Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-11-2024 18:32
General
-
Target
167f2c3220576c1a500f69c95b5e61c1aaff9171465adb197f0f620bfee3b9ca.exe
-
Size
7.1MB
-
MD5
1a6a75e5a7ce926ddfa4fc19122bc205
-
SHA1
15572996a846a37324eb81e05308e136ea2679e6
-
SHA256
167f2c3220576c1a500f69c95b5e61c1aaff9171465adb197f0f620bfee3b9ca
-
SHA512
93275f686b5d57f452e0435e5855722a18cbc68b99360e7e3e5577e3f782ca414090431e51bc6c1c92055bbd1e3a0a482c6d8c853b3d1561964522effcb63014
-
SSDEEP
196608:IOZy29TBvf/u/u+owHzOMmG7tWQM43naT1GA6om5+z:IeV9TJnYlRHzOMmwxnF95
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\167f2c3220576c1a500f69c95b5e61c1aaff9171465adb197f0f620bfee3b9ca.exe"C:\Users\Admin\AppData\Local\Temp\167f2c3220576c1a500f69c95b5e61c1aaff9171465adb197f0f620bfee3b9ca.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Y2e39.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Y2e39.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\B9V60.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\B9V60.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1S35a4.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1S35a4.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008236001\7798288b6b.exe"C:\Users\Admin\AppData\Local\Temp\1008236001\7798288b6b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffdd180cc40,0x7ffdd180cc4c,0x7ffdd180cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2356,i,17045232835076704408,166593299387192391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2352 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1772,i,17045232835076704408,166593299387192391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2400 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1956,i,17045232835076704408,166593299387192391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2600 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3200,i,17045232835076704408,166593299387192391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,17045232835076704408,166593299387192391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4600,i,17045232835076704408,166593299387192391,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 15687⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008237001\0579ddb4a7.exe"C:\Users\Admin\AppData\Local\Temp\1008237001\0579ddb4a7.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008238001\b9fc5f2080.exe"C:\Users\Admin\AppData\Local\Temp\1008238001\b9fc5f2080.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008239001\124950aa76.exe"C:\Users\Admin\AppData\Local\Temp\1008239001\124950aa76.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b23ce1ca-e3ec-4ec4-99bf-309df6ebfa64} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2456 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2436 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {619d7d89-deaa-46c2-a1c6-43d6ae3c80af} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3132 -childID 1 -isForBrowser -prefsHandle 3344 -prefMapHandle 3336 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7de310cb-b116-4451-960d-d6daa5df02dd} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30467a8e-6085-41fa-ad2b-6f6e2e05f9f4} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3760 -prefMapHandle 4328 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6df11df-186f-45cb-a76f-cf6611810de1} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5192 -childID 3 -isForBrowser -prefsHandle 5184 -prefMapHandle 5180 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16bf89c8-5dce-4103-850a-7d2295dc77fe} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 4 -isForBrowser -prefsHandle 5384 -prefMapHandle 5388 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85a1ef3c-c7d9-4f70-a250-6e0c0743a004} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 5 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {133c0b1d-91b4-4a7c-9cc7-fda4661b1634} 3404 "\\.\pipe\gecko-crash-server-pipe.3404" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008240001\6942124ba1.exe"C:\Users\Admin\AppData\Local\Temp\1008240001\6942124ba1.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1008241001\lll.exe"C:\Users\Admin\AppData\Local\Temp\1008241001\lll.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\1008241001\lll.exe"C:\Users\Admin\AppData\Local\Temp\1008241001\lll.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2U3546.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2U3546.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3U04d.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3U04d.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Y451j.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Y451j.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 368 -ip 3681⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD5f2acab3b0c284111b82b26e82e7df49c
SHA1dd7bc387103a27ea535b976f7d535060b731d01a
SHA256b0772db5f346588c4aca8533e6d1052c6f2544bb65807ec56a963ff937dbd9d6
SHA51294dffe6bd80632abf2f75fea596056ba6d648990586b88161ff8600462b04da32f7671053233eef7e8b2f75e46d2dff4c20ed74ad387cf6d082d832aa2ffb62f
-
Filesize
13KB
MD5337077ca0f22c793ad98e64d3dcfec92
SHA148162cc793537d8b1271e5d75bd7e75e863630b1
SHA256572ceae0a13b7f69b2043c86e2bf34650631d53f6718cbd8670e8c7dd5829bea
SHA5127bd822e919e5f2fac21300b159e20e17458cd724d39650e405b754d6affff679700e27f230ce649960382a57f29ad31d64a7786c458e849182d46d255a05efea
-
Filesize
4.2MB
MD53540f08b37b30b6c554e0e5ff05a8e97
SHA11ca146fe61b66a73900f1008f8267ec5554413c2
SHA256562ab7435cbde0c5528a05f60ce959fa9b428d3378f4d0f5b22f48eb09fe13e6
SHA5129ca4c49a620c2cb06a8c334d1cdce999579f3dcd472b10e7227c54089efe9e68844bfc0e2d34e0b72558e714b01094eeaa849b30566b1d7e7461fe928f1ed201
-
Filesize
1.8MB
MD5d52a17d31b33d3217bc5bcb6804c27d5
SHA11ee51e35abd1af1c72dc30a74eedd51fdd660e3b
SHA2563d39460a9254daa6b78f2957f452f5368dbb47f5dbfd51d3a69ba84ec9719eb7
SHA5129ad31decb22cd2a9f5ef446cca0c28f04165ea609258ab0087530253f8252bf8915bc711695c6e72a169ab648ee5f4090ab9c45055a1a6086b952cd00d8a95e3
-
Filesize
1.7MB
MD5e0205bfeadfb01c33d5a13ede54fbf10
SHA13ef5bc11132a9dd29a98e80db03f4c19494745b9
SHA2566b6a89b114bb94bef88235b97bfe7dc73933be77b833cb7fc522def6f37a415d
SHA5121d5d157fc2078b2db86e421057a52fc47cfe424fbedf6eec6865ab84385bfb8c7ba454f8e5a9d58712cf1c1346f633530649742e72e2cb576a14164af29f289c
-
Filesize
901KB
MD5f2b30bcd1f22e596f3fc49af0b3056f0
SHA10521752bd3d15a67f74e1bc88098ffaea7026ade
SHA256db7113060f611073d4f233254166c07fc9e523f5374e2a770071d7c98238f4b1
SHA5122fd6f01b6392745b3a76974188ff0257d69873fa7899a8ed6330a05b4890b18a86b78a9e59ee89fdeece17f7980a073c03039e39dc8c2b500770fe3b3dd8496a
-
Filesize
2.7MB
MD565650d0918fa25e48b9becb46f001c3f
SHA109b56cc99dd74ccfbf08166023c9be6aa5132970
SHA256ab0c3f5cfb603911e16064d4d783ed4b44e74242325f073dc49beded13b5944e
SHA5127f1d5bf947fa5626fcb7a7420e2795f47240940e6788159fecbce3eeb3c6ab790710103c19d2344f9b37b55fceb52abaef8c4f27aa08e2b043dcd61c292a0a4e
-
Filesize
481KB
MD5b8296c353c157263195539504ea1bb9b
SHA1a0e63246fc2aee469a0523f86c1dcb846d02d844
SHA256fcd7fb6bd93a6a6987262b70379c20e553703205e6594101ef053e1bae44feff
SHA512c524fc748152d46841db8899ee5ea58d1c7f6f5d7535166b7441b8151b21642a798b7daf4a7b6898063cad3d0ba57a852b01617376ff65709c75313894108f49
-
Filesize
2.6MB
MD55af36bb43cce3acc83f3113ba20156ee
SHA18a51b7a9f5195321a68736ecb4a8c6356c80af94
SHA25608451cdd0fd94f955d77aa2c6439ee9b441ce204a3b4b49ca8096ec5f3d7c402
SHA512e03ae96ac9bb4ec55d33b87a6c302a46a83d8fed80712a212217cb89c3b56e53f8e892f6eb42e61e0601e4f1f909f1f5b2e6001623d018f243d78eb0418cbdec
-
Filesize
5.5MB
MD5b3c65efc4b11fb94d5dfe3fb1eac76d1
SHA1689bf0ec508e62daf13aa879a6e9e889e8de14e6
SHA2565d47912c5e231f9cf378021085fe1d91a20f377ec3f928f385900bd51fc3cf04
SHA5126d44d52c524263edd674b71d70fdf2e96867601d4621e83ac4b0f8d73cc94eee87251fd32b1a4bfae296cc9cd450fec42b706a4312d61b9334e3914082e9ee94
-
Filesize
1.7MB
MD5a6a5206fd22c5bef02eabdf3152414e3
SHA197cdb21c7343613cb4e7b20291fa50d36682d451
SHA2561e55248aeae25b8281871f9771133ee30b88b32e8c44f6ce0e3ac1ca0214da9b
SHA5122911bc1f5737bab4221e4a51f7269b3a91e0d5ab1135fc2128df08b9f6caff329b91e38e5ae75471f55664f87b46a977654108b2dc17db8078aadd9c0ab7ef47
-
Filesize
3.7MB
MD507371c7461bab51bcc7b199fb2538ac1
SHA1c9c9a44b7eae53d1183e5f4fdbd966587bae7545
SHA2560edb2b3d0b336ba6ef95b09d542c629502161d04aa439f5a41d855464b3fe130
SHA512167984e46c663c4220fb3fd786f3ddebf13ba1b774036fc403baf032e1b22147b05850e4441ca817da9bf0641bf8b65c2732e76bf40726eacbda0fe5d23f09e0
-
Filesize
1.8MB
MD578d4dee0280d6956a51b9273f0ad737d
SHA12ef2fa793744883d76fa5bae923921bc9c30adb6
SHA2560303ddb89a4883dd612b2781fe062bdf4492883aa54955b9bc022d4565ed51ca
SHA5121d8c2603530a5531826e268127b6b2707c616caaa12c92d34f9346ca1cb813a5f778f2842db39e95d51727aaca6bc80e784dae399937df95de79b72b302ab847
-
Filesize
1.8MB
MD58fef87827d3d6d483a5651baed2430a2
SHA14e000643d43d03ed9447c97923c835d7d2950ce6
SHA2564464c4cead60d120714fc0b1dbcc130efbbca4aa6e9efd46679fe1b429a1562c
SHA5123f1243a012f1543d48c42270fbc902f63db997bdbb8fcb43fe051f787b9157b25ff91a1cc593e1c557cc0acc72ff2bf209d055b0efc38ddc8f26081e63c3dd77
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD51b7236b170549629b7458c0da67bbd8d
SHA186c2a4e722cc7a966c8cfd77ba3c3f763bf077be
SHA256bd7c0b7d8c69fe40cb11085ec670eadf1a01201d2d2e7a8fc0f9ba0d037366c9
SHA5121420411a0cd9bab6e6dbacc91539f3e87f8e4cdf996d5b6fb9b1d78f0329cca9b1e84f9c645a4994339a1d3a33ee460d74e6ef71cbac0ddc0a689570ab23c20f
-
Filesize
8KB
MD5089108665ea6da83100b06bf015a1a65
SHA1b0da95ebdcdfba7aec4cd9990faf551f01965bdb
SHA25632d60628494be381e6dcd7a19ebeab79f430d22cd8007f058588372ce103c12f
SHA512cf5d8b7340433253a0e629bf8bb6b711ab0fd120277ad337a4ce43687683d357c370e7a57e133aa34f7e102e643fad496e8f2133fb5a71dbd29702c023e80d00
-
Filesize
23KB
MD51fc02567c4a4ef37d5cee37af93d498c
SHA1908ecffd08a36a457098361a998b3ec2c0a78143
SHA25634edf16e7f127ad7c2e643f3486b82b2aeab57a19a52adc811cdd08213d43f6f
SHA512e061fd32f970bef22403a14df913b7d8b30b06f0a6b77d0d2fd655a227d8e627945494cc330c6be1b8f2463785e96dd901824be7d1384b99d32cfb16ca78cc55
-
Filesize
5KB
MD591cd6bcdc11c09006f227c016a4e5efb
SHA1065c000145f9bd2732f7ba1cba84269ff49b07ad
SHA25660105565f6e0eba552e14a33446f187060de412b8cd90e7c1ae9ead1e4be2187
SHA5121e7c0cdcef1f2e92efd1ff5e40516d7d9b50f7adf8f6a7e249c74f9dc14fc774831ca64cb6c454a93eb27c065662718a0a552a6653dc5fbe47546062aec24bff
-
Filesize
15KB
MD5d015969cc82972003e0f72af9c69b23b
SHA1e3dbb4e3e6b59ae75916ea54002799bcd476ddae
SHA256e4bb64bb54a2b4c991f4276a81a67b3ccf749b9700c79cbdd10c1583c04596eb
SHA512aad1cb74478c91e9f1b9722dac5ca4d114d4cdf846099626e3bb47d2b468ff5bc4469b663456be430ff820da0c73f9fda03e9ea554b26d3dfae711e7660a9279
-
Filesize
5KB
MD50f38af1fd6dfb3ae7969f3be9169b653
SHA16f670f65834650b7631b8bcfdbd0ba17274b4d6c
SHA256d3bb6c241bca9912dfd1c1a49a9f899206b3c910cea0c0b954aff0d7100cb319
SHA512ab5a118085a70102039a0aa287f7d50f88c2fc825e8809f6aba4bd92c733230700bba38c6e6eb575753289b93cbe98130e9a78ff895919d7c2e6ef576635e110
-
Filesize
6KB
MD5cafad28d4fa48b258466e5346da7da1b
SHA11973e87d5d60b6dc7d269f71a533f61c9fd4ab46
SHA256c80df7134c8a968b9abe4af00d2a7984edad7e4c53e1149fb1b8fdba702659be
SHA512871ad14818955474cee1df89daa3db0704627e65f605c6044a99c66b33297fda0b5604b33f1182e408cb541b86de8dc9cc1f616b5f9ad486463f8971d5ea590c
-
Filesize
15KB
MD5b58437342346bfc4512005115606ee45
SHA187af3b6956eea50622bc2d1da252bd5dfb6137ce
SHA256bea50dc243c37527bfc01300a7866f4e98f83049ece190ba233dbf86513ed6b5
SHA5128badfaf280ef7e016836bcfc70dcd216241c9ca016af0504dec8d47797f78d5b9fea84cbfd167f0ce032c48928bc594aa5ce5754b17cacde92b3eb9586cbfb49
-
Filesize
671B
MD5612abdc8cc6a841b370a72e5cfb35816
SHA104ec44a6f2ed145b6b01c6949a2ef369f353ea8a
SHA256eb1e3bbface8deeb5c485150b0453bb393763aab21769bc328a84b0153781b1c
SHA512146cb5a65bd07b8314426566dee3cea970cfc721e8f6e6e8123af466dae218967481217254525aa4b415bb83b82365d189037e8d794d13328633292bf70bab08
-
Filesize
26KB
MD52291137a01fe5644c1162485ab32d999
SHA195bdea1c9fd562f301373efb95bf3ee285e9902f
SHA256a5b776f8a490d8dcc5e892792e31f19dc01ac290a34fc1307ce54152e3da6c64
SHA512febf22c976702684cf4b2e5644055512020d1a5ec03bdd451ce7e090c6e341b0560b4c28711ccd2ae6e875e299cf237d6c74016439284e6aeda58bb5f1c6f84c
-
Filesize
982B
MD586dd6921884cadb2faca2d7dd816503c
SHA16e05e1dd088de82b20daa4838ad5ded8955b82ab
SHA2568de6639161d9307d2535b161a3dac3c13a7b8f2390916bfabb6348265fe5a787
SHA51291a07aaf8eba2960970fbbca634b8fa346a5004918461beeb708a4f2901343d87f9b1f357cc7fdbcd2b784b20b62872625d9ea0244715ee8760383fd6d31cacb
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD53da451d835cc799492cb076e8f4f5e29
SHA1f83a5a8fd206cd003b654cc3867d72f6692b929c
SHA256c303fd4d2c903c67ab555c21b05f68990ecfdca38191466010e59a217f47ef9b
SHA5124e926bf4ace9826d8b4039f51be1dfd85beb743b038a01f3832cc948d2da65ec74ef3ebbd41741257aa92fd85685afe81a4c6d914abced883560bd76542cb534
-
Filesize
12KB
MD575030b87db4bae97c9e5a855227bfb1e
SHA1b1d1c2fbb6774e83df02eb4ac604137bd10982a6
SHA2561ca1f1e757a6ffea729778ccb73a4fa3c2b41affee58583c35e2a009e3fe6d7b
SHA512c045a489fae99f1e15e5208f659003096114fff3a25da1d5a780b9c20b31ced25789b948f2f2c83ba13d8374d9f9e70b5f27bf61c98e91c8f806da8148e4ccd4
-
Filesize
15KB
MD5d7b9bb2ea83ced6659fe319d41108e6e
SHA19684ec0fb6d7538b5a37234464dec858a888814a
SHA2567781d63dabd564cb44ab13c65ad6885868a7314bd457aa2735c669e720538aee
SHA5127f60bfe9e77c950f2059a3c33021025597f9fd2b5f3e8ba68aec303ed1c882580355ca879aa640099c855696436baae559c9b8c433a56bb1f37e443c7b0ff017
-
Filesize
11KB
MD539cd30776d9b6d509f7b0746a49950c0
SHA135da2c279acc0671a1c9f82a7f35cbaa58f70a0d
SHA256cbb76156441f19ba933faf2a0e8fb645b06fe1282427979c7c4cd5bf24332698
SHA51275eb191ab831d63449905bab33edd52861063adb58e2b8538fd8b31d3b8b80b19c9319bbe564851aee343bd83ec6be9f0b94dcc060b0223be9e17838759ab695
-
Filesize
1.7MB
MD5eebf113fd6cc4a9f877b4a4fd43ab703
SHA191ee7b0fd09ac9e833c32afa24aa0c0669dc16ce
SHA256676ebe44ebc881ad885de7db5af1342f85891a415b86ccb13d4b4a541ad3d6f0
SHA5121592da8d1c7bd29591f899e6a3ca0f1337293ec0f7258d0439d912e40f4c6a29cf56a98e6f5c185799b56cf3d5dd1b1df004e2d3718926f69059a4de2346cdfc
-
Filesize
1.8MB
MD5ef22921789a483e70619c1430d5ed1e8
SHA1e88c3515c454b74c9bb9c423b8dae4dc039be1ca
SHA256695336deaa4e24c60d0918e027ee362e7a6500f3ba5264f6a48fd707b46c6abd
SHA51240a3ab331fc95c3794824eb4bb974c2195fece93cb59676ba64b4e7e46406f22792860d60a76f52a442da6c65daa03c57e07caa480f89930bbfbe9f673e44037
-
Filesize
3.0MB
MD5cfcc1f2485b1b81d61e2ff3fd2dadc03
SHA11ea047581ba86e0f5eaaa7676be31c333c5f314f
SHA256b042622e72230f2b83adb46821eac57c3ca1ee55f9669891bd3eaa090fbd1bba
SHA512c5995d19b62d7fbba863ab7c6e6673bb0c0c147e1398df9f492153788e64b0f5597d18fd5338113edcb6d02f51aba3692655872be7a168b30b72ad57c86be09c
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
10.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
4.7MB
-
Filesize
4.7MB