Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 11:56
General
-
Target
d6afe0a1651d13022bbfd6a54272cc997aad2127c62350cd9345168df0104181.exe
-
Size
1.8MB
-
MD5
612686def674a807fd8dd6da2efc38bb
-
SHA1
2294bae8b7c455213ab75ce51b4b6fe855c0f509
-
SHA256
d6afe0a1651d13022bbfd6a54272cc997aad2127c62350cd9345168df0104181
-
SHA512
fb33f924ed6dc31e9fa2c5fdf8df73fd3b104d1be2ea2d44d795ad4b4adf3407ae648cefe0190c07f4d7455c7f6f7a2527f6e17625d864d3bc815cbb055881bf
-
SSDEEP
49152:wxAANzx8U5B12i6+cectpO6Eh9Cr0x93Z/UBKJs520Bx13:pAlu7HpO00DJ/UQs2W
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6afe0a1651d13022bbfd6a54272cc997aad2127c62350cd9345168df0104181.exe"C:\Users\Admin\AppData\Local\Temp\d6afe0a1651d13022bbfd6a54272cc997aad2127c62350cd9345168df0104181.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Frequently Frequently.cmd & Frequently.cmd4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3906415⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ConventionTroopsStudiedTooth" Version5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Accessing + ..\Entire + ..\Peripherals + ..\Et B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comImposed.com B5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comC:\Users\Admin\AppData\Local\Temp\390641\Imposed.com6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007653001\beacaebc91.exe"C:\Users\Admin\AppData\Local\Temp\1007653001\beacaebc91.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007654001\2aad136026.exe"C:\Users\Admin\AppData\Local\Temp\1007654001\2aad136026.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007655001\e640009f31.exe"C:\Users\Admin\AppData\Local\Temp\1007655001\e640009f31.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1924 -parentBuildID 20240401114208 -prefsHandle 1832 -prefMapHandle 1824 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d7287da-f205-4402-bb17-e65704d86e05} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92f4ae67-4fcc-48e6-bbd5-d52f72251533} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3436 -prefMapHandle 3504 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9d97068-2a96-4fcc-a5a8-00d17b137652} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3152 -childID 2 -isForBrowser -prefsHandle 3176 -prefMapHandle 2964 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aff7552-5c1c-4836-b8be-93d9ed52f28f} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4636 -prefMapHandle 4656 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2957c858-634f-4b19-9a2d-34403a0f8221} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5460 -prefMapHandle 5428 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ca52933-b20c-414e-9202-d875cbaf0c58} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5604 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {346f50b6-fbc7-45a7-8d7b-da8c790a7254} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5876 -childID 5 -isForBrowser -prefsHandle 5800 -prefMapHandle 5804 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4f19b5b-713e-4ac6-aa32-6ce7286823cc} 2980 "\\.\pipe\gecko-crash-server-pipe.2980" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007656001\ca8e6755a9.exe"C:\Users\Admin\AppData\Local\Temp\1007656001\ca8e6755a9.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1007657001\7ccfbb3cfa.exe"C:\Users\Admin\AppData\Local\Temp\1007657001\7ccfbb3cfa.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbb5d7cc40,0x7ffbb5d7cc4c,0x7ffbb5d7cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,16765046144996761274,2027926160073325880,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1944,i,16765046144996761274,2027926160073325880,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,16765046144996761274,2027926160073325880,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,16765046144996761274,2027926160073325880,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3448,i,16765046144996761274,2027926160073325880,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,16765046144996761274,2027926160073325880,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 17964⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5244 -ip 52441⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD5d1dbc2b926b4e56c70dd9a7ee18c32f3
SHA190d721884c7d2801c3f076bd9472b8b6e8011c8a
SHA2560cced2aefb62bf924c82ba6ea9031e944e7bbc5331d57e35e639478a4420b624
SHA512136ac4c1c6dabe7a3133628148c373d2ad010ec491a271b9adbf7b8a85a58d4652f461114de4790219591820b242947eedb99c3ff09a1226d7b9da1be56cba87
-
Filesize
13KB
MD5c6da04613c667ef6516018d9fd06ae25
SHA1b7d058b17cfeafdea4f4b695bf7cf45f78814a37
SHA256dd4d5a2e9bc1e3ed867d4e52219de691c3195810e4f9d36b0a507518e2692797
SHA512b255733f09cfdf7de6ad755915b0f512b552397ffefdd5abe6a7f2a033255d6b0dad1eef9490592d273d3f80266364b22c7b9eece36665c8af0aefb908ac00f4
-
Filesize
741KB
MD5211dd0cc3da148c5bc61389693fd284f
SHA175e6bd440e37240fee4bf7ae01109093490ac5a7
SHA256645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
SHA512628bb927b5a85674ed1f762d4c42e8e9f55859cd626ab0f01b7d47ee4c74ff5775ceafc4a45864344d5dd13e588fe60b6a121b00dac79276689d0a9970d12e89
-
Filesize
1.8MB
MD5da6f4dd65914c67347f3db2234602578
SHA1c83a4f830eb6cfc28569dc04ed990394af7edcc7
SHA25618910cb7826a44f2521c58dc2a4db4340b6b3fbc555e9dda6072436f543bdb41
SHA512b15d4421000f84c81f0a7e25ad60375b646c66a9d2de96f9318a361bf028c9b60d4652c1c21dce136a95acd8b5430498465506f718140e271a4c7fcbf0e0f1ca
-
Filesize
1.7MB
MD54b517665a74a84df87d5360aa6560efb
SHA18e2981eaf255f7e1cc90da8b494148281769bcb4
SHA256462b590df7f786de4cb422be74146d935f45d47008a25fe26979f3737f3dd972
SHA51298bd7c367a1c98eb8bacc975f5cd1a9302d68f6661af529f173fa9f2433ab773aed7c9a6fc8b41b654fffd3514443ec1804b86b747baf9b0d9381ce7d6b388ee
-
Filesize
901KB
MD5ebe0be1900764175f9f6b4c7f4f09e26
SHA152e8ed3644e361cb28f38d5f3023120f46bfeadd
SHA256560787853414698af69a47fc1d1969039d4f36890b84073e82cc37be36ad9676
SHA5129327af6e96e614b091c116fd70641571c024ed88f0df2b181f7487a64410de1fcf4f74cc29585967dcdbed33b57116fa23946752597477fb12b25b0425c5e19b
-
Filesize
2.7MB
MD572c14b3785a58d2193792d24910b48ca
SHA1c3a14fe31913d26ab7c565c71a7d7dc99e8936b0
SHA2564198f3f3a8b80b86d7f66bcfaf98e6c42caedbdb31eb2ae21c0f3340195b70c5
SHA512ed479cb7ca48b02d8af3dddb29942028a9f9b0f395cf49431603383b592eb0b1ceca22821d728ee07e48a9371a71729b3509ed188f655ebd557e1d3c576ac739
-
Filesize
4.2MB
MD56c252bd0d2276c27af37629d8cf891db
SHA177a8f28e1594ffdca929e0f7528ce578a2758282
SHA25679ba6f438dc061cd67dd554bccb6a3a8c7263615565d324b48e92d5a3e4a82d4
SHA512520ce00369cb202da14840354dee1df7695f303008cd517b1e9a43a7f5be3f576b60d457e43f9df9733dbbca081ca6fe7df0a233f33659c8db5ea4f95566e604
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
919KB
MD5c09756dea58e68a563c05c98f2ee5822
SHA190675ae3c1a7f575dee20ceee5cbf3d761aee432
SHA2560d43333d98724395292ff88d573ad31c6ff65a0ec117e3a605b1009478f91ac8
SHA512c5b0bff60c4b44f62e224a58dbd508efb20f1324c85c62de13134f909a1cfd63349402d7472940992b6447685fbb665fd28929dc6693a5f3f1222173a8c477c7
-
Filesize
8KB
MD5283c7e0a2d03ff8afe11a62e1869f2e5
SHA1235da34690349f1c33cba69e77ead2b19e08dbc9
SHA25638582d3231748a788012e4c27a5ac0f54f9cb0467d60ecc247a31ea165edeef9
SHA512b9ba42910d150ce9e07542a501c4134fb668f9b4af70db1ed8fa402066c8fb5025cf4bb29abd91c877571361e71c582e1e7c5350b28c7bda18d6bf184e85273e
-
Filesize
1KB
MD551c0f6eff2d7e54810b653329e530404
SHA152aef28dab5ba3202341fe2a34f64744f268b991
SHA256a8f5d7c5caed37fa9f6dc432c1f854f32564d6cf0fec70f4bede96ba4df4dcdd
SHA512ae804726dabe115186e5ccaf7827912b48517a8a4dea8bafa2d35286bc60cb1203cbe71b6936cc269bfa82c7037bacd79d9dbb586e49909fcb1d84e99e6f3fe7
-
Filesize
1.8MB
MD5612686def674a807fd8dd6da2efc38bb
SHA12294bae8b7c455213ab75ce51b4b6fe855c0f509
SHA256d6afe0a1651d13022bbfd6a54272cc997aad2127c62350cd9345168df0104181
SHA512fb33f924ed6dc31e9fa2c5fdf8df73fd3b104d1be2ea2d44d795ad4b4adf3407ae648cefe0190c07f4d7455c7f6f7a2527f6e17625d864d3bc815cbb055881bf
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD5a0b91c8b99d1e0ec06e5af2feb79d30c
SHA1c53d0bb2d2e01613ea64830c6d96f6e5736e27cd
SHA256cda2cc8a0e9624ec4cf6cab36476325df6fae68f0ab3ae9fd7efba9e501b765f
SHA5124e60164a4a5ee98e4cf5cf9d90a3cf9a791dad1721175d53a2386f2ef7b7d1a7f0cd8dcb5c891f58a78e2351147ba871640fd7e2b8d2d15c8bbffccca0eaf469
-
Filesize
6KB
MD53e86955c00619ccd2453ad989ebb4235
SHA16642790dd2807240d87af49e2e8362951c8bef96
SHA256252d5e01d2105fb03f7bb15cbbe50afd6c952de5486f84ba056ce715f67402d9
SHA512d67f77cc9673aa0a031c08a768035f8f27ea2bb676363946599c8355734a1f5c5e3d815bbed6dee9edeef379a8657d815dcd87c84959e4d8638148f39ba075d0
-
Filesize
8KB
MD5a30971e3e1d3213d20317220297fac9c
SHA166e3b548c098910f4a48e46c7c90fe85af5fa317
SHA2564262702f92a52d8d2d3370e55673587b1509c28cd7fe5c4f6f896ded7ab7d346
SHA5123f3bb24a897bb0e283d0d7b31f139350789a0858e0a0ca484bc9d6424341369d0fedba7927f6480c6b8e0b1035bfd8be811fc303e8d67dbf28d09acf2c4b505f
-
Filesize
13KB
MD5ca5d97493259a6a4b32d6704be032a96
SHA11e186ea449c5e298851485d171a5965f78893021
SHA2569a68c01630cd0a9971cee9dde6f7f973f40ff8edbb1e7f8063c63b1021d132cf
SHA5127dd7fc63cd602a8e27df5ae2c75ee5f2f042e5f19eb41f7d532c3cad84215a43ae5f85d4822a12b5d0b197555ce02872e228216678fe550716e321a1a059a464
-
Filesize
5KB
MD5dcecd158c57f8f6701bfd29d5597d4a5
SHA14068d9d55ce221580ec3f5a3c962c32c6017488f
SHA2564b2ac6dddde763c4e6ff008d7073ba429ec578add85c6b54c815e2595db6aff0
SHA512270ec749e2c2414eb2d15931ed60733b8a7c4380cd3e4e958618ed4132c51cb06529b6ecda6866e4c53e8886f9634d43a75431925fed0df273d4c1b7754ee062
-
Filesize
15KB
MD55d6686a9f68fe463c36ad470cef819b8
SHA1d9d2ce2c60bb92d324373226e47f4b503d84047d
SHA256eecc6d27f0ca5ef75f80056759bcc6207d75c58425834e2a34bb73536002c833
SHA512d48e0e3c4035823e405212f93d696215a6de62cc2034d59195c6a534b78f480f0f0c3d9ff91b69f4a2bca3b5bf6de10626977d1280d4a448fac531c677cba9bd
-
Filesize
15KB
MD57d1a8984ebe6bcede549ea5c846a81f8
SHA125fe2d1c61ef217b34f5b6fdc2a0fdf9ed94aa2b
SHA2562e765db00383db9e0ed328d6e25e9cc36c4dd9a7dfc7392cb8fb71cbb72dc0d1
SHA5129989398d12b05362e32473810e8c00a66cd9faf7d577428020faf9f374c56da9760404262431301e579089290fd2c24d1a03b082eb675a416fb098868b23293f
-
Filesize
14KB
MD570b6d64f0f06cb00d9831968e089be19
SHA1e473addea36f292efbc50c17b8bb3f59c5aafc3f
SHA25644234454e0971a4b2758f82cfa0f7f1d76112eceeaa517d489d5bf51c5670532
SHA5128bf5067bf1aeed019710685395d389463fdf14abe0589e5be3bd3120681b5ab657d2af81157b5473de192e0619d13be765d346b376a70d5f31c05d45efed63fc
-
Filesize
671B
MD5f1e370475977bbf3b56b445ae61c93bf
SHA15c2072f968d862125682f040c2da545a2d415a5a
SHA256cd0b218cc0793b3fb05f8f235d92dbe11131626c86d5c1da4a6703c59f850df1
SHA512df05da922fe87498c822b596b338bc111d6bdf3ff4c521ee4d28f92fcc11f4cc10c224ccd7780b4e560d0445e2d4346d6c7797d7e67ebe7ca223aa04d4c091c4
-
Filesize
982B
MD5462c98c32460b165b393c14703a3001b
SHA1837e283f08fe4bdd1d1dd53a6706db698ad9f6b3
SHA256535e8595233a91c980fc1f55c0f1fc9a89cbfdb37b3996c623ca3be8cb4cbd45
SHA512c310436221265f5028b5ad5407d1eb1f0f0c9bb09d000d91a08cf1a8b962bd7ee700c950abb0e521dce2927e9e672ae96fdcc1b5e42c935c64f3c33ce8250c63
-
Filesize
26KB
MD5e887dd659ebd02dcfc92bd56e08420c5
SHA1b84bd32f5cf2ae48c9fed7b1264a92e21f6a3926
SHA256eb4ce0700f2ecaa7255678ae916d2f859e8a84b69a369aa9397d9e2a7af34387
SHA5122d3a4d06f71abb9e0da363d81942eae2014701258c1fd4afc87887f5299302519a88545db5847287e0154f67ba59cbd9f50de2cfbf709f29dc550f87302d017a
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD568626d7ef2bd0ddf5e23dd60b084e317
SHA148fe31694459497c6a14d80d68fc4f34d0f09966
SHA256568fe1a5f179906ae2cdccfee7b96f758dae5f118b1451d5246bb652079784a7
SHA512a418be9915ceef8b4558148c18d6947dd066f76b0cecde0ada6ea863f93f43c6a14e1f9d450a9edcfbee23a8dfae8e528898364f35ca4e52992c8f3ad3f75138
-
Filesize
10KB
MD5412cc8930ca21e147d3b76c09d271e02
SHA150ad7c4e92dc40e7accef4415cdb46076711892c
SHA256d5a7e01b5b04e4e155db348c787bdc4391bd7bf450775bfda1fdef3dda547d8e
SHA5129d9173185617a0c0e12d22a2d47828507cc39e4b6918374d16f755b37ddeebe581f0fdaa6d0925930b25d822b652442d19e7050e9dd1f0f399735a143dd466a3
-
Filesize
11KB
MD59a6ea4de983b9bc3cbc0351a10222b48
SHA1d671f438715040736abc0f62cf16a208458ff810
SHA256758db53ec018c61454c1769b1a1f78e3fb1dfc11be679ba656d343ab90fca653
SHA51299debf3bd86a3f67cbc8ee7f39eb18d4705711809472a9cd7f85e23e0c83dd20f04bb461d304209b2fa4d558d97a0e529e796e49029b29d60a002ec00188ac7b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
10.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
4.7MB
-
Filesize
4.7MB