Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-11-2024 20:07
General
-
Target
a54df74ebb8014ea3bfc6f05ecc3afdc409260f37a57d5d9bc1430ac6c211875.exe
-
Size
5.5MB
-
MD5
f9f0c48f061092e154bd50783d383ec4
-
SHA1
11060ec507eff5e7f9d08bef66ff0f8796ed1e31
-
SHA256
a54df74ebb8014ea3bfc6f05ecc3afdc409260f37a57d5d9bc1430ac6c211875
-
SHA512
c6fa367df2a0b7c0c605ecf251871f6776ada3709c65ce92da95622302d4f723d1c00dce6730f1658aad8539c523aafb3dff9fcd9bae8f7ba248d68b007ede61
-
SSDEEP
98304:5C6NjxwJS9BLBBGZvHKIVExE9/RH89zuNvoX4JpGAfh02eDhXn+5VbSdPyBxqTl:5C+wGLGthVX/RH89zgvoXO4002wXEOdV
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://scriptyprefej.store
https://navygenerayk.store
https://founpiuer.store
https://necklacedmny.store
https://thumbystriw.store
https://fadehairucw.store
https://crisiwarny.store
https://presticitpo.store
Extracted
stealc
tale
http://185.215.113.206
-
url_path
/6c4adf523b719729.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a54df74ebb8014ea3bfc6f05ecc3afdc409260f37a57d5d9bc1430ac6c211875.exe"C:\Users\Admin\AppData\Local\Temp\a54df74ebb8014ea3bfc6f05ecc3afdc409260f37a57d5d9bc1430ac6c211875.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\f0A60.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1M26j7.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1006979001\68ba752498.exe"C:\Users\Admin\AppData\Local\Temp\1006979001\68ba752498.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"6⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd3178cc40,0x7ffd3178cc4c,0x7ffd3178cc587⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,3157922637306466934,13806570057584767345,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:27⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,3157922637306466934,13806570057584767345,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:37⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,3157922637306466934,13806570057584767345,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,3157922637306466934,13806570057584767345,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:17⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3428,i,3157922637306466934,13806570057584767345,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:17⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4332,i,3157922637306466934,13806570057584767345,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4240 /prefetch:17⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 18806⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006980001\dfb086c02b.exe"C:\Users\Admin\AppData\Local\Temp\1006980001\dfb086c02b.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006981001\284a20c712.exe"C:\Users\Admin\AppData\Local\Temp\1006981001\284a20c712.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1006982001\30b26382fd.exe"C:\Users\Admin\AppData\Local\Temp\1006982001\30b26382fd.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking7⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0948ad8-843d-4b11-883c-1180c32d3e9f} 3796 "\\.\pipe\gecko-crash-server-pipe.3796" gpu8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a434dc-1469-4d58-aa95-383893112bfe} 3796 "\\.\pipe\gecko-crash-server-pipe.3796" socket8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1500 -childID 1 -isForBrowser -prefsHandle 1492 -prefMapHandle 3224 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1c13c16-371f-4ba8-aabe-58212404d728} 3796 "\\.\pipe\gecko-crash-server-pipe.3796" tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2820 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb397559-9b8a-4bb9-8d41-f601cbe0da54} 3796 "\\.\pipe\gecko-crash-server-pipe.3796" tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4472 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4480 -prefMapHandle 4476 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b3addf0-a289-44ff-a6be-72d807d767a1} 3796 "\\.\pipe\gecko-crash-server-pipe.3796" utility8⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5284 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95815f99-b05e-4841-8cce-dd89ec475445} 3796 "\\.\pipe\gecko-crash-server-pipe.3796" tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5472 -childID 4 -isForBrowser -prefsHandle 5480 -prefMapHandle 5376 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {696c26fd-e2a9-4076-bf5f-ffd2b86762d6} 3796 "\\.\pipe\gecko-crash-server-pipe.3796" tab8⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5668 -prefMapHandle 5672 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8abbde88-394c-4ce7-9503-ec7fbf341d01} 3796 "\\.\pipe\gecko-crash-server-pipe.3796" tab8⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1006983001\5aa7d9031c.exe"C:\Users\Admin\AppData\Local\Temp\1006983001\5aa7d9031c.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2n6965.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3f60z.exe" & del "C:\ProgramData\*.dll"" & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2724 -ip 27241⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
676KB
MD5eda18948a989176f4eebb175ce806255
SHA1ff22a3d5f5fb705137f233c36622c79eab995897
SHA25681a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
SHA512160ed9990c37a4753fc0f5111c94414568654afbedc05308308197df2a99594f2d5d8fe511fd2279543a869ed20248e603d88a0b9b8fb119e8e6131b0c52ff85
-
Filesize
1KB
MD5df832fed6874da79c839288c7fdcfe05
SHA1bc5b4ecfa9045457ccc51de55215511e01d1bca9
SHA256e5ac696d939d04ee93fa5bc9af7578cab2bc7a81de70509ff511aff66bce373f
SHA5127b9a971022392eb491793df7cdb1737bc28d62a7787a83809af39a36b6c55ded0e817a6580209ad70e3afe607c9e7dfa91ca0583da7efc19e70e206332651ac4
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD56251017ef66e94b89f5d98f4e9720987
SHA193ab89638530cb7bcab8f727906a606b1b05e318
SHA256aa90fcc4bac35b647bbc422df9cf772c5227fa8d17947c68f2ef00f6d6692810
SHA512034ad9a82dec037056f978db31cb07d636965fb1d3d18028e1c1bbd898ae26e2740d34585d9c5deda9bb4bee39efb4260e38a8bff25ea2d2c440df980fae766c
-
Filesize
22KB
MD530090102fd69fecec54930640fdf1b92
SHA13f9d73945cacba4e27d1523fef67ce9edbceeece
SHA256dddeae91e1e6e92bd0261f9d601a7805707aaf7914ea7f96495721aec64ff4b2
SHA5120d43e5726d4be53065fe9e0c095f6dbd20476e3d42985192c3af6096cbdada1475df917920ee3c40d9d520641a9e4c9b33ff2bb077ed353b566ee89f2f99cb4d
-
Filesize
13KB
MD545a042c0f946aa99badb5b2433597183
SHA1812f0d07290831ebcdfd43803513b6abae4faab4
SHA256075e64f7f92910818865cee385f46274bb8d11af94c7522c94084f5524e3563c
SHA512b7bef2e6240b560f1d7c7c245b0f5654715c5899236beaeb9d36745bd55fa31a2dcdfddb44969fcb5b92e6c92d5944e2a50aa04380271c466e20515df537015a
-
Filesize
4.2MB
MD5ba8a76d8f6d92b38766df5cea014b76a
SHA19da75fe4e75b7e2b3707e655f6e08f9f884267e5
SHA256e315015d4858a0d26297859a30aaf1526d1c066acc6384937a3568c0571fa21b
SHA51261c739e26f0f9ae87ac670643249aebc15f0ac8bb3e9f9fde7fceca52dba147db1760aa381e2a70fd16f39479ca4c3d1b3065e7ae949cddbbe7667ca742a8be1
-
Filesize
1.8MB
MD5054f51597fdea53aeabe7221bef8f4ed
SHA14ac7f3f2620c0599508199a9831cc5b881690901
SHA256e9e61e8d998bd126741766cb0958833ba53f5cf4e6893dcbd7fde68800d7e194
SHA512595241781f363bb8cb1a2ead54dadfb4b63e2b709285169e3eca7f53916225efaec48f4e2974abb6cc8e1ae1075eb2ab457547f4464d24428500735f516b9f0b
-
Filesize
1.7MB
MD5eb23b9440cdf9c98ca59cb2ac64b8f5b
SHA11ef3b7de6db8c5d31707fa7a577889256f42e9d7
SHA256e1b2645165b4fed7644b88a50c40961129ff2e117e0a7a086612170c00ab2fa4
SHA5121a627314395dfe5686f4f2839f75d7f36115316d477345c3d8fad0fb965a0a059b0748c709d2b09a8b51024ddd0972d84ed9fcf5a8c3b9b9c0cc3fe4963ad55e
-
Filesize
900KB
MD5ea78b59c28c1bd37d5c741be34b6d7cf
SHA1e449ca0ca08522ba3968a6eb1e4defefee88e89b
SHA2560afbb25b65ac3382f80db54880c75cadecc782c33bcf3c3ac05c36d5f7c7b19d
SHA512bc996052f715a3bf6810c9a62aa59f6c81ad045a266d5ff79f9a5e56ccaa6f4763c816e9bec67d3a4727dbbbcc1bff15fb49ce8379db4d9ec364db64846f39e1
-
Filesize
2.6MB
MD541a8f6c96adf5f9dd2283df14d3fe1a1
SHA188b60beb69d93ed490ca7c840ec4316b1114b01b
SHA256b72c2fe6a8f95089a370e176870d6fe8134f546528606aae267576a5264d0beb
SHA51229cad33ef531b4f5739c26961034c5751bebea4eab8a8c0aee90e6ba55acf7296aecd3d9e4007e2f1182d919f4300561672b4f15511519fc52714e548bd7fc05
-
Filesize
2.0MB
MD55f44f2bb693c50d1141aa214dac22796
SHA1aa3408aaf55c7fc92b90cdbb08075c2b59a7a6dc
SHA256184b2aee425e019ac00a1000a882e5d01e4175e90d84ca0e473db487d43add7d
SHA5124ea0f394a1ec64d7c97b726d7df92519ac87d053e3c1030b0bd8a3fd9b41beed1f48008f85b02b5de2f505e2283888e142dfb8dd3499440b3c00e28da9f23d4e
-
Filesize
3.4MB
MD5c3a949833a4a77388c9d278084868bf2
SHA1c1ccbe6146d98e96ee02adf0fd297cbc92237709
SHA2563021414754d72ad9d34ea792cef5362384325ff5b3ed75bb534b8618546e5d90
SHA5123ff6a290e51bdb7f781378b5d43eb6997cef9bfcb7de7f239d910f4d6fb1f44254679102c7fa08aa1445298d55477c26fd9fd64ea6d205e5e4930e497a568b26
-
Filesize
3.1MB
MD574ba48529515c95320f4a86fc42fc668
SHA1c33b2b0c5e43e5ac274206ae964cf85bb8718048
SHA256766282cfd30bca193b9e0863f0a994fefb694eb65fd3762461c07c299a5722fa
SHA51216f09889b08eb9a4c2176ccfb590e31007c0c49336ba7aef6d54f16c6133c36945b3281ff7a4ff0099a0cae1eae12be2846ab24dbe1f977000953eb2868e85f8
-
Filesize
3.0MB
MD5a8f20ad3d41973d7375370b0b7e0f206
SHA11e7775500a8838eb99511557a0a6b91001711e77
SHA256945c4e520925902102b0b7435d34ae82952150535847dbb9bae31e319c62ac00
SHA51274915dbf9abb08f258c5f64ec12b19bbbafb0a09a6f01b322cbb3594f9ce3469b352b6279e0b2dcb817ac5a2fc0635c0dd860bd649138326f164ea6193951891
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5b8c1a3eb8dbddd491d2fa2d7fa66e1cd
SHA1f6aa2268bd018eb53642b7c8074e705af9275d1a
SHA256e7f300a6d9b4b249ba10de278c1c9d0667dcef57d8757053172ad926a33943b4
SHA512730867ed7bd95f36799d67012328c7601dd771ff40c6fd862aef6bfe67fc3c3bec1656cf73f5400526e02dc4840f3347257b1373727bc492b40be6c4f6e13e34
-
Filesize
8KB
MD51efad80f173af13dbcfc1a7054e6b35a
SHA124a887ead61275708b2cb9078f9509715a17cea4
SHA25650be5ecd1182cbfbb531f5ded8e9050bf82f0262bee1ff5ccaa038a4a8df2571
SHA512f52f30ec68c96a78a2275a3d5f685bb5d9998e35ee15da04e6e86ad4a939eb8c68dfea70a49ad6ad23bd70420a17cef2aa265ecd550a3d848b1587185c15a3e6
-
Filesize
23KB
MD5784daae39e651cb73a32e3bf20f1cac7
SHA1b5881b78f16c246dcb3c2481af72f89e7855219c
SHA25610999885c7bfee8eb9e606a17cd96935e242fd0c0014f9cd666ba796e23c04b4
SHA512ce5165a703789c3bc0351123cb8a6e609b0c32b63c3dbf7d72727c075272271fc7c625ea5d47f70c16143bcda4aac1c392744ab76fd9e53c478e11a13274b247
-
Filesize
5KB
MD5f4e9a2ed12bab5722bf1ded7cadf14d2
SHA1dd9f9684ab791dd98ddc89773b965c661eaa00c4
SHA2564031d00b336b968f01e6221e661ba2dc8dfa447b1ae9254b6cbe48719e5854df
SHA512c383682b19cfdb2acc8d72008f8088017859154be883efbb5f0805ec9e61e93640417e9266ebf0cd42b211f081fd21a8eb08f23489a2327d185b4363d7dc27f2
-
Filesize
5KB
MD5abb353c662a27ced975b5453b24a048b
SHA157b6b424c041e424c198fcf18f70b112b9b71f23
SHA2563a9887a394f2b8885f2c9da1b63c52ee92dde25436d11d17208f8a6caa4d82ed
SHA512816a25df1c767103b661d7b246bab102204b7aab191302725f47ce2aa9e6d072f162a17684cbb9a577d551f80e581b9e6167f6d9150ade5c3176c45c5cb0ad7e
-
Filesize
14KB
MD57695ea1f85f976ad6809dde1671d192e
SHA102e23a257c6068b23f3ea15112b1ea0681728646
SHA256d6b3593eef750ef96c3038bdbd70361cbdf0b88259c019f2dffc4dcd5b58e790
SHA5123ef5ac4882c02ba0271334b96894557fa7da1a2351e4bbed5370d9b0929fe03aca1af2f3984879e15150b9abac98fbdf155c31f0f32863b010a8cd8d6d263c81
-
Filesize
15KB
MD5bc59eae00ea6f0a3875b204607bd084e
SHA1c830f2b8c60f1699b5539323ad832f3564beedc5
SHA256827416e1a7489dc89804813662310449632bb4a48535819c30c672c5d6ddd46f
SHA5121d6b3969e28cae60c7bf15421a324136dc55833b8f3b50dac9dc246a82307b545d37496f20d15a26aeb88f0fe86763f9c49d4a8c37add95b6cb16097cb3b3fcd
-
Filesize
5KB
MD550de415ff0e555e40d561e6a0f6e4122
SHA1a72eea05306c0702e45420fc7ac08657a4711c21
SHA256e4cc8de5a5414af4a4344edc0878b1afc4150289b52939478fb5312212bd1ee4
SHA512b1e584da3b265b0236fd4b7c138da679cf2c9ef58a901ae8464236f53eeec416844a7a05f2aec27a4d727d0651100631f20960f87494313be2695fc6d441b302
-
Filesize
5KB
MD5a766e3b273e18c5991d82ff8c670d353
SHA1cfe954eebd90c14e8526640bb097067e4eb61a2e
SHA256b161c44856bf4a26e90ec44cd0fab2ff9bf2a75ca1d181f1d88b85d4f88b5f90
SHA512eac9da43b977dd25d2b5cc8989065ee62d2e3d8ff212b352c59f97f67d8eb6064cbc62ed17fc2e3af153811561563cdce5ae50199fab17abeed4c59b62b952b9
-
Filesize
6KB
MD548c9700dbef72150c8cae41f15123d2d
SHA12dc16acb2d540ef13c2a67e7c7937d281cfa2f13
SHA256a68453dc6325c8b0c88b5327b8f0bc28e3026f1b97daf9fa1391767264734f2b
SHA512de664e472bacf0e290f6e28cab807522081ae87823dbe83750bea7f0c0156ef815819dbbdae2211c5c2ca6d48f1293bb9b01ed87e5eb8656966cb6c4992d87b6
-
Filesize
15KB
MD583d207b50056b52030d2569ccd96155c
SHA19d543255291c9ef59d11b5b0cc2f3827bb9cd2e3
SHA256520376a98ff4f943572975789af4e9d6b499929e10d3460509f5583d30979c4e
SHA512fc811f175a67c443e19ac7c414a500a328ae4bdeaaf66eaa22dbeced1382e38cfbc2d68d5534accc81f6d6716a3fe2c4e5f65ad6aa75a531529b5904a120dbf9
-
Filesize
26KB
MD5a282ee4aaca9cf2f62a7ff6060e58f85
SHA192e81f4f5cfa87a88872070a51e0f9aeb7922012
SHA25615b7eb3cfb223ad88c710d7128ef8af64936dfe66d6736f9f5509fb86ea8068f
SHA51272eb2bdf3a0236b1292edb9a0cf6365d77ff2fbf09efeca2c2df42dec63437de264d4b36c0baea2370450a2bfeb1f820e44653d014800e11c6c21a3fbeb0fcb4
-
Filesize
982B
MD557e49a847dafd0a93e436ec4f3c786d6
SHA134088fbe7479c19f8188f0245d1a76357f1ec09d
SHA2564ca1e7f1e81806b25c3b4c5f5ee4e34ed8f8ce31273d3a6e21593939641ebb13
SHA5122273ec88f78c728c959f94b61ecf9641ba4b915b924a03079065300de4ed894724fcc75fac12e05e5abdab1d65950bca53cfa3f59fee7ba9150c2720560d4af1
-
Filesize
671B
MD526c343a597ce048229ecb39f5354df7c
SHA194a4c4988c43f52bc67b061bd5f0e7731d837afa
SHA2568acb91ea5d327886d50b9aa47799de4045d3757e9d1ae5790cbbc862f111cbe3
SHA512e6569a1ec86e170d665b9ed124cb538358c5000275aba95fc8cd899e425dd5e2f9c160d43097832839562f4f027a953bec96ea1b3fcf10e53bac205507195053
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD55a03948f182efc06d4358180e59554a8
SHA1ab3c9865d116cc21861fd4c87de41581cb5e92e4
SHA256587cdcd66428fbf126c9c6832d144e37ede577ec5d34e3a5445b99a3b9ac9373
SHA512731f5a8d7f2b6071fbf61d785d3bed8b7b02287d050c0eceb14389cbd52ff48246d56e8fe53440648242faa1ce3995d0786df3bd70f7765268d8084dc1eb476f
-
Filesize
12KB
MD5deba4f2c07fd985250f8f2c7253a4fac
SHA183e1d41c3d5355a33e1f48c17855d60d4f0c3cbc
SHA256ecd643881a9cf29dd02c1b1d9dbc64ac83c06310de0e8281d0cc117ae622ad5b
SHA5121a1f1936adb9b6b2eeae4dfdbf2f2016bdae664a089a915962410e3609521db1b2d45a56f6830fb69908cd717b3837e5983d428108957aa611bb5c8d90fee0b9
-
Filesize
15KB
MD5c8164bd04e2b0e21ff36baee54b9409b
SHA125e5d798475ebb320cd8436fdc96a94d9b5fbe4a
SHA256633da3759d2f7597e211486e4472a5c14d0b4d61830b20b12ecdb1ebec0477af
SHA512626ade0baf7e56cd364fa3d48b5a6c9b4a1c2784827eeeb87f6a2d07da09e194332f9fac528506182f7a58faa64f7200db74a0f2d85b292a2074a73ba83d9916
-
Filesize
11KB
MD5ec7b83049ed8a1bc773cf5d5dcc3c116
SHA1e503526327ad3479e19f48cba9b4d731bf6b7dfe
SHA256f063e8389009b6382a2179cd47f582c309e017e281853c657abe5f3dbd6b6c15
SHA5129182cb8759451548d4380dd9f2f99b7478fd3654308eacfbd39ad4dc5426fe74fe1b40cbc103714c7bacc7df1261e6b76ba5529b5b12eca8c19f292e87aa35f8
-
Filesize
2.9MB
MD5adc29df4136dec48db85e880374f32b4
SHA19aa64d7e6b21a0c82f14db8624a1e765439f8b53
SHA256de84aea68906493e0a5bbc6c9d27c17ceee6c8259a6d7f144dc341a58555ee99
SHA512da78d86eab933267341f9d1ed95ed884b0362d7985f3da89efbb4b751a6685459a00128d0105dc69910330f259b6a6f42ebc3f016d1cdc6461bab3767f4f99d6
-
Filesize
72KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
11.6MB
-
Filesize
10.4MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
11.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
416KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
72KB
-
Filesize
1.2MB