\exploma.exe.exe" | aefce41067.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\aefce41067.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1005824001\\aefce41067.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\08358133df.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006051001\\08358133df.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\534a13ae21.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006052001\\534a13ae21.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\3ce8e05094.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006054001\\3ce8e05094.exe" | skotes.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
10 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
pid | Process
2148 | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
108 | skotes.exe
2396 | 31f4238348.exe
468 | 08358133df.exe
1808 | 534a13ae21.exe
2228 | 3ce8e05094.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 688 set thread context of 2764 | 688 | crypted2.exe | 34

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
pid | pid_target | Process | procid_target
2740 | 688 | WerFault.exe | 33
2684 | 468 | WerFault.exe | 46
1940 | 2396 | WerFault.exe | 45
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crypted2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 08358133df.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 534a13ae21.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3ce8e05094.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | crypted2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 31f4238348.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2124 | cmd.exe
2212 | cmd.exe
1868 | PING.EXE
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 31f4238348.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 31f4238348.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
1868 | PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1156 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process | occurrences
2148 | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe | 1
108 | skotes.exe | 1
2764 | crypted2.exe | 4
2396 | 31f4238348.exe | 1
468 | 08358133df.exe | 5
1808 | 534a13ae21.exe | 1
2228 | 3ce8e05094.exe | 3
596 | chrome.exe | 2

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 2228 | 3ce8e05094.exe | 1
Token: SeShutdownPrivilege | 596 | chrome.exe | 4

Suspicious use of FindShellTrayWindow (35 IoCs)
pid | Process | occurrences
2148 | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe | 1
596 | chrome.exe | 34
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 2148 wrote to memory of 108 | 2148 | aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe | 31 | 4
PID 108 wrote to memory of 688 | 108 | skotes.exe | 33 | 4
PID 688 wrote to memory of 2764 | 688 | crypted2.exe | 34 | 11
PID 688 wrote to memory of 2740 | 688 | crypted2.exe | 35 | 4
PID 108 wrote to memory of 1772 | 108 | skotes.exe | 36 | 4
PID 1772 wrote to memory of 2124 | 1772 | aefce41067.exe | 37 | 3
PID 2124 wrote to memory of 2212 | 2124 | cmd.exe | 39 | 3
PID 2212 wrote to memory of 1868 | 2212 | cmd.exe | 41 | 3
PID 2212 wrote to memory of 2452 | 2212 | cmd.exe | 42 | 3
PID 108 wrote to memory of 2396 | 108 | skotes.exe | 45 | 4
PID 108 wrote to memory of 468 | 108 | skotes.exe | 46 | 4
PID 468 wrote to memory of 2684 | 468 | 08358133df.exe | 47 | 4
PID 108 wrote to memory of 1808 | 108 | skotes.exe | 48 | 4
PID 108 wrote to memory of 2940 | 108 | skotes.exe | 49 | 4
PID 108 wrote to memory of 2228 | 108 | skotes.exe | 50 | 4
PID 2396 wrote to memory of 596 | 2396 | 31f4238348.exe | 51 | 1
Processes

[1] C:\Users\Admin\AppData\Local\Temp\aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe (PID 2148)
    command line: "C:\Users\Admin\AppData\Local\Temp\aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 108)
      command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\1005561001\crypted2.exe (PID 688)
        command line: "C:\Users\Admin\AppData\Local\Temp\1005561001\crypted2.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\1005561001\crypted2.exe (PID 2764)
          command line: "C:\Users\Admin\AppData\Local\Temp\1005561001\crypted2.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 2740)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 92
          - Loads dropped DLL
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\1005824001\aefce41067.exe (PID 1772)
        command line: "C:\Users\Admin\AppData\Local\Temp\1005824001\aefce41067.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe (PID 2124)
          command line: C:\Windows\system32\cmd.exe /c start cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\exploma.exe.exe"
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\cmd.exe (PID 2212)
            command line: cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\exploma.exe.exe"
            - Loads dropped DLL
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\PING.EXE (PID 1868)
              command line: ping localhost -n 1
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
          [6] C:\Users\Admin\AppData\Local\exploma.exe.exe (PID 2452)
              command line: C:\Users\Admin\AppData\Local\exploma.exe.exe
              - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\1005956001\31f4238348.exe (PID 2396)
        command line: "C:\Users\Admin\AppData\Local\Temp\1005956001\31f4238348.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Loads dropped DLL
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 596)
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
          - Uses browser remote debugging
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1260)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef69e9758,0x7fef69e9768,0x7fef69e9778
        [5] C:\Windows\system32\ctfmon.exe (PID 872)
            command line: ctfmon.exe
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2012)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1156,i,2843522659355677068,10907956029448711796,131072 /prefetch:2
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 556)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1156,i,2843522659355677068,10907956029448711796,131072 /prefetch:8
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1128)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1156,i,2843522659355677068,10907956029448711796,131072 /prefetch:8
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1740)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1156,i,2843522659355677068,10907956029448711796,131072 /prefetch:1
            - Uses browser remote debugging
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2880)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1156,i,2843522659355677068,10907956029448711796,131072 /prefetch:1
            - Uses browser remote debugging
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2788)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1372 --field-trial-handle=1156,i,2843522659355677068,10907956029448711796,131072 /prefetch:2
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2180)
            command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1252 --field-trial-handle=1156,i,2843522659355677068,10907956029448711796,131072 /prefetch:1
            - Uses browser remote debugging
      [4] C:\Users\Admin\AppData\Local\Temp\service123.exe (PID 2056)
          command line: "C:\Users\Admin\AppData\Local\Temp\service123.exe"
          - Executes dropped EXE
          - Loads dropped DLL
      [4] C:\Windows\SysWOW64\schtasks.exe (PID 1156)
          command line: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 1940)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 952
          - Loads dropped DLL
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\1006051001\08358133df.exe (PID 468)
        command line: "C:\Users\Admin\AppData\Local\Temp\1006051001\08358133df.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 2684)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1212
          - Loads dropped DLL
          - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\1006052001\534a13ae21.exe (PID 1808)
        command line: "C:\Users\Admin\AppData\Local\Temp\1006052001\534a13ae21.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (PID 2940)
        command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\1006054001\3ce8e05094.exe (PID 2228)
        command line: "C:\Users\Admin\AppData\Local\Temp\1006054001\3ce8e05094.exe"
        - Modifies Windows Defender Real-time Protection settings
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Identifies Wine through registry keys
        - Windows security modification
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe (PID 2300)
        command line: "C:\Users\Admin\AppData\Local\Temp\1006055001\babababa.exe"
        - Executes dropped EXE
[1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 860)
    command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

[1] C:\Windows\system32\taskeng.exe (PID 2716)
    command line: taskeng.exe {C03A92F6-5D03-40A0-8AC0-6A79E151C85F} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
  [2] C:\Users\Admin\AppData\Local\Temp\service123.exe (PID 1836)
      command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
      - Executes dropped EXE
      - Loads dropped DLL
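Three launch patterns in the tree above are worth a process-creation rule: 31f4238348.exe starting Chrome with --remote-debugging-port=9222 (a DevTools endpoint the parent can drive, which is what the "Uses browser remote debugging" signature refers to), schtasks.exe creating a "once" task for service123.exe that repeats every minute (/ri 1) for 9800 hours (/du 9800:59), and cmd.exe using ping localhost -n 1 as a one-second sleep before starting the dropped exploma.exe.exe. The following is an added example, not part of this report or of the sandbox that produced it: a Python triage pass over constructed process records (pid, parent pid, image, command line) copied from the tree. The record layout, the category names and the browser image list are this example's own, and the parent check is by image name only.

```python
import re

# Constructed process records modelled on the tree above:
# (pid, parent pid, image name, command line). Only the fields needed here.
SAMPLE_PROCS = [
    (108, 2148, "skotes.exe", r'"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"'),
    (2212, 2124, "cmd.exe",
     r'cmd /C "ping localhost -n 1 && start C:\Users\Admin\AppData\Local\exploma.exe.exe"'),
    (2396, 108, "31f4238348.exe", r'"C:\Users\Admin\AppData\Local\Temp\1005956001\31f4238348.exe"'),
    (596, 2396, "chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"'),
    (1740, 596, "chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222 --lang=en-US'),
    (1156, 2396, "schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f'),
    # Benign control (constructed): Chrome started by Explorer without debugging flags.
    (3000, 1500, "chrome.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}  # example list, extend as needed
REMOTE_DEBUG = re.compile(r"--remote-debugging-(?:port=(\d+)|pipe)", re.I)
PING_THEN_START = re.compile(r'ping\s+[^&]*&&\s*start\s+("[^"]+"|\S+)', re.I)
# One schtasks switch plus its optional argument; quoted arguments may contain spaces.
SCHTASKS_ARG = re.compile(r'(/\w+)(?:\s+("([^"]*)"|(?!/)\S+))?')


def parse_schtasks(cmdline: str) -> dict:
    """Return schtasks switches lower-cased: quoted arguments unquoted,
    switches without an argument (/create, /f) mapped to True."""
    opts = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        arg = m.group(3) if m.group(3) is not None else m.group(2)
        opts[m.group(1).lower()] = True if arg is None else arg
    return opts


def duration_minutes(hhmm: str) -> int:
    """Convert a schtasks /du value (HHHH:MM) to minutes."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def triage_processes(procs):
    """Return (category, pid, detail) tuples for the three launch patterns in
    this tree: a browser started with a remote-debugging endpoint by a
    non-browser parent, a one-shot scheduled task that repeats for a day or
    more, and cmd.exe using ping as a sleep before starting a dropped binary."""
    image_by_pid = {pid: image.lower() for pid, _, image, _ in procs}
    findings = []
    for pid, ppid, image, cmdline in procs:
        img = image.lower()
        parent = image_by_pid.get(ppid, "<unknown>")
        dbg = REMOTE_DEBUG.search(cmdline)
        if img in BROWSERS and dbg and "--type=" not in cmdline and parent not in BROWSERS:
            # Renderer and GPU children inherit the flag; matching only the
            # browser process (no --type=) gives one finding per launch.
            port = dbg.group(1) or "pipe"
            findings.append(("browser_remote_debugging", pid, f"{image} port={port} parent={parent}"))
        elif img == "schtasks.exe" and "/create" in cmdline.lower():
            o = parse_schtasks(cmdline)
            du = o.get("/du")
            long_running = isinstance(du, str) and duration_minutes(du) >= 24 * 60
            if str(o.get("/sc", "")).lower() == "once" and "/ri" in o and long_running:
                findings.append(("schtasks_repeating_once", pid,
                                 f"{o.get('/tn')} -> {o.get('/tr')} every {o['/ri']} min for {du}"))
        elif img == "cmd.exe":
            m = PING_THEN_START.search(cmdline)
            if m:
                findings.append(("ping_delay_launcher", pid, m.group(1).strip('"')))
    return findings


if __name__ == "__main__":
    for category, pid, detail in triage_processes(SAMPLE_PROCS):
        print(f"{category:26} pid={pid:<5} {detail}")
```

The report's own "Uses browser remote debugging" signature counts four IoCs because it matches the renderer children as well as PID 596; the rule above deliberately collapses those to one finding keyed on the parent, since the interesting fact is who started the browser, not how many helper processes inherited the flag. The taskeng.exe entry at the end of the tree, with child service123.exe (PID 1836) launched from the exact /tr path, confirms that the scheduled task fired inside the analysis window; a rule that pairs the schtasks creation with the later taskeng- or svchost-parented execution of the same path catches the persistence actually working, not just being registered.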
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Modify Authentication Process (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Defense Evasion
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Authentication Process (1)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (2)

Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2): Credentials In Files (2)

Discovery
- Browser Information Discovery (1)
- Query Registry (6)
- Remote System Discovery (1)
- System Information Discovery (4)
- System Location Discovery (1): System Language Discovery (1)
- System Network Configuration Discovery (1): Internet Connection Discovery (1)
- Virtualization/Sandbox Evasion (2)
Downloads

Filesize: 16B
MD5: 18e723571b00fb1694a3bad6c78e4054
SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 2.7MB
MD5: ab265fae6a5178c617b3d82dca1e16f0
SHA1: f5cc6a78b3186239bdb492a37668e6e22f827aec
SHA256: d9fba27655b90106c566310bbaaabfca48c0d74db5c29cb6eb075fa105fd24a9
SHA512: 3e201eb104a0a1913d8ea7a45300a6a75dcbd4979dc47b0ec07e8186e3de61c7f3314461e504d3ed833fc34114193542669fca44d4f8338fb8c2cd32427981de

Filesize: 3.5MB
MD5: bcd58bf1a969740fd1e8329f851bb0cc
SHA1: 1d553e9014146260847ab8c28496f07ec8bf4d49
SHA256: be40f0f232d87663f189587f4809bac6d0394009c520d245092cef93a61ba7b1
SHA512: 378d912a45aa54dbee8f153f87b1eb171b834faf44c5a5322baeb076dc4d458b19b2176083eee8828827e3922a471e3773d921178b09907e77315d51f3f7f331
Filesize: 4.2MB
MD5: 9b7b17c5d8b853b977c3323d185f46ae
SHA1: 324d24034035435358667fe62f401b6554f01709
SHA256: 15061c0865ab309233a84c072583620ae04cd8ecfe4d1a0d9df052e740166f95
SHA512: bdd412f6df6bdfec58856dc11d45fe9e3ee022fabbec6a1b7c140beac1a27ba41a4f8a39f7cc04696dc4fa904f17dd4aae2608096bad4c2f70db5043aaa773db

Filesize: 3.0MB
MD5: 1679847fc3d6173b33c5bc2b2edca142
SHA1: 8e76660cbe31c9ccfd9d43aebcff9e0c9150660f
SHA256: af2c8e421a858c0cf7f416d78c3beba9cb0d53808ab4492fe2a2a747aa7bb0e7
SHA512: c0ffa44a2b2ed196bf3022b053f7a6f2ec03299997535e1069e505e20446ee61d31dbd124fb9e4582c5f71d0fc39a84e6e72fc182716504e097b6a18f95de5b7

Filesize: 1.8MB
MD5: 7496ab59ffb86bf1c658489ca7128933
SHA1: 4b5aff93958a89d2778de9a17918b2df96cf8807
SHA256: bd7faaaf7173bc1fb80c8d60df889957e073407939b3f2aed28a62f61f8ad3d4
SHA512: 050db57d5aedd88b1f38c0a1c216abd383f272225710e7ca3aae2f546d061aaddf57701f3e098b545f9a5a984d86750fcb90acede70e3b65f423c284964305cf
Filesize: 2.7MB
MD5: 2786f43899bd5d2876cd6591848f9b13
SHA1: 2b5d7dec2e55d9bbc30deaa8b7dfcc9d2686e057
SHA256: ea665102e0e2ca7b45bb70ccaef20fc995403d09d75a820e8bbf969a161d5143
SHA512: aa50a04a07e45a74c373a92f00aa4c750b2fd35fc76c6b70a64d932b23e785d7193a7a6ac1cf8db6e51bb419e4c6ff77fdf85ddf7d7655e92600a667bc609be9

Filesize: 33.3MB
MD5: 8fb77810c61e160a657298815346996e
SHA1: 4268420571bb1a858bc6a9744c0742d6fd738a83
SHA256: a0840c581f8f1d606fdc43bc98bd386755433bf1fb36647ecf2165eea433ff66
SHA512: b0d0aea14bfbb5dfa17536b1669d85fc1325140f6a0176ae1c04870efa3adc902d5755f0df00d305f01120960e95bfc40c37c7519ec2827797ebaa95097cfeb2

Filesize: 3.1MB
MD5: 5414a4ee71faf061656cf6e5799f6814
SHA1: 131d118f0a2a8b8347f81dccf232c1126581a48e
SHA256: aa8fd743b218ec89cf0d2f273026dec78b9ca5e76aacc472d0f87cb48057a00a
SHA512: ab30851216dde32626a62ecaeaab6289d2239a4b8547726fece82c3a744e6deee7ce9886cd1cf8d03ffb95d05a02386a6ecf583099cc803a87517ed20b5d3b87