Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-11-2024 19:41
General
-
Target
76e3697e31b7ec091c2fef6333947d82ef4bc5d6b2a604bc8ad43c195088fa3c.exe
-
Size
7.1MB
-
MD5
a07fc46d5686603c8f6f7e53d12c0e98
-
SHA1
ffa443a16d7a222d699234a852bb2273e6eb1603
-
SHA256
76e3697e31b7ec091c2fef6333947d82ef4bc5d6b2a604bc8ad43c195088fa3c
-
SHA512
38e196b2d6d2fd7493801eae48ea655c2f985099565362c6f7d9461417933f2e73f536fb56e172af5bb8f31cb77b57de4270bda47718411aa4156781a30e4692
-
SSDEEP
196608:QVqnibfTqbK3HbN/uis0NJVLcYDPjYkzcbWLg6p4p21dJN9:JOfWj0XTDP8kzcbWqp21dB
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\76e3697e31b7ec091c2fef6333947d82ef4bc5d6b2a604bc8ad43c195088fa3c.exe"C:\Users\Admin\AppData\Local\Temp\76e3697e31b7ec091c2fef6333947d82ef4bc5d6b2a604bc8ad43c195088fa3c.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b8H64.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b8H64.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\O5x32.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\O5x32.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1S35d8.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1S35d8.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007483001\724b98159a.exe"C:\Users\Admin\AppData\Local\Temp\1007483001\724b98159a.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007484001\06eb101e2b.exe"C:\Users\Admin\AppData\Local\Temp\1007484001\06eb101e2b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007485001\2389b2c757.exe"C:\Users\Admin\AppData\Local\Temp\1007485001\2389b2c757.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9f69b71-0e5c-448e-9588-a3fb5b5f53e8} 628 "\\.\pipe\gecko-crash-server-pipe.628" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2500 -prefMapHandle 2496 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb0b86ab-cc00-41cd-9f92-1977b686cfb3} 628 "\\.\pipe\gecko-crash-server-pipe.628" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3076 -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 3104 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6d332d8-0c79-450c-8879-448b9deb443d} 628 "\\.\pipe\gecko-crash-server-pipe.628" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4100 -childID 2 -isForBrowser -prefsHandle 4092 -prefMapHandle 4088 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {477db91b-a7f8-4aac-9ce3-884e1125da43} 628 "\\.\pipe\gecko-crash-server-pipe.628" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4788 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4560 -prefMapHandle 4764 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {135f2e25-0ac5-4ed5-bd66-1650d4a1ad45} 628 "\\.\pipe\gecko-crash-server-pipe.628" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4436 -childID 3 -isForBrowser -prefsHandle 4224 -prefMapHandle 5456 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90576dc6-ed07-4b90-bdae-30be2fc585c4} 628 "\\.\pipe\gecko-crash-server-pipe.628" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {867d807a-ca91-4adc-96b1-6141f82fca97} 628 "\\.\pipe\gecko-crash-server-pipe.628" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 5 -isForBrowser -prefsHandle 5832 -prefMapHandle 5836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c27f01de-514e-432d-b2fe-9a0c55af020c} 628 "\\.\pipe\gecko-crash-server-pipe.628" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007486001\ef043eb60b.exe"C:\Users\Admin\AppData\Local\Temp\1007486001\ef043eb60b.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1007487001\d70c50f36d.exe"C:\Users\Admin\AppData\Local\Temp\1007487001\d70c50f36d.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb3e76cc40,0x7ffb3e76cc4c,0x7ffb3e76cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,1753730340064801257,2293827068966688126,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,1753730340064801257,2293827068966688126,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,1753730340064801257,2293827068966688126,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3220,i,1753730340064801257,2293827068966688126,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3472,i,1753730340064801257,2293827068966688126,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3484 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4320,i,1753730340064801257,2293827068966688126,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 19407⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2s9923.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2s9923.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w29v.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3w29v.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4O510S.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4O510S.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2412 -ip 24121⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
18KB
MD5505cc8d4eeb20d83be02137fd688e3ec
SHA15b0aaa31908f057f7d6fe45bc237ee7153861829
SHA25646e118bc4b563744eebd98bb9eace48c0c35f471e4bf8f73dab90d60a88703ee
SHA512b5bc849c397786f45032118b7fd81315859e26bfa4cdfcdd2f6654a4aad0680c5051bab71d8d3f3092b46864bcc53a4dd15907ae23b88f3504dcfc7608e1f549
-
Filesize
13KB
MD5aaab0f418fa62197cbff920cc21e1cae
SHA18428bc016bd0a654a577bbda0eb22f7f8dda9e97
SHA2563f8046f7f9cd9543df67b4f8706ea063e4d6041f15cfb42a8688402b70d67098
SHA51209c6803d0d508661c745ba81999e70f38fc320d39a3bd8e3a54e401414d2c1903efa8157db61377a9554bf51e3d3e67dd440ada6231b5c4980d10424be38444c
-
Filesize
901KB
MD5442e1bd5029d8a8ae5cf4ce12fc0169f
SHA1d80bb4ffcf8f4b99cb283ca0bdd2162d683b6713
SHA25684b64f4ec53292e435366265296829e7c62157ca5b857bdf1706da3b4bdec42e
SHA51286dd5ea3a56eaca5ea63fcc2cb9988e55c7add01c1937f0eefed2543468891ac4458f79aafce797e159f6b86ece5a5434ce3a2a53cc97823b96c98e6d8bf5ff2
-
Filesize
4.2MB
MD51b352e12943c9b113607e78cdf7f1e88
SHA12978dd75e9ad8aa608d41f430e2391ac94661cfe
SHA256e14efbaf799412719eebbbad024b9fe3fae5aa665e7b885cbc05466ee04f4c07
SHA5125265e205a86ac37348a7b09fef6b92355da07e9aa01ebd973f482eac0546b82350ae86cba6f629dec1b454b26c72df6256d1cf69fb1b0ab01930f734b575aa98
-
Filesize
2.7MB
MD556c46875035c77ec87779905e74ca141
SHA15e094c6364c6e850304f55bd1fb199bdfd423adf
SHA25601ed32593b780544599ccdac3eb728d9839e509a83d93a8c84fd9da0c111560a
SHA5124f08eaca10d9ffcbe24c2a63436d3bdb1d76a513cad4bbb57ae7b4980efc6ed3b4c1abf0ffc76da235725776b3ee0c134281a350c721a586912511d9b9d763e1
-
Filesize
5.5MB
MD5775f53d649aacaf8d18f41c73ff0f687
SHA1ba0cc5fca6e1716a9d5eb98b8acde9f478de051a
SHA256ef0bebeb7696c0ccc48668912afd5a4eca737caa73389849682e14c807a7f3a5
SHA51247d4b8aaaff196af732a86d8c2c19133580c6c6a6785237ae32a42ac150c397558c401db7461cd226c1cf0fdd83c70ca4ddbb267d33718410408c71f47254b19
-
Filesize
1.7MB
MD538a9ecc0994ecbddb16d6fb2d4a3e911
SHA1d4bd9f9c0b4dc11f8c4a2f5209ad4795fa4056d5
SHA25624f92db69d14575388d39cfbb065ff06b14fedc28fc9e1fedad851672ac6111f
SHA5123f9f7459007bb5af43c2dc11cf2d2b055572bb0b5dcd34d345eebe490a5a574d3d6fd76e822f308c1d7fa0766d29b5daa44b8ff9f622812497b55ce5948fcf0c
-
Filesize
3.7MB
MD5b0b71a42ebc79031ce898e8351f7d860
SHA1e50694a0fd7ae8e6914f1fa0247506c835c9634b
SHA25695ed79041ced897c065622434aa0a0338ba8987ef7bc0d42fc0053c509d67aca
SHA512e7213ab8aa0acaae20595404e52b29cd62ac901f3793b048f86c4f6af7afc60b05886806ec214dd88acc50c3040166e8dc6c3b916e811807cb6789510eaab5db
-
Filesize
1.8MB
MD53c271702f5eebc60e590f6803d8d2238
SHA1488b5450a017ab4f78d50a1c5adb1c5b54643458
SHA256ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9
SHA512de4dff6c44ebee7a5b3bc8060a39167343cc9e5fb7d6555ff72289c6ca7c9daf25bd8e19378430509329d20035f01f9d0d9a14b22e7d756621393b53233da935
-
Filesize
1.7MB
MD5888242c19537f0f114634d771ce4a9cd
SHA1e0e86e160c2c465c3c49b31cdfbbb67ecd5a9366
SHA2560ddd13cd233f81153d8d558297ba09317867797db7d87e7758a51e4131e587d6
SHA51208d552edae0404a8d25af25ac86cdce98d6e59a32d99fae4e0be5b8085e838aced0c1bd464fc5f6f4c41dc0c5160452d35760ebf0bf702eefcb0c6b7b5560199
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD5f3ae7d07d8988bac07891fa0bc437061
SHA1f98f335d88f7f3d54253b093bf50e390d3983c21
SHA2562613c1a109511e50e769cfa900dc19e95aae53b3979eaa3263c54b87719763a3
SHA512a52975f0cf7d62717e64625025be55382e7c35f166e4c15782056f4ede879a23a3bb08408f169816e2710430f3ba9c7a36b9a3fab66daeb7df6fd8578f3acde8
-
Filesize
8KB
MD5336edbb78133ab4f3f12bb2d1dbbb8e3
SHA172473096530dc215c9a6389740c4bb8b8fd04a49
SHA256a526ae0b4edd01e7089f64b8a88a70ec461e1aa46a7014e6b6861210d0d97184
SHA5124adba44880df64e11b5b3b2fd5a36ab97f6c87a2eca9ec15e16d0db835dadedd66ed2f600e1f170ae73d8b23aada870c8d64d19b427ddaca0afa3df8b971a0e8
-
Filesize
15KB
MD568b6eaffdb5f121385a41a7edb446b47
SHA1adb7b07a116f3fb8f405a2d7041a08fa972b9744
SHA2562f141150fe299f3ab0e2d706e9f90b34525c781879adf6a3ac4e7a2e32b82d05
SHA512ca692def9a1dd0b132e140e023f7a5292bf0c935a1c55c0a2828ce58e52942e2a55b659ffae7a69cb835406c2d8defd23b7524d38ff6107dc120c997a70ae6a0
-
Filesize
23KB
MD5c41d254b96288696f0e5c70bb8faf04f
SHA1ee84af3690b85f6485c70d9bc4f5120b43f6d84b
SHA256014e4218d1a5590bf02015cc11057d98e38f730ecc388fe32700fd7510163661
SHA512b442ff7211c5df0cc22d17cfbdd7f622c5ea76c89955018ecf411c3b0ba4c7fcfa5070b4407c01e2b0b35fe0d85085ef9cab5984584aaedf5be6d56e52ef2a8c
-
Filesize
15KB
MD500e7c9bdb5544dec99937b2f34c0b00d
SHA1a26fd7981cdfcd44480f420e0e71242c64514834
SHA256bea64ca5a1fdc0d01ecedfcad4f7db3038a12b7266d65593c978904eb9468850
SHA512bb133dbab061bd3ca10dc01d18f095b60eeb6b3d5f9bf7ee410959f44716c8d8f1eab080cdb79bbaafab7432f59536737804bbfa77576cd4a2c78249082594e9
-
Filesize
15KB
MD56cbda74b993a75eb5cd314c3917bbf6e
SHA1352a2f7a87a31b15438d7ea9cb609b7ee2c0cb84
SHA256b1ae333180cb218bfac6fad7c7679679eddf09e1c794d8d92f519d5ff42e256c
SHA512734be0583ac6eb616d91f794f7387766d1ec36c4aa981fa406b5d64053516a70e6ffe572c15d3451e4c14c3cc6a180897763f79f26e5ddc04af55dd60c7b8f77
-
Filesize
15KB
MD5e0a938187f9d9239c8a1aa63712d4854
SHA19e66dcd7412ae7e6ee3bcd08740151847dbe6400
SHA2564201219272a14e313f27c9dd7eddc65b77428a8ca4f7e91ad859bea596e1b665
SHA512998bf53d9bdcb7a8ad21fcc0f067bf1913f1b105bff91771e5436252b3ffedf33553b8cf72f52166738315f5b77601e8b1ba911b9e16579be9b3829dd27e9dcd
-
Filesize
6KB
MD55be2ff9411ca52ccb83fdd8ec19769ab
SHA1b94bde9654ae62d54f1c2395de380632072aa9e5
SHA256f646bc681fa53cc293de8c88e5a086746073d3fe6fc274f4f4fa1bfb4ad5509a
SHA5124db9ce55f9e55b4f776a5cbfa5d3d77f021cd94f329783ea23004cd69a3fd1f03e99e683e750d71ae3fd3b892a96a30cbde9e946e6b3956748a0da6c685d7366
-
Filesize
6KB
MD59ef1419a34f6293ec996e3ee65c3376b
SHA1aee6a3012841f8690d9c295d4b8bb041d05a99f7
SHA256d0c2c8bf105e303428ff99bcf59091e6c856135875ad9d243f81b7b17333dc3b
SHA512d75281e53debc15d082fb448f6f6636bb18718a6371fca0f0a335e9da032b6db4af7e8a95bb99c3283962daff09fb31cfeb033d222ef776bebc50a358a7a8bf1
-
Filesize
6KB
MD5ac80eb244a5a7dd00ceafe38a8069df5
SHA1f13eac07547124c1c32bbc36908b13d1885eb6f1
SHA2565198a26d1fe9d875e79662139c73783af700a6bb132da0dbcee1b8423e11211c
SHA51275a3b2dc693fda7ba63f91440011799387e99f3976a53c992ba38d2e969af8628fb4746d4ec62613504edec1849363cbb54c1f96904caad71907dffbcd3c0449
-
Filesize
26KB
MD5754fa4ecc5a146341c9a180b2c0017a1
SHA1b998bd460056a29c92ba40aef6e95f23e735feaf
SHA2569a55087311a545912e0fd15ad67006f7ad2b84cf9ca8d16a96903c1d51f277e0
SHA512bdac51f997dc86b75ab167ebe7c4b6fb4d416e8d5f27016b1a2934d748d0aa3b130130aab4656129fbe209db857101db5943348a736ef0e816307a3ef6441884
-
Filesize
671B
MD539945bc514489f1a1c358702a934659b
SHA1c4543a56e01c37fee388e99b3d0fbba20f5bc22b
SHA256dd9d8552a11c365217d04f1d1c4e2cb5af0ffe445be31bb2126edf0bd881409f
SHA512224311aab65894810ae2397674415018bad4462b5c238b90d994cff6b656fda67c65552f5512afa8cb21ee75d884f331f6b9fc101512b474c0d351d6ead0c98e
-
Filesize
982B
MD5683e5a452d07724a7a552d1e89e9e2d7
SHA12941dfadfb0df41010ab1ba9e0098361f014e01c
SHA256ecf5f030bd6e978dd6256c76445a435fe9e6df996b4a6c6cbc0005a1fdba2d00
SHA512f2f9bd5f245c1c48af10ee946c7abf674c096c2429ef528fa12f21733202653b0173a6d6502cb75b45c01243709f693812298c3a774c0ee14ebca9139caec7e6
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD508fd238cd1064c5cd17313097b246f9c
SHA16af9caaf4d780d8e01b687159b638feb3ed14cf9
SHA256814ab00cc796e38f0e66f4c7282bb8c1515d2f819e3af6afc7bd32c31a120fab
SHA51292edd6a778c2228813a7ed86cd6482fc7e3027e5008baf2d801677b7dee2ea2edec063d4fc8b1bc683441754f738b4205abd42507523320300fe22ba3545cc55
-
Filesize
10KB
MD5ae3826e21bce55071088170e797e0602
SHA1e03cc8e3e320bcd759a8145a1e9b34035f82433c
SHA25653c708c387e3e1551333bc7ad4066683a97f14fdfdf1e7b3685962122b2ce8bc
SHA5128a4cdb6fadd977bb799c39bff3ff6a5d3af1458c3941d20069192bcbdd76f4bfc2b32ec099e06b13cc88def0266082db804b5f154f702007e41c36789e12e440
-
Filesize
12KB
MD51fbb2c9914800f408cdb98f8c4a73943
SHA14c50c6f0ff1ab335e7e0bf0bfdad974b55f4e309
SHA2566c86995786e09f8b5ccc9beb67e83ba517807ee2d48151446dbd101e53ff598e
SHA5124d9c0ed81a72bd3ab4943520c948d411a4a551c939a5c46ed8590dac868064f5a568f08bb2b0bac6fc0d15ebb8fedfba7aadadc28a0af0527624b6f13b4ad268
-
Filesize
10KB
MD56111602cf218d11f06965fb08ab1c6f6
SHA11015dda8541271242ffeda8128343160ab149ce2
SHA2563420607dcac11c32d672e2881370ada2f8beadd4ceb0cce5958a1122a5638c6f
SHA512f9922b3b0d87dc6a81acbc3a629e479791d15b773b26ced5e74d58f0b9290bc08532c4645f1eca2d6f401084d68bd055edde2659c7e3ae9d00f30851fed18501
-
Filesize
10KB
MD5d18a4bd0490dc40edf15a6c6d8f67d4e
SHA1d1f69be5bd667e56fa3807f7e02905afa1093a86
SHA2563545a9120b0a48f2552afc4985eea19f7580cb88e2eb958e5bf468e05d6bd7ab
SHA5125bf53d77b84dbadd852efdec883a314c210feb9367ef282b23e8d535308fc036a01cd6d3833901ba910a55f3cb84996eee346e6d8c6b14ceb8e23f091125934a
-
Filesize
2.9MB
MD5c5244a8c2a31dd4828e148280eef8b3b
SHA10ac066af0a9832ae2ac3f01625d19293539835c7
SHA2567bc2328cbe46e0fff46c657d40d0bd0f29bee6758d85122580efd08b1b32a924
SHA51287f31b1fd5be8c2bc72f453babcb17313016b47c51d1335bf0c122291dff11dd60eb6af78312d74541f76350dfdc67dd352c37beeddcca601d91a1cf7a0eff4b
-
Filesize
2.0MB
MD588df913bc4860289d12e73964e520c67
SHA151c8a4ed258052584670d1c4b01974ccdb5cb261
SHA2566ce78a639a12419f3a930fa5742430ff8a1899677681f77fd1eb40a3333db5b8
SHA51280daab23057b177425d0664f8d1416662a0e5fa077c303d6c5f09d105d8ba29b50c305f8bf1b3ef939c8d49feb030ec4ce5e08db19156d789d09c8643c0f8460
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
72KB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.8MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB