Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 02:13
General
-
Target
file.exe
-
Size
1.8MB
-
MD5
35d1c1965ed05d18f6d96f235a43a275
-
SHA1
c86ef2a0fcf22b02054f92f23c70a61ae8570b31
-
SHA256
d7ecee953b42d1ead347c587deabfc57ed5360b5c20278249d6e2bae39386d56
-
SHA512
25fd47d1e7ce7ee6202c0d90ba8e096e6442549045d3ff9b478ba0f2a815a85f2b44e5e17620e70e35e9c41dbc457b8b1adde9aca5f0ffd624a9b2d6f50fdbec
-
SSDEEP
49152:ouQbXZhAkVEfQcncuwxgFU2Gya/NIFQMn7ePxc8Oj:o1rZCoEfQcncBgFUnjFtv5E
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 3 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to execute payload.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 60 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1007819001\e4c60d6a8b.exe"C:\Users\Admin\AppData\Local\Temp\1007819001\e4c60d6a8b.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8aabfcc40,0x7ff8aabfcc4c,0x7ff8aabfcc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,8284487380523466799,18299698764926197260,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,8284487380523466799,18299698764926197260,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,8284487380523466799,18299698764926197260,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,8284487380523466799,18299698764926197260,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,8284487380523466799,18299698764926197260,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 10804⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007820001\SillyShelf.exe"C:\Users\Admin\AppData\Local\Temp\1007820001\SillyShelf.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-VEQBH.tmp\SillyShelf.tmp"C:\Users\Admin\AppData\Local\Temp\is-VEQBH.tmp\SillyShelf.tmp" /SL5="$90200,1389145,140800,C:\Users\Admin\AppData\Local\Temp\1007820001\SillyShelf.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\1007820001\SillyShelf.exe" /VERYSILENT /SUPPRESSMSGBOXES5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /T 36⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\1007820001\SillyShelf.exe"C:\Users\Admin\AppData\Local\Temp\1007820001\SillyShelf.exe" /VERYSILENT /SUPPRESSMSGBOXES6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-AUB29.tmp\SillyShelf.tmp"C:\Users\Admin\AppData\Local\Temp\is-AUB29.tmp\SillyShelf.tmp" /SL5="$9020C,1389145,140800,C:\Users\Admin\AppData\Local\Temp\1007820001\SillyShelf.exe" /VERYSILENT /SUPPRESSMSGBOXES7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\PoisedCoyote.dll"8⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\PoisedCoyote.dll"9⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\PoisedCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{5C4DD7A1-8A0F-4985-A5E5-D4C930F82DD1}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007821001\73f1c4efa2.exe"C:\Users\Admin\AppData\Local\Temp\1007821001\73f1c4efa2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007822001\df9636df44.exe"C:\Users\Admin\AppData\Local\Temp\1007822001\df9636df44.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1007823001\29ece9dd2b.exe"C:\Users\Admin\AppData\Local\Temp\1007823001\29ece9dd2b.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4125cbdc-a36e-4638-aafd-004f171d4825} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72eb21d8-717a-48e7-ba18-37e135b016ab} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3272 -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 3256 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94c895dc-63d7-48d2-b109-51acc52c732f} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3924 -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c7db8d3-df76-4d41-8c5e-bd4be0416f13} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4564 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4580 -prefMapHandle 4576 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7d65234-4ffd-4405-a5c8-11d69984100b} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -childID 3 -isForBrowser -prefsHandle 5056 -prefMapHandle 5052 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45226c88-b655-4bcd-b113-71c874715590} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -childID 4 -isForBrowser -prefsHandle 5084 -prefMapHandle 5076 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {157d6463-e4bf-4446-94c5-4b972e7b4310} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5528 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b812d43f-eca9-46b6-a118-65b6df4369be} 2376 "\\.\pipe\gecko-crash-server-pipe.2376" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1007824001\af107b3a6d.exe"C:\Users\Admin\AppData\Local\Temp\1007824001\af107b3a6d.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 232 -ip 2321⤵
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\PoisedCoyote.dll1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.EXEC:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\PoisedCoyote.dll1⤵
- Loads dropped DLL
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\PoisedCoyote.dll' }) { exit 0 } else { exit 1 }"2⤵
- Command and Scripting Interpreter: PowerShell
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
1KB
MD512c844ed8342738dacc6eb0072c43257
SHA1b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7
SHA2562afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519
SHA512e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a
-
Filesize
1KB
MD5f54d80e9f1fadc3bcd439a5afb11f61f
SHA1c751131196cacbf248b0278e2dd8ff59e49d5385
SHA256495d7c5fb521935fdd34065b6041bbb7df83e2d6e0ba4dab9a9ab528ced8175a
SHA5123d9dce58f6483795cdd440d17bc80d19a53512bc65e44bc50af878af2f1b85419f7ae0fda264da63a0d8b4b5bf27715258990a37ad17a6d1afbfe20fd92ab534
-
Filesize
1KB
MD56fda5926d242637b1d37aac775c4f645
SHA1039f865235d390eb0b793d23bc869ee6bf9d6f2d
SHA256d011f3b4ffc2959e0e1cdbcd87607c5f75c28e769fb7fb617d66ad8c5c15bb11
SHA51218763ae71e72e6ca2ca1840d85687ceec5a515722bc7e64a62ed933b85cde45c2936eddbb69601b02d1e77a435c1aaacf00ecdc5c57ba1315f946b84cdffc359
-
Filesize
13KB
MD518e826082afa563c8b4279c8687a0aa3
SHA1b04d005d2c5c83035d520e1c55d9608363acc2dd
SHA256cab1f090930bff5e5eb6a082f2caae241421dfb7918e5bab8a2fa6668c560990
SHA5121fe93941cdb65fb97ea705089f59927f2177ec49ffeded8aa6c8a11b4983c79cf6d8cc660e7800df72441fd4393a387f98670f7bf186ed605a75a71c85906dc1
-
Filesize
4.2MB
MD5580e5e0360775b95ab367ac5b849b95a
SHA15cc16de84752885fa1cdbd8adf038c55fa15f28f
SHA2565a2f8a3d3a35a24346e8c62d5f36d052e26834f1e58996674f2ceddf563e452b
SHA512b4ec8b572d4d39228485d63a82cb067931ab1b5845e3a8ec20dde6d70d06ae232570382081ce0cc2c2f6de4f91ebe47115dc4ae52542d1bdb76c72314fd594ae
-
Filesize
1.7MB
MD5fecd099f9b8d9500d7199a1054397e3f
SHA13df235780c9ad851474c20338e4921f5f2decaf7
SHA25696a60b6cde63794b637bce219083e7905560c626e68c00af1d99be451c8c3700
SHA512e8559b435fc053460cc7d5ba6755c1b8aa659f2bc620bd13f7ac6db7da846088018baf07c630f2fc97769e5da0d0bbc2fcd9b400b7166c6aa5cada4d9a85eca0
-
Filesize
1.8MB
MD5896b70ec58cd9c07e6f54178c959b1ab
SHA132517407995bcf199a780c697aa9ff0b407e1bb4
SHA2568edf303376c0b5eefe108e4726251f107b82ca778f3dd2a95859b2b43988ec55
SHA512fd2255e574c5080038805a6255b0077f29d1ea9bc6efefc729164c5ad5be3573f444efd8eb1e9b74a53b7e60374e0c6cbc161d4b3f837500ad5325bd3e29805c
-
Filesize
1.7MB
MD5839a665835f7c3206f7dcfc30378eb90
SHA11facfc21eed29ae31ea6781482da70e87a8f89ff
SHA25682672b451fdaee65c1fbcac9db7d969bb928f566f6d8ae55bd4c02a34236ddcd
SHA512f3543bad711c788329c6be8f8a7cfa06b9203cb1a73f9f617f05c4cc6f8557b3d0b81d8a500e1202d4b92ead0440d4b70ccd119896e51be531ededbee88b48f9
-
Filesize
901KB
MD5255340d5114625142bf036174e2d4137
SHA135f61fbba27ae11fb093c869b652cef80a37875b
SHA25696e13ea6b51e4485d4709faeb9cf7672e15cf36efd76c0441ff1b33ba15a676d
SHA51225a6bb226c73a64af547ae039f21a814e578f727f3c52eb0dd1234f2790fc5aff60e32704e0af963ec41cb91d01b456dfe373527d305d69c29ea90927aa9dc2b
-
Filesize
2.7MB
MD5dd4838b2c7c89b5d5130f5bc7168809b
SHA138ca577f79ffd22928874b9c74552027a7fce330
SHA256628693042f7cc6900f9b14c58b3d18499ff7fedf05335b7a81774db4bd5f23db
SHA512b56ffe826dd7a4bd43aafd402c139d930d3ffae5c2813de960d1d6544ee1d8d96b89e38728f4c4df024c0a38f60a730e1ab5b1d73a548fdac5f78f7164e004e3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.8MB
MD535d1c1965ed05d18f6d96f235a43a275
SHA1c86ef2a0fcf22b02054f92f23c70a61ae8570b31
SHA256d7ecee953b42d1ead347c587deabfc57ed5360b5c20278249d6e2bae39386d56
SHA51225fd47d1e7ce7ee6202c0d90ba8e096e6442549045d3ff9b478ba0f2a815a85f2b44e5e17620e70e35e9c41dbc457b8b1adde9aca5f0ffd624a9b2d6f50fdbec
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
1.1MB
MD514c6fa8e50b4147075eb922bd0c8b28d
SHA10faad18b0e26ce3b5c364621a4f0aee9db56a9a7
SHA25690c4a61af494b63ecfe1226714175675a4e49e57d50718491b3bc8fe29dd8fc7
SHA512e6c35bbcaa9a8bb306e58bb91aadf5feed6b1ad1df6ee0e68bf3bae9b76d84c862b4ee9dd87a1d288fe1b7aaaac13467964436a09ec529f67af50905cd0ef876
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
7KB
MD518690746f1c2f493a1f0983ddcaa8e8e
SHA161c3cd94d7f3d47b814e9004d1470c1d9beab5e2
SHA256b3788ca5572cd40b9cc21648c1f0f9d4da6984bc507b0a5aa37374015f77a513
SHA5122a24e1fdf54853e472dc34eabfc3713a7ddd02e75d1b4aad9568125190aaad461aa3ca531ba2c6d38bbc652dc5eb5e6d38daed2a9772c06a14d1bcf5b70a4abd
-
Filesize
12KB
MD50cdbe663a99f1e4516feed993af0645e
SHA19413658be16e6d2d2c76b80434bcba0a9b4d47ec
SHA256501efbbeeaeb7541ed523a7f118a43b73bd696e4d0c36724ed4d85fbd5224663
SHA512c665b0259dca7b21f6984451ecd468e62395e5b77066f7d02de21e16a95dc329bda5091c0f481a069fafadaa11cf24a20dd5b8f6fc2ec2c8d84ff2194b03994d
-
Filesize
22KB
MD530b63cf84a234a28ecd7d113631db07c
SHA19f4d09f31be1c12252a73053bd877e656181ebc9
SHA256b69becb23e117859d1a9af13b4580094d31627c3a9aa8c6204cf06f0fa432805
SHA51242c46a6c2fb52185e85784704499dd9f8441369b99a4cb0fdae338aa0900445ca83c99eb8a3e792e68b99a1b89ba450884ffa12f2d86993e0ae17ba37a9232cc
-
Filesize
25KB
MD5e781135c2db6f612bcdd0f2ab1e744f0
SHA1c898240f21482ff13ffd9cf7d596ef0785579d37
SHA25629c957b22f1c32446e0dfe8bf443af81631a6c53e0f3026dbd5b05f9200a5a3a
SHA5124a04345eb960233c449a938472222bacc6bd4125f21666f6ad2d03a847eaef6506e97252c6e1c0aea3bc716e7ffad20aaedcf2d04b9a347ebe1b3165037be4c1
-
Filesize
21KB
MD5325a34d1cfae3d7098410f61408a28b9
SHA1dedfa2781c4d9ae64277dfbdfb653b3448dab1c5
SHA2568654bcc3d7dfb92b42c34359d112b0025ec27e71a69fb7f3c1f6a8b7791af94d
SHA5121480eabcb8fc478593cd8e4a8fe7b667e51a4dc6a6ba8d358f4da2d957641bfd42679a615033e789e0a9e398c46cc8dab4b74d3616be9631462868c126d7e076
-
Filesize
23KB
MD5d13b0040c79df00528de97c4b9c149a7
SHA1eff60e85766db9f3c2c7cab1a1ada1578de29e61
SHA256d7d8c97a2abea1926876cad39e1796fb9a4e8b0c6b9a4b1b523de88c9e78b59c
SHA5125966ff34b92df875b655f3921e77d8a69064b8b1d55b5b885cd379a6900bcda746ebe3f1e55e9a5dbe0619461cc3b24ad70c7be6f9af8efa4b7cbecf21ba91fc
-
Filesize
25KB
MD5ceae5b333ac9c6c999c248c20552784f
SHA1eaa7358ad0c30aa4ee97d27e84ce3a359deae627
SHA2566c6f9eac8c9241da31d4e11b155e8505e7f95c2eed08053a0798626ac563d5ee
SHA5128e6f1db65519f40464a7affc89dfa943bcb0ec02e03db5b813c88910fd36d04d4d2b34bfee555dba1d0b9e4b65129e1b14eeafa704fc593b3442e900c6073d27
-
Filesize
659B
MD5e0b0c3db8f3df38beb17642a66b2af96
SHA107e81e976ecfa1c65c5c5b56a5408e4c6546a009
SHA25635bf13d2eeb740028951ab5b1ef3e0426d1ef85d40f099a58341fd2cee87d880
SHA5120180ba1433cf5e693044fb3c09a3cc5acdbf2c69d151d900f9caa8bf41ec8b01c557c85d6a94392701327b0885d4319b976728bbd9d032d6b7b3314fe49d468c
-
Filesize
982B
MD505f0610fa4aecb3e541af574311a1bb6
SHA1df9ae1cf1c2fc2a55355832af7865b05de988212
SHA2567668361ed263d1d011c926d586199ad7ee3af7e2a5a6160e0b1b511b8963a5ef
SHA512ec662f8b95199c3aa4b4f35000b44e948246140d0aaeab5ee4ced6d37237a5a755ca008119c81114942c22e25c21c409866e9cc33816658988542ad1e5ed484a
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5744b1a27e432155ea30c79eb568f8c2e
SHA116d610ffac2d8246612d595c2a11fbd0a8d2426b
SHA256db8e104b467f4aede37de436200938f9835b4e8b0c18435507671d6dfb5fde9b
SHA5128dabeb9d532794879c125fd357c111b88e0bc81485d0b4610528c1de921738a978d1f78406c982d36b1b287186c1aaa22ae32518169f26ff36b0bdee8f0f076d
-
Filesize
10KB
MD5868a1b8458bb9d75e5ba5e474b921f57
SHA194978020480e810d6d3d22e54f60e5d596007608
SHA256324a9540eae573fdef67c84a1422840f0c04a0ea9aa49cd641f4eeb96e5dac0c
SHA512992a0d953982c622c91877b14a63795423ea21bba733f51d76311631535689d2a47a510a38fd01504feff2e7ebcd51cec20080e0af252a318810c26ffcfc6dff
-
Filesize
15KB
MD5de9d690bde920c30a4e9a443b7fc470f
SHA166aad7d40235dffab8f6bbc0da08bf4bd2ca0222
SHA256ef4338e2769e62c62e5ada6e5ed2534c744a2c43b09ceb6f332046b09bd49299
SHA512708c684434c30375c15ffc5e8f7702570f5b86494c6db78fc4d79c3fe45a8446b2aa827489638001eaa4b7730da71e02dfda868e29774fbe6f7e17759c9313ba
-
Filesize
10KB
MD5642da0358f4719ee4b4790c05d4a7cc5
SHA1a2dac4cab10b74eae44107f6c519993b9dc780b9
SHA25661241dc71f65638429da6afaf9fbb15d530aaa860bf9bd4f1b7492c465cbe074
SHA512adb5994094e459b427e0896dfb42e755ff609404d1642052f5d489858cd1fdbb574bd78897feb97af58ae7098cda8c55bc3fe30f120f7dae9abddeb3a7e39d2d
-
Filesize
2.8MB
MD587aba2697a8deda3e1284a79780ff69d
SHA121dfe5aa0e8f32688faee3ac31652392696e0908
SHA256736af8f850ebf9fbf744002845787425aa493a5d11202094381051ee66568582
SHA5123a55df4bdd9f46126b85484e19bfd53ab8f744b073b1cfe42d9ffec101947a5a318b16ff7d446fb97834440a1f9d8ec1ffb82d3e67388027e62cad000cf38616
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
10.4MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
2.5MB
-
Filesize
12.2MB
-
Filesize
12.2MB
-
Filesize
840KB
-
Filesize
824KB
-
Filesize
648KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
304KB
-
Filesize
344KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
824KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
1.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
136KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
8KB
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
1.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB