Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20/11/2024, 14:09
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
333366f899b1211c3259144abeb6e7d0
-
SHA1
b0cd88a3cfb3153a6f40682143b7872ed7abb0a5
-
SHA256
f6b3275a6874dfae98dd683ff84c5d9894a17d86eb45c1cf0b621ad54a680580
-
SHA512
9697d94ef6f11fcee853bc3615fd3441bc39a529a9eb5a18f8ba81d719485ac3119f260e93b62f90f4f0521e23851c508e12ae258ba29cf914dd1b3f8d3cd1f5
-
SSDEEP
49152:nHFaJdOn16Mp9hamBcxdgirXtyBik8CqX/odohVgmaH:n8a16+3dKdgiAva/hVg
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 63 IoCs
-
Suspicious use of SendNotifyMessage 35 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Frequently Frequently.cmd & Frequently.cmd4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3906415⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ConventionTroopsStudiedTooth" Version5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Accessing + ..\Entire + ..\Peripherals + ..\Et B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comImposed.com B5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comC:\Users\Admin\AppData\Local\Temp\390641\Imposed.com6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007680001\9b98b2c258.exe"C:\Users\Admin\AppData\Local\Temp\1007680001\9b98b2c258.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeadf0cc40,0x7ffeadf0cc4c,0x7ffeadf0cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2348,i,16529633722080980998,17617133504797633295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1752,i,16529633722080980998,17617133504797633295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2580 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1988,i,16529633722080980998,17617133504797633295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2588 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,16529633722080980998,17617133504797633295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,16529633722080980998,17617133504797633295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,16529633722080980998,17617133504797633295,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 13004⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007681001\d34826d171.exe"C:\Users\Admin\AppData\Local\Temp\1007681001\d34826d171.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007682001\dc230f6796.exe"C:\Users\Admin\AppData\Local\Temp\1007682001\dc230f6796.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007683001\23e785fbcf.exe"C:\Users\Admin\AppData\Local\Temp\1007683001\23e785fbcf.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1904 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3de383a-4c11-4765-855c-b6a739a7bd13} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc63fe93-0a6b-4a88-9c11-664a347260ff} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 3104 -prefMapHandle 3012 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0b2a76f-79be-4859-b5d2-e01e25e0a1f7} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3788 -childID 2 -isForBrowser -prefsHandle 3780 -prefMapHandle 3776 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e20cfa0-c361-40dc-a599-6d20e6eb37e2} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4288 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4364 -prefMapHandle 4324 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffda7527-248e-4dda-9142-8045dd044427} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5436 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2736f630-8474-41e2-8290-52a548231702} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5528 -prefMapHandle 5532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49084019-f7b8-4875-b724-4ff4ba48fbcb} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5736 -prefMapHandle 5744 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f891109b-0712-4053-9676-0a8c1fc6b8f2} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007684001\0d6ace2a1c.exe"C:\Users\Admin\AppData\Local\Temp\1007684001\0d6ace2a1c.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2520 -ip 25201⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD59f47696f750a0fa8264bbcb739393370
SHA1f2fd488b0567228b8333cb43545d2161647ada36
SHA2565977b9ab4092d6c3b7fccaef203ae8a45172aa7122359c1bb5ea98f2767016d4
SHA51272a86becf296c6763d117a49a7c36ddcccb09e9f0533984b1395aa750b8492d1f8c5aac75c8b64944190f46bbaf942af113bc737f3f6572b54e1e18bf3000f50
-
Filesize
13KB
MD57b3bc4c6f128d862bfb7ff340d3d4d21
SHA143b509f34c8bdc8c3102d481dc1848cc00dbb0f4
SHA2564b2b233af461423cf0ba7a8d46fa27665b1f71a8c3a90914cd887298da7d44ec
SHA5127f4ba2ef918710053edca62b6d47ae945724ac8a3c47c268cc67a2b6b02f705fb50a77eb32b990f4635961801ffcd12e096119fb0c819b107920e1b1bbe044ea
-
Filesize
741KB
MD5211dd0cc3da148c5bc61389693fd284f
SHA175e6bd440e37240fee4bf7ae01109093490ac5a7
SHA256645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
SHA512628bb927b5a85674ed1f762d4c42e8e9f55859cd626ab0f01b7d47ee4c74ff5775ceafc4a45864344d5dd13e588fe60b6a121b00dac79276689d0a9970d12e89
-
Filesize
298B
MD52743e30e43eb1ce82c66a468baaab1fb
SHA1e0677bf2c2e61be4ad9298760bb5f4c549596f85
SHA256698e2f245644603eef413b2a980713ce689d3464fe3ad3cbd89da2290e7e5b6e
SHA5124d16001390bf3e933c02b197f711eca14a751372024826b5b3c2d221c1f77a28687522fc91c3671d23586b0cdbb6456df9757b91a74437d532e6fb106178cd88
-
Filesize
4.2MB
MD591118d3b44b4a457cf5acadc62b39b5d
SHA17dea33e33708ee07d3e2475b9e5511e1722a7906
SHA2568e63a9969e3c9db4816c69fe88c5d323daae5e0de24d547a73104a89694d8901
SHA512fc1ce7eb30f2cb38e23fac0111933f0550b838db8274b1d7b509826b66d10ee21b51dba3356639ddd8463258e3ce8f11c96f2df49f550ee15d7f861acc60bec4
-
Filesize
1.7MB
MD5fe4356d29b3bb9d3ebf32984fd46bb00
SHA18c5423e8ad916cb272dfe8043f659807b196253e
SHA2563d57ed7ea8ceed067458d706e5c7ef5d3d843723b1a83919536134f14d925655
SHA5129249ff698e50fc1e9c2663901c16b09c626b83354a72dec7a3494548fd5f2e6645cf9e7beb49e9b9b091c895262dddf35d7561b2c3f56a77e63413e3a30ff947
-
Filesize
1.7MB
MD51fb763b01e1ffa3ab02b53ce4b2a88fd
SHA1881d6869788ced3bb3be507abea78f569af3775e
SHA256f98936eaa24f4c5b0339ad375b53e45e505c9c65cef4480cff417157252f77b4
SHA512c714e1043a8a0121ff30ba80a19fd11a61dab6494f760474e433487a21eeec8fcf5af56b3514e00723d348538920d94ff57edd8ba7b75308ae490c4bc4c54023
-
Filesize
901KB
MD5b0302cbf18ab90a0e43b26f4b4940c46
SHA1804696c2bf2f8e35ef2dcfeb1b33c50eced20b4c
SHA2567d09a69f6aa77fa98e6a6973963b776178a53a6a7c4b48f05a66e573696b0239
SHA5121aa4e5767f4a1948cd0776ccf01865763398bc1ce72cc6df3768e74d6d30ab79006aa31ff0ee1880db99ab068fe0f2c741c55fa08697ed68f5cd54c5d362e15d
-
Filesize
2.7MB
MD5478da8ccb212d832e72cc74a96f5d373
SHA1b118765c3e0e8d4ebd05184097d8bd92bf4febfb
SHA25624727171607fbcb404b5f51928012c5893e8f751a4e11f94fda0e9479fa58616
SHA512ce399d8c8ee6bf0318ce1cf52160a67b4485fc539fed2969f2af4680a48a4c3f660545084c4fa90aa25ed17ccfa3d1942a2e26003fca753054dde9c415ce876a
-
Filesize
224KB
MD56aaa6156bca65c60437b9dcf21a8566e
SHA174c4917b5006a2af825ed9e9d3bdaff7884aa11c
SHA256fe153e9df223598b0c2bba4c345b9680b52e1e5b1f7574d649e6af6f9d08be05
SHA51202f8a158815b29cfbad62403b5177ea5e073d84103e640441d901e12b2fbc4f2cd113924d2b06b09cf045c99b58a5527f2c68e6a664d8015f646672c11567199
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
52KB
MD50487661a3be3e516ecf90432e0f1a65b
SHA1548f56668cdfde2d71e714cd4e12e3a1419dfc31
SHA2561dbfc503087ed424d8befd455c6554ba03aa4c4c5e77f7b388dc412b6a99a70e
SHA5127f9027e567876bae2302652a2d63b457bc39f439ec6cd4d7d170423c5f27aa5b0479113b7d8c436cbc08ac76450b0e56c2d8dd42a219c7ad3dbbf693f935cf77
-
Filesize
919KB
MD5c09756dea58e68a563c05c98f2ee5822
SHA190675ae3c1a7f575dee20ceee5cbf3d761aee432
SHA2560d43333d98724395292ff88d573ad31c6ff65a0ec117e3a605b1009478f91ac8
SHA512c5b0bff60c4b44f62e224a58dbd508efb20f1324c85c62de13134f909a1cfd63349402d7472940992b6447685fbb665fd28929dc6693a5f3f1222173a8c477c7
-
Filesize
82KB
MD509d17ffb85794728c964c131c287c800
SHA1a1d7a2dea5e0763de64fb28892786617d6340a86
SHA256f913264e2aa6be78dae1261782f192ae4ef565439c5ad68a51c0397b33ee1475
SHA512d174de399777b691443de3abff35dde5040d84ea06f252e86ec5b76bc2c02dc0c5c430f0ed9bab83a69e128a7cea989a1a24c6f579947e448db1cc393838b1d6
-
Filesize
32KB
MD50e9173e00715288b2d6b61407a5a9154
SHA1c7ba999483382f3c3aba56a4799113e43c3428d5
SHA256aa4685667dd6031db9c85e93a83679051d02da5a396a1ad2ef41c0bdf91baf66
SHA512bb13d5de52ea0a0178f8474fceb7e9fc2d633baceacb4e057b976cac9131152076544891d0959fa22fe293eeee942ae0f6a2fdd3d3a4c050a39549baa2cb5ecd
-
Filesize
8KB
MD5283c7e0a2d03ff8afe11a62e1869f2e5
SHA1235da34690349f1c33cba69e77ead2b19e08dbc9
SHA25638582d3231748a788012e4c27a5ac0f54f9cb0467d60ecc247a31ea165edeef9
SHA512b9ba42910d150ce9e07542a501c4134fb668f9b4af70db1ed8fa402066c8fb5025cf4bb29abd91c877571361e71c582e1e7c5350b28c7bda18d6bf184e85273e
-
Filesize
58KB
MD56337b4a0ef79ecfc7a0e70beea5d5b5b
SHA1904aaf86b183865a6337be71971148e4ef55d548
SHA256024ad40c289bfdbea25aa7c319381595c700e6e9e92a951bc2e5df8a21382630
SHA5129b88533915190062002702b2b632e648a94f086b987040d3f22f1bc718a2e58fbcb6d85a9ad17c8ee34018364cd9486d52bef91d645cfc3608aa3b592fca6b48
-
Filesize
1KB
MD551c0f6eff2d7e54810b653329e530404
SHA152aef28dab5ba3202341fe2a34f64744f268b991
SHA256a8f5d7c5caed37fa9f6dc432c1f854f32564d6cf0fec70f4bede96ba4df4dcdd
SHA512ae804726dabe115186e5ccaf7827912b48517a8a4dea8bafa2d35286bc60cb1203cbe71b6936cc269bfa82c7037bacd79d9dbb586e49909fcb1d84e99e6f3fe7
-
Filesize
1.8MB
MD5333366f899b1211c3259144abeb6e7d0
SHA1b0cd88a3cfb3153a6f40682143b7872ed7abb0a5
SHA256f6b3275a6874dfae98dd683ff84c5d9894a17d86eb45c1cf0b621ad54a680580
SHA5129697d94ef6f11fcee853bc3615fd3441bc39a529a9eb5a18f8ba81d719485ac3119f260e93b62f90f4f0521e23851c508e12ae258ba29cf914dd1b3f8d3cd1f5
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD52be2fcb4d5b50a2ebf66cd25eb9cae93
SHA1850691e1f3a534969c5d0052e96fef3575d9b660
SHA2566dd38213e874697ac6e4e33b3d92d406aca44ef4db6d1d48bf8c45d60924c0aa
SHA5121467ac400e44927488f104e3d82cef9513bbe52cbe282f14a90057237c11076ebab29123a5ef83516eaa0f9c81f62477f8a7d26be12c8858d5358496d58f8870
-
Filesize
10KB
MD5f07005407d0f0f7b961328cbd79d44d5
SHA127cbf14582050677fa92595e996367f109cc1609
SHA2568ee621b41739368b121784cbfd5d4c7a2778a797483f241a2190e1d86fae4827
SHA512cd3efd0fc27b3dd2172696f4c9173520627cc20c1477a5cb742cd99b15423b3696f7961ee8d657e5b9f204c5a5a261adea03d08f7096cc9010eb592381e274cd
-
Filesize
15KB
MD560f4a218d0ca259e42f71fcabbd3da8a
SHA1353eba9f6d7585af761432931b24d876d69a42d6
SHA256494a65ee1d35a60f92d17539399f5761d2b1adae60baf46763bfff86afa64f4e
SHA5121d2bbb9da43717ce98b40298de946d5963d77c89baa368ce1f5b682f98f8cd224b6dcdd12fcdd5265a7659e9a1486b6df2b20e9a8c57153dbf4d5957348e7031
-
Filesize
15KB
MD54626ff5a726dddd8657c0854359bb292
SHA15e546f2708e93716015d41a9ca20b5e3032092fb
SHA2567df35a886bf3b9b05e617a9d2ac8d8b3dbe777d5fff5620218daf03e57c8e69f
SHA5129427798f04736f862a443fe524d4a98ee8e4c4d4f720944016eb8e0d51d04e8d68216fe0c434ca14562394217ea156a3d590672679299f2a3a71df8697348c55
-
Filesize
5KB
MD5cf2c906c2ddade6155a23d79a421e3ff
SHA1163b2be19c831dc0d1df3c0e527bb0fbc89dd34c
SHA2561702344df5d9ec6607e3ad72fcfb1ef29546a64a9db0666750c25731756468f4
SHA51268ce7b31c42ad5ce090e4f71f6d8b7a950f0815a34133942aa92f453ea40bb6e169ac0909858c2b22c037ef5ea219b39704ab8e021256581ca15791da3a0e2cf
-
Filesize
6KB
MD5722e0d156feca5442c78f077fe819cc2
SHA1fc14f205714d3848721d340a4ed47180cb2c601e
SHA256e913a571a021e38aa7766d0bf6c88fb57580a4847dee11dd10ad83c186bc97a1
SHA5127f12579fc9ad4db56bee24c2bfb821c42d92f063441979053aa3ceb3a48174a569c9268876186ebde8f4dac6a0d3339a4aedd64e103aa58fb04598d6ae177ea7
-
Filesize
671B
MD5dadff5d6feacfc6b0223e75e33b0e164
SHA17b93d332e08ab7f9541753fb46458f41c1ed822c
SHA256a84726e3f0581f75b59ae531e7056f9a1f39c99dec35752542533d87d07b80bb
SHA512eae9701a080d9faf91fc006c68549b76330a34e7bcf6375906df2b0a18ee0a34004337e2b68088bc93c432311be700998f5675a8f13116e10fc6e28dc37088df
-
Filesize
982B
MD581e29426faccef73232e501f8f2ba91d
SHA144d23f79ff5b9afedbba2252de26d29e26dc8dc2
SHA256814e71e0f7c11ceabf7455bb8093375a1c8f63a869963a7e9afc506f0cad4b34
SHA512ede8188f7cfca2196d68cc5cb20eaec198f0a046b16cf1d443bfded2fc99ab71fba9949c27f28cf8ddddb383f11014eaf0108997f2f84bb4d8a996b14b5eb2b7
-
Filesize
29KB
MD5b4696d08270ae316cbdafd55be3b2009
SHA160494e2570bb7f3ada9f12ade7eb834c68c53440
SHA2562c32a09fd832eae892b8a5f7cae15f08bab0a5d9638967567b3f1a71b2777bda
SHA5121037db795770132a4364e1674abf48f94c3555c5947f04d28aa398670019de5b221c0803a68a6b98129f5059e6eeb96d8fcbd5f52212b740aa0fa08cfb07679c
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5de791a0e4479cc4330fda6f8cb1ac193
SHA1b5c137b2be2c6a306287d98954f01f93463d5603
SHA256166a37658a303fa9fa56f411f97c41cfff2bbdce21c3c166094130485488153c
SHA51272379e240d2d03d967ae2bbcf49e1bb25c0e7e4cf64f002871213f3f2e1e63f14bdb42a1e72331bdd8c17071effca1574d91cff05934a1c8b99773ad831b7e2c
-
Filesize
15KB
MD567bec18a2a6ed10fb7596f56a21171b4
SHA11917685f0c3ff79bec11b4791e5e5acdebe3944f
SHA2562d41c37e6865928956453ffd690ef2a6e8ed24651966b6a9b97098deac870627
SHA5129ad73572057eb7dff786cceef8f47fa10fbcd317a2708a23cf168c78cc628f670ad8d37f02cc05e826efb2f23e5249b1054b6b98c49f1a4576288095c4bd0d7c
-
Filesize
12KB
MD5338a0b2ef02477712766e82fcc3fb89c
SHA1dfdba347336aed4ce02d3c2aa804949c58da946e
SHA256defc8d9965fe893bdd83d1e40c612fe025b74ae05fd15200e071e27140178415
SHA51245ff52e749e912754312a83a56a9f34f79121c631c985e017bf550449da6e060ab95f9faa5a5ff973bfb97b107e447d5b3f7260914bb934d04e78f5a8de251e0
-
Filesize
10KB
MD50b2b0fb5ea6c35df4fff6fea5bfa3d9a
SHA1dff45e32342f4f0a44df53adea7930ebac5045ec
SHA2563e725e4d74bd92b54aa3d863cdb5e30f5e2fd7753c55baab295a01f539f22385
SHA512b4cca1e58cfee9bc612f2dc6230eb5778396106563c851d5575ed9a5500370f8571c840725931d9da29d2c5b7049e9116440730cea1688afd4c6bb17af54d9a4
-
Filesize
9.6MB
MD5ac88380d73fcabfa8be02859ea4a9560
SHA1e4805257f5b388d792edaea1f5f25571d58a9f7d
SHA25627ceab420a8aea729dbc4ae0c830aefb1df81a364fef91303cacc6f1b0272bed
SHA512a588a640757927dba0139a1f07de47ed1434053e4a76c08254e4fa989168bda80d7df32f7b457e26fcfbb14b6d7c5f07b92a9af5fa3642195cf777a156822f15
-
Filesize
1.7MB
MD52affc194539933f4a7b8d9cd9591ebd0
SHA1005f1c0f15c254cce27bd1c6572461f13102d629
SHA25637ca7777039902826dbc2e4c6e469632f5acdb02b0791698131acbd6cb4bb995
SHA512bd066472c6f38aba94672aabd6bffbc314ffe60b9efd928a073de02399effe2bdc3079dc6c9ef2a8c23313de3799822dc5a88311fa61856c5ba67c0cd374d00f
-
Filesize
2.5MB
MD52ab6ac69970da7c580d52db7c7be8320
SHA1eeafadb82d8e564722da2c11b4abc893dc78f58c
SHA256fe0c27a997d4eeebaaced67a16ee74fbd3981bb504c4c7c17e9e12d58e2cf42e
SHA512a25aeab3d1e1545ce30271e6d3c81351652426cc0dd64b663769f79c7bd97f85fa1f2a979575b76a9a18b6cef86d3b0952a08d72de254bf41b9869bf146a7932
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4.6MB
-
Filesize
72KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
8KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
184KB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
72KB
-
Filesize
4.6MB
-
Filesize
4.6MB