Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 01:13
General
-
Target
ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9.exe
-
Size
1.8MB
-
MD5
3c271702f5eebc60e590f6803d8d2238
-
SHA1
488b5450a017ab4f78d50a1c5adb1c5b54643458
-
SHA256
ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9
-
SHA512
de4dff6c44ebee7a5b3bc8060a39167343cc9e5fb7d6555ff72289c6ca7c9daf25bd8e19378430509329d20035f01f9d0d9a14b22e7d756621393b53233da935
-
SSDEEP
49152:kCSkkgCY8/d3hr9tWCT17LMUVgXHqUlOosPSYxtT972HXrKpaV4nEaEb:kmeY89DzGaUDsPZf97EXrR4EaE
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 62 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9.exe"C:\Users\Admin\AppData\Local\Temp\ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"C:\Users\Admin\AppData\Local\Temp\1007643001\GuidanceConnectors.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Frequently Frequently.cmd & Frequently.cmd4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa opssvc"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3906415⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "ConventionTroopsStudiedTooth" Version5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Accessing + ..\Entire + ..\Peripherals + ..\Et B5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comImposed.com B5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comC:\Users\Admin\AppData\Local\Temp\390641\Imposed.com6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comC:\Users\Admin\AppData\Local\Temp\390641\Imposed.com6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\390641\Imposed.comC:\Users\Admin\AppData\Local\Temp\390641\Imposed.com6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007744001\Lumma111.exe"C:\Users\Admin\AppData\Local\Temp\1007744001\Lumma111.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007810001\dbc048db45.exe"C:\Users\Admin\AppData\Local\Temp\1007810001\dbc048db45.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb29d1cc40,0x7ffb29d1cc4c,0x7ffb29d1cc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2108,i,17482408806749566673,4709069004674904708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1864,i,17482408806749566673,4709069004674904708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,17482408806749566673,4709069004674904708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,17482408806749566673,4709069004674904708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,17482408806749566673,4709069004674904708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4508,i,17482408806749566673,4709069004674904708,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 12524⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007811001\a62ca644c7.exe"C:\Users\Admin\AppData\Local\Temp\1007811001\a62ca644c7.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007812001\d59898f0c0.exe"C:\Users\Admin\AppData\Local\Temp\1007812001\d59898f0c0.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007813001\594b095e48.exe"C:\Users\Admin\AppData\Local\Temp\1007813001\594b095e48.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1956 -prefMapHandle 1948 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0e0a9fb-703a-4ac0-9d54-eaaf3512ac55} 2992 "\\.\pipe\gecko-crash-server-pipe.2992" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8960d905-3220-41b8-9f8c-4948c4aa086c} 2992 "\\.\pipe\gecko-crash-server-pipe.2992" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3000 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 3040 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad9d602f-562c-4e86-85c3-a1abaee6c270} 2992 "\\.\pipe\gecko-crash-server-pipe.2992" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3976 -childID 2 -isForBrowser -prefsHandle 3724 -prefMapHandle 2588 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3e63f85-6a4c-4a08-9780-76d5600933da} 2992 "\\.\pipe\gecko-crash-server-pipe.2992" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4640 -prefMapHandle 4760 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68a5fd9c-4fce-4f54-9301-145a675ce76b} 2992 "\\.\pipe\gecko-crash-server-pipe.2992" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5520 -prefMapHandle 4700 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02374e62-b92c-47e3-be4b-3ce803c77b2c} 2992 "\\.\pipe\gecko-crash-server-pipe.2992" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5688 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fc16d39-980a-4c87-bfd6-eb459259506c} 2992 "\\.\pipe\gecko-crash-server-pipe.2992" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 5 -isForBrowser -prefsHandle 5876 -prefMapHandle 5880 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bfc9b01-fb8f-40b6-9a73-ed063ec8e8c0} 2992 "\\.\pipe\gecko-crash-server-pipe.2992" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007814001\3bbc33d809.exe"C:\Users\Admin\AppData\Local\Temp\1007814001\3bbc33d809.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3968 -ip 39681⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5fd5a000273ea098391856b7941fd2a3a
SHA1aa720e193a207747ccf025910df7893e55fd1def
SHA2569dc54a4d536a29ced8348c45d3f02b0aad8fd8011cdf2b34f5238a9ea50d2049
SHA51270124883b83588fb87a191595614e649e06611c3b1eebfe8de6b906b2adec58c1b4d34265307b0b866928c52d64dbadda5261e679f7c457057188d0d5596dae4
-
Filesize
356B
MD5b907f80b7d6030001db885f77d945342
SHA18ef91c58a850a74f045887677f37f36c7e39301e
SHA25629302a1cf2bec3aa9ff434f391f00b1a90f78473efdd89047d8655b74453f004
SHA512cd7615bda0e42935daefc9c02d5447774ba5348618bbc1960376ed71d88a514bd48029a8d7bfc671b4e91a5a7eacb1cd5ef1a4d6137fd2c4486f7bc4ccba9e10
-
Filesize
27KB
MD57fa346e4740fe2836732765a0096e78c
SHA1c3b7fe0fb73ec3bbd3bde280a857460bed8df97a
SHA25641d924d611e0bba16cc879e14636c4b6ad3bfdf26f925ad922541769a6d44024
SHA5126eb73fa2a616e1813557f658cd155d60a0bbf22ea41ac86e1255aa88c6edbccc4e210d146e9ad067ba66ce793d54651f31771867761326c028ecb13de4bb85e0
-
Filesize
13KB
MD54958d4adaa60114891b0d7d8f5d53ecd
SHA1ef865035d7076db8afcd678c3356a1ecd6730545
SHA25613c8ab240c0a17e58968dbf7d1124a196dd8d783456d877d51b3a185a81a1630
SHA51219a272b194ff2c6758a8dfac80829d00776a57da60cb9acfeef14b46b8027868a782f6aba724999e9ab0ed75c01bd100bae3fce2c4143290f80775af95f8d932
-
Filesize
741KB
MD5211dd0cc3da148c5bc61389693fd284f
SHA175e6bd440e37240fee4bf7ae01109093490ac5a7
SHA256645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe
SHA512628bb927b5a85674ed1f762d4c42e8e9f55859cd626ab0f01b7d47ee4c74ff5775ceafc4a45864344d5dd13e588fe60b6a121b00dac79276689d0a9970d12e89
-
Filesize
1.8MB
MD590e700a3800b87f46cbbc37be3724fd5
SHA125e3645bca71b87dbec92b55e5648452ffca782a
SHA2568cc02598acded7f8221865d08145297a9fc8162d626883fc9a72998c4a7f0da3
SHA512f06adebcc7d454a31ff36a3c2e8eedfc0086a638c7ec0fea6c0b41035ee03c2e329f3cef0e001939cab243fcfaae07a634f7839dd0fbb31942a793439df4ea8d
-
Filesize
4.2MB
MD5389910a7e7b0be062240be06d7ce5d31
SHA16c7f61dd43e11c3b5ee5bd21914ae5a9875adc7f
SHA256f9fe7307aac94b1dcd354cb199243dad83dcb5c3cdf4b599e643e8321b916ef1
SHA512231c854c70859b52f000f0a374d63077dfb00ee3af1ceabc76e53ffb289008d4a94df7dd0c6ab7482ca350ee6ee8f9ca79b20881534295a6ab7a0bfe545d66a0
-
Filesize
1.7MB
MD5a387bd34917033174622ded6a3bfd781
SHA14a83a6df052d479a8b9bfaf18c05e8bd3ad46989
SHA256c53f5b4eb89cb540a70a6719be2bdbd18719c0acbb1363c9603d43d83a18dc9c
SHA51299ba3da9056c4ae82acfd3ae9add555d00f1178e0c671cfb6931d872cbbfe32c27b788a90fb2ddc6dc1a1e35afedb67e45ec782fe5bc9f13b361e7a07e308ce4
-
Filesize
1.7MB
MD50157dd2ed057c6d60f978e502fbee0d8
SHA1c55dfd3bf8e99c7925d83ac14e96b7eccec2383c
SHA256f8806791549705d6be98d2b40314fd54bac69524369e3ff429c9d18b0acebd53
SHA5128af621f9303824192ef1c2a8f3f94a5dc4eb4436ed14f0af970051928dba42e3ae17baea629b7889be2479dcb6ed265598ca4f73d47a59a449495427bfe327af
-
Filesize
901KB
MD54d01319f036290a237344700140e9dcb
SHA18a993be2e7474092b7565cbc11a5436d4a707d57
SHA256f2d69993ab991c86827b9e87a737c9950912398dc17804147ab71aa5ab92568f
SHA512bcea48fb76c13f286b44ca585b637602684cec479d2cb519e036ede16b9fadff518d2e3b37a0f1492e387f1bdbbd06895d16f3733fa492221a3a0b8221eb6030
-
Filesize
2.7MB
MD561fe9ca456c2881848651738ab9f7148
SHA1589e60d69861bcc653b86d76fcf2e56ccc808521
SHA256b19e58f2f509590e8cb1f79218b9c0893130a929fcc21737b48f7238380c9c6d
SHA512530bfa627ac2033ea6845031b1860e3d575ff8054a3406d3c41e12f75ccea510849a34681f3217d9ec72cf2b3fe847acba3e431f0885507967a1539918a6fa5f
-
Filesize
224KB
MD56aaa6156bca65c60437b9dcf21a8566e
SHA174c4917b5006a2af825ed9e9d3bdaff7884aa11c
SHA256fe153e9df223598b0c2bba4c345b9680b52e1e5b1f7574d649e6af6f9d08be05
SHA51202f8a158815b29cfbad62403b5177ea5e073d84103e640441d901e12b2fbc4f2cd113924d2b06b09cf045c99b58a5527f2c68e6a664d8015f646672c11567199
-
Filesize
921KB
MD578ba0653a340bac5ff152b21a83626cc
SHA1b12da9cb5d024555405040e65ad89d16ae749502
SHA25605d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
Filesize
52KB
MD50487661a3be3e516ecf90432e0f1a65b
SHA1548f56668cdfde2d71e714cd4e12e3a1419dfc31
SHA2561dbfc503087ed424d8befd455c6554ba03aa4c4c5e77f7b388dc412b6a99a70e
SHA5127f9027e567876bae2302652a2d63b457bc39f439ec6cd4d7d170423c5f27aa5b0479113b7d8c436cbc08ac76450b0e56c2d8dd42a219c7ad3dbbf693f935cf77
-
Filesize
919KB
MD5c09756dea58e68a563c05c98f2ee5822
SHA190675ae3c1a7f575dee20ceee5cbf3d761aee432
SHA2560d43333d98724395292ff88d573ad31c6ff65a0ec117e3a605b1009478f91ac8
SHA512c5b0bff60c4b44f62e224a58dbd508efb20f1324c85c62de13134f909a1cfd63349402d7472940992b6447685fbb665fd28929dc6693a5f3f1222173a8c477c7
-
Filesize
82KB
MD509d17ffb85794728c964c131c287c800
SHA1a1d7a2dea5e0763de64fb28892786617d6340a86
SHA256f913264e2aa6be78dae1261782f192ae4ef565439c5ad68a51c0397b33ee1475
SHA512d174de399777b691443de3abff35dde5040d84ea06f252e86ec5b76bc2c02dc0c5c430f0ed9bab83a69e128a7cea989a1a24c6f579947e448db1cc393838b1d6
-
Filesize
32KB
MD50e9173e00715288b2d6b61407a5a9154
SHA1c7ba999483382f3c3aba56a4799113e43c3428d5
SHA256aa4685667dd6031db9c85e93a83679051d02da5a396a1ad2ef41c0bdf91baf66
SHA512bb13d5de52ea0a0178f8474fceb7e9fc2d633baceacb4e057b976cac9131152076544891d0959fa22fe293eeee942ae0f6a2fdd3d3a4c050a39549baa2cb5ecd
-
Filesize
8KB
MD5283c7e0a2d03ff8afe11a62e1869f2e5
SHA1235da34690349f1c33cba69e77ead2b19e08dbc9
SHA25638582d3231748a788012e4c27a5ac0f54f9cb0467d60ecc247a31ea165edeef9
SHA512b9ba42910d150ce9e07542a501c4134fb668f9b4af70db1ed8fa402066c8fb5025cf4bb29abd91c877571361e71c582e1e7c5350b28c7bda18d6bf184e85273e
-
Filesize
58KB
MD56337b4a0ef79ecfc7a0e70beea5d5b5b
SHA1904aaf86b183865a6337be71971148e4ef55d548
SHA256024ad40c289bfdbea25aa7c319381595c700e6e9e92a951bc2e5df8a21382630
SHA5129b88533915190062002702b2b632e648a94f086b987040d3f22f1bc718a2e58fbcb6d85a9ad17c8ee34018364cd9486d52bef91d645cfc3608aa3b592fca6b48
-
Filesize
1KB
MD551c0f6eff2d7e54810b653329e530404
SHA152aef28dab5ba3202341fe2a34f64744f268b991
SHA256a8f5d7c5caed37fa9f6dc432c1f854f32564d6cf0fec70f4bede96ba4df4dcdd
SHA512ae804726dabe115186e5ccaf7827912b48517a8a4dea8bafa2d35286bc60cb1203cbe71b6936cc269bfa82c7037bacd79d9dbb586e49909fcb1d84e99e6f3fe7
-
Filesize
1.8MB
MD53c271702f5eebc60e590f6803d8d2238
SHA1488b5450a017ab4f78d50a1c5adb1c5b54643458
SHA256ea5afba952c7c52e7ff10d775ceca244907b4699642dde81d0dca9d6814ce3d9
SHA512de4dff6c44ebee7a5b3bc8060a39167343cc9e5fb7d6555ff72289c6ca7c9daf25bd8e19378430509329d20035f01f9d0d9a14b22e7d756621393b53233da935
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5fd3774c5c86ff62d2bd5286acc823700
SHA16d28e9e0204a643b4f6196840f79d97b1ce7a67b
SHA2563fd3198a3c25baec34a9be486e31368f741ff0409df7b246adac9fd425ef28bc
SHA5127fd6288048fb90ebfa4a45b1acda31a48ecca81702304ddaca650449f88133387110bed24bf61b55aa8061319f34921efc17a89312832f34ff2dbe53fa1a564a
-
Filesize
8KB
MD579d35d246d2ef84f2b4977175986f19f
SHA108c5e725541597c83d72e1fd438ebb5fad8d8098
SHA256e940295a8ac86039fb0c4efb63641298796729797c4c4041567ce36b112db72e
SHA5123cd4598cc63018d26b87e08c35adf18584910f35aaeec734dcc747b8da912bf7a7d63d6fb5146eb690cc8c995302e131c366bc38cd48c9a29f37c188f1de8271
-
Filesize
21KB
MD552ff04875851cb87ce9b0e8a7fc17dcf
SHA131b7f7bfc5dff6859f2ae942096f5b57af81cd39
SHA256213e4a31be6494925a868682bfc9a0c32c54dd7f3cefb7259dfd69548b0e148f
SHA512c8e72b60fd75b951066fc057f41ec9edfdbfd38ed38fe3061fcefe04e06d68bd27f863a7dfa2031f652c082d7c62531472db5e727a5d27604c0931f30cbd57eb
-
Filesize
25KB
MD51d745fffa4cbb67bb58fc4c6a0086a9e
SHA12bae54f73de917f6c37bf14a30af2640cb9256c9
SHA2569927206851fc98fbc8427f556297f8f088744820cf31b3bfd64aa911042cbc77
SHA512d3464d50f9145303781305fb35fd45150576e0b2dc351b5c6291abffd3cf9c1792604241a51758651abdf4f8749acf4133f2703b81b587422455ebbc7874136e
-
Filesize
25KB
MD5088d33f61e66898c10be30fa1a8d36ae
SHA127cdb8a5aef6c5e5a07e75082c23c524ae74bd82
SHA2569eee5f86663950eeb5b14833287746c54aaf64accf70a2fa730cd60f1cf4d6a6
SHA5120f87abb9bd983d12b5b39a986dbcbb3a952502ae13eaa7020211b5d942cdf9bc8cbf9775de279e67a62c7f7dc28f6ed29c02c6928301030e2d4b4fb97f3562d4
-
Filesize
25KB
MD5b783b1122320ea05c444d83cf3040720
SHA170710591160327a80d8e9db83afee7ee59a7059d
SHA256a4449b6bf281be5e9399b9434b328494457b58c0c7e2909cf7b77866031da66c
SHA512a350a1652ece5befdc157ec325bc79f8dd3596ef4d1e5fb175f56fa42e14064c47967a29992cc1afeefa5feb03e0ded8bd6d89b4048a0354e5c4379c6b305c83
-
Filesize
22KB
MD5522add3ba1b481c3019785b5b6b351d8
SHA15859bb5ed7952d3609fdbd46d7dd0e56af4248ad
SHA2565e96706deee95afda13b82bfceac2db294006dc30eea7d5b4d2fc698cf191e51
SHA512926e0a30fa2d899c6f990df2c7cc074813f304ca5d0bc050e6c5d550aafaf8dc0f924892cde239c100c4c18131d1387f1d6a02f13a508b54ff8a1c07bb6329be
-
Filesize
659B
MD590cec85501e3ed6971e3c90e000cb578
SHA1fdafc756784a836e378e1e034e38dee6d39b14b9
SHA256d08514e42bf087718e90fea135ea53ce5b56b4336c3721382e1c1d863f3c61d8
SHA5126d04ddf38067c1fff81febcc60b26f5e913b713b5cf2a3b8cc5fb4cc7ad91fef7555cdffcb0bbfbfce3461aa17a360242bad5af703f94bd0db744753d7621a16
-
Filesize
982B
MD519f2c875eb107783e29722957c133e22
SHA1272658c4ccd1a095e3c4c701708ccb8a997e68c6
SHA256e3de237f18711f43c388340668677530168a0553d9fee730756abdb3ad083684
SHA5126538537a025713152727f9647540ba99e57b9ad52b851c327373c1e752fda28b920d93309c65bb885b1a82b2bcb59c0c4a4913389926b6d9ed0850e911814687
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD50c3d151ec04e8bf471cfc03f8c85d554
SHA1f53bb7dc7f26a748f3a8c98c9ca8d0e932d06025
SHA256402b951ee37dc16d4404a61ed9a2d621fb779a48f1e1887552600494032cb806
SHA5126725242072b88de2bd58a09b8e25d21884ef6856c140a40761c0cc0e75a992e49d91aad0034b4cbb099cbdc1ade849fe03dc8c0ab86954951a0bc8e938e343be
-
Filesize
15KB
MD56903b9b022f15fab27bfa2933210be80
SHA1c66ca729f69240a11e7f84fdbb59d2e41711c580
SHA2566e9c3ef1e4799d61425483031bddf27e362a2a4a168a57699d4df338da3fb6cd
SHA5125534d159f5d03af06065ae58ad2e9ca307674e5608b31df76899341e8f3ae81a0545c65b2e5544102dbf5c661cf65d7642cb923044fbc663846f5edb6c8a7122
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
72KB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.5MB
-
Filesize
4.5MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB