Analysis

max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2024 03:00
Static task: static1
General

Target: ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe
Size: 1.9MB
MD5: 699f4008683185b4a050b05ace13d601
SHA1: 70d47e8921906a344885c279afa34522658bf06d
SHA256: ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733
SHA512: 64fd7f8ba560dc9ff4718d2087755b76cc815edcdbaf124ba5f7f3b5f633a0870266e71d4bd42fcc041ffdaa087d2dd0b5cb7e9cd592534cd46b52307fa3b28c
SSDEEP: 49152:PnkIJ9x3pmw2y1U0/VA9D2qK1ODPV69VjisvJ:PkIJb52y1K9aqGZ
Malware Config

Extracted: amadey
  Version: 4.42
  Botnet: 9c9aa5
  C2: http://185.215.113.43
  install_dir: abc3bc1985
  install_file: skotes.exe
  strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
  url_paths: /Zu7JuNko/index.php

Extracted: stealc
  Botnet: mars
  C2: http://185.215.113.206
  url_path: /c4becf79229cb002.php

The Amadey install_dir and install_file match the path the sample actually dropped and ran, C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (see the process tree), which confirms the extracted config belongs to this run. Both C2 hosts are on 185.215.113.0/24; the full URLs to block or hunt for are http://185.215.113.43/Zu7JuNko/index.php (Amadey) and http://185.215.113.206/c4becf79229cb002.php (Stealc).
Signatures

Amadey family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Policy values written by 7ced1a61ce.exe. On a host with Tamper Protection enabled these writes are not honoured, so the sandbox records the attempt, not its effect. The recorded paths sit under WOW6432Node, which indicates a 32-bit writer; confirm which key Defender actually reads on the target before counting this as a successful disable.
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 7ced1a61ce.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 7ced1a61ce.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 7ced1a61ce.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 7ced1a61ce.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 7ced1a61ce.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 7ced1a61ce.exe

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c3ee017136.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 26c5c1772c.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7ced1a61ce.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c3ee017136.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 26c5c1772c.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7ced1a61ce.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7ced1a61ce.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c3ee017136.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 26c5c1772c.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | skotes.exe

Executes dropped EXE (8 IoCs)
  pid | Process
  3448 | skotes.exe
  760 | c3ee017136.exe
  812 | 26c5c1772c.exe
  4860 | 04f745c1e6.exe
  2168 | 7ced1a61ce.exe
  3808 | Jza18aT.exe
  372 | skotes.exe
  4860 | skotes.exe
Note that PID 4860 appears twice with different images: the PID was reused after 04f745c1e6.exe exited, so do not join on PID alone across the whole run.

Identifies Wine through registry keys (2 TTPs, 7 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | skotes.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | c3ee017136.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 26c5c1772c.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine | 7ced1a61ce.exe

Windows security modification (2 IoCs)
7ced1a61ce.exe writes TamperProtection = 0 under the Defender Features key. Tamper Protection is designed to reject exactly this kind of direct registry change, so treat the row as an attempt unless the host is known to have it off.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 7ced1a61ce.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 7ced1a61ce.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
All four values are written by skotes.exe (the Amadey loader) and point at the payloads it dropped under %TEMP%\1008603001 to 1008606001. Jza18aT.exe (1008607001) receives no Run value.
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c3ee017136.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008603001\\c3ee017136.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26c5c1772c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008604001\\26c5c1772c.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\04f745c1e6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008605001\\04f745c1e6.exe" | skotes.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7ced1a61ce.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008606001\\7ced1a61ce.exe" | skotes.exe
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0007000000023cb7-63.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
NtSetInformationThread with the ThreadHideFromDebugger information class stops an attached debugger from receiving events for that thread; it is a common anti-debugging step.
  pid | Process
  4236 | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe
  3448 | skotes.exe
  760 | c3ee017136.exe
  812 | 26c5c1772c.exe
  2168 | 7ced1a61ce.exe
  372 | skotes.exe
  4860 | skotes.exe

Drops file in Windows directory (1 IoCs)
A Task Scheduler .job file for the Amadey install_file. Together with the "Uses Task Scheduler COM API" signature below, this is the persistence behind the two parentless skotes.exe instances (PID 372 and PID 4860) in the process tree.
  description | ioc | Process
  File created | C:\Windows\Tasks\skotes.job | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7ced1a61ce.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 04f745c1e6.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c3ee017136.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 26c5c1772c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jza18aT.exe
Five of the twelve rows come from taskkill.exe, a Windows binary; on its own this signature does not separate the payloads from the system tools they spawn.

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments. Every hit here comes from firefox.exe, the legitimate browser the sample launched, so for this run the signature is noise rather than evidence of evasion by the payloads.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe

Kills process with taskkill (5 IoCs)
All five targets are browsers (firefox.exe, chrome.exe, msedge.exe, opera.exe, brave.exe; see the command lines in the process tree), and the same parent, 04f745c1e6.exe (PID 4860), then starts Firefox in kiosk mode on a Google sign-in challenge URL. Killing every open browser and replacing it with a full-screen sign-in page is consistent with a credential-phishing lure; the report captures no network traffic, so the page content itself is not shown.
  pid | Process
  2588 | taskkill.exe
  4184 | taskkill.exe
  5104 | taskkill.exe
  3000 | taskkill.exe
  4936 | taskkill.exe

Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  pid | Process | hits
  4236 | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe | 2
  3448 | skotes.exe | 2
  760 | c3ee017136.exe | 2
  812 | 26c5c1772c.exe | 2
  4860 | 04f745c1e6.exe | 4
  2168 | 7ced1a61ce.exe | 5
  372 | skotes.exe | 2
  4860 | skotes.exe | 2

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | Process | hits
  Token: SeDebugPrivilege | 4184 | taskkill.exe | 1
  Token: SeDebugPrivilege | 5104 | taskkill.exe | 1
  Token: SeDebugPrivilege | 3000 | taskkill.exe | 1
  Token: SeDebugPrivilege | 4936 | taskkill.exe | 1
  Token: SeDebugPrivilege | 2588 | taskkill.exe | 1
  Token: SeDebugPrivilege | 2860 | firefox.exe | 5
  Token: SeDebugPrivilege | 2168 | 7ced1a61ce.exe | 1
taskkill /F enables SeDebugPrivilege as a matter of course; the one row worth a second look is 7ced1a61ce.exe, the payload that also tampers with Defender.

Suspicious use of FindShellTrayWindow (33 IoCs)
  pid | Process | hits
  4236 | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe | 1
  4860 | 04f745c1e6.exe | 11
  2860 | firefox.exe | 21

Suspicious use of SendNotifyMessage (31 IoCs)
  pid | Process | hits
  4860 | 04f745c1e6.exe | 11
  2860 | firefox.exe | 20

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2860 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
The sandbox logs one record per write, so each parent-to-child pair repeats; de-duplicated:
  parent pid | parent Process | child pid | procid_target | records
  4236 | ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe | 3448 | 83 | 3
  3448 | skotes.exe | 760 | 90 | 3
  3448 | skotes.exe | 812 | 97 | 3
  3448 | skotes.exe | 4860 | 98 | 3
  4860 | 04f745c1e6.exe | 4184 | 99 | 3
  4860 | 04f745c1e6.exe | 5104 | 101 | 3
  4860 | 04f745c1e6.exe | 3000 | 103 | 3
  4860 | 04f745c1e6.exe | 4936 | 105 | 3
  4860 | 04f745c1e6.exe | 2588 | 107 | 3
  3448 | skotes.exe | 2168 | 109 | 3
  4860 | 04f745c1e6.exe | 3492 | 110 | 2
  3492 | firefox.exe | 2860 | 111 | 11
  2860 | firefox.exe | 3612 | 112 | 21
The listing stops at 64 records, so the later firefox.exe child processes shown in the process tree (PIDs 556, 1284, 2072, 5240, 5600, 5628 and 5684) have no rows here.

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
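The registry rows in the signatures above are the raw material for detection content, but the report only groups them by signature. The following is an added example, not part of the sandbox report, that parses rows in the report's flattened form and produces the per-process, per-technique view an analyst actually wants. The sample rows are copied from this report; the rule predicates are my own reading of what each signature keys on, and the ATT&CK IDs are the identifiers for the technique names the report's matrix and signature titles use (T1497 Virtualization/Sandbox Evasion, T1562.001 Disable or Modify Tools, T1547.001 Registry Run Keys, T1614 System Location Discovery).

```python
import re
from collections import defaultdict

# Constructed input: registry rows copied from this report's signature tables, in the
# flattened "<action> <key>[ = "<data>"] <process>" form the report prints them in.
EVENTS = [
    r'Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 26c5c1772c.exe',
    r'Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Wine c3ee017136.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 7ced1a61ce.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 7ced1a61ce.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 7ced1a61ce.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c3ee017136.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1008603001\\c3ee017136.exe" skotes.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation skotes.exe',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe',
]

EVENT_RE = re.compile(
    r'^(?P<action>Key opened|Key created|Key value queried|Set value \((?:int|str)\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'          # key path; may contain spaces, so non-greedy
    r'(?:\s=\s"(?P<data>[^"]*)")?'       # optional written data on Set value rows
    r'\s+(?P<process>\S+\.exe)$'         # acting process image
)

def parse_event(line):
    """Split one flattened registry row into action, key, data and process."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparsed row: {line!r}")
    return m.groupdict()

# (signature name as used in this report, ATT&CK technique, predicate(action, key, data)).
# The predicates are my own reading of what each signature keys on.
RULES = [
    ("Identifies VirtualBox via ACPI registry values", "T1497",
     lambda a, k, d: "\\HARDWARE\\ACPI\\DSDT\\VBOX__" in k),
    ("Checks BIOS information in registry", "T1497",
     lambda a, k, d: k.endswith(("\\System\\SystemBiosVersion", "\\System\\VideoBiosVersion"))),
    ("Identifies Wine through registry keys", "T1497",
     lambda a, k, d: k.endswith("\\Software\\Wine")),
    ("Checks processor information in registry", "T1497",
     lambda a, k, d: "\\System\\CentralProcessor\\" in k),
    ("Modifies Windows Defender Real-time Protection settings", "T1562.001",
     lambda a, k, d: a.startswith("Set value") and d == "1"
     and "\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\Disable" in k),
    ("Windows security modification", "T1562.001",
     lambda a, k, d: k.endswith("\\Windows Defender\\Features\\TamperProtection") and d == "0"),
    ("Adds Run key to start application", "T1547.001",
     lambda a, k, d: a.startswith("Set value") and "\\CurrentVersion\\Run\\" in k),
    ("Checks computer location settings", "T1614",
     lambda a, k, d: k.endswith("\\Control Panel\\International\\Geo\\Nation")),
]

def classify(event):
    """Return [(signature, technique), ...] for one parsed row; [] when nothing matches."""
    a, k, d = event["action"], event["key"], event["data"]
    return [(name, tid) for name, tid, pred in RULES if pred(a, k, d)]

def summarize(rows):
    """process -> {technique -> sorted signature names}: the per-process view the report lacks."""
    acc = defaultdict(lambda: defaultdict(set))
    for row in rows:
        ev = parse_event(row)
        for name, tid in classify(ev):
            acc[ev["process"]][tid].add(name)
    return {p: {t: sorted(names) for t, names in techs.items()} for p, techs in acc.items()}

if __name__ == "__main__":
    for proc, techs in summarize(EVENTS).items():
        for tid, names in techs.items():
            print(f"{proc:<16} {tid:<10} {', '.join(names)}")
```

The bare "Key created" row for the Real-Time Protection key is parsed but matches no rule, which is the intended behaviour: creating the policy key is preparation, and only the Disable* writes are the T1562.001 evidence. Grouping by process also makes the firefox.exe-only processor checks stand out as browser behaviour rather than payload evasion.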
Processes

C:\Users\Admin\AppData\Local\Temp\ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe  (level 1, PID 4236)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (level 2, PID 3448)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1008603001\c3ee017136.exe  (level 3, PID 760)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1008603001\c3ee017136.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1008604001\26c5c1772c.exe  (level 3, PID 812)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1008604001\26c5c1772c.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1008605001\04f745c1e6.exe  (level 3, PID 4860)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1008605001\04f745c1e6.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\taskkill.exe  (level 4, PID 4184)
        Command line: taskkill /F /IM firefox.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  (level 4, PID 5104)
        Command line: taskkill /F /IM chrome.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  (level 4, PID 3000)
        Command line: taskkill /F /IM msedge.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  (level 4, PID 4936)
        Command line: taskkill /F /IM opera.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\taskkill.exe  (level 4, PID 2588)
        Command line: taskkill /F /IM brave.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

      C:\Program Files\Mozilla Firefox\firefox.exe  (level 4, PID 3492)
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe  (level 5, PID 2860)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          C:\Program Files\Mozilla Firefox\firefox.exe  (level 6, PID 3612)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {979c416b-cb68-4fe5-b51a-579e6387ce88} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" gpu

          C:\Program Files\Mozilla Firefox\firefox.exe  (level 6, PID 556)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6014f109-dd49-42f4-b554-815c075bb713} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" socket

          C:\Program Files\Mozilla Firefox\firefox.exe  (level 6, PID 1284)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85694201-c478-443b-ab1e-da4ccf6565c3} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" tab

          C:\Program Files\Mozilla Firefox\firefox.exe  (level 6, PID 2072)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4260 -childID 2 -isForBrowser -prefsHandle 4252 -prefMapHandle 4248 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0df560b-aa47-4ab2-a334-434a36efd4c2} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" tab

          C:\Program Files\Mozilla Firefox\firefox.exe  (level 6, PID 5240)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4736 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4612 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8084c9c8-d770-4a9d-89df-19d37cc428dc} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" utility
            - Checks processor information in registry

          C:\Program Files\Mozilla Firefox\firefox.exe  (level 6, PID 5600)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5144 -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02fadb87-9907-4794-9945-22f535279413} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" tab

          C:\Program Files\Mozilla Firefox\firefox.exe  (level 6, PID 5628)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -childID 4 -isForBrowser -prefsHandle 5296 -prefMapHandle 5300 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a642417-ef4f-46ff-af27-0f3e485a16d6} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" tab

          C:\Program Files\Mozilla Firefox\firefox.exe  (level 6, PID 5684)
            Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 5 -isForBrowser -prefsHandle 5464 -prefMapHandle 5272 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e570b2e-c721-432c-b5ec-cc2bee3378d9} 2860 "\\.\pipe\gecko-crash-server-pipe.2860" tab

    C:\Users\Admin\AppData\Local\Temp\1008606001\7ced1a61ce.exe  (level 3, PID 2168)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1008606001\7ced1a61ce.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\1008607001\Jza18aT.exe  (level 3, PID 3808)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1008607001\Jza18aT.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (level 1, PID 372)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe  (level 1, PID 4860)
  Command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

The two level-1 skotes.exe instances (PID 372 and PID 4860) have no parent in the captured tree, which is consistent with launches by the scheduled task behind C:\Windows\Tasks\skotes.job. PID 4860 is reused within the run: earlier it belonged to 04f745c1e6.exe at level 3, so any join on PID alone across the whole report is ambiguous.
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Impair Defenses (2): Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads

Files captured during the run. Entries under the Firefox profile are side effects of the browser the sample launched, not payloads. Entries with no path are listed by hash only; the report does not tie them to the dropped file names.

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json
  Filesize: 27KB
  MD5: edc55b97490f7d890b8e14d7b8a2a998
  SHA1: b620c82198217dfa294b8c5836d62bf478ad7e10
  SHA256: e0bc5b07641c26c46930a3a617a10cec45ab2e4983deef3d2a28f4f5bd46521f
  SHA512: 45fba8b509243d07a24a40bb5442143367a1dd0d09e4401778761bf57d5c09feece7e8b25dc94220a0bd4bcaa0ef5ff2f9f562dde7be80780de0f29aebc46606

- C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878
  Filesize: 13KB
  MD5: a4cb4d4a9643d80fff839cab8d6c8d39
  SHA1: a2b5c76af15e2861d76c4c44ab52bbc58de63bba
  SHA256: 6a7004e0f7d9c83d9781c861de2d9dc432490768e5925885a5ad3e7bb9cca60e
  SHA512: 4ae836d30ae2efb37a4c54bf02a9915c2d977785097734a4b1345990c1940e2560bbc5232f04f45b5d849bedd10b100f3b4e2931bd382fde7deb49a4108c171b

- (no path listed)
  Filesize: 1.8MB
  MD5: 88a2e1dc5f57311dc42a7d57dc7d9827
  SHA1: a26e33ea17b7d5ca3272e8a7521f141c927d1b75
  SHA256: c2c829ba69f689fe392435d8b886c002e050d3bb4cc6ec8f62317ceaa7ba02da
  SHA512: b4b2cdc31ced54f377e97f4b548dc128c6c7d1ee9888b6f2a5245b421f9673c9582c9a0a5981e7f70cfa1251e97672a9bec3a71b3d2bf7e7f09438a37ac69ae3

- (no path listed)
  Filesize: 1.7MB
  MD5: 3feea8ff886f1fc0d57da4a2b3a109ba
  SHA1: 78d6302f4f09726b6a129c5fcc7cd94a474cc53a
  SHA256: 143e6525646d5d95639eb77420a54205cb02fb8624c6e1662b7460f58b03523f
  SHA512: e5c107f29e9b2c58365df6e7cb3d7c38534e931147c92ade485f949751712ae63a375608b9cacb178593f5b25b58ebb5980b8abef3df459ea6e15d2b6f709e32

- (no path listed)
  Filesize: 901KB
  MD5: 00ea2d526653b9beba2a5d4f3fadd366
  SHA1: d41eb397685765a9ca5b973d69e60a666fb8ad4a
  SHA256: 0c85ff63c9613d92630d191fdd735eb0216bb64d0780e64e32e507b07a9b80b9
  SHA512: 459ef594400dfa1c2dc60fedd43d3a36f95a75d7f7658e2b620546b9efec44526e797b1d815c84886f5f56b4dca01a5c706069b9991533ceff0e8d3103024628

- (no path listed)
  Filesize: 2.7MB
  MD5: 92b22f14f1664cc7bb2f42daf6fd1799
  SHA1: 68a767dd4bcd60e310bafd7219749093bd013bc6
  SHA256: 85507d05a1da7659f9045ec2d969ddd0de20723fc7422b4985bd392411449fe8
  SHA512: c4b30103cc0b0dff93b5deb61f7301f45b24054239592f4c2778c179312193dce01b06043885d5ff260424ad7c49bf8d18d48a9523deb1e7d7e12601745d513a

- (no path listed)
  Filesize: 243KB
  MD5: b73ecb016b35d5b7acb91125924525e5
  SHA1: 37fe45c0a85900d869a41f996dd19949f78c4ec4
  SHA256: b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d
  SHA512: 0bea9890dbcd3afd2889d0e7c0f2746995169e7b424f58d4998c50bc49d2b37d30f5bd1845d3079b25f9963af2b71f136719cbd9fda37f7b85874992096b3e1d

- (no path listed; same hashes as the submitted sample)
  Filesize: 1.9MB
  MD5: 699f4008683185b4a050b05ace13d601
  SHA1: 70d47e8921906a344885c279afa34522658bf06d
  SHA256: ffc9a0fe541652271756108c9b20010b9f99024c69bc81111076ae8a132ae733
  SHA512: 64fd7f8ba560dc9ff4718d2087755b76cc815edcdbaf124ba5f7f3b5f633a0870266e71d4bd42fcc041ffdaa087d2dd0b5cb7e9cd592534cd46b52307fa3b28c

- (no path listed)
  Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

- (no path listed)
  Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: 694a9ea97602baeb3b0a1cd87e25b9c1
  SHA1: 361748b825290102e5d4d27ef779b53bc67451f9
  SHA256: 259d02d2b0df5f2206f8a925c32435db141baf7b954c0ba3f696034687b04e81
  SHA512: 6113c33fa3205287d55e8d8734b56e58673d4890835cbb918318d81a5ef09195e2ea9368213ed616c0102c86a95e0cf7b59abe4712c94743954eb05fd6d2eb8d

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 22KB
  MD5: 955897fdc9835fa25b072704d3f6732e
  SHA1: c6fb5153253b04f4f6ba11557b061f94f66a80bf
  SHA256: 2a521edc16268d7f50e3b9094e20931fa106f93b5604b769bf19d7ac58aec0fc
  SHA512: 810a7830fc2831207136fe432a387baa3fbc3cbbcf52fb5fc47bc19c10d89bbb2f588d539b421fe6846480f8c3bd021c4623d3a016538b6667adeac5b90e40d4

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 25KB
  MD5: c2cb8de4f05f609c8f66a0cfde995e44
  SHA1: a42d7a0e3da6800c766bf6a07f3ea538acef0ffb
  SHA256: 355cddceb5e9f96d580dd14e96782d7dc03f6b0ae09900a410013d2a3cd2bdc4
  SHA512: d321c981a7f526403b3667f09f05774b370ce4829802d8813c5bc8574b0e3b4495cec68ff16a71efe41f1f5b927199bf1636c49ac0a1ca3cab10b7194460690e

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 21KB
  MD5: 07ddca208614d7b97f9395f5eca4c79f
  SHA1: 5d8b6c56e3692782a4d142370e4fbd635d8a64ea
  SHA256: c1b09985e0d584a5ad7bead3c85e0325b2bb2e78b14bfb96e869c10e556d1ac3
  SHA512: e64db4474e796a55d4e95b4c91af57458f6fdab0e79faa766d5c06a8af5d9bf66e1688643f232e005af5053dfafaec25f0056664f723b4466211f01fd1736ef4

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 25KB
  MD5: 923432a27ea66c3b25050dce0fcda9fd
  SHA1: 2eb17edbea2b0b5f271ffc72aec3714a95aa905a
  SHA256: 0d9f3eb50ed714728bbd2409135a66e8db7cc3a38b51306eab03f45ca8ab9e5c
  SHA512: 76ce7a578c6de7396dc05756477650e2049a5d176294a0690fd3d666281f5f4d3779dabc93ee7a54e943f9b381b1093688117b277052085518561a2179d7213f

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\b6a5efeb-48d8-49e8-8999-61030980c6fe
  Filesize: 659B
  MD5: 39c2ca1e02161074d71fa180c6d2587e
  SHA1: 5d243f655f02af78ccd4dd9ea9670f63f4644263
  SHA256: 55cc53005c9d3aa9d5daf9b06ad39d5eed63f0f795acc6e4092623fd0b39fb59
  SHA512: e14acb47aef6a7c704e5765d196f05d2ef22e5932682a80996d3e6f78824698808b1fc923811a05d243806049d0f513cc111e28caded9c71b1a0cd5b54e46643

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\dd1068b2-0c86-4117-b1bd-d4f5f16b8616
  Filesize: 982B
  MD5: 6151e7996ddf665132d692ca32d33c8e
  SHA1: 3f75db18f4963f7c18e86e1a70ef25c930ad2f89
  SHA256: 1c4d0f56f64c67dc82e2cad0f87c4934f41263a7ad4855e8fc618f01edce7f35
  SHA512: a4b4a376fbbb65a2acaede49cffeb2bb52be429607d2fe537c18418d1d8c5d7a863ce7d08f83d6d39b0d6764cbb6d1e4ac326208c20e86f78dc2ffeea0694ab5

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

- (no path listed)
  Filesize: 10KB
  MD5: 71e9a311716b4cfede9238af19eea903
  SHA1: cccd4fa142c4a4b8ea1b43f9072edcd46c7e3310
  SHA256: 2cf6a4b369d034ff65abfe23fe40d51d14c156d8a41bf7ef5a21b9efb0ff6caf
  SHA512: 43e60fc09ed4ae9270282c5f7462dc04f0970686f6309b149e4c000f459ec084d2d8ced72c448c29d6d7043b1af03c5e42c57187a7e04e00c36ecb2b080dfe59

- (no path listed)
  Filesize: 11KB
  MD5: f1bcd173648b68fafa009d326ee14a46
  SHA1: 6dd24085745948aa10357e32ac49a0cc9340b59b
  SHA256: 2552af05f2344ea408627e430a299d67f723fc847415cd51a4dbff62c22a653e
  SHA512: 467b7b4df5cfe8d8e6660393af33b57d255e2c7d36b9252ec00b9454e9ae8e3e03ad5851214b55a91c50f8b2a78ef483f273ce68f2e810461becd8a664283fcd

- (no path listed)
  Filesize: 15KB
  MD5: 2952260f7684037f1ce6768ec93cc11b
  SHA1: cc61d3a9364134b48988a96bfbc6558e64e9e553
  SHA256: 1ab1897b8679d9e36a1542dd005fb43cf5718e319b393d9ea58140a94460d15c
  SHA512: 9f522f29bff1922794dc5d353756a192e42eb4a2c047eecf3f65d2a0f1551bb55bbc3ef5a4f2e6dd70b521dace17827039af10ecacb03afd47f8c3992118bf2f

- (no path listed)
  Filesize: 10KB
  MD5: 49d6c9a5703fdd88ffec31827742442e
  SHA1: 74ee50ab6f2d3b919e2173102185dc618585571d
  SHA256: 1f49c4a84c15e5480a422198ed88e0b21a8a5d9c44256bfc72e6eeedbd049218
  SHA512: 8794f264679f50cabb60ed7dc63b59dcef2bb003316e27cff7d66be913a9143400989347e8098d2b77b29c2d6b7e70a3101ea58047728fe45edf24b31f0052d3