Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 19:27
General
-
Target
dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe
-
Size
1.8MB
-
MD5
72683bf9c6f350a7af5d18a98462fcdf
-
SHA1
1fd96a421e53351f72998a1a72f923b36e866a0b
-
SHA256
dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3
-
SHA512
989da907980a4bfab558aed381271e77a77fce8b88458767bdf9d893c540f95ea87f9b81388f4558e27e1b9316fe5df5974481c39a45186e7770826a9c54557d
-
SSDEEP
49152:eu/AKF/HKZIZwiv29BZlYif1AYO5regp:F/AE/HmIiie9TlYC1Anreg
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 20 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 13 IoCs
-
Identifies Wine through registry keys 2 TTPs 10 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe"C:\Users\Admin\AppData\Local\Temp\dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1008450001\5468191780.exe"C:\Users\Admin\AppData\Local\Temp\1008450001\5468191780.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 10124⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"C:\Users\Admin\AppData\Local\Temp\1008496001\rh.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 5364⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008506001\64d488fae4.exe"C:\Users\Admin\AppData\Local\Temp\1008506001\64d488fae4.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008507001\c839fdb833.exe"C:\Users\Admin\AppData\Local\Temp\1008507001\c839fdb833.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1008508001\10dfb4f667.exe"C:\Users\Admin\AppData\Local\Temp\1008508001\10dfb4f667.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking5⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f550be11-3478-4a16-888d-9e54d137ce84} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" gpu6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8290a00-7214-49cc-90aa-76962b2e0fc3} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" socket6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3424 -childID 1 -isForBrowser -prefsHandle 3024 -prefMapHandle 3408 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2736403-e222-4e4a-a1eb-a9a21159f54d} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3892 -childID 2 -isForBrowser -prefsHandle 3204 -prefMapHandle 3200 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a33a920-d61e-49d5-90bf-492a9a28d57c} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4596 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4572 -prefMapHandle 4568 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {739b398b-5f10-46df-92df-5693ced49478} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" utility6⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5460 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af18dbbe-b07d-4e00-b2ef-0ca391ccf5dd} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1058134b-ee82-4bb1-b8a5-87b9bc417500} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5772 -prefMapHandle 5832 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {283a094f-d2bf-44e7-8eae-99ba77213828} 2932 "\\.\pipe\gecko-crash-server-pipe.2932" tab6⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1008509001\43cf261ac4.exe"C:\Users\Admin\AppData\Local\Temp\1008509001\43cf261ac4.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1008510001\92e94ce798.exe"C:\Users\Admin\AppData\Local\Temp\1008510001\92e94ce798.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9278ecc40,0x7ff9278ecc4c,0x7ff9278ecc585⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1856,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2072 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2492 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3368 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,9451600913264706484,8157720578925574431,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:15⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 13044⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3636 -ip 36361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3248 -ip 32481⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3256 -ip 32561⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
19KB
MD52dd112a8b2848a0f901aad0b8f1f98c1
SHA1847b5eea635068d94df0d4fe11ebaa1f5dad1dc3
SHA256db1a5360ec9fd1a3ca054a77deaeaeea5be428b1e0e58f0dc1c5f09212409157
SHA5127bda74970e5c7e223e4a90cfc109918d5f0a43aa2188e9b1af230f559b9977027fd93ca8ba4b41149e0e9ea974c52fd4ba94f1562399fa5b759fe56a4e6a2936
-
Filesize
13KB
MD532a0f9baa00a7a260f11671c6642365f
SHA109f10275c54b59df147639e528927325fcaf016a
SHA2569c8e134cc750a6105134790f0558bd295e412a9ca4c106e6160029437bec8d9d
SHA512cb3f6d1344d0822a232e930cfb05a470d82a8599ffaa8561bee52ca785455fb3ce606a2ce58c606d8eb704fab947fdc1fbc4ac342c266b387303c48a3b456368
-
Filesize
649KB
MD5e7aa83909ace3906ec75144cc33e024c
SHA1333ee9d7f4c683d8e0ed05bdadfbd2baade379e3
SHA25624443cd457177eeed9c584e5d5ad194303fd94269fdb0d72e0db598215a5c826
SHA512508fd7984ea8b9d8c8b2cd3c7c3587941a6ee4627c7cf54fe56db7db75dbff0abdaf0db1b0c46876dc6ad0cc21735bd7a2f0351d5edeb735b2de796beef2ea72
-
Filesize
1.9MB
MD54cecb04d97630cc2d5cce80368b87fdd
SHA14f693736497e06c820b91597af84c6fece13408b
SHA25651698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
SHA512acdf93d12791a6a11b307fbbdc6df2b27a6e8de6b8cc015c4892304d4653e79ac58351600b53c7ea78d285d69df8e8f2e270cf9a168b187d372a3de17e84ec66
-
Filesize
1.8MB
MD5acc594995958c5cf5f107fe27db38f8e
SHA192b6e9ee6a4a61b292883566738f8b7e038f5eb1
SHA2562c3841d0070158d8f5824289380656aad74c190ddfd4ee8240eefbfd16988b89
SHA512e82304a2948ab275c1b243255ce5dc01e5e2763f766eaea6915f6e7be0d130ab7e92d52b38f8f1186d30c809a7da2697f06bf55eb9152a52c81a26df8f21373c
-
Filesize
1.7MB
MD56af05407143697f6c49bd94e5903f73a
SHA1003809f7aa6cb6ab5bf4ddb22dc659f22f0879ef
SHA256e4853246b4c0b4d13aa84e929cf4313961f176e893a8c1c29720a1eb7f68c5a7
SHA51242447c96152cfd43f6ba7d7533edc62e10e66eab6030c8914bcf1af64d6980b29d1ac6a960fb6a1e3699ce68a8fad92684f2c3ebe11009f911d2b98e49f61b5e
-
Filesize
900KB
MD57f05860baee4ff5da95e342eaee96e85
SHA1a909d75ee89b3123f66c6ab227106c66e8cb5fb7
SHA256dabb569816b302dccb1fa4c032f5e39a2660d32c3f95ece75e9ebf4144ce0b17
SHA512a963cabe33d4f92041a1731afae796add8fd1ebb448583edfa9cf1a7e427bad514881b9dbf3d404c700d3bb24beab89fad4266fbaefd1aef3e76d4fad05bc0d0
-
Filesize
2.7MB
MD59a939117e7e796c8036b7a92bac70c4f
SHA174fe3772448794929f7f18f1c72f4f388b573468
SHA256d94dec75c03b2044787f940bd7d96bf066eeada41e23854726ec54f2ff77bd72
SHA512a722c1af22a5b67f5618b080f561977dbe5686abe1923a618a67a9c643a4cf814c033869625585cd8bff603f342a8ccfe2103654d9d6cc2bd87d56c097b651ec
-
Filesize
4.2MB
MD515a46db0313993e635e8a7f4ae91f44a
SHA193f7e0d18cda291de56f04e2ad35fff64446eb62
SHA256aa421056287f6114a5932fc6fe92734a06fb0760567b1086774d25881b6bf4a1
SHA5121ebc9e6e2e35dac10752f4e11466f0310af10c9911f004f41455d175602a199cb17a91297733179d3d0ee59801431464da62fc1e4f8639f0ba244c16076c2258
-
Filesize
1.8MB
MD572683bf9c6f350a7af5d18a98462fcdf
SHA11fd96a421e53351f72998a1a72f923b36e866a0b
SHA256dfc453c8498400fd0f9cd272a842f6e4893a362e9476764a6aec751b224c7eb3
SHA512989da907980a4bfab558aed381271e77a77fce8b88458767bdf9d893c540f95ea87f9b81388f4558e27e1b9316fe5df5974481c39a45186e7770826a9c54557d
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
18KB
MD5436d993a5baeededd3eb5a67239f3701
SHA1f673db3274aa1d60bfac3347efe71a11d2d80c62
SHA2568d0c8923287d98a429fe2002981bff58635904fefb9150ab996c703f8b297313
SHA512949c35e54d25102e00aee77b944d8257548c81c518abbeaf542c5fe639cfef394d997b8c15a62031bc7f4306a81ee7b6bd252acd41d10543fde5dd37a1a0713a
-
Filesize
6KB
MD5bc82e422d891b9380b8db01de48375c4
SHA18d793c6f6cef9dd108bb0eb5ef177c542ae0ffd2
SHA2563701955c8094b7bcbe1cdc4bcda5bd5e4a27cdfd4550fc17d0923d875be3ca4d
SHA5129447a671a687c02f0126c0418870cced6d0d453059c0b039aba067b12118a3bf4b83d699ed930e57f6aef68a567954a10cdf57d0299fafa991fe58f5c2c319d9
-
Filesize
12KB
MD5b61cfc61b1b060cfa178aec5c0b5c095
SHA152902eccce5735cb8416397897a3f3bc02ce11df
SHA25636169b75d368f2cc2cff9a9260fe5a78b0ca8e590b0aefdd7e6a834f117b51ab
SHA512fba3b3c295bfe4030ec62e5129e997990c066930b044131ae137e1f46fd6d19cd8df623cd4724b2a043fc3eb6c2363e37901490a1fd6ee99b32b57a060bc98ac
-
Filesize
13KB
MD57b81695f85cbf7eac3aa034d069c90c8
SHA197bee937e4565e2f421148aaef1e21ac46e1f4cb
SHA256113cfe4d82127a6b40af16ecf6a7dc9179ad91fe866e7d0672869b437c64b15a
SHA512236b0c074ea23073c567551bf99e4d1c568a281df5e77ff673d32b368571f440a1cec05dc863cd776df7d7ee5ed7ee58da21c6a03c5bdbc37a735cf384104745
-
Filesize
5KB
MD56851716c426cfe5816a862651142f142
SHA1af7e7d4632b8d1f0ad9885f8ca86aa813ee96ff8
SHA25612edc8a64cd9d3930ad61307f69568700b6a937fe17e085f3f4ab40588537815
SHA5127d8662c2194264f8ba81f3a92e4a223dbd2a74f787eb070ec829a9a89102a4bcb19c3a3538058eae8a1a435d545451715ebfa84f43f82e16981a1fd2e055ad4d
-
Filesize
15KB
MD5230f5720540dc1b47f711b57f69d3c47
SHA1f014a0ca1dddc89a43873190527bebdb932ed5d7
SHA256fe70d2ec7e660a84519b153f254f95f80d4325740020b189181211668eb88d2e
SHA512b12e32fd5d4647bca270a2faf882811967bb777788cae768345c431474beee14dbfefd64771d1aec45bc62af73c7fd96610d739f60c2f3b21ca4f5af57dd456d
-
Filesize
671B
MD59a3f0849e70037aaeff712fe90fe5229
SHA181483518d8ad1cbe0574198107e8ec75e7e51404
SHA25672cf1c64c41fb1bd468a65dd07c0562bd192608c2cc47afea3d739d23ffdb6db
SHA5121a83793ead2815e4a06191478b05a1dc5b71c1be9856a7b4e9de3f5fbe6c5c33686e1629d392923f319d9dfb047322eee4670448c70e2f5883a9aa728f5ca0d9
-
Filesize
982B
MD5891c1855874886cbc48e45cdc9cf9054
SHA1a6ad7affbb634c6dd61241f3e9a3a864a10882de
SHA256249976a99c3210821553e63780b98d065c9075f1de8687b1030b8ecb8997badf
SHA5122aa324652d53f86a418de7e482d71df1275a98239bc5d800aa032d4b89324a948737b08406ee14df730e12f21ad065202419e6946693132b832672f52f306905
-
Filesize
26KB
MD5ad9654c43fc2bb19d2f4180a6e098afb
SHA1a73186caf6f4fb7c46d249ffa765f6f1b54bbedf
SHA25601c0a58e7980d2b5942aa35dcbd12734b29d66a6734462e67c0fc7d8c6b1f0ef
SHA512e5f2647ae11f9936f767f5f305b5a1fe7c892795b10fa80671a5912a5add3af72454cd22ff6c150e36e153d4d5b2d1e419a2607f312146a95bf55b6de1082ef8
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD5c730508619fcd91d1efd32f7c40f088a
SHA13d3e4d57a8eaeea2656b3decc7087aa31fd2563f
SHA25692da38f89d4cd3289278abd592b798a3ef7c468801621b5dbddab70ca8a1935f
SHA512ef0bbffce5cd574236bf85816d3e8d9f843bb8d8f89055ac33c47e062a7e208e83e062e2751d81dd00fb1fa9b9f2ab2c55dbbf92c5bbf1c53ea27131b74d3db2
-
Filesize
12KB
MD591d9a6f20b865ba45003f1dfa4e90389
SHA1bedbfb41d915028481782f02801438f4180ee796
SHA256ea2a768163bda7df9379577dd4b9701f620f8f778cd128ae804dde4f80817855
SHA512d8701f7cf87c42947e37067ba265a7fc06dbdb2efed6e3f2baabedbf5e371dcffdf3c6432e3482012304d74197155dab7bf2d829277858e8be02e411cccc6516
-
Filesize
10KB
MD57316597151925d46238514daed6d44ae
SHA16aed2a81119433d195ca88d58c7c3b6e00ff0b1a
SHA256ab0200ce35418cb40f9914cd73832b297fec778930ba869ff3a4b9eefa80b582
SHA5123c2d4e60c4692c0d487a4459b419f8bbdc2af5b2f41b3b8e2498e4b6c2d32aebf4c8961804bc9517bc6c334a474cbde1dcd1afc5c2096db706135b836427acd7
-
Filesize
10KB
MD51e6184cee247d65c3fcb02e40d773870
SHA1caf0048c60adab5486f4ec94e73badc7f213249d
SHA25600afd5384201052c0ce36cd72bce0971673c2e9214405de9095c2e4f99858f0a
SHA5121c1024a2d46cc73de48fcc6c6102f45265d0df4539e0a3886aec3c9364091dc234820bd389160ec3d4a149f16289fd1c7a490d4efd0d8ff45cc7fe7f2177c095
-
Filesize
401KB
MD53535fcd3063a2965f1dd8f9b65ca8355
SHA11f5c89caf911a08415d55ce1687101b65871b122
SHA256086057602eec63ed064bd97c1643b20c727aa4a557d16bd26a763716414620fe
SHA5129b623500ffbe25d6dc08c3c90aeb8c123e9fc2841f0962b6fe57ca1d2ab44fb1062352e1d5ab1d506b156c0b25aaf96ca6267a36fd064c97c12df965bcd66929
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
72KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
2.0MB
-
Filesize
2.1MB
-
Filesize
4.0MB
-
Filesize
40KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
368KB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.1MB
-
Filesize
4.7MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
2.0MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
24KB
-
Filesize
688KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB