Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25/11/2024, 23:53
General
-
Target
338a8f4956cdd830b17b6b501e525c8337ab7916459684643116fceca31d4a9a.exe
-
Size
1.9MB
-
MD5
60345799039b0c985d836024c003b152
-
SHA1
54715118a518158f52de07baa3282b605350d7ba
-
SHA256
338a8f4956cdd830b17b6b501e525c8337ab7916459684643116fceca31d4a9a
-
SHA512
b8f2f62c5561e96cb9929e060893fc6d2d9fda3e5e508a211b046501b360015a85c59490f6bb1c89ed2b48ba55d46028373ed50769bb16e269c7744aa9a9202b
-
SSDEEP
49152:ONNzdkFg30Kk74f4wiVZLfGRf7s9HtjOThexHJ5C0o:2gFuW0wwiLfG1sbjOSJ5C0o
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\338a8f4956cdd830b17b6b501e525c8337ab7916459684643116fceca31d4a9a.exe"C:\Users\Admin\AppData\Local\Temp\338a8f4956cdd830b17b6b501e525c8337ab7916459684643116fceca31d4a9a.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\computerlead.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 3447⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\1009152001\803dd6e8be.exe"C:\Users\Admin\AppData\Local\Temp\1009152001\803dd6e8be.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"5⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc8301cc40,0x7ffc8301cc4c,0x7ffc8301cc586⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,12982489876415371275,5209721431079225926,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:26⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1928,i,12982489876415371275,5209721431079225926,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2060 /prefetch:36⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,12982489876415371275,5209721431079225926,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2500 /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,12982489876415371275,5209721431079225926,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,12982489876415371275,5209721431079225926,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:16⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,12982489876415371275,5209721431079225926,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:16⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 12885⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009153001\0ac8300055.exe"C:\Users\Admin\AppData\Local\Temp\1009153001\0ac8300055.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009154001\53e98cc7ea.exe"C:\Users\Admin\AppData\Local\Temp\1009154001\53e98cc7ea.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009155001\76dd1ed23b.exe"C:\Users\Admin\AppData\Local\Temp\1009155001\76dd1ed23b.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbc082a5-3e5a-471c-b2c3-92f68b011d6d} 496 "\\.\pipe\gecko-crash-server-pipe.496" gpu7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2452 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4585fe48-f166-4d12-977c-370b5383f774} 496 "\\.\pipe\gecko-crash-server-pipe.496" socket7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -childID 1 -isForBrowser -prefsHandle 3376 -prefMapHandle 3324 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aef79617-2350-4e41-a1bd-a035517726d7} 496 "\\.\pipe\gecko-crash-server-pipe.496" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3496 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15795eef-b8ab-48da-af2e-96b1dddedf19} 496 "\\.\pipe\gecko-crash-server-pipe.496" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4344 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4312 -prefMapHandle 4252 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df21bb14-7423-4ac4-bb32-5469b3e45fa5} 496 "\\.\pipe\gecko-crash-server-pipe.496" utility7⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5544 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4decc7a6-9662-4976-b3b1-c113e9a09d22} 496 "\\.\pipe\gecko-crash-server-pipe.496" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5692 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b54e62d5-0954-4e5e-8c21-d851662fff28} 496 "\\.\pipe\gecko-crash-server-pipe.496" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5856 -prefMapHandle 5680 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {479698b4-5dd7-4065-8667-436ad23e29a7} 496 "\\.\pipe\gecko-crash-server-pipe.496" tab7⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009156001\00281d3bc6.exe"C:\Users\Admin\AppData\Local\Temp\1009156001\00281d3bc6.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1956 -ip 19561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5152 -ip 51521⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
18KB
MD525b059ff13bff64216868a38854fb01a
SHA1e8664414a11df3d618a02ca9a9c151f08f6e089b
SHA25673231689c01d6d7d9fcc9e1604fa49dd9fd3edd415eec99a00611b09126f9517
SHA512ca04faf2d03e62410228eb70c9599d035624377059bfca700b9b1bce8b791d28cbf0cd9e999bac37dbb0f2da1f4a54bb70f85eeb367dd88a0d4895a0bc4cc410
-
Filesize
13KB
MD5406f389fe3afc990aa91b6ce2fddc31d
SHA15ae90e301c2cb1ac5437ccbf62d9e5aae763ab97
SHA256a074a4df8280e4dfd3ab61a8b9d93cd72ea4660b858bbbc1a6babe77aa9d074d
SHA512e17d7f022c49d975ff441ad3973abfeb91d7e6d28c858f08edcfc0a8075c2e43fd022caa0e8dd525ef271aefd7c928e61d653cc617ccf905dd313803f0fe4933
-
Filesize
932KB
MD596a7b754ca8e8f35ae9e2b88b9f25658
SHA1ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA25621d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
SHA512facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745
-
Filesize
228KB
MD50a089e934eb856c3e809d0fac53000c7
SHA1661f86072031587be18ada0b6606ee82bb52038f
SHA256f4e5ec593dcb18dca253d98f5133050e96f27f86c1e46b5882abf797fefe26b1
SHA512026152c47e9547d1f2c254bdb824f9b8ac113df6b3a98c61b1ac4adde0286dc8a06ade4a3bd73a149b4a9eaad0f86d702ab4b4042dbb7c17cc0af5a14e34cadc
-
Filesize
4.2MB
MD5e3f5abc2332ea769c91f7c6f2a5a664a
SHA12969a201926786c2e4d03f215077d2abec517dec
SHA2566bf3521dbb4d8610035627fd1ffba23169aaba4c7ed723522a1a73386edf5b69
SHA5126a2f821451483ad5781b761bd9f462fcbf6239c1d6260d2af02f128680588c56fb4b03ad199a01334ce50d4a351393a2dd69abd345fe949434c5733078949f2a
-
Filesize
1.8MB
MD59b74557efef93db56818bb3355dc0954
SHA1c7abf497b84ba4c3f3bebcdc92556a2a35fc67d8
SHA2566d0eea80b03ff05f40ac2c0bdefde7c8eb4ad3a7cebe0ef9917cab6c20a8be40
SHA51210e060cc93de062789ced58486a27b452f917e4641bd9911eeb5fbaa75af56e9d21258fe7e76e1d7c0fb07e419b151659df4c32e05cf4b81a9ab16d69d56645f
-
Filesize
1.7MB
MD5ae62896aac2820ebe9235b01b2370128
SHA1676a436318647235e6068e3e56408491c4ae46d1
SHA25678f8f56de1d7fe369fa9b7dfdf52d43af4ed2abb6ba0a05cd8adbdbf078ca405
SHA5123e692ab535e4e3d0cf53a92fd0beb0554eb449de2abe71391a54d8ad0965d8f4481d5155413a4638264c7fa555219f4195b1116e6631e9fdd63604805dfc1626
-
Filesize
900KB
MD557f54ff85248dd46810bdb948c32e71e
SHA1c3ae6412720aab3321ea1513342cc238c2e92648
SHA256e2797109bf85529b91f414b8e608a47c3f87e15388aa8b64a2f0848e6b6e3740
SHA512591ecceb9256ac0f5293b77dd409eaee36abc62732feec981d7254315b502d2a7788ffb35437819226447cebc633330a110a6eb4239eef66e6b92694e9c2e833
-
Filesize
2.6MB
MD51d51ecc205590f39930d9c4685aed827
SHA1eeb3ef56179a8534e6a8f3279491a59d6afc5ffe
SHA2568b3ca7da6a1d9976e10e0b1913b91ef8916d2852f04fb39f8a9875f6bfe50bbb
SHA5125b60c9ef97931818351780b7a56cfb46087d6483226f8757151c9faebe9d621b81f2a7aea821cc456979b115111cdd7f13103be117f8dd9be51f0af8f4ca6ef3
-
Filesize
1.1MB
MD52354e800eefc681a7d60f3b6b28acfd9
SHA110b6a3d9d2283b5f98c9924fa1fca6da79edb720
SHA256d3c21f6c3892f0c444ffb4b06f962caddf68d2c3938bbd399a3056db255007e3
SHA5120395737b77891d8cf7761266c2b3d594deb8e742bd5f12f15f58b2c161c242356b953ebf8cd1f41924a917b2c1332bd2e05ef275efd2419a6134a60729195354
-
Filesize
1.9MB
MD560345799039b0c985d836024c003b152
SHA154715118a518158f52de07baa3282b605350d7ba
SHA256338a8f4956cdd830b17b6b501e525c8337ab7916459684643116fceca31d4a9a
SHA512b8f2f62c5561e96cb9929e060893fc6d2d9fda3e5e508a211b046501b360015a85c59490f6bb1c89ed2b48ba55d46028373ed50769bb16e269c7744aa9a9202b
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD5db5e4edec60e22d28fe838cd77ef33e9
SHA13c6130b86f1a2b611110d8559cf2ed60e4bceea9
SHA2560eb0a70afd8c296ba495c36d84792d3deb0eb1a4d4e53de773ecd9364480dfb6
SHA51233461d2e87703bbd65468d6cf7818f6d6d50d09fba828666a7a5a3a3da691ab39e0d6731756e4bca8cea7565083d4a19ad491d848a55d6c3762eec2c1bf6a4c5
-
Filesize
11KB
MD5608266afc2f312f1a49c5aa6f0ef4f5e
SHA1cc2b28f82b8ae9f2e4cd1423dc6c7434bf445514
SHA256e2f7560960f7c9fb4cc569bd76cf98624fdd7843eba95b9d2465ce882222558d
SHA5128e4cd7a0ffb6d762f3843209266a7a94ebf4d52b01d3bb5a5a28eba93322d72362e88abee6d16cd2976d53a7ea083b2344606740ff57e4505d3be76d574c55ca
-
Filesize
5KB
MD5d6a0381e72c80a16277a73eb063c21c8
SHA1ada0dc3fd74d7ef58cb8913477686e2903ebd319
SHA25675bcafe82db781be8cd5fac50f588bf75ed6686c44b320aa00097f23650d2c5d
SHA512890612660b70cd9b7ff7f1d8c782389febbfeeaf94fda077812ac8f2be061bb40982e3985f66b99cac71207a59197f964c3d92fad02971827d38d37100b7a561
-
Filesize
15KB
MD5fe74bf85c4d336f6e09a7be87ffc1ca8
SHA1757fb8fb6255460ca26dd89e01db995505154f91
SHA2565f647c89ecf542aff5d4935e4bda3d9c47bba8ad6c13d540174ceb1562054c86
SHA51284f58594d1474b70878af00df42f1f4dae7e1beec5224ddf58919e4868a58fdab69180c8dcd172aa727bc46f201f335a0f0037337ed5ec0925004ae170a20cb1
-
Filesize
15KB
MD56d5aa30595422220c3f50bc64d878a01
SHA114de1c068fe667a8eb0caf477bdcf2ab76a4fa78
SHA256fd0497a188b39766a4a7ee78b0cf7c882b73ec506f05d6bbd49b9efe47d66b06
SHA51289a96c01ada9e3c5fb2a273a9a8137dfc627bafc7321f5dfd8a9640e4be47b0e8d9ce15b4bd5e37f9854d51a34ed4872ef84e6d20fd30c6e068b3dc6c18589ef
-
Filesize
25KB
MD51e905a2d2e73a5cd243ddb7813f4c994
SHA1ef53bd6ae6b6100c3b021389e2b7233f9a50476d
SHA256df9e01f26a760348b263974fc550608b9729a7e8655429c18421b77a612970ae
SHA51290fc75eae0929702aa20b9928ecd6c07656480849c17855c30f2d800dbb2b7fa5b937ab66563c91af6388f469c689f3d7a907559d867f437f1f78766f80b7049
-
Filesize
671B
MD542ec42d6fa9a93e5415b9555ae1dda11
SHA11d28d8abb214f7270405ac5644f09ee2091ce8a4
SHA256dcda2431eb188844d40a6855d1abf2406bf73c03be23bf4fd47c0757b9e18ee0
SHA51292223ab0e972fcb8d005bcf16ffe7527acc1b7abe42805ef47e662ea5790c32fead5b7961fb9c5a4a8242e1e07cb29d82d977637839f1db8c49e38e88768c4a6
-
Filesize
982B
MD5723edf8a2feb6a761f33e1c60fd5fdd5
SHA1d7006c984c80f148136698657fc8158ce8b8d9fa
SHA25628047f652c67dbeaf38b4f5346a53f38f55173918c768d710983eac01c8a3040
SHA51280be05d98de6cdd28fd89404857b74a9ce348e4abd0a96f30df753c9789d8484c8e6dc38459bd287546ee20587b069f931b55644d47eb67ddebc5624310714dc
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5347fc567da10e64af1e4931b15cf40dc
SHA11325b76c77f5f7462842d82719a3c242c5386352
SHA25660eeb7a9acfb389e3008343165605d46d095eef5f4b8a8ada7da436bcbdf122e
SHA512565501585c0e82bbec4bd5e7f55366965036b5da881146a6468ea490f57ba3db1443bc3aeb3cd49c2ce25cb50adccabc41ac3326c89f7e6783a4d623fd9ea4be
-
Filesize
15KB
MD506c6c523f91f7abfcbf563bab73cefb9
SHA13001a8b5453ac2d75e86307e6f68502b93308ee2
SHA256e5d0f89f47dacd397aeafbcaa256c852817f275f9aad74d5efe01219fb08d972
SHA5127fe2d379bcb97e78c2e6719841ea7a22f425968eafea9e6dc11678a25c59ed8ccf2b613488236721511777e907f86a9ec13a24f11322fe7cc9849c267d77cc4d
-
Filesize
11KB
MD5ff2b4b3c95b24c7e9a0aa4dfaedf3b15
SHA1954b3a3b8ffa4e1c2697ac4ef1efc2eb4501bf1e
SHA2566b36c2f6424ee8a35c520f73b7173ab9886888ece0640b51cbadbb5bb9e0e5dc
SHA512b363ff0939d17cd89e42cbe181d5aee7ae15dced93e88e9b200cb309c933ba3011cfc79189d2ceb8cc6ae94dd16b5c5fd0e3e2e5f4f4466ebfad11b403024c55
-
Filesize
10KB
MD5710e6b38e2b125842c61ac5343d0362e
SHA16de21914cd8cf241dfef69782b5c8970f4fff05a
SHA256d24e39574cb0197f380aa43d429be0f76e1cf7dc019606363e574f53de91b37b
SHA51296df76d705f9123d398c7b44103930ccb7e8cee406be6934fe8a70122b3a5645b997b81def73a17f55fdff718666676b470aefee03ca0f0823498afa24c99fa0
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
616KB
-
Filesize
304KB
-
Filesize
1.1MB
-
Filesize
336KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
256KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
184KB
-
Filesize
4.8MB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
584KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB