Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 18:07
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
9026ca6bc267a2ac0e092e352cb39dfe
-
SHA1
081dbb285587965762103b87f260f1371af58087
-
SHA256
e2b42da09ca84002f6f77f31c1ed5c2d14346aa5984ffe8a494ff1e69c35a68d
-
SHA512
f03a4ff06faa9c32f1ddfa39da15c315bc12edfc04199f48a88c6fb7cc3c74612580668fc51d2303d24a70d11075bff48e148a21c17244adb7435ad12aa91cdf
-
SSDEEP
49152:d+NNooX6+IMF0uqSYgXRVb/LrDGvJpTb:oNNVXBIjgVTLWvJp
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
CLOUDYTNEWS
http://31.177.109.184
-
url_path
/8331a12a495c21b2.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 8 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Identifies Wine through registry keys 2 TTPs 8 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Frequently Frequently.cmd & Frequently.cmd4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3906415⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ConventionTroopsStudiedTooth" Version5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Accessing + ..\Entire + ..\Peripherals + ..\Et B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comImposed.com B5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comC:\Users\Admin\AppData\Local\Temp\390641\Imposed.com6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007698001\stealc_main1.exe"C:\Users\Admin\AppData\Local\Temp\1007698001\stealc_main1.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 12484⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007721001\7f0f286bdb.exe"C:\Users\Admin\AppData\Local\Temp\1007721001\7f0f286bdb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa6dd5cc40,0x7ffa6dd5cc4c,0x7ffa6dd5cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,14779440612356872291,2040501140040781294,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,14779440612356872291,2040501140040781294,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,14779440612356872291,2040501140040781294,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,14779440612356872291,2040501140040781294,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,14779440612356872291,2040501140040781294,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,14779440612356872291,2040501140040781294,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 14404⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007722001\e5376beb83.exe"C:\Users\Admin\AppData\Local\Temp\1007722001\e5376beb83.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007723001\c15125635e.exe"C:\Users\Admin\AppData\Local\Temp\1007723001\c15125635e.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007724001\86a743037b.exe"C:\Users\Admin\AppData\Local\Temp\1007724001\86a743037b.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {925cade2-3480-41a1-b05b-4ba8765cbf6e} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {878da0e5-f49e-460b-904b-fd8cc35d1afe} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3152 -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3140 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb4945eb-a727-4f06-8c14-725d354c192c} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -childID 2 -isForBrowser -prefsHandle 4016 -prefMapHandle 4012 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b481c6f-39fe-4e38-8b34-2d944fba7c30} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4468 -prefMapHandle 4464 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {100b9092-1689-4db2-a852-466a34cfbac9} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5012 -childID 3 -isForBrowser -prefsHandle 5004 -prefMapHandle 1268 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f02f0dd4-8e44-4d8d-9c5a-5df5f259294f} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5156 -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {884714b2-a160-4033-ae75-ab726c346d04} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 5 -isForBrowser -prefsHandle 5148 -prefMapHandle 5328 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 904 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0441f4c-5e1b-4708-b2ff-534e7ec945bc} 4724 "\\.\pipe\gecko-crash-server-pipe.4724" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007725001\636472efe9.exe"C:\Users\Admin\AppData\Local\Temp\1007725001\636472efe9.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4528 -ip 45281⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2084 -ip 20841⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
22KB
MD590c1a5c4d8018b1609e4d23a3c0ed289
SHA14e6f0a787401ee4dc74d4ab210eff4a2bf4725aa
SHA25658429feaa10af3b18188a191495a257e8729328e9c59fafb0fe5763002b4e95c
SHA5127d00a4ea9b71b8185068b694c54fe21e2b160829b385024f832b3529d9d2896a4e3c22e9e54c833bff2b260b84ca84244f0ce74c8dd2e715017631a944f9b7cf
-
Filesize
13KB
MD5aa58ebdf8e0490b2801b21573310fa8c
SHA1b91f636a7e7ac0644ab3875739be26c08fd4868d
SHA25653e6b6695703664644114d962829efaecfc527191841c02e6744254ebed79bdd
SHA5128e2283e80a486f203f898e0f177024d73d67f4939604980f8cb266529361a799062765e1feedd5d8e2bf08f0bc1658a29cb31e0b48a15c7de6eb7aa457e799b4
-
Filesize
741KB
MD5211dd0cc3da148c5bc61389693fd284f
SHA175e6bd440e37240fee4bf7ae01109093490ac5a7
SHA256645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
SHA512628bb927b5a85674ed1f762d4c42e8e9f55859cd626ab0f01b7d47ee4c74ff5775ceafc4a45864344d5dd13e588fe60b6a121b00dac79276689d0a9970d12e89
-
Filesize
239KB
MD5da5c79183dabf3510e9c6d76f7c5c087
SHA1b06a732e61d91b4e2ddc0a288f7472f1c7952271
SHA256093f37a701ed0a89cb89e00cf665f26760de3a532ef97ecd5d75ce51223f932f
SHA512c3fef14434ddbbcf14a4e551257376ae0a57884662f22cad24a009569c8e218839423a52d9715307f57565614699f8d66bc524c0f2ce7930a9b4bff9f12ea0ec
-
Filesize
4.2MB
MD5d55a94d4acedebc4b42333312be08f6b
SHA1ec5da148a43839accda27c01e221b128777602fe
SHA256c1673b575277e0d0a5b6a58c7c71b8c7e973f51dbeb9e682562a5ec447724d04
SHA512d2612761dc8ed8bf29f06d7ef18b88015d6ea568c9faecb2196df030a71b09f5a30f69551ba7c06ee4dac2e052bf82f43581a56559ccc078769e1f81119359be
-
Filesize
1.8MB
MD5d428ba15ff307879562142d3b642619b
SHA108b51350fe8cf5acf85a1716cbde1a607b8b6ca0
SHA25623b3e65432828bc9913c5a1407a726a21ea9c8e4ca69bba65fc554d8475542f8
SHA51231b1d27b326f7ecf9f45fd57a1cee66e443c4d4cc5294fda201bf8d6062c1865e82d2096b83c33cc9d85ecb75fb617daf658cfc128ce1ea46d9934ff382f9ffc
-
Filesize
1.7MB
MD50c50a08dffa73cfbb9ee5ba4382bdefc
SHA1b21d45218d280416859c21b9c628315d6d71690f
SHA256ea7617b4a5571a89a06ef9bb195dc92a178ea4e0a6a514030eb288f54d26f0a3
SHA512529275d8e96270c711ecee981bb07a3e70eab1a01e3550898449cc9cf2da57b0e823d36fcbfca92f006ebd2b47dd1e9d7dbf2367baf14e010f179e521eeabeea
-
Filesize
901KB
MD55bdda578b122fe3decd3583123e91410
SHA1204c22df2afb0b5c4d518b5a1a5908fc357c8b68
SHA256f1062a92a8b4bcf35af6f22831c36b50b872e6faf3024cd956a5bb7a18846631
SHA512ce9ff05b0dd13e4560373eec092c864356c8ab38e2b73e8d668f8b814958b461439336c7cd3b765dca64183eab7eeadf5c4ec4a61fb7f6fe628723387109832b
-
Filesize
2.7MB
MD54fc28f8386b849a5633c3b4f97decd24
SHA12f68e0e548d77a1fc5b871ca56246ecf7810799c
SHA2565e33b2113f70189d082a8c87ae822718976c90a84e3a29d55c7acf8f940797f5
SHA5126c66eddc75a4acab38093fccb11f22572c0875ca8e1c182ae67e6628460e2302784165b2173d4593e9a1b9c6546cc0035e8798d218b90f338b94d54ed51d70ad
-
Filesize
224KB
MD56aaa6156bca65c60437b9dcf21a8566e
SHA174c4917b5006a2af825ed9e9d3bdaff7884aa11c
SHA256fe153e9df223598b0c2bba4c345b9680b52e1e5b1f7574d649e6af6f9d08be05
SHA51202f8a158815b29cfbad62403b5177ea5e073d84103e640441d901e12b2fbc4f2cd113924d2b06b09cf045c99b58a5527f2c68e6a664d8015f646672c11567199
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
52KB
MD50487661a3be3e516ecf90432e0f1a65b
SHA1548f56668cdfde2d71e714cd4e12e3a1419dfc31
SHA2561dbfc503087ed424d8befd455c6554ba03aa4c4c5e77f7b388dc412b6a99a70e
SHA5127f9027e567876bae2302652a2d63b457bc39f439ec6cd4d7d170423c5f27aa5b0479113b7d8c436cbc08ac76450b0e56c2d8dd42a219c7ad3dbbf693f935cf77
-
Filesize
919KB
MD5c09756dea58e68a563c05c98f2ee5822
SHA190675ae3c1a7f575dee20ceee5cbf3d761aee432
SHA2560d43333d98724395292ff88d573ad31c6ff65a0ec117e3a605b1009478f91ac8
SHA512c5b0bff60c4b44f62e224a58dbd508efb20f1324c85c62de13134f909a1cfd63349402d7472940992b6447685fbb665fd28929dc6693a5f3f1222173a8c477c7
-
Filesize
82KB
MD509d17ffb85794728c964c131c287c800
SHA1a1d7a2dea5e0763de64fb28892786617d6340a86
SHA256f913264e2aa6be78dae1261782f192ae4ef565439c5ad68a51c0397b33ee1475
SHA512d174de399777b691443de3abff35dde5040d84ea06f252e86ec5b76bc2c02dc0c5c430f0ed9bab83a69e128a7cea989a1a24c6f579947e448db1cc393838b1d6
-
Filesize
32KB
MD50e9173e00715288b2d6b61407a5a9154
SHA1c7ba999483382f3c3aba56a4799113e43c3428d5
SHA256aa4685667dd6031db9c85e93a83679051d02da5a396a1ad2ef41c0bdf91baf66
SHA512bb13d5de52ea0a0178f8474fceb7e9fc2d633baceacb4e057b976cac9131152076544891d0959fa22fe293eeee942ae0f6a2fdd3d3a4c050a39549baa2cb5ecd
-
Filesize
8KB
MD5283c7e0a2d03ff8afe11a62e1869f2e5
SHA1235da34690349f1c33cba69e77ead2b19e08dbc9
SHA25638582d3231748a788012e4c27a5ac0f54f9cb0467d60ecc247a31ea165edeef9
SHA512b9ba42910d150ce9e07542a501c4134fb668f9b4af70db1ed8fa402066c8fb5025cf4bb29abd91c877571361e71c582e1e7c5350b28c7bda18d6bf184e85273e
-
Filesize
58KB
MD56337b4a0ef79ecfc7a0e70beea5d5b5b
SHA1904aaf86b183865a6337be71971148e4ef55d548
SHA256024ad40c289bfdbea25aa7c319381595c700e6e9e92a951bc2e5df8a21382630
SHA5129b88533915190062002702b2b632e648a94f086b987040d3f22f1bc718a2e58fbcb6d85a9ad17c8ee34018364cd9486d52bef91d645cfc3608aa3b592fca6b48
-
Filesize
1KB
MD551c0f6eff2d7e54810b653329e530404
SHA152aef28dab5ba3202341fe2a34f64744f268b991
SHA256a8f5d7c5caed37fa9f6dc432c1f854f32564d6cf0fec70f4bede96ba4df4dcdd
SHA512ae804726dabe115186e5ccaf7827912b48517a8a4dea8bafa2d35286bc60cb1203cbe71b6936cc269bfa82c7037bacd79d9dbb586e49909fcb1d84e99e6f3fe7
-
Filesize
1.8MB
MD59026ca6bc267a2ac0e092e352cb39dfe
SHA1081dbb285587965762103b87f260f1371af58087
SHA256e2b42da09ca84002f6f77f31c1ed5c2d14346aa5984ffe8a494ff1e69c35a68d
SHA512f03a4ff06faa9c32f1ddfa39da15c315bc12edfc04199f48a88c6fb7cc3c74612580668fc51d2303d24a70d11075bff48e148a21c17244adb7435ad12aa91cdf
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
7KB
MD58fe17a855153ad979e9707fc225d7626
SHA19a996fa7bfcc499d002ef8fa0c05b681ce79776a
SHA2562b72a541679088623cd0eee87526d4b9f305fa8e0a291087d53a8302f93f6f48
SHA5127402dc379b348eedb84e474444707ea40f1db945920a6e49274ffd83fa15040ab902f24ff91d44e5e609893dc8d5ffa8cc61674c52c4bf43c553a77a4751c8ef
-
Filesize
8KB
MD56006416a1bcabd9bfcf2bdc088964395
SHA1d18be7334d0db103c93f566626f670792de55865
SHA256f61f7dcabc2d820de38b75c673c56f0a5c5ee7a00fcc20eb57059e7bb6429251
SHA5127a24fd42f9c1c9b2354c9315ba193a77d0a6f33b15173ab1df9a799dafc912670d29f7853b3da157bb72a7a06636443e15266dad5613e372dff17dcbc50be61b
-
Filesize
5KB
MD553851dd1624c1d4973f084a0c9a0f845
SHA1c4b5ec6a34da44061f91d9f17de110dd4ad294fe
SHA25623a7a9a2c571d3848e48b9086d66f7725c3c551c001a1f69e2d07371693fd70e
SHA512b505bb28c3253aeaf6503c55bbf571ebfedc2c0b26caa769d0dde5faed56d0b47b573e6e6c184585fa194b9522473cc364bfcc9c885a81a69cbaedab9edd2317
-
Filesize
14KB
MD527efd0d3aec8f5c444d0f5c86dc28f5a
SHA11b083e1323d9faa1d2b8b54ba3354b69d20e54a6
SHA25631ce2235c1c69930511f623ba28503172a9156b9fde3a6befa705a0d934ae256
SHA512a37d8bfb88a7cd8dc2e58d8707f0c3377faa104ab0972b1f090df8978bc7b6acfa483e068e855e3290a2c179a7474a311dcbfffb2c33b8c91e0cdf31b79726f9
-
Filesize
15KB
MD575a0b1b7457efa9c7cdc8805cdc9808b
SHA127e0938ed868d7c941710084c0cb8ef6a959c197
SHA256ee49407dc89af016af75e67bfec44ce35ad02160c2825459e20bfa80fddada9f
SHA5128ad4e181ee74671f0c78cca21280f3d6dcac3e0d9f30d9dca1f467ea67bbb3e51b1aef754c55ce2a360436ea333a63732b77b531817494b06390d1b1e7d8fffa
-
Filesize
15KB
MD582f90e7cafb87343d41045b9e606b6de
SHA1fd6fa061da0b900ce00719735e7e1f8e07272262
SHA25677506fa78b6ad0887f3fe2d525844d670492f1de7584b2e2b5b8c104ab60a8ba
SHA5124a4c7224817e7c3ed7649200684b5da221c2721d842cc8936d7b103fb5a8eb6388d27bafd35d9beea79126dc6b0af64871099fa44d12830eb8a894278c36f236
-
Filesize
27KB
MD596e2228504114563ecdfac3ebe0e0bd2
SHA12af31a10e84d2ddaaa3f9044ff5594d365b3e7ab
SHA256f9e8b5291c65932fe5b88ed5560c4833193d5e0ecce31ac80c4628892ac91eaf
SHA5127096e7c615b149083bcf013a0de52587412d058444c86b43c9d17e623b6442f35863d752d5365f59d7d35795387f8dc9ad48fd85971646016e5c1475c7ed4597
-
Filesize
671B
MD587c9a40d3c81ef000573f04b2e81f4b0
SHA1ebd15b05f44aad50bb1e7cc417e32dc310cb9dae
SHA25629e4d712fba6606710cb1e50e5f0eef3a1bf8abb6847185587e4fe033731b832
SHA5121f064b739ae4d0bb2ce76ec1e064ea7be51573a917d657822c6d29a23fabc5defa1af55949191d2334660f4767b7e7836d885f5e0691f7dc21ac395407b953c0
-
Filesize
982B
MD5f62d580796a4ab50f93a5560e32094ab
SHA1e8bc81b8da8f223681c978105a3bf93b2d5dbd09
SHA256436d368d13b39f2cb0eb17b4e75e623747ab0406398e817749443486af2a9634
SHA5126b633c7dd324585f971a8d7bd0b264ccb20a860e450653bf17dd3d937593455fee66c3636aba52d1fff5820f268e236156f9f2d7690339476200661b707c2557
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5be5573f4891c8523150683d91e829cac
SHA1066aa0f2c0cc1c52c5a0fc04e46175d44abd90ff
SHA256f22ca9ea6db1a14c1e33bfffd65dd59e1a517b3c5ade8447b9590552462cf12d
SHA5127b4a71bb06e5d0913e2f4e8367ae377c7e8fe33f1ad825d5cf6ae81efe53c1a2b4f1bddaecc08e8ff57dc302412168f9f5e706a9a0a614f6c151e02e44ff1f45
-
Filesize
15KB
MD56c22041a1616b92d0b54cca8e0fe85e9
SHA1cae715cd697f63a4873666861a2b250ee8d07c60
SHA25614193afe014c1359b702aa26c54038ba0d21cc41b32f9bb3d2e68c6ef5383d32
SHA512d43aa293594e57c065fc8bab70bca1812c3277e1f868ac5537c7d80a8b588ec779e35a1498b140b1b3226d9ae9a4e9684ef47f11b6a977aad428b5beb6244857
-
Filesize
10KB
MD5c9d8d4bcec466ae82f74d24b3f82c6c5
SHA1d82c5b1bc1dc5531ef0f9393d907e5b1dcc1989c
SHA2563e5c64635ffd4a12172877b8fae0a3ce46f1ee50158380a64bb9b8c771fe5627
SHA51253ec945e7f79c7d99086786af9a8441a90404a8b645dd82da282a7b0fd04198939e06a2faad72c6384de29f05f977add3eaf4b31ff2b0fb6a51aea22196e770c
-
Filesize
10KB
MD5b95a73700a52c8ed0717e8c1d82326f1
SHA1e8f88ef51837856ac9bf2b64a4d3b00844fb0052
SHA256c00df0e32276e02c55f0f447ed4a3c7c0bf5ab03e9c2d1740e541e74ef92d4d0
SHA512ba1232213fbd17c387f2c1d944f3ebe548d6046bcdf881c0dbe1ef7c78979f2d8541a4c0feb7a126582c4fb6c5d89dd640cb7a281960c4e18e619a155d4823ee
-
Filesize
1.8MB
MD5dab6947499cba22993b1caca3dec3da9
SHA12d46c2fd4f43bb36bcbba08cd85b201408cc4d4f
SHA256a5a0800cfcf273bf50196b2263f20cbea43b0387ec6bb591feb34412183e65ca
SHA51223c30be74b04aa10f6b1f24d0f62ae6395890d17a31b96b3e03432967d7c12f044c8683b31503dce7e0c869f82a2411ddd59eba761cb4ac8a3e73628d3ab0a56
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
1.2MB
-
Filesize
72KB