Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 10:02
General
-
Target
12478d2c590877784897ca6c4e1f4fc8c0c1ca9bfc2724506dda9a0407fdcd6a.exe
-
Size
7.1MB
-
MD5
d95ff3d821e33801a9dbc8e8c4d76b93
-
SHA1
4ed26b25a2ad05a14f0e73d669c12276d0961126
-
SHA256
12478d2c590877784897ca6c4e1f4fc8c0c1ca9bfc2724506dda9a0407fdcd6a
-
SHA512
d80f03713075358bd4a994cfc385e497b44e572f39f17c4547c6f80c64299d237478d467f443cc73c4087ba04131e98794ab9a485f967bbe7e1a966bd760d567
-
SSDEEP
196608:Et2JvVqNGNdf1V1a88oXsJrGLX938RwGGDi/b:U2dJddV17/8JrGLX9sh
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 3 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\12478d2c590877784897ca6c4e1f4fc8c0c1ca9bfc2724506dda9a0407fdcd6a.exe"C:\Users\Admin\AppData\Local\Temp\12478d2c590877784897ca6c4e1f4fc8c0c1ca9bfc2724506dda9a0407fdcd6a.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u5F44.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u5F44.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\V4v03.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\V4v03.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1h69u0.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1h69u0.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008401001\b5df26e2a0.exe"C:\Users\Admin\AppData\Local\Temp\1008401001\b5df26e2a0.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffdce89cc40,0x7ffdce89cc4c,0x7ffdce89cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,15233615084573645583,13163540185910753564,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2016 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,15233615084573645583,13163540185910753564,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2144 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,15233615084573645583,13163540185910753564,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3208,i,15233615084573645583,13163540185910753564,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3236,i,15233615084573645583,13163540185910753564,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3368 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 13287⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008406001\594f914855.exe"C:\Users\Admin\AppData\Local\Temp\1008406001\594f914855.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008407001\f71a0cf8d5.exe"C:\Users\Admin\AppData\Local\Temp\1008407001\f71a0cf8d5.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008408001\5dc57b23af.exe"C:\Users\Admin\AppData\Local\Temp\1008408001\5dc57b23af.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2064 -parentBuildID 20240401114208 -prefsHandle 1968 -prefMapHandle 1960 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8958f05-3309-40a1-87c0-c0347971d4a5} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2028 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8304d51-3e4c-489b-997e-b2a4c4cab10a} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3100 -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3188 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7c60e5d-37c4-49aa-893b-0f8cc702bc4e} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3900 -childID 2 -isForBrowser -prefsHandle 2688 -prefMapHandle 2816 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {675d58b3-893f-4edf-8354-4bff322e0be5} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4808 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4672 -prefMapHandle 4732 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85511e0b-b819-4a0a-b656-cc9314a9804c} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5080 -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5096 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4663df5-b052-4740-9f1d-bf06f52a7b91} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5048 -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4c1b13a-0aba-410b-b86b-9082a84dc870} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 5 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1180 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16ee5680-8ff7-4aa8-8217-f59638e68525} 3548 "\\.\pipe\gecko-crash-server-pipe.3548" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008409001\43d8b43977.exe"C:\Users\Admin\AppData\Local\Temp\1008409001\43d8b43977.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2B2932.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2B2932.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P49v.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P49v.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4S816M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4S816M.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3656 -ip 36561⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD54612519d160d09147aea70cb2e19c390
SHA1a568d79757e177b470b56aa3134af09d3fca2312
SHA2568a491c4f5fe50ebe69884e2f71004b2e834533a46083630bb125fb6a9f052de0
SHA5124a7bc12977ba9a52de4b57c35aa455f035d4dcb40c4fded9981174b15da6164eb90b419646976d588240d52d0ce82dd5e7dd3e61c53972df1b5ba6a5d82162ab
-
Filesize
13KB
MD5d07b2f789902434559dd03ed6260ac13
SHA17acf78fece5ee2ca784659818eaebc216263a5f6
SHA256ec39dca8cd503e0d00b7db7587e89ecd0f707e72b6d4d2fa16d030e4441d318e
SHA512540f931d7aea0330027071dd4f13a1e9d98df014da1c750619266494ca9d3c2a4873ee7b548a9bd722669aaf09c52f3397c701ef7ae9ff3ba078247998ea4e47
-
Filesize
4.3MB
MD5791373b49f4ee813cd3b2869a62d5e86
SHA11231ef136f9d806edc7202e44e81bd35d05526e8
SHA256ff7dc25ce280c034e4038d4ebc20560904ceef62c9ada19631c8f4a42183c98d
SHA5128321138d61d3fec4b6e45ba45c0b3965a8a9d20f79e4956c1d8c97c815b6d9fc76ae8b8861475016d1aed8397c7d321a8af4b63ab88cf9a45576b131d9ac8c27
-
Filesize
1.8MB
MD5e29592877c28430510ef200ea5e9257b
SHA1c7d17b2f2ea1cb28c450eb232c278b94a9a6f453
SHA2562398510a1839ec4b89e7c3cd91f56c9235165f8d081d633ae0913a43508afb56
SHA5124b16a577886489915916db378c914b745ff0fbed5938f6736d302716ad05ecc82124b2817033ff2265ccc2b67f38d1c74fe9741fb3451ed96d5b7385032546f2
-
Filesize
1.7MB
MD569cbce48a9ce8b1da7a0195ae4dfbccc
SHA1c05a7472201be886b55e2958351df9e211fbe639
SHA25665e88eb9ca629cda57680a4f4f7d0d39fe7dfe7ef80d619b809779e9ecff33ad
SHA512f24c8b12f0d2fd02a4ffcc7d196f96f2c1f8edbe029c5e99133795d8834589b2ad60d27f55fcb3d5887fc818b8bc178298f53dbf43a5cc879aef279e809fa311
-
Filesize
900KB
MD530e0a4341ef78b82f707de1f75554d8f
SHA124b83e21c9e861202cba0f653fbdb480c2509d2f
SHA2569324205f06fb84bd07e372d2b405adede12597a5d18b42744aba08f72914c525
SHA512e3d83fd11036bd7c860fffd4330396905281c3d8b4127c7b95bd088cc3a5d8a99e75caac493e66caa7e618f2fd98f740eb24cd4ec1b339e3fa67b4f605c54122
-
Filesize
2.6MB
MD5a4ccc1e6f4894f4832ff349ee223714f
SHA1c1863ef0b3b70c0210e30bac674ccd04b0bc5857
SHA256f7a868b76e3f413f7cbeafd75c889febb45650ab6c963449f0c1d7ccc833c3b8
SHA5122d33b57f20309e10fa5d1ab1e9c5007de9a1f91518bb24caa8a94c56d356cc2f5f96d7319cdc2817c7a8b28e77629719fb5fd5a43a5ac418b4362e9277a16d66
-
Filesize
2.6MB
MD510e805250d9b4f6094aeae0c93f4279a
SHA10e89ae4fcfd91571c37a5e059c07f02c64941dde
SHA2562f209c823b7ac5953201ab20d871bc8cb520f5ebb4e1dcc1595bc575d0b05753
SHA512fbbc0974e83c2eec00d4abb2a802126726bb76bc19eb6be4ef0f7f9aadbd029bf93e84856365f6ad9dad5d87fa39ecebf245ae4e6d7cbad08ae0029ce422f101
-
Filesize
5.5MB
MD5553ea1e552aacf6cbe86ae4b68b9aa9c
SHA179551dd48a5a1164caf76a954ab23150f3c0a322
SHA2568d25d34f1a2fff68f0ff964e5683ccad90a2099ef2719e7c0ea0e75abae302d5
SHA51203ce47db33e186280a9309a0ddf01bd3d465d9bf88386033fe7d7d4b5a68e6ea0b35224865be61c1573896889ae49ffc6b1f58d211a4e7e1331d9bb446f2dab9
-
Filesize
1.7MB
MD5e0907cecf84597ff5476178c7addd920
SHA1d8deb30212420bf1ef69199146d869cf5408e836
SHA25608dc99ba8da04f16d328f32f11c7721366ecfaafd04c21e7b3c0a3a2eb794dae
SHA5128c51b90d7aef29a5f3e7fe4410035fbdc876d4a4966e119cecdef672fa6abe652762faec5d214cd210ed9c185083718946a8434a0d0fe24a20ac9793339f1336
-
Filesize
3.7MB
MD535588e50d5097a534f6fc9d81b7bb4f4
SHA12e927724766af202d1c69293eb35df7bd431e3a0
SHA2568b2a6e11ad4578a2bdb7a5e31939f23af927b47c502f774c55aecc3e9ee05af7
SHA512a9fbf80ef4076320297075d41b8d7e50de285262541eb2e47b2c7896d7403a8a7a9fc00a80033ad90ab103f6f9452872fbcc387205b08f3363df2369197f3293
-
Filesize
1.8MB
MD5642a88e4846a4148e7a4bed5a1f988a2
SHA11e02b5843578247066ca9017b345ecb511bdc3ba
SHA2567b98dd28b55e84671d52943a82b7919967c4c825ac6bd69c2dfdadfccb986747
SHA512e82a2d6bd293de9775ab69a0ecbb68e152dd2c1c12ac324503351c942709599ea7741259903e3ad2f6532bf54f4328ef22d47aef3137465375bb585ff15564d3
-
Filesize
1.8MB
MD528eec1f233fa603a73733f421f9f694c
SHA13060dd53aee77c2ab730e5d226f283583964ca21
SHA2568ce4d7610874498b34eab78b1859c8997397635f48c9621aaba8786251cb1acc
SHA5123dfb1f3565fe06db37e200314e40d4d66f7aaf3afd5b50b7813ce5b4a1b1b3750f2dd05e90124c5d2d38f6789013bf7cdaf9b6a9d807067328e75484945dac2d
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
10KB
MD59be01dec4c9d735844d9e4f68edcc916
SHA1251aa2c78711368a0df655e866cc1d47f745d195
SHA25688ace63e73a4fcb786b047a8cf90653a40a06c32e7b7654bb89318ceaa2f0da3
SHA512170de26220d613f609e43fcb15993471ac44bc6a979972755998162fb1776f8fdf315dec84db8f6407075ddd33848967e7880f33e8c37697e3a89d3d7bcc2878
-
Filesize
23KB
MD5c49d7a9b32b54b065dda21de510eca53
SHA18ae10d4b97c12dbdf074d4a6050d6315671d00d3
SHA2569c27c9b8b1aedf753a3b25e9e5a3f37c4fa2871252d7c9d285894537e6eccad3
SHA5127880525cd179ba534f2337ba74039cd33e1b09bc72c193b91a3b86cf62405ad3aa1f8f9b9db0fd3761a4e48180238012431cbff45c1ca3a855d14a681486ce3d
-
Filesize
15KB
MD5c761f1b35bdda443516a2368dbb964cb
SHA149bac8c880154957d6abfd816d5b93241b157e1f
SHA2561c5185968e7c35ff5e58d3bd92c3961a9c0e63f2a3d199e85ba160d277679768
SHA512183a4fb4753a42d31730f70de2bf82107c487caa6519d2197363198ae6d7e15749830b2ed6889c5c7c1f6abfc3900b63ba58f1ecee45ef2bb2324a56b39545d0
-
Filesize
14KB
MD5e71a1c24cea5e345376c5206514126ad
SHA1e4723ac7a340c6bcdc00433f7da33f4a8228840b
SHA2566be05b89aaa7433656f3af73864d78ecb32787f25efdce9ff3b3da83c0d56af7
SHA512413c39d53e4458f46248ee8f70e12558e14d8f39b20cdd9c95eb3146940241cb90fcd0d149faae269b121af550a79a76357983079cec23a3e08cb6e3bc05d03b
-
Filesize
5KB
MD5b00ea25a9ae96e3d8f9a8453fe01b995
SHA1b0b49a9c5e2205cf5da03277f179a95fe4458da2
SHA25605667cb3447c9fcedd646302142f34d3515eaf473875830fe404d50da8f2a5bf
SHA512244b8687248dc1187042be5b5b0917b0caadaba23043b46317eecfeff133781be34206c9a613f59ec73447f01df59231bf521425bc63b21d8e47135b55a7bb7e
-
Filesize
6KB
MD5c7d5ac71bf71d2feb72943b6c89b4324
SHA11f77e5f504e9448c65341aee3930dd5deeb1673d
SHA256374932c13fcda21bc0618487ffe72297f35552020acac03680d72b3e7dcbf6e3
SHA5123877a5fb47c1882d665e3ccf2ef0bad0a87e5adbe198b31c741e57b1d718ee84d9eba33e8802593cb89602f8cbed80cb221d79fc4656ffdddb05dd47ec6628e2
-
Filesize
15KB
MD587ddee09a934ec27c63e96cf68385a85
SHA1e7da2c6005134cfb76bc8b80d10eac8f97156e47
SHA256021c8333c7710b4ad3165f28b13faf18c614079238574a30fa13c03564ea8a5a
SHA512c9b48d852173630ba101e3834fef1e058358ab80963ac7736897ba6bfc3800813af32e69017e48caacbbacb526de57b4493cac9585e12588adc225c6c3007a61
-
Filesize
15KB
MD598886e5796be65e6f10f34092c81b9f8
SHA1cfbea8e42a150a6a564311f6d9e50159f3f8d2de
SHA25675420f644059ce334e0a9e2c77e7e92cce8b2314d824f0efc133befb9d550cc8
SHA512e880286a22781e9179d43a4e5a55fe8c5003e9a2baf1f075b338a66fc5953bc6e31d661adab67ed0bf607272e725dba89f4cc430314930526b8dfce98d742679
-
Filesize
5KB
MD571313d18584c1f40536f9ba6d89fac57
SHA14821640e49d00e8d5a067556f6317cd61ef75367
SHA2564c22c5093d1c3b742e6730b9c031b8621f078ca5d0a369b876c33e33b14e856a
SHA512a068ac4d9bfaf333466d376bdba7809ef8a30a50f9d940c3e32b7a8f6dd3ab77be7b748641508d70c0fcc88e63f839d94b98832a973377a952d498013a1d9ccf
-
Filesize
982B
MD5901d56863afb8bb768d271cfaab22122
SHA10d64a479893284705aebbed618f6ceddff7fd081
SHA256913f2820095d047c9bf15bf42151e2220af41eb3fd0803c1af4a5edd46f7e862
SHA512de54acd59c442dbec2a636438e099a41a39c2d869a9bd73cdfe223ca3158bc7f619e3e938b83864d35cac88265d2423721a129e92a6a1eb3a8ea1722d570a986
-
Filesize
671B
MD50b89e6f380d018debe8733ff89e20fb3
SHA1d868a7a5de0bf3fbf8dfe622f6798a440fd8449a
SHA2562d11c3608023f9969993684d6f4975c1ef0085593bc7f313a2728a6b1a725df5
SHA5125bc32ad64e68ea19487342c0a21a7e1d362a994ff930fc413e814ed35606721d1f41d498cde5f597f8a381788a4ccdd61d68c6f41fe82bf530d6a94f104406c2
-
Filesize
28KB
MD5f38b609b1473cc7d65ba97b11849f0d2
SHA1f97c312539d01214d2463b365b4ca68e4ff17307
SHA256c5b8e716859f6745d95171beb874bbf0c5bcbacb759984f593692c77a34386b2
SHA512d7ebbc6b82c3e508c524a6b285a40b915f9f5e2ffc4c84904cc1895675ba12bf53a641ced93a14541086c4bd23d00aa256d2eb845654aaab22f43b846b8cb756
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD5bfb0d5e73b5ba8f1c913a864655e066b
SHA1dec0d3a3e8dd34c68272af9251107f31e78e865c
SHA256b7cec7291a823d495963f08cdf43351acbe4dd555ecfed8518caebd0f73898ea
SHA5124b2448f0d14864cf1dcaad6e6c5b6a5857305b5ce00847961db332cbe9571862afae213338013138752105ad682b87aa3e3908597caff8f32655aee03d9916df
-
Filesize
10KB
MD537f00beec5991b753184a381f00428b2
SHA140a68a96d5075aeba6f398f12b9414f82c08523d
SHA256ab893405ebf649c946e5980b71d81dc6081a04d8cb525f9b07ce3354b1214267
SHA5126247963433245024a603adc9af333db640d360dd6e4e4d6f787a801fc6d615d9a299b3afde9db9df73287605b22bd694e57a10b934f0431795be06862a5c2d95
-
Filesize
15KB
MD5be115637413cefe9016f14dff123b410
SHA1fa55ab44cf067daf2dcfaa03e2c2a2e71ecf477d
SHA256257c242c2e7f9c887c5b66e2459e18fc3d536464203c408d8992af5b631a3e5d
SHA5120bc387a9eae159d6dab26cba7723c8f51769955fc42252391cc0941a03755fa57051cd7003c25f4076d52fbbd9acb5ccfeb43294868665f29b269287d39ba34c
-
Filesize
10KB
MD55b42b54b98a4fccdca9f985247f6f57c
SHA197c6fd08dbdf7f4b24cad217817000174c6c86b3
SHA256ac4468bb26bc85020f88f353fa6f2f63e5a5d2180e9c0cd2b37e1ee7014fd3b6
SHA51235dab2711220f14e45039e5fdbf5b8a3342e7c07b4c703301c8553e5075fe4c79b84fa59f9d87c41970f2445ea29a28c923d7e4af57862798b36716af5d51d9b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
12.5MB
-
Filesize
10.4MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
72KB