Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 10:24
General
-
Target
ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9.exe
-
Size
1.8MB
-
MD5
3c271702f5eebc60e590f6803d8d2238
-
SHA1
488b5450a017ab4f78d50a1c5adb1c5b54643458
-
SHA256
ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9
-
SHA512
de4dff6c44ebee7a5b3bc8060a39167343cc9e5fb7d6555ff72289c6ca7c9daf25bd8e19378430509329d20035f01f9d0d9a14b22e7d756621393b53233da935
-
SSDEEP
49152:kCSkkgCY8/d3hr9tWCT17LMUVgXHqUlOosPSYxtT972HXrKpaV4nEaEb:kmeY89DzGaUDsPZf97EXrR4EaE
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9.exe"C:\Users\Admin\AppData\Local\Temp\ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007634001\9cdeafd6e1.exe"C:\Users\Admin\AppData\Local\Temp\1007634001\9cdeafd6e1.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe01b2cc40,0x7ffe01b2cc4c,0x7ffe01b2cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2324,i,16843585192975618759,10757527724160199642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2320 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1708,i,16843585192975618759,10757527724160199642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2364 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1988,i,16843585192975618759,10757527724160199642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,16843585192975618759,10757527724160199642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,16843585192975618759,10757527724160199642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,16843585192975618759,10757527724160199642,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 12804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007639001\d466d5a39a.exe"C:\Users\Admin\AppData\Local\Temp\1007639001\d466d5a39a.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007640001\67460405f2.exe"C:\Users\Admin\AppData\Local\Temp\1007640001\67460405f2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007641001\c0527cbd18.exe"C:\Users\Admin\AppData\Local\Temp\1007641001\c0527cbd18.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1864 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc477511-b58f-45ff-843c-bd35daa7a180} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ea57a67-1def-4823-80ea-091e982cf4dc} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3152 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf419e8f-ad58-44c3-9b16-3ced0888f878} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3740 -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3060 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a9a655f-99f1-4d0b-ac1d-f16b4ce433b5} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1620 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4344 -prefMapHandle 1628 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4769f3d-f429-4ef1-a7f0-22c6619c114e} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 856 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a94084b-70bd-4437-a15a-805364a20cba} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -childID 4 -isForBrowser -prefsHandle 5296 -prefMapHandle 5152 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d250feb-9fee-450e-b54d-c2792b1fac3e} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 952 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5ef4a5c-7af4-4cdc-a4d9-74a9c797c6b5} 5100 "\\.\pipe\gecko-crash-server-pipe.5100" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007642001\90e2b3d473.exe"C:\Users\Admin\AppData\Local\Temp\1007642001\90e2b3d473.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Frequently Frequently.cmd & Frequently.cmd4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3906415⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ConventionTroopsStudiedTooth" Version5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Accessing + ..\Entire + ..\Peripherals + ..\Et B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comImposed.com B5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comC:\Users\Admin\AppData\Local\Temp\390641\Imposed.com6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 368 -ip 3681⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD5a1a7b82a3619674f5f334ce56836c289
SHA1fc7b0d519a05ab8af40d4f9447f12c143e95113d
SHA2568f69ca1cf9b118fe58e64add27733b91aef41b592966bef984f2c254930cce55
SHA51232877e18a09966ba36d828ea7a122dec4d369b9d8246cd79a10ac3883d927e7c0e17d40fff4b08661788ee88e6358bfe195b059a6ce30da8a04ad716edd6c3fc
-
Filesize
13KB
MD5d3ce19319112a1b8a34d899e8d4cabfd
SHA196ce1707f4cf5b7ac8bd1a688f3df66d848cdf42
SHA256336cdb5c153cfb4436b62b1c9ba52c520b225b563cd8e8665960c533aaea4eac
SHA5120e061cbcc5c78bf635c026b69de7699d0721e23626329fec50a51354691fd43875cf7a810dd1a6769ee808ba333ff2d179c04d5ab57e5227ee69373388ac2fa0
-
Filesize
4.2MB
MD5e0daf3617f84af41981769a31ed23565
SHA1e366c1340ba76460bbb29a86530bb855fbd2ffaa
SHA2563a312ae4537c6311d8d2a395f3ce7b1b7ba74280b84069c800ca9f81efa23eec
SHA512a33c985efd651dce9dcfcb84285485a01fa39c74ee593b1e68be83ebf8b8b29a1e7807e7b54f691b0c9db24bddc15a5bc6d376dfc8cb8994c2e5b754639e4039
-
Filesize
1.8MB
MD5c295093aa18965205a72349f476a9cf3
SHA1a6be2adb5b6cec99d08774cc16f97a0958e725fd
SHA256e17a1dea3206e9cd29badca66347857b796122e12ed6017f0889bf8e196dcfd8
SHA512697136ddf3e73f24ab10931481de27972679996d98ad73dc5376637696e40febed34f9ceda624725b5da58e4f65f435f49df2198b64c5502cd7cd0e1b16d02fd
-
Filesize
1.7MB
MD57a3b3989f1f3647dc9188a185b345d43
SHA1475a5d5e48c0f25f8083ff7657e9d6958e39d2ad
SHA256749a24775a9225dd27ed9d457d9a82ace5122cdcaaef5069ae3e802464e2c77b
SHA512a0709cbff8c8a4a55de37bb2829c1b7922b96d5e74e71655d932a7bc355d6ccbeba0ce84f89698439ff2e3831a671cea427785d0f0024731bc04a6390a48ac8b
-
Filesize
901KB
MD568d659f5943261e1ef96ef4bf5ee50a0
SHA17503ccd4b8cad67a68c335f3f6cf0ef0cce84780
SHA256dbf65560ef727cd961e0e0144e3a945c7655debfe059cc5a84e4e5069eeecc80
SHA512aeaf6e7c4de4416c3a481e9e58845482819be63ed7462ef52c59fca30ad8961f5cdf57d5a6419afe8c836215e8d70c950ddb2a06dc82554c385df2a53678118b
-
Filesize
2.6MB
MD517953500d9b941e5d42ea7121adaadc8
SHA1e98556a798deec4b705ede2908316aa337658904
SHA2567c4cdf4ff736598c7c4611feb1c4de1e845b3fd4e8708ddbb652b967e6722dd3
SHA5127f35e7651e60a558f1c4c08c4ae086a786b6ea86b16bf8fbb61f07f59512b957598ce7d3e35edd1ae39f53b79c886869e2d583b452a950a75e4ab8adb7820bbd
-
Filesize
741KB
MD5211dd0cc3da148c5bc61389693fd284f
SHA175e6bd440e37240fee4bf7ae01109093490ac5a7
SHA256645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
SHA512628bb927b5a85674ed1f762d4c42e8e9f55859cd626ab0f01b7d47ee4c74ff5775ceafc4a45864344d5dd13e588fe60b6a121b00dac79276689d0a9970d12e89
-
Filesize
224KB
MD56aaa6156bca65c60437b9dcf21a8566e
SHA174c4917b5006a2af825ed9e9d3bdaff7884aa11c
SHA256fe153e9df223598b0c2bba4c345b9680b52e1e5b1f7574d649e6af6f9d08be05
SHA51202f8a158815b29cfbad62403b5177ea5e073d84103e640441d901e12b2fbc4f2cd113924d2b06b09cf045c99b58a5527f2c68e6a664d8015f646672c11567199
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
52KB
MD50487661a3be3e516ecf90432e0f1a65b
SHA1548f56668cdfde2d71e714cd4e12e3a1419dfc31
SHA2561dbfc503087ed424d8befd455c6554ba03aa4c4c5e77f7b388dc412b6a99a70e
SHA5127f9027e567876bae2302652a2d63b457bc39f439ec6cd4d7d170423c5f27aa5b0479113b7d8c436cbc08ac76450b0e56c2d8dd42a219c7ad3dbbf693f935cf77
-
Filesize
919KB
MD5c09756dea58e68a563c05c98f2ee5822
SHA190675ae3c1a7f575dee20ceee5cbf3d761aee432
SHA2560d43333d98724395292ff88d573ad31c6ff65a0ec117e3a605b1009478f91ac8
SHA512c5b0bff60c4b44f62e224a58dbd508efb20f1324c85c62de13134f909a1cfd63349402d7472940992b6447685fbb665fd28929dc6693a5f3f1222173a8c477c7
-
Filesize
82KB
MD509d17ffb85794728c964c131c287c800
SHA1a1d7a2dea5e0763de64fb28892786617d6340a86
SHA256f913264e2aa6be78dae1261782f192ae4ef565439c5ad68a51c0397b33ee1475
SHA512d174de399777b691443de3abff35dde5040d84ea06f252e86ec5b76bc2c02dc0c5c430f0ed9bab83a69e128a7cea989a1a24c6f579947e448db1cc393838b1d6
-
Filesize
32KB
MD50e9173e00715288b2d6b61407a5a9154
SHA1c7ba999483382f3c3aba56a4799113e43c3428d5
SHA256aa4685667dd6031db9c85e93a83679051d02da5a396a1ad2ef41c0bdf91baf66
SHA512bb13d5de52ea0a0178f8474fceb7e9fc2d633baceacb4e057b976cac9131152076544891d0959fa22fe293eeee942ae0f6a2fdd3d3a4c050a39549baa2cb5ecd
-
Filesize
8KB
MD5283c7e0a2d03ff8afe11a62e1869f2e5
SHA1235da34690349f1c33cba69e77ead2b19e08dbc9
SHA25638582d3231748a788012e4c27a5ac0f54f9cb0467d60ecc247a31ea165edeef9
SHA512b9ba42910d150ce9e07542a501c4134fb668f9b4af70db1ed8fa402066c8fb5025cf4bb29abd91c877571361e71c582e1e7c5350b28c7bda18d6bf184e85273e
-
Filesize
58KB
MD56337b4a0ef79ecfc7a0e70beea5d5b5b
SHA1904aaf86b183865a6337be71971148e4ef55d548
SHA256024ad40c289bfdbea25aa7c319381595c700e6e9e92a951bc2e5df8a21382630
SHA5129b88533915190062002702b2b632e648a94f086b987040d3f22f1bc718a2e58fbcb6d85a9ad17c8ee34018364cd9486d52bef91d645cfc3608aa3b592fca6b48
-
Filesize
1KB
MD551c0f6eff2d7e54810b653329e530404
SHA152aef28dab5ba3202341fe2a34f64744f268b991
SHA256a8f5d7c5caed37fa9f6dc432c1f854f32564d6cf0fec70f4bede96ba4df4dcdd
SHA512ae804726dabe115186e5ccaf7827912b48517a8a4dea8bafa2d35286bc60cb1203cbe71b6936cc269bfa82c7037bacd79d9dbb586e49909fcb1d84e99e6f3fe7
-
Filesize
1.8MB
MD53c271702f5eebc60e590f6803d8d2238
SHA1488b5450a017ab4f78d50a1c5adb1c5b54643458
SHA256ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9
SHA512de4dff6c44ebee7a5b3bc8060a39167343cc9e5fb7d6555ff72289c6ca7c9daf25bd8e19378430509329d20035f01f9d0d9a14b22e7d756621393b53233da935
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD582d2d6dac4764c5c6b13276dbf5a95f8
SHA15b147a8c265cdbb2ca34c2323b28b3846513c4ce
SHA2568b9677df357a86236c195ffb5a0037919336b94000f023823f204be558cf7a0d
SHA512894b2e59ec69fa7ef43fd7eb9fc5eeaa9537a7a4b5946b3cb08a696e1cc6edd06c58ec0db4fc990148daad70402843a3e60942ddc67cc36fecf8285580fa3d76
-
Filesize
8KB
MD517bfeec2cb5861d7c36c7a7ad136a574
SHA1648e29e3738db611c360d6f225cc1eef8f596178
SHA256073282fded9aaed9aaf744a60aaefdb1f6c7d7df7878a3d4d86268d79d095133
SHA512c096fe5b6cff1c88b82e2fb3dd7ccf54947e0d413c9f23d52d4499cd1bbdcc15d4466814ff6b095f7037f56a1127e9d6ad134b8a49a5d6c4a2a07e8c1e06cb7e
-
Filesize
17KB
MD54fad6728e47cd527211383bd32569cde
SHA1cc1f6d6d2e89b9ea5a69cabcb614e68ed5bd5887
SHA2569b5dd1ca2b534aae5d659d3a2487fa7a64eba9999a7ab59e85ba417f622b0c03
SHA512f9b373afe93ccaca864b9013808e44eaa9f1192ae9151c16e2ffd74b7ace6c3934c79032b5ccaf9b97e8ee19cb93cdb13bdc6abf995490b4ca3e91810dc962cb
-
Filesize
29KB
MD52ddb917d08f5eeb89659c2150f37bae4
SHA117fce5a51bd515023aea46802a1828bd577e3016
SHA256260b4740e87fb9b5c5247b1c3ccf3b8caa9331ef86cc066c1bdc5d51d0376838
SHA512c39b609d744728b637cab39d18bff376540f1519ec8eb23febef409b5e234129d23ac9213fdfc2b5cdef52094252289bee95542effad79049cc585b6001cb402
-
Filesize
29KB
MD59f2a61ff1151a83a5c97970514b08bf5
SHA1a65d73b391d7cd782298a6969fde7492d904edc9
SHA256a496dc03e1ac58232076fe8ccc37d95a453b45e11fc9d66f3b3df669f901535a
SHA512d8068ccc9ccdfb2ea9c391be5a9d8a1048f29caaa96c1147f5ce000de0e5b2b6983918b28dc2d3e5757e249467ad7834fd2628912f9f99b37e7b816fa943f8bb
-
Filesize
5KB
MD5bf102398c3553aa35d0d343a414f2604
SHA18ad67672d3b9576ea3de09553a71f0295cfd3be7
SHA2569c9442d0a3fa8ecfd43ede91c43cd3e6b7eda2b5c2b870e4ceb9811e077eb73f
SHA512d14b1b8f0a99f608bdd2bea5a767159e650d242963b72b93a9bb431f336bfbc0cf2ec433001c949452b8a42eec1171ddf4f3c5eea2c7287c2b723addef34f3b0
-
Filesize
6KB
MD5ad2b719976609dde0e5f9374d3321a9e
SHA11b74c5304a93868076ea89b264a37e582ca6747e
SHA256b67198ea566e3e52b8819f20c480bc5af07e7fbd9e7582721e8229bfacdaa64b
SHA512f3f32197723d28f589f535d5eacb3701088be02a9bc20bf1ee0e8cf75155522803a167540985fb0acfbf127310104e7b742f3c5b5bd219925b8b34a0670b6476
-
Filesize
671B
MD5b82006bd1fcee760496e384fc25e30b6
SHA1ce6643589607d36181e15200b057ce8f0c64ff66
SHA256a80de4c9e591e777aae6201c8fa89a631845147706a037391419538c20175d69
SHA512d47d6529580498ccb5c72f9d8ea9bdae04180d189ecefdbf6a9bdb527fccf03976218ae4d8a72d5d40dd2c1ebeaf55f2aa8f6a18ac3abb3b9d4805e65cab3eab
-
Filesize
982B
MD59b40266ae55089f45e5d6c80fec5224e
SHA133d7c1ccc951d31b17ffe58917f7ecad649e93e3
SHA2564ae70b97727623eb8040556dfdebd7cc7b0a81d3829b293984fdd54eff387c47
SHA512c6ba3096db039443bde85a2bf0064b7da003e97a6d1cfee0b436dabca639bffee2aa4c4c990d49b6ad2e6823001b1150cffcf82aa42998daea436b99b03761b2
-
Filesize
27KB
MD549f50859159eb16809501c1340d79676
SHA160647ad5ac7500d8570e968045a0d1688d940c9a
SHA2566203f290e1b91f06fe7716eeb4d6f2c68b16ed078c52f0fafd0e434dc2e5c1e0
SHA512962300f17aa0bce7750590aaec16d5ebb74a03b3dbdb20ff00873c390f2b6d43dec838e9c1d10079697965eeced7f9edb36e2a308c6b67dc39ee85d976389368
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD536e5ee071a6f2f03c5d3889de80b0f0d
SHA1cf6e8ddb87660ef1ef84ae36f97548a2351ac604
SHA2566be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683
SHA51299b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e
-
Filesize
12KB
MD5ebbd17212dbfd206cd3e081c87904c1c
SHA1a63b2dd879bcead0cbddeed4aac02d5d8c315408
SHA256477789b801bf37fbf0d749ddb438fb500b81dfcf7228308dc73dc87233d8b7a8
SHA5127e559cea6798008563bc62b3fdc7f600e5cc1c30f1ec496d783867ab10d6f39f11374a4f20ba1fb6feeb30f9d2dc4ea86935507ea895139b47586daba2ecb599
-
Filesize
10KB
MD52f47bc13930daf6cacc642620a314d4d
SHA1b5140360c04161e6820918e045b5a9e415ff8e49
SHA2562cd0ae02783e6d8292376977f17743a33261b9a582c2d28d580563b1421c00f4
SHA512a0c9c3d2274605ffb09b873b5d16c7b5bffb3a95bb7937c6116b7bd67989779b87d9e021d2dd39a0a92948328fe9be1bf2bf651dec71ebc958aa8b5b12697eff
-
Filesize
10KB
MD5e4d4b07409f05b162104d412ec1df9fa
SHA16bc0b432a0a93a43675d1672052578f11e5cfc27
SHA256e661a7835171f1c30ab97df720fc2aa13b2b954247bb85f1ad068146098ae6d5
SHA512553277f695919b859696d35f9a4cf32bcd82b1b2a380879866cf0eafcfa59c23f4b3bb7d9355debd55318989fae8c93925323b2ffd1e1076cad0c00c67e0953c
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
2.5MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB