Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-11-2024 13:03
General
-
Target
9774d2eff3d73b1b0e300494b2b055ae69590d614b53f29d026b3e9ee66370e4.exe
-
Size
7.1MB
-
MD5
633492e2f891f632fe7140c9cd415d39
-
SHA1
51200c742cdcdc1a1cb2ebe67074d5e2b5166b0d
-
SHA256
9774d2eff3d73b1b0e300494b2b055ae69590d614b53f29d026b3e9ee66370e4
-
SHA512
6ee6c41a48e5ef530e59d5cbd5d064a298c97e28c91dc35d143fb18f0fd51a9de43b9e0a02db886fd8c75fb5949527187a908801345f5b0aa88be95ce4d32bb4
-
SSDEEP
196608:8PicWWRd9vgVIQAYhwDR124vIIJKUwHuSmiutKb:F0fvgVIQArX2bRH/v/b
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 17 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9774d2eff3d73b1b0e300494b2b055ae69590d614b53f29d026b3e9ee66370e4.exe"C:\Users\Admin\AppData\Local\Temp\9774d2eff3d73b1b0e300494b2b055ae69590d614b53f29d026b3e9ee66370e4.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u0A10.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u0A10.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0w31.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0w31.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J13R5.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1J13R5.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009032001\3bc311127e.exe"C:\Users\Admin\AppData\Local\Temp\1009032001\3bc311127e.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb4003cc40,0x7ffb4003cc4c,0x7ffb4003cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1796,i,2963419117952871597,8713782259636909105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1792 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,2963419117952871597,8713782259636909105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,2963419117952871597,8713782259636909105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,2963419117952871597,8713782259636909105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3420,i,2963419117952871597,8713782259636909105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3440 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,2963419117952871597,8713782259636909105,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 19167⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009033001\91a7a592ef.exe"C:\Users\Admin\AppData\Local\Temp\1009033001\91a7a592ef.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009034001\ee552493ce.exe"C:\Users\Admin\AppData\Local\Temp\1009034001\ee552493ce.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009035001\590c0fb861.exe"C:\Users\Admin\AppData\Local\Temp\1009035001\590c0fb861.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2076 -parentBuildID 20240401114208 -prefsHandle 1988 -prefMapHandle 1980 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8003c36e-ad2b-4e50-a562-c45bb2dcbe3c} 800 "\\.\pipe\gecko-crash-server-pipe.800" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2500 -prefMapHandle 2488 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0756cd5d-ff99-49d6-b065-7332e8c8f371} 800 "\\.\pipe\gecko-crash-server-pipe.800" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3140 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3240 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2925feae-55fe-4531-9782-b035d3e8d7ad} 800 "\\.\pipe\gecko-crash-server-pipe.800" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 2876 -prefMapHandle 3652 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f769bc7-159e-4695-bfac-cc7f84460998} 800 "\\.\pipe\gecko-crash-server-pipe.800" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4772 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4760 -prefMapHandle 4752 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7006232f-e94a-4d5c-bb75-e1ffc894c49f} 800 "\\.\pipe\gecko-crash-server-pipe.800" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5308 -childID 3 -isForBrowser -prefsHandle 5300 -prefMapHandle 5280 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45bea7ef-858d-47d5-b586-e0884e78ccb0} 800 "\\.\pipe\gecko-crash-server-pipe.800" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5092 -prefMapHandle 5456 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2bb56c0-25aa-42cc-b390-a186aa521aa1} 800 "\\.\pipe\gecko-crash-server-pipe.800" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 5 -isForBrowser -prefsHandle 5744 -prefMapHandle 5740 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1308 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3adfb5bc-5b15-46f1-bba8-0a046162c7a5} 800 "\\.\pipe\gecko-crash-server-pipe.800" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009036001\5b789da562.exe"C:\Users\Admin\AppData\Local\Temp\1009036001\5b789da562.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2d1607.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2d1607.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3I79h.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3I79h.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4D901o.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4D901o.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 48561⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
22KB
MD56f435236d22e43683195fb6cbb48aa01
SHA18fba66883510c41b0a1dec804b4e663b2ba86c5c
SHA2566185ab458e7f65f44df1e416d9a4496c1a69ec0bbfbda6f07743a973d30fe61f
SHA5124117b1f7133aa6335184b0262ddf28b5d3480502dfbb7c4a8e18df01968cb5c95e73bb0d02d59964566abc0983ec3c6709ada1bdf30227e7abd04786479f5d6a
-
Filesize
13KB
MD5896647e94e52b29e27f96ac393b71a33
SHA15cb06a456ed2734e497ba443f37a2e4dbcb8d124
SHA2563204959650acdb094870b605db535a29a09675990b717288ca5fc9cfcd8adcde
SHA51217aef8924e303e6960ffab56bdcb30381eec04193be95d47ecb9769d080475dcf5d6516562cf2a582d35633759d55418dcf6e2f24ee4230188e720bd582fcc29
-
Filesize
9KB
MD5e324864962e861af4be77bcd7b7c7d15
SHA12faa16c50e6b45aa35ec36aa61cf960dde7edbff
SHA25698065364035e5a88cbf34934e3035c80abc456c6d1c9ef211d268ba97de396b4
SHA5124c62794b6cde1d1f3892a84ad5b22d1f16fa555c032d9a39decef52602b90bfb3db86e56786c6633e0632d8cc9ca3a3a614232a2700b39680a5fa9ecf8bf5817
-
Filesize
4.2MB
MD502bb15adea48221f6c39e50f1c4d902c
SHA17ca16530831f2388c7cf367e3e782533a764bf10
SHA256af2552f7d0586a5c95bbbf16460571b82e18aa651a440fa94136b0258c640c14
SHA51231c547da420e474dbc2e729b05f33c2022e24743ed673ca125ff5345a1e1e00c5b6579338bd6fa2c7c1fd316a49266d4ae4b14c35b3cb9f40842dd9c8bcef774
-
Filesize
1.8MB
MD56180812dca1859f8831c138cdeaf34c3
SHA1f7bc78cfa4037407f014818f2cf02f93b6903ae3
SHA2569a576b4a397bcc22e6521b0c49ac28dd5aee9f3f5a8d8e7f5a0f6b1bc890466e
SHA512e4f8f85324533ab2ba503004753343c51a12ed5b36ecbcc72c30dd4ee5026ef4e15444701853d49b0212f66866e30d7ce518d0a3d9d435cd8c839e543e9f4bde
-
Filesize
1.8MB
MD5989618b54cbe6d89c30aa67fe52fc62b
SHA1fb55e89cdd398d44eaf8ce549eff424a7cf47141
SHA256bee0fe71acfca971ebaf60e73f2026c1612cf89bc26d18e609891dfdaf4ad423
SHA5127e21675d2ce2f33d5ea3e9219733132cf403be18fd810912da03ac53a32c1e12c7821ff81f26874e2cd61452e5e734263be43f8985fdb7f581ce2d0194cdfba8
-
Filesize
900KB
MD5b732e89c499b07ea29c725416d62ff73
SHA15403902e4bc07eda12d6b26b552324d687dc6298
SHA256cb4df1de28626672c35c0a46077bc463061cac3ce8621f4751b3df8758e11519
SHA512f1f90fa17be3d00b6e299bc9132a59d2b0585972043b7791ee60806c21996216aa8c4668c7ba04ea77494a610fc8edc4525c40150aea5ba2f23799cfde39f23e
-
Filesize
2.7MB
MD55615bd983846db760a368756014c7279
SHA1f175ccae1f5c0d364cc1c4b0f156e99c264463a7
SHA2560650b9365c8df2f76101605bec1c7854dbad9543a7c34c25e50d0a8a919506e5
SHA512202158751411457283a5cd8b747051b4ecc95e80a0c8fdaa85ab6b6de7c53de65d60c7652a65d42fc82eebbbab45e6583bc5540458104ec7e92da7de66740404
-
Filesize
2.7MB
MD5d30bd6bc4ce8e63cd599e4d1b604c815
SHA1c79f06015669a06f56c7f3ce81e4b5f18c91d867
SHA25653705aeb862870ba7f20fcbe388077b9b47f049a6132ae4b3fe9a23208f5897f
SHA512847adf10aea75d02d7cfb45331946270f97624dc918ced6349c5c4b181fed23508fb67e64384c5d971a38fe4f318fd6ab985982f97a6b7fe483b6de426f612cd
-
Filesize
5.5MB
MD5c24c2430fa1597f49bb5fce55257c524
SHA1b31c962c2dd84c89ac16c7c603cc67ba7ef3d817
SHA256ec73aad3978aaab7fea208d04f1762df544dbc13335853adcee098451c80cacf
SHA51295061ac4a11280b38173e981963351dd78f10b6d08a5558f3233f93ab8d461658219473633485e47ea63319f6933975bf84ef6e6ad16c505cdb5cc1e6e1bb474
-
Filesize
1.7MB
MD591b37d2cd25d901080a13743131a5229
SHA10b77ba7424bf660b1bd8f4f6c01208cb8eaaef9e
SHA256d84a99942feba00f43b585deed2d7b44caa59488c61ec4d8b118b407d4f4c6f9
SHA512e6006d818362a4d5713fb2d41a8bde6db8d8a6961e7314741dd8719583a601b18775ef6ec7835c3db6ad6f6e8f7aedba67a3edc98d8e8faca7a825fbc0483323
-
Filesize
3.7MB
MD53bdac88a484cf1e0a17dd1ace87588a7
SHA1d37004f85cfcfdbcaaa8b0ccee419c4d0dbf3a67
SHA256869ed6d92afeacfac5323d367ac3caf728133a2d04eab662f7acc90e2e36cba5
SHA512c59fe2f0ced0dc8abc68758fe49617b2ffffe0b7796d173c0c0cc404fcb0d4b0f3e4e2962a10d650fe0c9af892b68c90ca2b76ba89dd494d0b7f7353f0a0eb8a
-
Filesize
1.8MB
MD59e17612d265863581fc761e5b94622d3
SHA183c605db6e0df8c9547f4ad9db9b46d1255a1e07
SHA2565c2df4701f0c81874096596ac9026c09edc28d8bb95f6388cc41700391ccf6a9
SHA512205454ce308fe6f6a39e3ff4bdff1d0dfddb12dfcf23d0a88a6d4cbf06b91e0ebec9b4b2896f18893017acd79d8e162c355c5a41cdaf96618cfb9cd02dc2ff84
-
Filesize
1.8MB
MD591ed86397a1d20fc8c1057985c13abc5
SHA131402c55aa6e6295383e405d9d12ff4bc84e980a
SHA256c1b9a83f47c5b38c215aff0cce585477e084a5af8630726d960f699971a3852e
SHA5124a3f739f61910575923801477a45373286612c131e1277c21b658fe8f227641f2f97bb323481f3a8f9f2c1508ed5dfce309d304f05b6d314eb3f5fa83d25fd1d
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
10KB
MD5298f6c713e9b3c340c06078f1ccb1ade
SHA1132834e050c19bb50820e303464502f848daef8b
SHA25624793fb8f215d69c28a7b0286ef3bf862a5b106c8d5974b23dc687f60f49ea1b
SHA5124d569587829cb223ec8896af7344dd8dd7d582cdfbe0ebd5e0d52da377305561140abc3cf0a7a0936f7c81f50850a1bffaa2f508185806a670f32f8a2c1f0e6b
-
Filesize
10KB
MD52d23227237fe7bc62a6be662db1d4973
SHA17c4d4dac7aabed6a77d45df34adfb4c1526526a0
SHA256449f5be6da893ab0cf841ed0dab15a163837cb30f009bae0714a7bf2b0114e2a
SHA512f59212729ab8bb715bb6a2ebca473f47c794fe13eb51ee8a36f6847a329dd370c0ef4416d3223034eb2084b6b6d63295afdba6ccb2a4a12283d97bcc929fd194
-
Filesize
14KB
MD529d7aa6ec7b2accddf550c4ec246e783
SHA14c900c33b55509f859b14d0a44533a7881168891
SHA256744ec945a144186e6c97a03ec3af4e1f88683c0144354dfd8f259a92b9e275a7
SHA5125c28049f394f9df56711ee73cd97a0dc00d97d66cebe8d17fd8308675d8c45dc382dc9644835e30998caad022289de8686cfcce4885519966035e4e5c62784bc
-
Filesize
15KB
MD528409021f41164e7bf74d8552ce91b45
SHA14308f0e9e316a1068697675545099a483bca0455
SHA2569cc4eec2bb798c01bdaf1e4adfed4b3c302a3d833b3d133960f26078ddc4dfbd
SHA512bd989395c3563c52f53e64a0587325e40a5de2c1543e40fda62e81052e6a5b7290e2b85ce81f713cbeaf43de208f4bffe3c10b15bbb48a4f0819a137f80a7042
-
Filesize
23KB
MD5c8170cec98025c25e2bda9ca16caed2c
SHA1686e11ac8ad7209007341d664b7a7a47dd71f073
SHA256b27864a40996eafe5b92132cc59744658f6cfa21dfb3fdca2f8bde17bcab4c34
SHA5128ba45eeb7718adcebca13239fabb96eb0ce4609deaa36621bbc77771240c4e6e04737a340439095d3ccfdc3fa70355f058268dfd1314271fb7833941267fba3c
-
Filesize
6KB
MD5c90152ac20acf814d5d0b36c96bbdfab
SHA1a554fd251358e55544ebf50bc5506eb9a57658d7
SHA256c10884166301c3923c0d082df0c7199e7925d6168d923956ffba0f6a33a2d18c
SHA512e6cd2285a191f71e8f477243172a6ff03572699cb77a778d143b05d93405c132f86aaf74d9e7d278f75bf94d9806fe6e78457b04322a84eb958b8741db481f4d
-
Filesize
5KB
MD5e0c99ba80525e2dcd89b3c61cbaf28ac
SHA139b73f7ef5d2e70fe9b0e1f62118ccdde179bd47
SHA256d908395f6ef41cbdc3212dffeff1b6c3b22042055671b8e8f292d8aa51b24dc4
SHA512950d253c9bdcac5445f8663d2cf11874d4a128d69998e0aec430ab8b0d72e76ad50fe458badb8fd8355d0caf24d90ad5d271a3ebe474efa5cc3bda2c7a2ba674
-
Filesize
5KB
MD5cbc629268bc0c126a59507d4cc5f5183
SHA128cffe15197a97432c766616e2b5653c708e6b5a
SHA256cd42d8645a8164519d7972338604556ef87c9a35c6aa79ae528d4f29714dd8dd
SHA512227052dcbc89e79637c9aa96549186fc40c83efcd04780ed399b5569251d70f64815e25c062ad645403d5481e7a9afd4bc6ab68b94507f50757d324df46acb67
-
Filesize
15KB
MD56c41990d65c490a88e5b0d39b176c898
SHA14ec998977632f628f48f5d8b8315a644d576ab8d
SHA25668b39bfac1fe059e6bebd16ceb8dd5a7c2ff475e1b7a874be35a237b8748fc8e
SHA512ba8c9209ba70a8e96a9f16c1fb15c9601dc81362a81062bc0066af056d32c3293cb55961f0a069cfb83533be0ec11e714d80ad8970e70767d85d0126a0478949
-
Filesize
6KB
MD513dcdba5978507790386df804640c12c
SHA13d5dc3ffc72cd5c3f311d8e30e9a862b86fe8f68
SHA256f07086745607d591a67f7c6069e64faec2748d083ebc4d0097fb7770eb46df98
SHA512121ea2913f6d32df4d37218af25cf4766fee73f20262d0368290190905b350301d9a6c9b6430a542d1a774c5064338df1c5161860ea2e55f9394b4d8e3866dae
-
Filesize
5KB
MD53c397e30d7c096fec83ff0f2b80ce4f6
SHA1fc1f00119a570255b32045cedbaa902d8bdd48ba
SHA2561679c825f6ed9caa79e7963d6fc9f63cb3f528cc532d85cf0be579cd65bd39f3
SHA5125927ec5a17dbaaba1100003130c972ea4c8fb2eb12443f3ed4801ec376bca207570545884c675ce877fd40023a9f86f059828bfce435b4a4d529b4fcb59de110
-
Filesize
25KB
MD519998b828ab7e1cc3c89b3e5828fb297
SHA1db1ba9a495d3b944902b1194b3f32f3537f747fb
SHA256ffcb9dec5338e30f43b8695a4a38cfe99447a2e40f297df9cd069d035c1ebfc0
SHA5124a788708cb703906523afec5a085d18eb8e215029654a6efdbc8c97d9343cb6b2f7ace6eade6f601ff2c991c12c132c9b2fb713dc3ea672fbf97416e5681b52a
-
Filesize
982B
MD5c1bc3352bf81ec65ccb009be4af2e6bc
SHA1630e89d035aaaf6067f70b230b1ed1dce5e5e7ad
SHA256165cc53553623c84aa2bee8d5c1491a1e1e7ad337482736af47d71646d562dbe
SHA51258d9208f94b83b5b3512a0266bf7f5c7c1f9c20588f75351c7c3f66de4969dccdac879a9ae75933fe790948d9e54862312e71058da6bd98c5efdea144d829f91
-
Filesize
671B
MD505691eb9d72a374766858e8496316a3e
SHA1804a7f9a8c751da73590b9b2cca3315a4d8c7542
SHA2563672894d6569d8d4d508d06f88ea104d7bb6058f12b862fc3e0d46316ad85fa6
SHA512166539b30d3599622c4722d22a01dbf864295518dd3486a7b8644ac838b17c6d0ee7c5ccab30646cd76258047a817f8e3457d7bf0c909d3622616c4de95d5a4a
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5ab2c581f929ee70e7419dfa1956b2a28
SHA130b35e6b57061da6230508b529a0153e56bb8310
SHA2563c4e1073633205393bea566b91e7716662576e84a012f48258d7c5605e58cd7f
SHA512a656780ed042c5b4f95ac1786504f89ea84f28158f39d892441ad151d04799f2f0bebbc362ca87db67505747852ecc7515bd6dbc54c86f8b72bf96e2d46129e8
-
Filesize
10KB
MD59e49f9c15e14e542ed42a3361ff47dce
SHA1d4e7139e501b2a102fc113f1dad65e18f4c38e23
SHA25695573e6b6b70e077775c6f40d87c9caec92cd8ca2aad982f1fdd6469ac9cd987
SHA51274c8e5d86e7ee085108a593db9e7eabe1ea990c48433338e1f737b53042a66b0fb61b5f901f87d1f30e06690e98ad2886e81c82775a45a78bc6801be5538c186
-
Filesize
15KB
MD596a162d1179bd0c5b313004cedccab01
SHA11ae1ef7f2550adbdecae5b59d1bbbc0119405899
SHA256b05345d35134218e2e8f62f18a1d8e01410c8c89d1d3675a11d3aaade5cbbc9c
SHA5121231ab4c4faaefe44f6d7a26e37c64227ccf3d54fee59f5d07759517f04d17bc1baa5488338a63bdb5d407e5e0d6fa12b077117ddd822bf29c8d25e61643176a
-
Filesize
10KB
MD500ce838edab3ec9cce87b6400184dbff
SHA1b447623b5a8b882e2139cbec2faa8e8360f400ca
SHA256659a946614f947de3df5ec50317df81cc7de06f0980ec88146b18703def4e6e1
SHA51247c275aa90c9cd861301fff0dba8bc6413a588f822fdfc98e48194a3c5cb4c81c8cb7703b534c0a149ca1d6748978306ac43127fdd486b45f9a1606566a58ccf
-
Filesize
9.4MB
MD56643208a348d3e963a106855cbceb34f
SHA1806a0bf159933f542f95aef95160ae0ccd0c3440
SHA2561bb62bb3c2b6d524a04db4f065a62959986204a87ca8ccec041069f4c9ff03d6
SHA5126f047b20d704409a5122453680f70dd465917220bc2ffe6c2fef456083b8345887494eff56b90314891a54154c5197e4564771461e32466240e0b9911d9a87ff
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.8MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
72KB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
10.4MB
-
Filesize
12.4MB
-
Filesize
12.4MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
4.8MB
-
Filesize
4.8MB