Analysis
-
max time kernel
149s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 18:50
General
-
Target
3fc4db3173d1b66e0491240f24ac5917ed077b77939498c60b2d0ef9b5249b7d.exe
-
Size
7.0MB
-
MD5
55e53232bd799cadbf2b33963cf621c6
-
SHA1
2b036582d4879b0bef521d195845f094f8e7654e
-
SHA256
3fc4db3173d1b66e0491240f24ac5917ed077b77939498c60b2d0ef9b5249b7d
-
SHA512
649d6303b2354e743db2dae1905309b92b0530f6f3ce8b45e18fb0a105617a0c152e33d4809a46fb26cf8d9e8e4328b0e76f5650926433d1f968ddb1338e745f
-
SSDEEP
196608:JFIh3NZ9An36ho/oWZbUluf2nGv8rYCZgCUxw6n:Jw9aKhrWOw2nGiYC6C+9n
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 18 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fc4db3173d1b66e0491240f24ac5917ed077b77939498c60b2d0ef9b5249b7d.exe"C:\Users\Admin\AppData\Local\Temp\3fc4db3173d1b66e0491240f24ac5917ed077b77939498c60b2d0ef9b5249b7d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O8L06.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\O8L06.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s9S53.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s9S53.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1e53T3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1e53T3.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007474001\39841cd4ef.exe"C:\Users\Admin\AppData\Local\Temp\1007474001\39841cd4ef.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff83c25cc40,0x7ff83c25cc4c,0x7ff83c25cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1732,i,3326309152747382557,2282363876781172089,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,3326309152747382557,2282363876781172089,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,3326309152747382557,2282363876781172089,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,3326309152747382557,2282363876781172089,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3296,i,3326309152747382557,2282363876781172089,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3388 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,3326309152747382557,2282363876781172089,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 13607⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007475001\66214fab35.exe"C:\Users\Admin\AppData\Local\Temp\1007475001\66214fab35.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007476001\16e2c157ce.exe"C:\Users\Admin\AppData\Local\Temp\1007476001\16e2c157ce.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007477001\6272160f08.exe"C:\Users\Admin\AppData\Local\Temp\1007477001\6272160f08.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2036 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c6854e1-fcf6-41c3-886c-3be73a237e6a} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7c23f3c-5776-42dc-a638-397aa1bae148} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3292 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81798543-2931-4f5e-84e7-ff8632ffdc35} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4256 -childID 2 -isForBrowser -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {919d4edf-1fd3-49f7-8e7d-5a08f69292e9} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4800 -prefMapHandle 4784 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0945239-c38d-4bc4-a7c0-eca17310c8d1} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5176 -childID 3 -isForBrowser -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b13b422-b4ae-4e03-bcca-01b9b8ea1be5} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5368 -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b82af884-cd2d-44ae-a638-4f6e7ab2b62b} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5588 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c87ce9ee-c582-4e9d-a90c-6a4b60df7eb8} 3640 "\\.\pipe\gecko-crash-server-pipe.3640" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007478001\3cec43cf8b.exe"C:\Users\Admin\AppData\Local\Temp\1007478001\3cec43cf8b.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Q9502.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Q9502.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w83a.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w83a.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C220K.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4C220K.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 2321⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
18KB
MD552a9708b4021be4a1cf7b8b57dd0be82
SHA1b3b9ce3824106899d05762f6862bf5f8bf94bbcf
SHA25667e0da8e21732dec61964a05677c4720ff7eafb2c9aebb8f71aa8adc96fce08c
SHA512404fe45d02fbcba93f4f58f3a094fbf43ab18a33ced643e2d852e22789857b74927b69848f0b7d66659b66fb74e0905520b21f6e85cf70a94f8367ee06fcb55d
-
Filesize
13KB
MD53d34241ec2c9043c7fc187ccc9c4973f
SHA1ebc59061e34003b20851e941b50175686e51747d
SHA2562432e1f0983372ec272ebe8baffcf51dd7096a9d30abd8a3d0989b507cc931d2
SHA512eb9cc4dd8b2b01eb5f692e77c5321b3f881fdc04f6deda1f52884305fbddb83e8a0ddf40bd5e5c48cc490be898d7b7b817d759214d924445dff7b78ba749ba2a
-
Filesize
4.2MB
MD51b352e12943c9b113607e78cdf7f1e88
SHA12978dd75e9ad8aa608d41f430e2391ac94661cfe
SHA256e14efbaf799412719eebbbad024b9fe3fae5aa665e7b885cbc05466ee04f4c07
SHA5125265e205a86ac37348a7b09fef6b92355da07e9aa01ebd973f482eac0546b82350ae86cba6f629dec1b454b26c72df6256d1cf69fb1b0ab01930f734b575aa98
-
Filesize
1.7MB
MD5888242c19537f0f114634d771ce4a9cd
SHA1e0e86e160c2c465c3c49b31cdfbbb67ecd5a9366
SHA2560ddd13cd233f81153d8d558297ba09317867797db7d87e7758a51e4131e587d6
SHA51208d552edae0404a8d25af25ac86cdce98d6e59a32d99fae4e0be5b8085e838aced0c1bd464fc5f6f4c41dc0c5160452d35760ebf0bf702eefcb0c6b7b5560199
-
Filesize
1.7MB
MD5e218c3b8301592ed017608e81df8c33f
SHA11c953abe9acf0e759116d61c32d14c2b70cd65fd
SHA256d5bf9e1a3af167866dd104e9aaa4db76b172101abd31a893adf503032ebd80b9
SHA512173646bf3063c6185527e3acf2ad78d0fde734101226cb50004b943d6417a5d842fd381bacf78021ae7dbf8fe1537a1ed8edfc07cd82d5a2da778807b56d3891
-
Filesize
900KB
MD5c202b9fb5ed13afd406eb71e5cdc8570
SHA124620f327145a676c230e8b7a7096f9736f353c4
SHA25664fe0184720def98b06de5cdb4289dbe9357670a973028de21645ada7934e52e
SHA512c6d9e48c16d6b505c06cae84e83bbd9ca185a67dbddacda19de38ff4e0db5d00b8f18e7876050a45255ec4feb1d9558c221204d26cd4d04e837584f0687be4f0
-
Filesize
2.7MB
MD5b1428cca95bff0b76ab62397d02df9e3
SHA1a5b0ead9e190ce4f64c8ab23ecc412ef8dd7a52b
SHA256329ec550d7912b296ae2936bb392f56d16ac2dcde22a9101a1332e119a164c99
SHA51234b3391f0a24e42c908f2497031096ad7174f2d9e54d155b128bc1fff2922d2fb1f0688393a4a59f3087186eea19f8dc5576e9bc1e8c001ecc3eb888b805b0e5
-
Filesize
2.6MB
MD5233f648404abf3a913b830957f8bd1d5
SHA17dd39c8b950694bb87303aae1fc9e778b525a7e4
SHA256e6524526950e9fca8f5a7d001a678ca62cca94ff03491e8d45d58df263d6381a
SHA512dc9170603b2f4190496883ec7769c5dc6f1520ebe7be6b2f9b790047a6c92589a71d914887e7f2101807ab7ed1d3fb021ffe339f0e6ec38542df88c22d25b7b5
-
Filesize
5.5MB
MD5ec2d29d5856f41d23b08ac062b98ca3b
SHA1f8a0c289ff60478c0c272a5919268c1525c6e874
SHA2568d38244ff1a0f7fcd527e4f5dcbb996a14c350b8942623c2d494d757fe8ddcdc
SHA512aca94d483aa82d4e46409bd6e28a1a29edd8255dd31c2ba1d0af5f80a78d5dbe59e6864f45020853c3794008ad43685a84160c7c3d9d3aec9d05e10ee5032a9e
-
Filesize
1.7MB
MD58427e384ea4951ee4a5f0b425fa5ad02
SHA108f6dd97b593d0bc86339e1a1b7dd405f7798d4e
SHA2561498a63ecb4dab164c1b8287ea274408379e317874d7d05f41bc6209060326ba
SHA512b62cea071d32ce26c8542fd718ccba61995a7807d73281c7ec066858052d3f7d3539baabafa5e2b0df42c1976f61fece4a7259c92282a3494f7a406c727eaf52
-
Filesize
3.7MB
MD55d9f1f3d4d9f608cf4b976a6627e3cec
SHA150bfb5c9eb906becdfe4da87e18f9ab75273bcda
SHA25689df9d2bf9d4e04061e8f57491da4b20bae73df6a7d637188195fc6291013b88
SHA5122ed0d082edab8bf4d567359f3041ec59f1e7ea40ce111039d90a0734d0509ffed5927a49e2502738b2a88ca52270fdf6934d15898302d35881c2b3d32f36dc10
-
Filesize
1.8MB
MD573897c497394d9f83b016e6377594c5d
SHA10243a0aa886487a7e9911aaf1ed5ddb28d983b71
SHA2568ef6cd5928d602f0011ba38eaada3c2a5a8e26930c9064400f81e7e182bc7aaa
SHA512e809ebb44765c671c703a61bb28e20f0383c8405a543b94ad88778e5c14682d57c5ffe866e690032b3b85cc500c4270be8452c5ac4a7b8ecca90440b9d4a736e
-
Filesize
1.8MB
MD5f6df237f8dc7d584d8836042966a0943
SHA18749f7bd027e624de82cfff581962b2eeb6a7dfb
SHA256e0ba78bf9b945f75349fd5a76290b9b8ff746abd24f15896a277676261499f55
SHA512a01d4fe202be936549f6a1d465234164a0e315c4725efa85569ce957782ccc904e833db3b2015b173288bfa353b155d649dcff1f2e371e8d010fc197d138f629
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
10KB
MD50fe1623fc042b3ba0b7965f20305cb8d
SHA1e2da3ed724d43e8f9e7202c645202e4ca1627f50
SHA25630a719492b0199d343a4e51bf4eeccdb3cbde53fd1eed4b2943dd03ba6ff6bb0
SHA512196f381a2323bf4ff26766128a02bd64d12f3bc55255932b62c54da880761382c5d7504c731f3713b31268d7f525bb4090f71e1fc6642c65bee2d679431b4d00
-
Filesize
22KB
MD59f5f64e197efc54fe88f9d7a1fffc72b
SHA1e890136bcc64e79bb6068691e0a5cdfd62c1b840
SHA2565140a0ac8b020216550ea9fd9a82ea4c96d7656c19314cf7a410d6b12b381c8f
SHA512846d0567af2f31fce036144121bc0524a3812008350258bdf6dd0e6ff190b37bb3e50266ff4deea339351fa165bd8c1c15d8329955219acf00fcbae74eec3976
-
Filesize
15KB
MD5ae77618aaec0f133a81e8bb19e0ea4b5
SHA1cac10df20418af1d4763beafa0d18d0de7444437
SHA25637477e82abe1e89d0122c4dea4d422fbfb5a001b76420c91b73c89720b46f5d8
SHA5121301c4bbf0432d7b08ffbae6c8c813d46cc3c09418c989b2f4350044e885d54efc379b706494a2cc2f7041191817e8dd8b31068b42474416a07859d17f9395b4
-
Filesize
5KB
MD5c7e4a7cdaff4bc5f6226e57dc1cdd5c9
SHA14f606966cc7efe32d88e171493b0b5a87c1e8768
SHA2569e1b9bc161648798344353e261f37d920ae97b52bb2011684a6a5ac124a5a7f5
SHA5126f83c5af468dde7495b291d999a3f482f2454ed3fc52554d95d8946602fe52104064689b2b4ceddb3a373a5e57a46ea21b1f3397a50d71ffbd94f50ae3db50d3
-
Filesize
15KB
MD5f4c807059ed4cfc99be1f614dcfe4a5d
SHA12c07256ebf1dbe1132bc269014c47464291e4893
SHA2569f0072a0f53fe665c7b0bb308464f3fee9301e3bbf042d6b4f7821addd496f68
SHA512a4f591749c5d4cfd4722f702939f3336226e499eeab8ebf38daa989c60c67839cc2b01404a2f4145e90b87327f39321f19f9a68a187cbf076bf46b7c6b4029d5
-
Filesize
5KB
MD571a0031e2079cdebf4180be945f55a5f
SHA1271de1d4dcfccb0108bfe77512e5b38131960e99
SHA256f1d833b1a86d1eda1966b8af45389632bfa46d36ec9cc8fb36c0141575d1c5ea
SHA51230c65d5d638b47abb35984d54ba34d6cfc565c9ab53a65c8b07be58361bc2939e8ba0466185a2d170d215e64157d954c5384bb9414d3310c3763ba662c93aa23
-
Filesize
5KB
MD5eba264ada6925cd1361e2c218c93605d
SHA14f8e6405088ea68dc757531345ac8d4839d915f1
SHA2561b31113380c9fdda68d655b35793fe9892790c551e60946df2e600e5f578ee2f
SHA512d291935d60e2cccc8859fa922afdf6d97369356978a99f113b14f95fc0d9686bd00415502154870db44440e960e0f6bb8db4376d0f27291c8eebd57f14329415
-
Filesize
6KB
MD5c646e45ef83f6b9263f95b8396de4786
SHA13a4d0f40be4e734ebf923eab34653f8579c2bf18
SHA2569f9805c70fa71e3fff33a9b5b3881d1b62a049bebfcb191c55e1bc0cc47cea0d
SHA512858dd769673f0e9b46037dfa407e1d31235de415c4cd2e8a265a36bf0c0df2f6a47b43c2436a5ebcca0224cbd5cf8a005fb5870e5daaadfd640458c31b06f30a
-
Filesize
25KB
MD5b510b379f2d84a160ee79503a5fb6f41
SHA1b91a12dd99867cfa045229c518233d1163096445
SHA2563d346d0decf2f8d2e1739c2d02df2a9ae93aa20b5e384194966eed281a40d173
SHA512e563d31e0eac31668d6929873767d4b1a3263a6a62d4c5435b568cbcc3fddbcab393e0cd8f13a2229023284ac8ea2e2d103a07bf12225f63d2e96ca337e1e819
-
Filesize
671B
MD51fb909c42dd500b7b8bc89c2826443f3
SHA18fb3cfe68c5206a908fc72c9a164e227e7c14d7b
SHA256c58a9bdfd82f18051d714559895d9337711c65810464ebfcaeec45ad8522d560
SHA5128c389b1334adce59c8e2650448817ab78350e6e4e28d82377357d49de26f220c5c593f721bb13c85a06a8eca25d31f0c61ff108cda2d775b43c2b1276e194a87
-
Filesize
982B
MD584eb7ac9d682ed737e58e99aa3b9754b
SHA1be880c93f2cec39badf35ff95c814fa038b6a88b
SHA25628cb67c549128b90e36b6f5ff09cdbc0a3e34e92ea4aae3194673722264a80a4
SHA512223c2578f1f0ffb1b048367d4f75ffb5e529788b8958d1f5cc626531bd6386efeafd3e12328ea8736be072b6aef9f9a086b30e65cdd850a8e43fd04fbaefa76e
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD545b850b7b7216331beb97e78ba1501e3
SHA1d77e2121b8600c7616a7e6c4958f726fa352ba7b
SHA2561ba765b0edd4a1c8c0be622ddf57ed09c78fe51b566d9dc51d54b53795743891
SHA512015734c2c83f07f2e1ab1c64de72ae4d379a5a340b68e460793521ef594ccfae8be4a01f1ee1ba8115f9846a2b11b61356b0c0e344a8713eef877582a9b8645f
-
Filesize
15KB
MD505f2276214735f19842438711b133ab7
SHA147844df19a517a9d9fc6af18b22950c1b1fa27d0
SHA25628576ea19c2765e1292b45a8a5b1b107e202cc0d07050eeb9d763236493e2777
SHA512e958d9e2a5455ed3a1435597d9d1442ade420a4344db590b6ad3437aad39f9dda157c9bb836ce22d13553f0004432aedff9c25e14f27080bc5dcc62810593ff4
-
Filesize
10KB
MD5e2f47c27d066c789a9a528df38c9e6e7
SHA1aa7cf5b160bfa808d2e280272003e9383e896a80
SHA25618cc016d12a3236b0d40140c1b366324031625c6202b2427856aa7513cad25bf
SHA512dade478669ee9162fa9a3112d77658284c2dda2fdbc4bf9b924ee3782d94bc9a67110d67be73919a9825c19c49bdfeff25b6c98803c2fb0b4b772619c90e4604
-
Filesize
10KB
MD510de392ee3c9164ef3fe8f394baf516a
SHA1f5b2dcc3a44fdbd3a68fa7b64277be583e12534a
SHA25648ae67c42cb24a2404e438e71ceeeba894ed315af2d9d229d32ddc582002ea18
SHA5125c388a73af421336e77156a8cb5c543b3bb0ebe9e97f9b2762e18a6c7d2ebe875a33cfb524085b3e5ef1e211af7496a2df4e05e8622ef4081acae34bd7c9b736
-
Filesize
15KB
MD5fb7eeb89bae89c3688ef0e7464d52147
SHA166c150ab3c80898cb7e928819bf72b3ac4503148
SHA2569045c0eb49e17739e07bad29913ea42e63994308d595152ed33ae5653766a9f0
SHA5128ebf5d25424033444e483daa4795c6a4e0e870261517a6eafa88ab588cc477d559795df84bcf32dbc142bcd1de3f6fe330f77e0b39cd31571fa0f1f23c6c12f3
-
Filesize
568KB
MD53e5069ea06247fbdc8b6187f22f39e05
SHA18ec098a286c1f41691c4e62d25e0322e322aafa7
SHA25685417400c2c4f41b545051a06844d9ec28285e65ec379121a47d77efa2ab25c9
SHA51236fe1219034247a3d20c64e4b7b22337aa06397bb3ace215765abdfe3f8aa4f1179aadfa7edf5a4162b9040b2dc6eebefb2926386a2643c7a20f9e56d1f018bd
-
Filesize
936KB
MD591326026eb5ebce73d11060b49b72557
SHA1360cfe7815f888d4835a7c3012bf2c3b7bfe8b53
SHA256fc986b12ef4d76b4d9e674e59b5de4d7de6ef816cbe7e5df97e21a45af939a40
SHA512d07a7dea89e03df3ac68f2841bdc9ba207f8cdf6f50e20ebf43151a9988f0fbca37ce2103fa4a2206789d10c0a6f48c48eb9d901c1e04b8d7470f9151817db43
-
Filesize
2.4MB
MD5831e72eaf8079a86c5e560adb3929010
SHA16ad7491d684d294034ac311134eb8410c86e18d8
SHA256def1a2108550272c9a34ef9d833bd03ac035c5ac3759ba6976a18401b8256669
SHA512486f793619e0539949b160256bf3ecb544d59ca4dd4cc38bc4cd70a0c7d4595b3d3593169fb1ce2a679e9dca14cb17ed74a18b08064b04e9d46333464e66feee
-
Filesize
9.4MB
MD5317e4748221a41bc1e3e90014c53dee8
SHA1dcbbfb6be077eb5ef1fda80f60321e1cbb8a9d12
SHA256507d8625cce7f1f91f197fc3e63cc82a970a647591f0ce79dcb749a1afb27409
SHA51248d16abbee05c8e9ad346db2e8987edcc07537b93d2d7961c63303f30deb484e16d5e989c75e5a77d306271738e1f99f77f5f8795082c973c7de215cbd466283
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
72KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.8MB
-
Filesize
72KB