Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 21:55
General
-
Target
0c0acb1d42b4e8f9e95b7ac2435f7408d00800d1c2e68b29b34ffd6ce60b16eb.exe
-
Size
7.1MB
-
MD5
acd3bcd13039881226f31e23fba33f26
-
SHA1
b0fe8e1f2db3a202a51ebdf3f585463a4240920c
-
SHA256
0c0acb1d42b4e8f9e95b7ac2435f7408d00800d1c2e68b29b34ffd6ce60b16eb
-
SHA512
c5ff3fc5fdde3786e10df97e0768ee8124b7f7fd9865fa65ca579121213131bb3ecd4d486dfa8c9695b5e940fcfa5ee388c94589f3032bf63442e041099b962a
-
SSDEEP
98304:XYYOchM6PJwuqtzmlt+UozKTBPmyqyjxKOWhcg6FIQ2L3H0lKMHlhhXjRr7kycKw:Xo6ZGzmqrzMdH/6pH0l5lhhX1kaO1Ob
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c0acb1d42b4e8f9e95b7ac2435f7408d00800d1c2e68b29b34ffd6ce60b16eb.exe"C:\Users\Admin\AppData\Local\Temp\0c0acb1d42b4e8f9e95b7ac2435f7408d00800d1c2e68b29b34ffd6ce60b16eb.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S5M20.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S5M20.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\I9k04.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\I9k04.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1x96h7.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1x96h7.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007505001\08f9669f8f.exe"C:\Users\Admin\AppData\Local\Temp\1007505001\08f9669f8f.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007506001\adff5b5548.exe"C:\Users\Admin\AppData\Local\Temp\1007506001\adff5b5548.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007507001\021e30ba07.exe"C:\Users\Admin\AppData\Local\Temp\1007507001\021e30ba07.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2060 -parentBuildID 20240401114208 -prefsHandle 1984 -prefMapHandle 1976 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {424c746d-1311-4770-9a09-0788f77dca09} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2496 -parentBuildID 20240401114208 -prefsHandle 2412 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9944a584-beab-4aa3-85a2-087ae09d6176} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 1608 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec8414b7-ef5c-40cf-b6f0-c0cec1963027} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3956 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3952 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e5cdad9-d6f8-45bb-80c2-641820f1d2c4} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4800 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b13eee09-5c83-4b9c-be71-5bf6195be089} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5316 -prefMapHandle 5312 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59ae16b8-7f3d-4bb7-b860-ce964f334148} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5176 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9fc45cc-0239-494b-ad9b-8f32d34bde14} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 5 -isForBrowser -prefsHandle 5692 -prefMapHandle 5688 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65fa79b3-2226-4745-b020-77d9d13ecc5f} 4408 "\\.\pipe\gecko-crash-server-pipe.4408" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007508001\00d8194aa7.exe"C:\Users\Admin\AppData\Local\Temp\1007508001\00d8194aa7.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1007509001\b1e81b2fda.exe"C:\Users\Admin\AppData\Local\Temp\1007509001\b1e81b2fda.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x40,0x110,0x118,0x14c,0x104,0x7ffc8b81cc40,0x7ffc8b81cc4c,0x7ffc8b81cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,2850332893753351562,8265640309947857226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1852 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1900,i,2850332893753351562,8265640309947857226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2512 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,2850332893753351562,8265640309947857226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2644 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,2850332893753351562,8265640309947857226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,2850332893753351562,8265640309947857226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,2850332893753351562,8265640309947857226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 13847⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2l3336.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2l3336.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P17Q.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P17Q.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U328g.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4U328g.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1680 -ip 16801⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
21KB
MD5a337cd27e07eddd702ef87d8d18ad181
SHA160bc9f4b01e458f55a48000b6c0148d2d41d6451
SHA2561de46f1fd27d5a801afc86d37655471f330f92d14b1105889d707b610f86c62c
SHA5129c2cb0503c151106e899469fc9ba317b344b471b0dddc4bf55a5719d4d4a4c331d2493d0b118508c8f3541704e8baea092f51ced722737a6942901d886ec4072
-
Filesize
13KB
MD5c4d8d218805589fffa1cd3d1f6160aa1
SHA1187e0c6d55bfb306c8891057b59a8382ddcbd6ef
SHA256e839688f24cb063afc91a9fb55fc5b2b17cd2de1d0093b9a312a8d62857eed8f
SHA512703f8c6781d998a68d4def0b1a8bcc8f19bbb7b6267983f35a5e9220c2df6e7728606286865a8ed7fc131bfa3849e0851ad0fc848d24dc420a77b3deed482997
-
Filesize
901KB
MD58952118cbd8aac309af40b7ba020ac8e
SHA19eb96e51892c77f644997905d5a7b680558e0aa0
SHA256f896925d010797327e622e095fc75605e3cccf9c842577db3c3aa9fc1dec522a
SHA5124199640d12798c108f09d9007f29fd2f4f5a075986b5e257c5629dde340717d0199a92601262c020a55e6ab370c8f26e88c35d5a547fc02818244590502926c8
-
Filesize
4.2MB
MD5abf203dd0126ad56347d05e2c0f48322
SHA1b6efee54668e99435319d65f634459eb561c1491
SHA256987b2a963feaca33452ac5dda999e1447f2732014c71c3bc3f5ced7d3227886a
SHA5129c0f42d430a1df1b6b87cb3414dc0ac72524958b4cb4c080bac083ffef4948c011d26c20291ae2e5e46b1dbd20eb325e8657c067fffc9094ff5c0adf12a4e4e1
-
Filesize
2.6MB
MD5333b260426a661dcadd5c016ab149ecb
SHA10f87cec4227cf24cdea86a82b632d45488875e77
SHA256afcc403016c3fbbb10e732010bbc93854c1e1be63df48c91901acd7e05aa0e2c
SHA5129e53484a98183723e63359ea714dea7b48d0ef43ae26a426fb0889dc1320b3b57f3876546ed4c49284cc79ab52f0b240954eb16b8be3ca392570d7010872b458
-
Filesize
5.5MB
MD5de244e6968245b2d54861eed0111bf01
SHA15f7aa8325a9c7541219b9d3cd4d7537293d18f42
SHA256da6aaf568f01b8aa8a73f9743bff84350f30c37044cf1aab4073889dc837c2f2
SHA51285c1e4772cc243d4ca55f85d512ac55868ce94912e149302017661aca67adee16c1198d28035869713f1bf664f3cea6b4d6c7fd05cbd799a87d61efede814b85
-
Filesize
1.7MB
MD5b3cec29dfcc248bc4f4f33ff5ba14470
SHA1389dc1f719b34841eaa55c8e81ce0f773fea3acf
SHA256841e3ab686e632551e2229d68366490832987ab47d308c54f6817f3e13a5ff52
SHA51285803678ee823025990a8377b0b51335be58365bc1fcabff37e4ed1330b93438bbbb94e40908f3ccaea4631ba5d155d0391198ee3639630bd981cfedfdc5828a
-
Filesize
3.7MB
MD5761d5267fa40c42711cc78293067eb4c
SHA137e96c70d59dd21c56cb1cce31d92f9f19bfd4f9
SHA25660e340ac7c40046ee154282387e9f1dd54f8a0887adee006f8887e5b295ea339
SHA512a252fc7a281bda0b6f77296cf8afe30580d9560c994949141151365dffc95c5976f7987df77021df44ce19abbaa2fb1bd9fbcce7a18c97bad2d9a093d5672748
-
Filesize
1.8MB
MD56232a1aa692fe2b9f3f8e67d35c7dab7
SHA187dc7bd254cac48669668a1833c10b8aab3775be
SHA256a7cf50803925abf03bcd899b82745e472e99963b2cd8063aa44249bd6c75395f
SHA512c29f2e3b76fe7c2ef81370990b02ee978b81f8ceebb191cc218672184ad7fd5046d8088bcc954f62b05f72255ce15d89c909c99ca3d2ab6d097725d13736300a
-
Filesize
1.8MB
MD539056519241048010fba1480bf5d5cd3
SHA1f0283822716b9eedabcda608ed38bc5b0991b383
SHA256b81816637b651ac1f6790a8ae19cbf952951a656df586960a4227e568901d55d
SHA512d2b6d09560f28ca9ad1e5f04b175c769264058db53e1ef1f7a8909bb0374ad00bd4629e97ef1c3fa25b5d2728951afb0fa2f50a85527037e4f37b77457b2ad0b
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD53de479581a6b81774b37c0435bddfa04
SHA1f2e8a78174ef374045fb6d986636ae12bc63609a
SHA256a08301bd13ac4c5973d386e56c653821a1c11109e6db1677e93fbf4dedd1fb09
SHA5121714777a599f805fd90ea6c80a841864e1d13d54b998ea45d516cef0c75216a1805e8c05c9e79209754df3c337b7b3b321629342363e50e60fb2bb7283f0d68e
-
Filesize
8KB
MD5610536be0335e5f101276646e761aec9
SHA1fbfceede8abb17d84e4c987844f9e24da385d02e
SHA256594e5e2f577552660b38cc95296507818e5fc74cf6b4049f307aa1a5af52816f
SHA512d2fae262ef2550a45147df38918eb85a5a361249c22a54d089ea07e51b5a702e2c0d4bef6318400e9342e8a0eb065e0bed0ab264ba41cbc727b5cf8654e4426e
-
Filesize
13KB
MD5580a13e31e7651e3cffeed2fade653d5
SHA18f42a5b55c322c66fe2f91c04bf6845208f0cbbb
SHA256adfcc97ce213fc22366c58c6ecbbf61fe3644a2c75f435486e3eb1898f262231
SHA512cf440f4eb5e5be36a05239e3b997b0a46f5e11d5c48596ad57a5124c47d63dd6a78f865a621b4b40cf7b0aabcbfc018ec2402ed4e9cb32b28b7afef55b1e3477
-
Filesize
15KB
MD54d1d8039eaeb7c7c5fad346f1bcddb03
SHA1d3f87b09274f97a41524ba668184d47119fc83f4
SHA256dc95d88c331b3cca3ffe1f612a87802bd26366fcd6876b1088f2f21e67b2b42c
SHA512eb1d33af96b322554676bfafebe14e04d17ce3ba5f1708f17b1885a327d6fe88549d155266f15898c677d271bee776cf15f5c4b2f5451891eb53bec1e8b18e0c
-
Filesize
15KB
MD581f9a1415acdad1569bcf22dc4f24672
SHA1e472fcf5cfb63df4c1554ce2c37f1caf6b91801c
SHA256cc42dd85b37a9ca74f87960e33b9169f6ea57f9e61bbe528955bd13af0dd0dcf
SHA512281183fca4c08389be85993e6e4c3ffe36cae55cdf12d91834aef9e6954cd1e995d9c1d2c3404b8b3ef04390be839b13e6b208180a69f37d3a9908760decb3ef
-
Filesize
23KB
MD509eafd8456a5629967bcad930b2c4936
SHA1411def5b1304687fb2ed68558dd2cf84c64c647c
SHA2563d2d33bb0377776ab3e7188b8b42acc7eedea6dfd054438508debc79760bd8da
SHA51271db897444429c29c433d34ba523d8f003d462e7e043b66c7c6f2866c150fd27264b1668542d14f5235d2443ffb1cf426326a10294f83ef80848eda6d62a33a6
-
Filesize
5KB
MD5e46a6b08d2fe02935ed2a4da1d64d270
SHA183845823141fa4e7b275d55623f3a35edfa8a125
SHA256248c19af4a5cd5d13f0b0a0fa748354f7f68ecc6e16cefa1c28b094e768102d9
SHA5121512e6835fe5417b0ee1440736b17e64c087c815b1f1123876cac3a2b8e92d8a14cf4fd12d6687dc0c1cd9b316cdfa6048f66148f06e9ed9fb30e68bf538da22
-
Filesize
15KB
MD58f67048f1df3147bd5d013794155efdf
SHA166246d29e973aef96603c71d54fa1f630eda0c79
SHA25697c7627459b6664971b871670bfc09653508552dea2df9e748e1dcec5669b010
SHA51258c694d7fc79fa35ac550897b0313da55f5962e50978bbbfec5851df31ab447ade8e7507002c3b85c42713e9af20e2deda3e53590e558436304f9790707b302d
-
Filesize
5KB
MD5d763160647c12935a60af8de54c72a06
SHA1198983ea86d19ef53c62a0e992628230bb090404
SHA256b8bf64a13aade46d7ac37f7c44edda9b0619556e585a1612bb74830eea23cd25
SHA51268303953d16d155200a1cce74c7ba189349549b234ad7231c92bc1be5c6e25614c1464e08c84a7c189ea1951d5cea80ecd738f8ce8a5b86d09dccdeefac65942
-
Filesize
5KB
MD5b0e4e9598e48cd9b2f3e4a88bf95faad
SHA13d2c8acfba381ba5f76b82fadde6b9e4560c0d37
SHA2567bb5bbc2ef0b20a3bd577e2ccd5b984e6c1bf7af1795dd28d14cb9d8255b0e28
SHA512829c70518bd8a6b6c36cdab24c458cc0f2f321a6d5900aff00e0203f164006557bb54ae76b98058f36f8b26e7eb4315ff1b67e74af405b70c9e4e0161170a51d
-
Filesize
6KB
MD5f5e50467c0d8919b5e8e3dc72ae6c169
SHA1618f8b67eac03b54bfdd60ea9b99792f48d4bcd1
SHA2567b8a18873a3f60a25ec8e8296f0aa3776c016956e49d54f754cf2e680f821b04
SHA512234d24a1839ce3aff8787747435a531feef6755cc8da3989f7b4d5e90c908f0a546f238bf8015e979810b3b756be053101616d3f62f033b107ca29cfc65440ee
-
Filesize
6KB
MD52cf88b1d97878ec52da79928b3840fab
SHA10962ced5908c148bf9ff841c69af1e3c21c73ef6
SHA2568cbc1663977b1616eb5166560a5301f3c33e33a5284c315ef7c196c08b60f1ff
SHA512b0ab89b5ad6ed74b6a0fb34b9caec055aee89310a772554ca2e63bf1592b63d8e1c339de45c142a1525526d7e99e2fb72e09934c9f3ab14b6b1c2a2764f413e7
-
Filesize
6KB
MD5e5cab37b6885da1d09527eb5f2d616cf
SHA10c205ee689de1fcd7e9f6fdaf0025d37169fc141
SHA2562cfb1e12cab58d795c30db96e33d9cb69d0e1e6656223382a956abc1d099ec1c
SHA512563683096337d0f32723e572b8a30eaaea33f5a038db6e101016175be6421c5b69e626799d5e0a360a2e440ebc087d4ba1b5928092935d26ecaf42f6abb518a0
-
Filesize
671B
MD56edf5fbd0128a826d04776709b25d715
SHA1295d4023987e4ac46abcb0027d74041d9b76ac5a
SHA256ccfb822fbf92c61324726c9ce382433e13e610a698a65186f7a08f7cd6a0085c
SHA51233c918a13c2a819bdab6db8b98d0047c2175083a7d8ce13937646c8b0fc0c0adbb1e2dfced5a92aa6caa53a224532d8f18e6afe02befe44761234c8b92e5565f
-
Filesize
982B
MD5926e29140fc2e99d3d1bbb30545f7411
SHA16ef2f6441c1158ed7ee8d883a0bf81ea891e388f
SHA256514b2dbd16d168a264bcc7da5bd4db94d413acf1be17c05a0d5904e226e1732b
SHA512574634414e7600b200991979d44ed116c7c71a087eb277b910691f36cdaffec1593de46239d26d59125fcad7032909e9ee4625d51169ee2f951703498774ece9
-
Filesize
27KB
MD59bde6b9d4c0d4ea9a807c3e504e44b43
SHA10b731be7e27478e3597cebcf58f4dd2967e0a019
SHA2566c507348ad165f52728e0f30cacbc302d9269ca880107ad4116d314239fd34a8
SHA512b39ed0137eca737e70ddda84ce75415c058b427f6ebfd13c9479af5a491150e137e15d87156e843ebb46766560fbd8b9227a2ca2fa4ba0db658c0b36893f4c40
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD583d490de471bfd53e860e8605258051a
SHA13cd9a251a2eb672700755f20a3f168ea9e231ffd
SHA2562d5ceb973e40ef0da53fb45f0716f3f0087a70f0fc69d6dd05ba8b470fdd2e76
SHA5129a5e320d86345e3be87bd86a3265b6189303485500113b11eac6b94bbe056890e86e4530d2f1d9eebe836b39c3c83b53c480e64a5e16719c84f2dfb8dfdd0f79
-
Filesize
11KB
MD5933365af964d69738f629ac7af638bbc
SHA13e7466183e95833f97e96e1b1c8e52fffbe02f5e
SHA2568d5397f6df976b8e911249bc527065562e21f7fa04de61e5e71080cca85c9026
SHA512ad8db6c11f178b652d2500c50d7693d25ed7eaeabc94fac072b1d2dfa1fdba37c08aec0092b5ef81b59ae9ecd1c4fe0e1bb6b0fe8a3ef21deb8796aa0ccac0fb
-
Filesize
15KB
MD5794615f561677fe44a2653bb847a5101
SHA130e8e60325a06612c267ac4eb6228be311dcb58c
SHA256d5bcb6003c918b3eb7689f0718d50c99c4d83fd7cff018ffc73f73946f65e613
SHA5127bd15f4a7870fb098adaf3f5298ff622c4da8ba6d2e7fcbc2139efc68bee8c3554380b14b277ec10c5cc76df2ad15939e86dd5bf40d82c98ddfe867a127e06e5
-
Filesize
10KB
MD59cfb6ddb0ff818ba97b7a805aff8ec27
SHA11c14efd6764acc9fcdeecdd99f3635ec8cd9acb5
SHA25649c886e6abace8dbb89c71963f8b3042a274ffa15259cfb9ab6878ccc0c91aba
SHA512a75d43e778aa1ec0d9930a224f1c70ebfcf746ee38bb9d29211eb99689571a54145b43d9f031b3da98c6d8ac146fcc22a4aa178f82f34798e1ef908ad32cc422
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB