Analysis
-
max time kernel
146s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 00:35
General
-
Target
ce49f2085ca6e01511919aa57073260b3d0367014967ca0f378705ada6a877d4.exe
-
Size
7.0MB
-
MD5
5aa8039823a4649532de27a588ea0c40
-
SHA1
691ef9ea12fd2896f029ce0d915be4ffbc61fc22
-
SHA256
ce49f2085ca6e01511919aa57073260b3d0367014967ca0f378705ada6a877d4
-
SHA512
402b9008ec9954fb39729060c9acc272239257fa515aea9cf4007d017af32400e5d90a07805897cf8582dd97a0a567627a5a471774f547332268ef2ee3df0018
-
SSDEEP
196608:QQxCihyKvHuLKasogv03fUrCsvobBRJ8bdH3sjQUHTSx0:QQxCihxO0v03myDJux3yQUzSx0
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce49f2085ca6e01511919aa57073260b3d0367014967ca0f378705ada6a877d4.exe"C:\Users\Admin\AppData\Local\Temp\ce49f2085ca6e01511919aa57073260b3d0367014967ca0f378705ada6a877d4.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6e99.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6e99.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t1E40.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t1E40.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1A05a6.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1A05a6.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007528001\936ffb9604.exe"C:\Users\Admin\AppData\Local\Temp\1007528001\936ffb9604.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef7cecc40,0x7ffef7cecc4c,0x7ffef7cecc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,2340582890693211788,2514662958028409055,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1784 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,2340582890693211788,2514662958028409055,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2136 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,2340582890693211788,2514662958028409055,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2272 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,2340582890693211788,2514662958028409055,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3460,i,2340582890693211788,2514662958028409055,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3476 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4524,i,2340582890693211788,2514662958028409055,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4540 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 19447⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007537001\e543625d9c.exe"C:\Users\Admin\AppData\Local\Temp\1007537001\e543625d9c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007538001\f504dcad9c.exe"C:\Users\Admin\AppData\Local\Temp\1007538001\f504dcad9c.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007539001\bdc80d0621.exe"C:\Users\Admin\AppData\Local\Temp\1007539001\bdc80d0621.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2072 -parentBuildID 20240401114208 -prefsHandle 1996 -prefMapHandle 1988 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6a757f5-f8b3-4121-ae6b-f15972643625} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2496 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82151d68-cf23-423d-9257-b4c933655d12} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=912 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 2860 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d4103a5-34bb-4a77-a0a6-8a09e40998e6} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -childID 2 -isForBrowser -prefsHandle 3964 -prefMapHandle 3996 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8702b62-13b5-49ff-9332-f0de26a80585} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4508 -prefMapHandle 4540 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {700ead67-ed8c-4d6a-b87a-9bb0f10aba42} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5340 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {077a507d-9c75-4072-846a-d4167d8ee0af} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ecd7bae-962a-4d30-b2bf-0f54e2865cac} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 5 -isForBrowser -prefsHandle 5824 -prefMapHandle 5820 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1048 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66893b25-b2e3-40c1-9638-ac6df030afe5} 2436 "\\.\pipe\gecko-crash-server-pipe.2436" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007540001\585144a1ea.exe"C:\Users\Admin\AppData\Local\Temp\1007540001\585144a1ea.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2j3155.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2j3155.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3R80I.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3R80I.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e955b.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4e955b.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3684 -ip 36841⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD527fe9af5e2487477d0ec3afc991643f3
SHA1bc93e295eac224aa646194f71fba5dd0d59395d0
SHA256e7886326204fbb97314cda7736be6d8bd7b7bdcc47b801e48d13ca7fe0d86290
SHA5129b9b4dd5064d0a85ed3b060ba1a28235475832e7bc5d4c30962463bad2bcc6789bc9ad48c6806ebf956337fe4fb61e4ee637e810f530549eab5e3a2281a4f4e3
-
Filesize
13KB
MD54039b9509409e26ae9b1f3ad91b600fc
SHA10062a2b12d004d6cc09bbbe2f91697a2c089342c
SHA256fadc58fe2715a158ae90a38b92ea8b68c3d92dc62eb5bec2528617444429082f
SHA51274b678f44870c820fa03fd7e3a6479f5a135bb775120d135d730a81e38923cdc82eb30d2573bb86d57d383943ceed6fa6fe80d5742f58947421fc9bc367c5041
-
Filesize
4.1MB
MD5eeafcff9019f6db830551b94ded6ec31
SHA10177b0c665ce005f1a82cea394af45fcc798331e
SHA256b51c39f9a5b2176d0e3a06036460db52d19a94cb4827cf523c00a2e567fd586e
SHA512b37a82d84d1573d908cbbb57422bb4965329204f84452083bfdaa346feeca77db147eae51528d292c7ed477c3c97b0a88d48c23cde522208d200db768f6ecf55
-
Filesize
900KB
MD5b02583abf5640a7b340e3856d1d97b7a
SHA1aaa40e9fea46884fc01d20a2072d915e0ba413cb
SHA2564ade4fbaba2bb171fe05f150f8376c3daa7d7c79e0ecebcaa0a15aaeb1d31632
SHA5126621203ffa697fabe3e986f033e6da5534d233557d709f9529d485636e0cb4254da760cbb72562523526195f4e4ba6042acfce842a0fea338efe14943b02bf4c
-
Filesize
2.6MB
MD5a0b198a5fd53cfff7e90ad121b4c40a7
SHA191ffbf7e61f3fe5b8fea9edc95c0a07eac19d842
SHA25654fba3007a5aa7435b178f3ed61e22f3643c9fdd49cb845290ff15be84dc58b3
SHA512da04642e10465d16a44ba12d4262804bbf4a7ac40591cadcc550c7d6008c6acaeb6a5ef5646bd0dfdbb071ce66929bd1d6cb65be8df2a538740e8ca196e7297c
-
Filesize
5.5MB
MD5de35fdd810dcca66025a7cf610dadbc4
SHA127f5b031954c821929107c492b59947484225556
SHA256197df9aae5d05ce40a3cf1c4492d11ac89b9a84085b61a20cd5f037d147ce232
SHA51212f2e654d1f93e1f2a417861ec8e1912b371cef3d622f8c5d5c367e298b5b9c74715bd96f88e7993d3ca6c8f0423f61b809755b7b5d55b705e8550de2ae33689
-
Filesize
1.7MB
MD5ed06943d9d911219cd6f78939799044b
SHA150aa51c40a252a5ba8a387413c469fb110ca13be
SHA2563f6b3352787de33b73d5248a1a21575fb674094cd80082665ec9a3894d312aaf
SHA5122f05d1b8328bf6178dffaa6941106496e1dfd53a8ad793ac236d3aa98f5332c5cc4250552a10f566af563e072bb0e7506007f6aac26bf44bbfab963269500ce2
-
Filesize
3.7MB
MD52323bb30459e787a1e7338e0f07830ff
SHA1bdd2801171646abe74b63e883e6d395ef5cff4f5
SHA256d9b6d81b2a29a55e96d65085827753e4690bf3aa6bf3a2c9732f78bba51b7dce
SHA5125fba0d5fd5b939a198afef040b3d4c23eecca63a7d1365cb2cdc6c3ab6e9badef24acc96d3c2380d5738792aa3a7b3794317909ef8595fe5fae70613d3ac58c7
-
Filesize
1.8MB
MD568c848d7232e6525935d7e337f37d624
SHA16cef0f74d1fbb478d975eaf516a881c3fd833b15
SHA2566a2a807045211bc2015ebcb5c40940f3111084d1a97b8d12560ee4f140825cc3
SHA5121aac64871ab488cbf1ca2c17c591fb9780291435a7464a956e19d9bf78a58d3800b7955a8fc7d9c7a2efd7f83e2bd65d05bf0ecfcbdce9c1e0bbb847eac79310
-
Filesize
1.8MB
MD5de0479866482075eead948de5ed353ef
SHA1817c54ba06830e3fa579bb53b21d95ce2af37e80
SHA256508dc6038db822c21cce37bc9aac1694637abe532b5edf89942a829074639e0d
SHA5129bd2cf13a30cdc2836fa82ec056db9ca0c9f94ce7e1d0446d0a72e1d3b985c09ba2aeaf5099ad79eb8450c68e76c01aeca03cf6a1715d5cad6eeac7280b7f2f3
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5b50c16b5264b781d7d31dd8cc5cd0041
SHA1cab228714bbc809f137cb858ccb3ef9793df831e
SHA25638e4bdda6714edca05e45f0ce6e74b4672f9edf970580b7e3c5554ddc336dfc4
SHA5123bc2f5f5ec6d04cd9d9ee81052dcfa3e2726b6838cf0b55c7ffce5bbf8d8735982ea33fd2c9c33e3623e36dc04516aaeeeb22e4813d870975a79eeb63077a6ca
-
Filesize
10KB
MD518d83a7a564b7ce6276cf9f721611905
SHA1e56441bd59fdcbfefbf9a219adbd96cde56867d4
SHA2563de637c991989c33f254de2810579f316836d7b6e6de6e745c70af76dac22093
SHA512a3e60c06d1ac15a07172f78f85f21014d7a25e3870b146cec4004e146005f71694a954694f65bfcbe64030e3f8df1f68e1ba7fdfe46b5011d304cbe5e312a3c6
-
Filesize
23KB
MD5cbaec4fe77fb0174cde37a4a030ab8ca
SHA187a2f273d5eca8181aeb84ea56c80619e3dd1fdc
SHA256969aaad622f65bee5feb84f79d6f2c4bdba98e0d2dafad5ed2cb416a844b0915
SHA51257109301f89767c333467ce165a38b23d502e039cbbebf5e49e232739379616a582a282da3170fa0b0aad11ec694c5d920c60845a5fdb19f6a5ada8d5c104ef7
-
Filesize
24KB
MD5ce725e6fe66d938e06344479d4271235
SHA1da3f94b25629e3263b7695668289861f562c0428
SHA2565db594d2f31618ad5ae5e6077f12fca78f311b0acc40006b9fbb3a158c36bcbd
SHA512b15eefc32c2c93d737bd826391a3081ae2994426cd598c8df218c28872b001910385e0545c961c855fac0554ce2fc84a23e520fa50d5de0d672cba660fa59fb6
-
Filesize
25KB
MD56d22a75fe15dbe024e4ee8707d9ec7b7
SHA1c376aea0e826d22b3380a159562d22fa5a7bb46e
SHA256ebebc48b93a3ec6bc25432fd46d8cd37ec74322c9511943d87046a3584da3f26
SHA5128a7c39c7d685fdd7a92fb5c5debd50ae32527e564e5d4e9ee43ca820736785db6b7cbb5b4a81ea9a269fb37dee807e71a4dcfa7bf57df80a42ac73cf45db00de
-
Filesize
21KB
MD5ab7de62661e38f3eb8be6d9b33dbfccc
SHA16fc6e8e1b371dde57c7582fed734c2db89223a8a
SHA25631a185199de8008789f913533765f599a9fa37a6e0795fea57e972b5361e4ac6
SHA5127f7db978f347f779e8af7c1ed82ef05ae2590ae6a1383b10c78c7474e8bcbe362d6b633f7f8df8cad5471dc76dddc9dcb59e8bb25fe29ec07ceab3e1873ff802
-
Filesize
25KB
MD56f9e62c26e2207c4c4192eb43efa68b0
SHA11730957875e71f8a93b6baf824cdb4385d437d73
SHA256160043b8c9bfd8701ec6cedeb96dae8a59e33be03a72e16beac858095becf2fb
SHA5126d0fe3d30ed80bd5f7ae2d0b1cd83c0465404a3b56575102a753970e87998626ad6716d215dc62e1045c4b89192e30cd36857fb801c425f17ffeb8daea3c64d8
-
Filesize
25KB
MD56afe7ea33ae9d74995322f7e62faffc0
SHA127f91cd484012837a8623dcc35ed0ee269cc433e
SHA2561fafa1d93d656028d552bc732127bf2f484bae1707b76158f407da2a982c1e10
SHA5121265e0df1c7fe5ad6cad22b4e4b83100abf3b528c2b196453ad3e55b52bf54f93a7d17df683e916893744b91073274192e044b0e6fc9454408dbe5c8882b0779
-
Filesize
659B
MD5fa5bab43144ea3edf1c21044ec656ad6
SHA17e3bb1bdf3b35ab4ea45096a58ea3d39f5485e89
SHA256fbebbc03fd6f002626d8674ab708a75939a2e002ea0c592d3bd22b22560cca5f
SHA5120cea76c13bbd9f275dcf1d42efadac3df27ffb9b79645304ad586ce8ec1830ed8627dfa15d193c836a8c0c715b80d548cb2e7c18595d017ab66214d40e829b33
-
Filesize
982B
MD5076ff13e16ad9f43c6bf0be160f89957
SHA1535d6ee38375bfb7706305c006e440e7b6afef5b
SHA2562ce492495ea7ec0ffdd1d16829b0af13b2fb0dec3bbb875a0687b2a24b1a9036
SHA512da708a06d2ece577e93a0996c9f33afe87a884a5bb22fab182ef1809342606697cef6d5fa98138c7cb5867bab329eb349af62afc8314fadad4f317fe8fb36d73
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD50215ad37100f15e5a8712e7c4c585d32
SHA197d5ae281176af39bb3ef926a6bc9c418f9777ec
SHA256cfad73f00a5aa38c58641b877ced113ac221d0ea42aaf1dd24c1518d38af74ee
SHA5124737dd8e9df399657711f65d70ab4e081a79da4e6667855748ae32e69ac6b99d40f54cab7e26d8213b419fed0bef3271296ff2195706f8c00261f95bd134bf37
-
Filesize
12KB
MD521320baa74d97ea2166cf89dcb7db38a
SHA14a3970ce19111f106b3a1845eff2c398001e156a
SHA2566c54185fda280bcc6ade6a0212d93cf18fdc8d900f8604e43535eb84d25cd711
SHA51262a2f41ed011b8e881a07c9748200faf144d743d832e079ddbbce3753f73a54f6f2a2fca48d3e90c0703994e07c2bc2ada9b5a51e1a996a06ba38247797a2e48
-
Filesize
15KB
MD5fc63737a72e4db87a6ae5004a83950ac
SHA19deef4a74ad13a1a308ebf84ce8e55b748291594
SHA25676b44568d24e245e183a766719d2c29c8897c6e5d67bd87afa2e2eb4392bee77
SHA5129bedf7f0cd46732993b2553a088c28ab3cba89089339c88a1a79fc09654e58e833dd6592514ebbb60ea01c80fcbfd23b23b6d9e149567053083d678c236f1ae5
-
Filesize
10KB
MD5df256f33e492412750667155a2f068a5
SHA145e5246d49bc152d474bce1727174e74b72f0e30
SHA25656398b5caea32ebb30a212e1ade8f257bfa181acad7b0691a10c80ad0cdf49d0
SHA5124b6e28d0bee381067083123a3ccd4d44c06867099100bde50468341c779e56fe5068157d1f167fde2f1bf08b9afbded37378cf46b534be4be569c5a87e3816f4
-
Filesize
1.9MB
MD598aab346a402d00b0c379d7b9e20208d
SHA1464dea1d62c5b2067693d3cc686ea46d5cae91b1
SHA256c883921582f4f3195f5d799ecd20b8504c41c23297faf1035e0a4e48a321b082
SHA51252d339400aa4f5718b46d3ae5b5d634553f502cf07992e333aa2e02c5a49d1d72b4753d8f65cb41a064e68706d18af27780bd24f1a3755961f90639399f5b471
-
Filesize
2.5MB
MD51314c0b257d176375c72f58632c5b039
SHA17909e6f136df56e1b9b3caef16c08b25ee85ac17
SHA256f56585fd78bd961df90d00b4d9f4ba39b212d7fda2965c75be13ffa40dd59b45
SHA512c8844bcc0ead3ccbadc8fe5cfef1dc9a450e364ba01e179e0e505be5ad652e6606e327e719b85786f26ad13ece2d471876467acc469564770249ebdf25f1107b
-
Filesize
768KB
MD58de11263235e26ab958b198435042008
SHA1e11d020484ecb453dacc9504febfa50eb13edd0a
SHA2565368f36ce68ba19e68fdd5523f6f018a8861ac7060c22e91a15e060934c395c0
SHA5120ee6358c1163f5df888fbaf388f25ef012f4a57057832f7642a6f7a89e344f183597dfde52e88f0b30944c2e992112fb218e9af7466af79c7ae886b1f1e29124
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
12.2MB
-
Filesize
10.4MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
72KB