Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 17:36
General
-
Target
1caeaf2b1d05e17d6402c0a7f7bb3025c095ba2b71e8881ccc088fe82315c3db.exe
-
Size
7.1MB
-
MD5
da4946a960b84cd9769c0020e13be4af
-
SHA1
c936e833c056e8068dd3a3779b30915d30ea4bc1
-
SHA256
1caeaf2b1d05e17d6402c0a7f7bb3025c095ba2b71e8881ccc088fe82315c3db
-
SHA512
d352421d0ebe1700f7200fdf5324fce7452bfa91d85a7bf1a84a04dabf81efb7eb8687b808a0f61054938c0e4d0345df0e5f480d60a2714d47eeb9fd0b53f079
-
SSDEEP
196608:4GeCgD3C9BD0xzf7Je1XCEVupKJPRVxlQyhaAvNoHB:4eL0xr7J4zukRR2yhamNo
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://processhol.sbs/api
https://p10tgrace.sbs/api
https://peepburry828.sbs/api
https://3xp3cts1aim.sbs/api
https://p3ar11fter.sbs/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1caeaf2b1d05e17d6402c0a7f7bb3025c095ba2b71e8881ccc088fe82315c3db.exe"C:\Users\Admin\AppData\Local\Temp\1caeaf2b1d05e17d6402c0a7f7bb3025c095ba2b71e8881ccc088fe82315c3db.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4U46.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4U46.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1o26.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1o26.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1T32K8.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1T32K8.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007459001\00ed70ca6a.exe"C:\Users\Admin\AppData\Local\Temp\1007459001\00ed70ca6a.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffee8d7cc40,0x7ffee8d7cc4c,0x7ffee8d7cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,7913046312931029613,1572964145289124014,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1948 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,7913046312931029613,1572964145289124014,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1796,i,7913046312931029613,1572964145289124014,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,7913046312931029613,1572964145289124014,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,7913046312931029613,1572964145289124014,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3824,i,7913046312931029613,1572964145289124014,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4288 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 13767⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007460001\514d487431.exe"C:\Users\Admin\AppData\Local\Temp\1007460001\514d487431.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007461001\edd343ae67.exe"C:\Users\Admin\AppData\Local\Temp\1007461001\edd343ae67.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007462001\35ebb2b815.exe"C:\Users\Admin\AppData\Local\Temp\1007462001\35ebb2b815.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2072 -parentBuildID 20240401114208 -prefsHandle 1984 -prefMapHandle 1976 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea1caac0-9ed5-4921-ac73-d4d295216878} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f80db042-10ae-440b-b4a8-f5f9261519fe} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 2988 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3317aa1c-022d-4891-83e6-48c270d30c54} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 2 -isForBrowser -prefsHandle 3712 -prefMapHandle 3728 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8105c32d-717f-4301-bff1-bf7615ab3eb3} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4080 -prefMapHandle 4124 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dbd015f-3475-46a7-8ee7-0e6d66d081aa} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5612 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {453ed2ac-f11a-49b7-96ab-912096141764} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 4 -isForBrowser -prefsHandle 5372 -prefMapHandle 5244 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e441e6a-1212-4766-87d7-53f99858fc72} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6032 -childID 5 -isForBrowser -prefsHandle 5952 -prefMapHandle 5644 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f5a417a-aef1-47fb-9859-b2806f443ead} 1908 "\\.\pipe\gecko-crash-server-pipe.1908" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007463001\bd71750c64.exe"C:\Users\Admin\AppData\Local\Temp\1007463001\bd71750c64.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2s4602.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2s4602.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3X97f.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3X97f.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4B631K.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4B631K.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2576 -ip 25761⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
21KB
MD52a83afe9e255f0a1a0ab78c1ade320eb
SHA1310490a8e660a6c1e328a4471e0ab1b30a3db25c
SHA256f702eec8d173d13b7c599fa5bc7e0410d8222cac366a637d589a36a9b0723ec9
SHA5121a8551f7dd1e61b8d4f834163308c4d49b1530588d72e6a51461691db16a129fb7412f07eba8074f1f92238304840f4939a6cd5a7323132e498fe7330890ec14
-
Filesize
13KB
MD50d413b385f3d93cec1147220aaba8c2d
SHA195f827a863e9b997a7d6ec3efbd9306cf3a416d5
SHA2569b2000398ec60671e2e6aa777a8c2611458fad9d2ed0ce2e9ae92f8ae568af1f
SHA51226b43299067c76a9fb5bc564c3af5f0ef979ffa35096343c8a25587bfdf5498489aaa4fd20da682e4d9474ed792086e2f96a03cc5e8aeb8983c7f03c97170acb
-
Filesize
4.1MB
MD5ca00d6c5903f68cf43e74774d7b08a52
SHA165e2318a24492c149eb66865f5f3bd4ee09e88bb
SHA256de16ea07d8934b7746f20ee895293e48e49a7264a589518f04a4c8b8e2bafe8e
SHA5120ce810baa5f5284c030cb38c9f3057cb5a5973e38ab677177b9f5cde452a6f894bcf42ef16229c497d2fd2f720872803fb121f2ee4264123aa2fe087a9295c8b
-
Filesize
1.8MB
MD5f6df237f8dc7d584d8836042966a0943
SHA18749f7bd027e624de82cfff581962b2eeb6a7dfb
SHA256e0ba78bf9b945f75349fd5a76290b9b8ff746abd24f15896a277676261499f55
SHA512a01d4fe202be936549f6a1d465234164a0e315c4725efa85569ce957782ccc904e833db3b2015b173288bfa353b155d649dcff1f2e371e8d010fc197d138f629
-
Filesize
1.7MB
MD58427e384ea4951ee4a5f0b425fa5ad02
SHA108f6dd97b593d0bc86339e1a1b7dd405f7798d4e
SHA2561498a63ecb4dab164c1b8287ea274408379e317874d7d05f41bc6209060326ba
SHA512b62cea071d32ce26c8542fd718ccba61995a7807d73281c7ec066858052d3f7d3539baabafa5e2b0df42c1976f61fece4a7259c92282a3494f7a406c727eaf52
-
Filesize
901KB
MD5ced448790328e3105c0cfc739ce1c049
SHA14e5d7352b4272867394b9a2c8878c108d833662d
SHA256b5aa55ab7b1267b5e806ab6a306816d8198655a7dd68c2af43e11d06e695fb62
SHA51274a181ce8cdef058a0637231822446ce0c7261f7bc9f0a52db90c357ba9d0046676308370501b925d4a039b0ab7540b21c6b08e963de80f1ec2494add6deee4e
-
Filesize
2.6MB
MD5233f648404abf3a913b830957f8bd1d5
SHA17dd39c8b950694bb87303aae1fc9e778b525a7e4
SHA256e6524526950e9fca8f5a7d001a678ca62cca94ff03491e8d45d58df263d6381a
SHA512dc9170603b2f4190496883ec7769c5dc6f1520ebe7be6b2f9b790047a6c92589a71d914887e7f2101807ab7ed1d3fb021ffe339f0e6ec38542df88c22d25b7b5
-
Filesize
2.7MB
MD540047b9af24cdadf0bf710e0a06983f8
SHA119e1fb8ed92f2d42618382c46f4929e3a5fb6be4
SHA2564296e14ce1355f9bbfaf5295a5f070c54f713f0e8a878d4a34041d9de8e47a75
SHA51238d91861705625381e123c00b6354498286d27254a0e6c27e688f139ae7593c2863c1e2f45b65d49ec47497bbf1996b29e4965321bd435ad1cb0a4d88b569e26
-
Filesize
5.5MB
MD56d2fc2066ae18608b93c0003183f4aad
SHA16bfdfe5a469ac9abb33abcab6b61f531b038f892
SHA256f5d7aa4be4581c6baf3ec665e9d73168df0be208647019db5e0889c9bab72c96
SHA512707497fba00fc2e0346a8f037e92cd7fb205f6b09737a9f3bb9210639b33b2179094d74c547f69f75fd39ec7eb9435f6fc16d36464db3510bcd459f4173a1a0c
-
Filesize
1.7MB
MD5402f181bac324729b6fdfc930ca9970f
SHA17e4d80a8653ecf443132ae1b1ce4c1200302850b
SHA25622365d3502b4eca87da0dc2cd1c74cd7a0d757b38ba1790affc6d1485a6c3c8b
SHA5128c8fbf70df0f3de53b0b69818cc917c52c4ee15d6f4d5b7e592b8a7e891630c2155b461cb4ecd75a73cd945a473c7091f3c88f73ea094d9388093146d6f59fc6
-
Filesize
3.7MB
MD56963806f1c8862192b2df6438c0056bc
SHA12c5135e8a6f39995cd5b1bd0bf6f8a97f852d9bf
SHA2565ac84200211da17c3812e8897ff8f9ce723e6fbdb32898c7bbe2744025193880
SHA512aba912897dbee1d260bc594d76d7f58908ccf0d270e50fe44bfa2232dad71c1295a4dca0e60a983f7a260c243285d106be2483a9eb937c1d265d6e4f3fd27c8b
-
Filesize
1.8MB
MD577b74d811a921f3feafe6143482a93fb
SHA12302257c7693519586bcb783b3d958ed48001e3a
SHA2569fdac22c258cb6e7426e553df54bf2f7b6269dce5b10e539a746aee4671e6196
SHA5127fda02922af9b056d278950085ff64ef90ae66492265f22b609fd338cf2991459cf43db6913a33437f335957863e3e54145b995f0c3a69a745ecf58a21e5e082
-
Filesize
1.8MB
MD5a7044f38627da01062ae36f15e718939
SHA129be2dcb48f5a90bd3c1352af7561162850ac586
SHA256d623fdd56568c03045f77f203486abcfc7f43665989d4b144a52a76de855eaa4
SHA5126e090b62db099351a97df9bd0a78f6f3f17f63f721cefe6215226c7b0bbea0de571c67b6123387752411abd9509ec543dacbb83b026d7f5d5b36f26a8b19f517
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD518dca6c354b529d81c3717b70713bb10
SHA1c628589dd4b8ef168c06903f3ab20d0d3557d187
SHA25634ca906d12d2e3e95c4b0f25e0403c69d84abc2be5236b77d97bab3c99120379
SHA512c6aa88b57e3772eea7935d2d251bbf616f8f52d23e639143efb5d48afb5af49bbc9499ffb4f71d78892af8c959b525e4b4d1fc041d053e127fa1c6190911c404
-
Filesize
6KB
MD5571709d0bbc24015026a3861c605e592
SHA1a1e7c774017b4e974718964362be0fc8452c08b3
SHA2568fe662f9e4141f6e51572cc0c5ac0e7d185a02d245a6c7fb8c44d2cde257612a
SHA5121d9b6d15b8a9dbc9bc6a53130f7fe3ee47abc73d714164a251a7de8c3f88940fe4a4e3621a17845cd357cd54f73486cf21ab667ffb76e7720179ba14a907e257
-
Filesize
8KB
MD52e5577955271f0d7448ca07b5f465881
SHA1b596f204bc302d17102111aaa5738a3708f326a9
SHA256e9f2faf90f94329ebbf392463a8b78015c4936925c7a390dc44be52d01cbe9df
SHA512ba72797fe6e8cf1684bb8b09d205d3a3fd43eace8933bb92de3b4f4da8bc01d61289130554d92f6da9438425af45b2de893f2fa0339c2723fdf16946e6769623
-
Filesize
22KB
MD5d7b397b9803e78ce345a6764005fb841
SHA16adf851653eabb55411c709cdd54c48ddfcb1129
SHA2563c2ddc95d1864a92ee6f585cbdcd23794d73f33ca87675ee7dec0078e9470544
SHA512b81da553fcb3d22dc65f75939d375ed0793c5bedf7dd22ce4eff60fcc9359e7bfcbecd7d47ba00cee3bca052c9b11743192cd0b946e493bd3c582e317731390c
-
Filesize
14KB
MD506fcf7836edc8d533838ade5e378c5c4
SHA146e2803271b17f205c6e5258fbdc1dd1ecbd69b4
SHA2562137f1abfdc37d3c35eb99f39b16e9a5f64a7d83ae3286a3a447b4dc3a93edce
SHA512976cee31671093b77f0f78ca36e9be6427963e14b7517a4a94cd65f24933ea09087c50684b1fae1420b455bca4c3e94b087e1628c72044054cc6fe1d3e977e12
-
Filesize
5KB
MD5697c4657379d4ad8b831ca5d1fa5dd7c
SHA1d4cfce206ac9dbebf15ff493349741bc78f94474
SHA256d04ccb969dfe59605c7d748fb961cd536365863a7c3a4b0fe0903a47f484cae8
SHA512239ede3162e37cf3409d037f37fca25a129beeb7c5ebc77b37a5fc43b5c9a575e51a809798db911d7a80d4e02fcd90f7d4d926ded4cf040600b82070bb246664
-
Filesize
6KB
MD57501cd4573eb451317b6fb070e16ab9a
SHA17b4ed1422a6c81d92c3c9a9e8202524d1284091f
SHA256ea12db8187b7b33b3323bcdfd59dd1957bba6b9cf82d2ff3e04070da36d0a3b8
SHA512378bbf16fda278447243105deccae52238bda56d91354de5a21165d0dfbece5736aea6fd5861ab6d1dc8d7fd21dd5b8fb677796213444af6a654bacf74298277
-
Filesize
15KB
MD5d2458ef011c9020f787dcdf20c04f98d
SHA1952af3607f6f33d0184ec41f0318df8301a204ac
SHA256c9cadda052b276fb23f91435b134cb792925b8ecac0d6c68a8192abc47db333c
SHA5122a95067566ddeb1baed95444938dabb99bdd341e5d24b6b24b23c5112b6241e44bb207fc7e9a467aeccbfe72b26933164b5643ce9e8ff2bdc4a2503c9917bcbe
-
Filesize
6KB
MD5f48c7778e50df8b48fd999d989ce066f
SHA1677fc96e693c2dbf6448ac58b7f8114617017960
SHA25671ed424c8911b1d5519d36ce404622a70b8a0f7ec99ce2f7f7c87b4b86263407
SHA5125bfb6bbfd8e0703553cf81feea34d875f3b42c1b955044eee313abe29bdec2ac5f804270e8f76881aa68a0b74e58868e1d4b4b51628e86317fd804a6f2ffac33
-
Filesize
6KB
MD5b096889abbb5178bdc5316ab2daba4b6
SHA15d7a3b75f50ddc38209f4257dce769b1a6b2b46f
SHA256a0bd4541c5493478795642753b3ba56d7a597f565b28c0b2bf696ab251903425
SHA512a06089ca91bbaa19a2396a5ecb3202b9bfe7a746d58272e5e7972bbf8bf29f90fc72525587063ce8693100a2610444ad8838562f1c78833fbaa2bcd09ced6c4e
-
Filesize
15KB
MD524c9cb8360731a1a56ba3c1f1b4ea6f2
SHA19d12aff8f50fb75d1a274ddf60e210b9bdbc286b
SHA256d3e76327e454a9fd85250b71c54f919f0dedc1bf50b4b603d11937ba4e332988
SHA5120100d7f010178840a8552e974b0ccbb78c8aa4ed92ca34294b9e28cdd44ec590b5b616ca7cd25859dda6135dd306889832d72f97918cb0335cb83485369afa3a
-
Filesize
982B
MD54e5a316bbbec0259a978216aeb37695a
SHA19e18349fa6c2622068ae704a7e6ca6b89c7456e9
SHA256b09be5848d7927b4e71c3f8c09eb77a38185926771552f33493bb775736a7f87
SHA512111694a712a6d8e141de468b1028b6b73a0569ac80b104cfdf6ee16706cc9feb645dc8d7c4a550432247124ebbab026121a1d853c51f624eba395bc4b5401312
-
Filesize
25KB
MD52d451b700514cf89ffe7d3c563aa2e39
SHA19d7d2b2b341a1447ceb1fcf5f758225b76eddf22
SHA2560c6c2fec24e450774968d7587c948e2befc23f504e687be26f21b48091fd1078
SHA512c12525894a898190f8efb0363d0775240ac97430f3c1668a23989682820c9ccddaab51e0d250c0c69cd47f591fd2aa36512f9e6df9bff36b703dbbe9007b23a2
-
Filesize
671B
MD5a5073c5d7d5fb504d81e870227ceed6b
SHA1c48da97328aa460824d14a18b8d4dfcb0a03ea8f
SHA256b05435afb4d18d27a66e1ea13a4564d777233ab6dc766d91271fd71f66ffd6e8
SHA5122a64d36e8844b289104d1d84a9746e18c253c1d97ba516e9f412afb86cc1442b139b9207813d7df6f18656f5a2e91e64d0bde222b1fedba6a76c654a47af1aa5
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD54906bd6f78bdde238e7448d66ff966fe
SHA1837c71f886fc6c63b0f2f91e94475731e707ba67
SHA256898d41f473ca0529f3750e8c71a0eb65cd6a3e0d34f8f59febc951db467058d1
SHA5126a91e4022fed53b44a2ba12403525e97a2fd847e0a99768f2f3557893ebb4d43599ce1accf9a58e13325ad556f8b764bdcb866d1ebd61e962ea2b76a7988e34d
-
Filesize
10KB
MD5631dcf14643fd81572883b7a08ade942
SHA1f150b63f529b71c623e4f9c71185f8f86a69de00
SHA256c1003874d3290d5bd35e4d83c062c85fb5c31dc6d138e29f4d0a67f88ca3169e
SHA5123f5988e5efe32c863950c9607b8c5293e500218411a9d1a12dcefca9ace61fce9605690b70badce4648dafc94c937fdbc03afcdf731a44aadafbf4ee4fe2b99a
-
Filesize
10KB
MD5f29f3418132dbaaeda98752647bd29cd
SHA1997a42bac1c0cce1cf4473a3d2492984f50d7a19
SHA2561349bfd723d9a88dd0081222ea4849423b25ea8751cccba40d49083c4f1b85c7
SHA5120d6fd231f95d607110c0c1fe98ea03ffe3a48c3c650dc00840d586bf20274861517eb55a2216ebe4dec1f6ac7b45fc59226067983d16d478ee11ec26a0fc682c
-
Filesize
15KB
MD5ade1fdce419f6fab803544815bcff2aa
SHA1ddfdfedb02be3a82351dfd2944d85780f3cfb274
SHA25621e489be083ab5f940318a5f8b5bf7916529d4d55561c76ee2dd52dfd31e75ba
SHA512f6f52e25d8059f73053b13c0205b795c3fd7cb00f5df13e61a5f3a0c672a920fed67d5c970bc50b10569d5d11f257a7af5a96cbde4f39aad9f934e5ae37809d9
-
Filesize
768KB
MD5b98b9ca9bac65feaf20f0eac856ec839
SHA1bef7750830e76c15bc5e82a44d40495793186c64
SHA256ae8aaca5cc4eaa02bc954a0b4b67202f47694485da752a34c3e51e6bb4495760
SHA512c07e3160bcc4c4a50979ca6852db582c3abe5bfcf9e1215fc7c3e08141cd4c9c7c18b3fdb270355135eb33fbbab505a03371bc26b2a6986ee4808716367de1cd
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
11.4MB
-
Filesize
10.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
72KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
1.2MB
-
Filesize
72KB