Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 00:18
General
-
Target
726979ea1163d1b8a872478fc405344cb0d50fededac45f1d62ddda1a3fe1ad3.exe
-
Size
7.1MB
-
MD5
c0e3bdb83ef9926381ac75cd79c5dc6b
-
SHA1
317ecf4e8b2336f24222b2d104be8d0c1110406f
-
SHA256
726979ea1163d1b8a872478fc405344cb0d50fededac45f1d62ddda1a3fe1ad3
-
SHA512
1c9db63f8b81f63fa0dc4d5037561234d8dea755d4c04a084f488b0c750e728a068c5b36a86b27c8e99effe6ee22e9fa2cb25fca59a43f57d4fb75183a2c4559
-
SSDEEP
196608:E3CqqB1lyAsdGTCKtGe7dbarMWFeQ2hkDoz:EyqaONdGTCKdJgMWFeQhDo
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detect Poverty Stealer Payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Povertystealer family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 22 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\fontdrvhost.exe"C:\Windows\System32\fontdrvhost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\726979ea1163d1b8a872478fc405344cb0d50fededac45f1d62ddda1a3fe1ad3.exe"C:\Users\Admin\AppData\Local\Temp\726979ea1163d1b8a872478fc405344cb0d50fededac45f1d62ddda1a3fe1ad3.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\p3v36.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\p3v36.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3c59.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3c59.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E02K3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1E02K3.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"C:\Users\Admin\AppData\Local\Temp\1009118001\x4lburt.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\computerlead.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\computerlead.exe8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"9⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6104 -s 59610⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\1009152001\17786bc528.exe"C:\Users\Admin\AppData\Local\Temp\1009152001\17786bc528.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"8⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff2408cc40,0x7fff2408cc4c,0x7fff2408cc589⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,11381245225947391342,8823444638943051743,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:29⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,11381245225947391342,8823444638943051743,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:39⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,11381245225947391342,8823444638943051743,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:89⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3204,i,11381245225947391342,8823444638943051743,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3264,i,11381245225947391342,8823444638943051743,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3476 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4212,i,11381245225947391342,8823444638943051743,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4480 /prefetch:19⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 13408⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1009158001\64b8a8e365.exe"C:\Users\Admin\AppData\Local\Temp\1009158001\64b8a8e365.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009159001\0cf1f8c663.exe"C:\Users\Admin\AppData\Local\Temp\1009159001\0cf1f8c663.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009160001\cc69082b34.exe"C:\Users\Admin\AppData\Local\Temp\1009160001\cc69082b34.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking8⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking9⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2072 -parentBuildID 20240401114208 -prefsHandle 1984 -prefMapHandle 1976 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e39ed3-6847-4912-8996-195642b97ee2} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" gpu10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2484 -prefMapHandle 2480 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90a30b50-a5e3-4252-968e-d47591290c87} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" socket10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2888 -childID 1 -isForBrowser -prefsHandle 1492 -prefMapHandle 2884 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bccc0d2-cc1e-45dd-aed6-cd5819c493c2} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3744 -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 2896 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a61e12a2-b274-45e3-a1b5-4c1a2dea58ed} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4672 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4972 -prefMapHandle 4968 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {303a93e0-8ed1-4b7c-8aff-192386bad131} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" utility10⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5396 -childID 3 -isForBrowser -prefsHandle 5392 -prefMapHandle 5380 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {28ed2fba-41fc-4049-88a9-5c983b41a89c} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3750dce6-04aa-4291-bd82-43d818a987b3} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5816 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5744 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d750c6d2-bd83-4aff-a6f7-e54f1247a511} 1316 "\\.\pipe\gecko-crash-server-pipe.1316" tab10⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009161001\c01b2ebd6a.exe"C:\Users\Admin\AppData\Local\Temp\1009161001\c01b2ebd6a.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2S2685.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2S2685.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3L85i.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3L85i.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4s791e.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4s791e.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\xl.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6104 -ip 61041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1788 -ip 17881⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
13KB
MD584a2d615b50b225a4dcd47c29cfe1a59
SHA12bac76876b5006d5a97408742ce279d0bd3c0cd6
SHA2564ffc575cfeedb854993fba875844b904aa03d103b00c6dd398052876f546039e
SHA5128b839c0422649ef51773d62cf78ec36d5353b2b60c9021c6dd60598199c65bbe693ea6338c9033a5585c5f9dca86f4d22c8aee3c1eb9f259e08ef6c363568f79
-
Filesize
932KB
MD596a7b754ca8e8f35ae9e2b88b9f25658
SHA1ed24a27a726b87c1d5bf1da60527e5801603bb8e
SHA25621d262741b3661b4bf1569f744dc5b5e6119cfa4f0748b9c0fa240f75442cc50
SHA512facb2e44f5a506349710e9b2d29f6664357d057444a6bd994cf3901dee7bea471247b47496cc4480f1ad2fac4b1867117072ea7a0bfa83d55ced4e00dda96745
-
Filesize
228KB
MD50a089e934eb856c3e809d0fac53000c7
SHA1661f86072031587be18ada0b6606ee82bb52038f
SHA256f4e5ec593dcb18dca253d98f5133050e96f27f86c1e46b5882abf797fefe26b1
SHA512026152c47e9547d1f2c254bdb824f9b8ac113df6b3a98c61b1ac4adde0286dc8a06ade4a3bd73a149b4a9eaad0f86d702ab4b4042dbb7c17cc0af5a14e34cadc
-
Filesize
4.2MB
MD5e3f5abc2332ea769c91f7c6f2a5a664a
SHA12969a201926786c2e4d03f215077d2abec517dec
SHA2566bf3521dbb4d8610035627fd1ffba23169aaba4c7ed723522a1a73386edf5b69
SHA5126a2f821451483ad5781b761bd9f462fcbf6239c1d6260d2af02f128680588c56fb4b03ad199a01334ce50d4a351393a2dd69abd345fe949434c5733078949f2a
-
Filesize
29KB
MD5d0038532ae6cec64be83bc19d0b8f695
SHA117a23380f80068d15ebc014cb2b1748bb45fb5c1
SHA256b412dd132cb21a0d4d7bb622c6fe49f9e6c5c934201815d570db774ac80194f5
SHA512af269471f7093445fb05bc6d6d185f9e48d0666674a3de50c4217757d3fdf39b067668bf2ca37eac91d5cb203c3ce3d4d634661e470d84d12c80c332344503ea
-
Filesize
900KB
MD557f54ff85248dd46810bdb948c32e71e
SHA1c3ae6412720aab3321ea1513342cc238c2e92648
SHA256e2797109bf85529b91f414b8e608a47c3f87e15388aa8b64a2f0848e6b6e3740
SHA512591ecceb9256ac0f5293b77dd409eaee36abc62732feec981d7254315b502d2a7788ffb35437819226447cebc633330a110a6eb4239eef66e6b92694e9c2e833
-
Filesize
2.6MB
MD51d51ecc205590f39930d9c4685aed827
SHA1eeb3ef56179a8534e6a8f3279491a59d6afc5ffe
SHA2568b3ca7da6a1d9976e10e0b1913b91ef8916d2852f04fb39f8a9875f6bfe50bbb
SHA5125b60c9ef97931818351780b7a56cfb46087d6483226f8757151c9faebe9d621b81f2a7aea821cc456979b115111cdd7f13103be117f8dd9be51f0af8f4ca6ef3
-
Filesize
5.5MB
MD5b61a84b8ab5a478519ba0c5e2b9f49ee
SHA1e41a28541043275420fb6272dfb5bb5554958d71
SHA256f0073e001298c204d338b4de4b60aa9c7167d24a0429deecac8f49bafc58ce08
SHA5120c7a24d8952a955e5b965802f768a7c03028e2d23dbfb576a6b47f49f3f48816e1a9457a53bb538df0bc9002dd70ee19379cfa496d635507f9e473c1091acfc5
-
Filesize
1.7MB
MD5ae62896aac2820ebe9235b01b2370128
SHA1676a436318647235e6068e3e56408491c4ae46d1
SHA25678f8f56de1d7fe369fa9b7dfdf52d43af4ed2abb6ba0a05cd8adbdbf078ca405
SHA5123e692ab535e4e3d0cf53a92fd0beb0554eb449de2abe71391a54d8ad0965d8f4481d5155413a4638264c7fa555219f4195b1116e6631e9fdd63604805dfc1626
-
Filesize
3.8MB
MD50036884a30eb73f62b878d113150c294
SHA15315b61a2dac22815898a7305d26f4cabfbc9ed2
SHA2569b36c43333f3f7d2d959fb9bc866773c6a613f99ef672af6f3e03e4e5426faf3
SHA5127cdc9f08c5b87f68e92b040c083dacc8e0989dbe9e369faab8ab17b42aa3212e43b61cb10f3d7fca18ba6da1d4c0ca317444a6016ae0a64403a47b816ce77f61
-
Filesize
1.9MB
MD560345799039b0c985d836024c003b152
SHA154715118a518158f52de07baa3282b605350d7ba
SHA256338a8f4956cdd830b17b6b501e525c8337ab7916459684643116fceca31d4a9a
SHA512b8f2f62c5561e96cb9929e060893fc6d2d9fda3e5e508a211b046501b360015a85c59490f6bb1c89ed2b48ba55d46028373ed50769bb16e269c7744aa9a9202b
-
Filesize
1.8MB
MD59b74557efef93db56818bb3355dc0954
SHA1c7abf497b84ba4c3f3bebcdc92556a2a35fc67d8
SHA2566d0eea80b03ff05f40ac2c0bdefde7c8eb4ad3a7cebe0ef9917cab6c20a8be40
SHA51210e060cc93de062789ced58486a27b452f917e4641bd9911eeb5fbaa75af56e9d21258fe7e76e1d7c0fb07e419b151659df4c32e05cf4b81a9ab16d69d56645f
-
Filesize
1.1MB
MD52354e800eefc681a7d60f3b6b28acfd9
SHA110b6a3d9d2283b5f98c9924fa1fca6da79edb720
SHA256d3c21f6c3892f0c444ffb4b06f962caddf68d2c3938bbd399a3056db255007e3
SHA5120395737b77891d8cf7761266c2b3d594deb8e742bd5f12f15f58b2c161c242356b953ebf8cd1f41924a917b2c1332bd2e05ef275efd2419a6134a60729195354
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD56bd37169a9a6c734e280da8102656f37
SHA1df0168abc97ab5ccdb9b436eb14f6b720f9c87e1
SHA256f0990d67618d75529148b2912b2d0a9c54c0d307dcf2e8cc135659dfae81d57b
SHA512c40259f499dda83d3b851c59ae3a6dc5aad0cd01ec3243e9a6f12b7e5579d011ce24847d6b1a30ecb62fdafbde73218cafe6bb96b7215d21cb5155d01ebd5805
-
Filesize
7KB
MD5cea89a9553df86407695e54bbba40014
SHA1709d29daff7e51446aaef7bf66cfd1e7de5da8d9
SHA2560587c54b5e5b925ec5effd2b8b072dac7ebc78481f11ffb87f47422b37e231f0
SHA512e64bbbb9972501e592c5cc4a338480143dad8c849d67297c8206523b9205a9054ed76410a871f8b2a18dada14efa966422588d92c8bc3fd428fcf0f3563dc23e
-
Filesize
23KB
MD5f6d4ab6fdcb9ddd6b783a133c784593f
SHA1a5c18b2feac2a54ca7f1b584507d583c17426124
SHA256139aaf3f25dc0f1aebf073e8dd27c128d772e45049a34910f55b1d97c1a6374a
SHA512c8dacc816e0609a2b7c46d2cba5692f8e17605100dd33909875d2387e70dcea8b9077bc933b1f5af00bf4ab4b02bbe7bc835e79a3ddfd22ca0c51a4bf599a15b
-
Filesize
25KB
MD5d41e02884c0582f4032a9f55dc306fee
SHA15b39735dd59f4cfaf14f3b60c01f7b7adeef64f2
SHA256660436a8f55585684b5348177a605306febe9dc2b1271684a7b29e16b48d4504
SHA5126a706a6d6e95eedb2792ed5f2c204c5ea5548c859cb45f609311b7827d1b82602da38e965b2404b05d73e6962aa31bff2930ae383900374db0cac752bb6a7cb5
-
Filesize
22KB
MD55e7a092d86486df9d0d38be14aa603ab
SHA155f10ebeadc0b1282599da0b0f5025c5ae0f6bdc
SHA25642631caf665e47be5ca3ae6e5929d1a40f3442c7f9afd27cc9ac770e54e6e02c
SHA5129aa195c562ed3d5645fde8a80459780dca0135f93234444f3839215110b9cbad46c6b86c808d268bf76162e43a8e005bdbe9e965b3ab8a3986136dbe114b2e86
-
Filesize
25KB
MD5a985c84ff1fade42f0763fcadb9de4cd
SHA1ad697ff5f5fdc99a71833eb445cd59fa46a6e91e
SHA2563f6f8cbf6a60b6267b53af3a36b5c44f74c231b98140c1cc593d22c6b298fd77
SHA5129bd309468256658e2ed436a813508dd4e4bd66ce1da61def5c306c6f88c59485f0b7a247d5dc1b4f4a8e0f04bf03141577d73559f7723609167f2b7876322e92
-
Filesize
659B
MD5f9458cccc2651dec2e80b32d966d3ee1
SHA1ebda0542abc6eda1a5e80330eeeff97e2222ab6e
SHA25620a67abbf42d943835af10b362b4d3e019e7cd4d1751ed4872f8350e34e8c8c1
SHA512bb80f05a28559ca1bbb2687d3eecd7200dd88a96b5bd3a8cdb238cf73aa0a74360eea6cc942240d2add37d67d83a80788a2ff6d34dcca8888ca0b5c950f3dc12
-
Filesize
982B
MD57b645ac72b241d98f67d751aec4b069a
SHA143a9c4fe5c8681b34e0b485f652e9df5e100daea
SHA256ba0747901a459f696df3c70a50b55e638c26cd32f78e9c451a2a801ca92c58fc
SHA5123a0c1202cd765829fe435396eadb58e677c83cfff1e3bf5f0043cd2874b9761980670cfcf84efdd9e14d0798867572daf6d01f7dca21fca0b51705760f929d74
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5a1cde2c42798c27df3da1015c7979db1
SHA1237ee46e372f1b7a19f09723e61b09249a4eea30
SHA2561fc4d089d366418db50d4a5732202629a07ffd8d30c22044b2264e135a6747d6
SHA512dd6b49ba42c7d62401f1b5e52bfdf0a7d22c44663929668db335eeeb780108f42b779afe57a503940096f3f0c368b871b7dfa6a9456911823f4888766e36a464
-
Filesize
11KB
MD510cb98d3c291e1c42467326cd7d4ff2d
SHA121b0bcbb9182d35f50e6bba3688de068be713a12
SHA2568df081d40e28792d38075196ad3e38bf330f632d068f501a37e0b7ff786e1486
SHA512f44720036bc31521d43ed57ab591050dd7af0ee11a4b5e9684c28be2d0fc09b1c3dbf9b7fc517237d945b064460c7f256d08801532fcf71c2c1a7ccd7621974c
-
Filesize
15KB
MD571347176cb710c4253458ab2a419081a
SHA1384ca14d88d4890feb17b0b9159101959f25becb
SHA256000bd5c5c4bc96cb95cd45d4d4b1f1d0005d02b0d09a4ddcba733044d08fbda0
SHA512df9a9777d0042d349c682a28ad28b6444c2b507bf34b789e1f53caa2887d1fc373c1f572542694f1896ab411cc0cbf30d88c9f89e793abe1af004dfb0d293c51
-
Filesize
10KB
MD52de1964985c547c0de1c97d79861a8a7
SHA1b5f61105470070e89f9d654ecf7f7f1e0f8455c7
SHA2567607a7eee1a18eb297f05a9718d6168f18fd118faf6261fdaff8a495fb28e941
SHA51253eba7b2ca1af006d2ffda0cbd14104f00e0c271d0bb42d20f9a7bd77322a96cb2f24985a4ba13ff21349522f2d088a06d0b06d86eeb86b5cf0e2118769a7ded
-
Filesize
2.9MB
MD5022ec620c4f7e5a82d715f81e3506b75
SHA145a3bccc83ff3f82899802952b2ccde098a082c1
SHA2564c504b0b2afa8b82c3817dfb5aabaadb0dc7cc9bdbdbccbf7334683353e190ff
SHA5125e13c6198d8ecfb4f6706fb51a028f41c935611164650404328992be488da2b31b612c92dbfb1cd167d3e957d757149cc9af71961833f0989638b1b0553c0eee
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
24KB
-
Filesize
104KB
-
Filesize
1.1MB
-
Filesize
624KB
-
Filesize
152KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
336KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
256KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
304KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
616KB
-
Filesize
1.1MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB