Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 05:51
General
-
Target
80cbb29cef66362d7c2bef76964649b71a21c031b181bf404d9f2023ec42835e.exe
-
Size
7.1MB
-
MD5
bbc9f8d74eb491c0ec0c2fea3bc83453
-
SHA1
6181371c640a4f9709c186ebd248757d0b2a381c
-
SHA256
80cbb29cef66362d7c2bef76964649b71a21c031b181bf404d9f2023ec42835e
-
SHA512
ffca0f696ce4f36856c30bb4ac2559195b883ff00ea8b5503d177901defd33de4b7598ba4f1cef8a01339c22bbdf1be3a8d8543339a9c5c74fe18c411425685c
-
SSDEEP
196608:YhMO8piTMpZY+IJNHdIPfKKx8nKjJZ7lN:fO88TMpq++NqPfKK/zZ
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 16 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\80cbb29cef66362d7c2bef76964649b71a21c031b181bf404d9f2023ec42835e.exe"C:\Users\Admin\AppData\Local\Temp\80cbb29cef66362d7c2bef76964649b71a21c031b181bf404d9f2023ec42835e.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X7M84.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X7M84.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\P6F43.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\P6F43.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1m79z2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1m79z2.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009215001\70f22b2b18.exe"C:\Users\Admin\AppData\Local\Temp\1009215001\70f22b2b18.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009216001\c11d9fd862.exe"C:\Users\Admin\AppData\Local\Temp\1009216001\c11d9fd862.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009217001\4a17afd153.exe"C:\Users\Admin\AppData\Local\Temp\1009217001\4a17afd153.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16ccee0f-1f61-451c-85ed-85e0a6738dc3} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2456 -parentBuildID 20240401114208 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {933b1f4b-1cb9-4fb8-a701-2f24b38d34e9} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3180 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33be1156-6471-4905-8047-0a87ccd42b39} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 1412 -prefMapHandle 3704 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f71cec7-5c52-4009-93c2-e2527f9791d8} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4492 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4472 -prefMapHandle 4548 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3a4601d-fe72-4da6-a0ba-566ab9a8e3f5} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 5280 -prefMapHandle 5276 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {622b9573-737d-4566-986c-7aa3b8e4a6c1} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5368 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46ba471f-3b2f-43ca-9196-ca982686b652} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 5 -isForBrowser -prefsHandle 5656 -prefMapHandle 5652 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b47bf11-fe14-48d7-aa59-5c743ba11951} 3128 "\\.\pipe\gecko-crash-server-pipe.3128" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009218001\32f9058448.exe"C:\Users\Admin\AppData\Local\Temp\1009218001\32f9058448.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1009219001\930ee83390.exe"C:\Users\Admin\AppData\Local\Temp\1009219001\930ee83390.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd64c9cc40,0x7ffd64c9cc4c,0x7ffd64c9cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,17157515053926470370,7697894797099657729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1816 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,17157515053926470370,7697894797099657729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2100,i,17157515053926470370,7697894797099657729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2260 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,17157515053926470370,7697894797099657729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,17157515053926470370,7697894797099657729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4612,i,17157515053926470370,7697894797099657729,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 18887⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N1288.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N1288.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3K31N.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3K31N.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4t423p.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4t423p.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 34481⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
28KB
MD515818291cdb170eed6698e9974ac6ec2
SHA1adbaaa2b15f7b3bbb53522dd33b20cc4ff287a26
SHA256c2116a1a3fea855a88644bf8f21a581549375c2558e5426e121b2225ffcecc82
SHA512eedbbfdad145aa03477c274efc627c0ae05ebd2f78ca59a0e59bc32f5ac00a6a33a68bf42fb951f195b4a10fa50d46d9c4ab19fa0ff7987a76088474dd553507
-
Filesize
13KB
MD5b38c17e8f6a1e48207cdc0501f8ec924
SHA1c6e06e6cefe4e73a2dc0d8dd0fd0384ea41919d3
SHA256fc3c42c7a96e5e0b90a4b6bb7249542393871a06c5e4424c6b28802fce255186
SHA512a39d0c070b4e1da349129ffbdfbee153789a162535fd8e3b2568f788180d15b596a5d71cca7c830df3106150241485ce449d9d8d14ff9bb527f2fbc8d7fc609d
-
Filesize
1.8MB
MD54e74078466a464a3e168f9a2c0a81a5d
SHA17cec6570b1bc2688019354ddb0764c6fe606c10f
SHA256fa3ce4c12cf5e9a03a82dca680308e69d0d6ef4eda47b9cda5b04636a7ae7e30
SHA512afa4a29de9443403dd402de6a4fcfd9c94593417473d90944ca01ca09bba14e606d7d8fa336b5c356a41d613152698975acd21c7903540fbf19469b05454bb99
-
Filesize
1.7MB
MD59c3907317b9374403b30537d305a9608
SHA1cc0a6c6a0902debac4da3bad9b3eded80a503a6e
SHA2568f0d52b51a86a71a362bd071e2ee687c7921e0c4f32a0e96fd0ba4c9a3f568e0
SHA512a8779fad2d12d9d5ea7afd49ce8ec7a051818f96933668715a7587bc881e3f85178ca199a0a4b307bb2d459122253390fae83058297202e0dbe281bb808121ec
-
Filesize
900KB
MD5ae81a1bee1fe99f08c622b98100850e4
SHA1dff48fe8c901e7f0ed8b4a48dc9fe47316c37309
SHA256fdd2d2f278842747aaad0ad6fcf485155603efa94700918a3beea0769fb434bf
SHA5124208633033f35c2b8cb7d56f49cef24d21932ea7fb2de1e1275b473047c7b91b660507a5499cfd5790e31473a32d636118691a2f65ba644877570647445d0f8f
-
Filesize
2.7MB
MD50d1e5334ceac878a5054ae5dbcfe0942
SHA11e3bdc4a9a1b54c65cd489187c51f41b51f2a3a2
SHA256fece7908c91ac1248fe2ac0d2bd28f80c59b6d26669d2f144e8d5f92a7d1166b
SHA512d96f09715b513b8bfa277df9524c4da73ad7e761128714f9da21c4fdff354d10f6bfe75936156fc70f2e6ed9fc02a827b29e2967fe3da9234e6f584d7dddf945
-
Filesize
4.2MB
MD533e72d51549d3800e51d14eb601613c6
SHA1820d9b2b12b3db4196c8d5e1ad28a79db39eaf1a
SHA2566197d1d2c2baa6c717181ed4ab4236fac17c1d71eff8fa45c406620e55c94c16
SHA512e01b7e40c3d28a17aac7270a36199293c24cc95c6b7c7a9e5398bfca044798ec335d943d039bdd9639e0b8d07b7435b8f3ca2cc4b22ff7400482ba8dad3ff004
-
Filesize
2.6MB
MD55b5a7ee12bc036ad16ba238d70b9f430
SHA1cefd368d3d47d2a2cf8525dc8f6a62c5a7d0b729
SHA256487fa85656b88a12921b3b2295401ed573471071c77c8b3f1c18ee3e39b40b5d
SHA5127601c33ccfeb5b0a0008ad88c157586925ad01165f541506ead2a43ab9567cf065933de79d8b7e1f59e9415948bc6ccb476bf6183ccb51a9b6451115401b96a0
-
Filesize
5.5MB
MD57b02f3c1af41c8354b1cbe3f37f3aae1
SHA119791aa884636cef399818972442d8a027d51f58
SHA2565350e6f3b5c4b25caae0a86a3e5f7832a36c72e93806b92fe36061879e6357ce
SHA512e14c6acceda4ca4c9be174e8ae9e12d89f3e9f3c830cc3774ba94ba928453d09278ad775c4f818b834a2cd38a96cf57935574bb644399376af6ec99d49d1f8e5
-
Filesize
1.7MB
MD5a9d91ce201b67a0f380f180b1bc1608f
SHA111b13c76cba1787bf529c511a256941f1138d80e
SHA25625ccbad485cc4302bf03d6bb66a5ca12ad0f5750b395e4dbe3fa39ea02025464
SHA512ae686432dfa86c2edeaa3442cd2289c31a09b9722a7f177efacde4fb440ffd6362f5e8c8bb5f08e8f147cc94b4daa8d81146e1da4a0d2ff4bdc146197a11eaa4
-
Filesize
3.7MB
MD574c7cd3cc49c7549ed376508a46f7e48
SHA1222aa6292469e39bd75818506f41e5f6e31204e8
SHA256dccb31db83ffd131660d28f915221d2b6b94ca6e89c8b523b85003178d71ca00
SHA512cf1d8795c75e242dc3faa059cea388b59ea92ed3cf9bff7b492185f5ae3ead3eeb7ce0c0aa25a0f18f83a27d3be169263513e75ad952b42a880460f5cd42d09e
-
Filesize
1.8MB
MD5e5e05e4b2a6c64e3abbc8a3a9628a2a1
SHA14bad26af17500c71afc4d088654d7af35eb50ef6
SHA256577eae82d3f8e365a6abf424397361c3cecd0ed3ea18f09196e7c6c71ab75295
SHA5128dcb85709d1ed71e5342a2f79843d574432bb694d81d4ee00eb0e6235b353bcf0d3421138461292659cd649befffba3325e8818002b135c930187b1ed04c7933
-
Filesize
1.8MB
MD50ed31b16369ff8498939b464c88dbfd6
SHA187748f9b4fe46dc076e29d708a996c49d15b72f5
SHA256289a24588b2a79d46e9d87a5d045a989d5337364843c008c33a6330478b1a9e6
SHA512cad245c6623f502eb078853586af81a893a0615aa7ce07e5cd67ddc5eceb2abcc77a305dda3794f1e2f82ebc96ddd8188d4ae669a99ba7b58e7cf4c91098b32b
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD57f155aa4c16d1a8d1e06efb1da1f8c4e
SHA141dea19b72136312a36ed730b2e8e9f36ea61a90
SHA2568adafe93fc0a0ad281456b5328413ef23152e4420d2f37b26f318069bdbe01df
SHA512865416cb3119709a20e6386ede179fa2c3343d24c9cee24a262d78425524e5a29838c74cabac9e45c0cdd7488cbbd117b16c9e03c53745839ca7a63e46eec639
-
Filesize
8KB
MD5fbbc910b6534cbea13f9405843b833d8
SHA13ff98d9e02810395fd53c128e40b5a41572de9e5
SHA256eaf85bf5f9b21737dd20192bdfbee6274a87c3b83e58ee80f7b14d36e0984e6d
SHA512e68eefea4e5327f213016342fdaee346798dfee7fcd2f39c6c67419b0f9c7d2da03cfed9f74f201febda0fbb82ddfefb07f3f65e5aca3e3ad2ed5a1da328e4ae
-
Filesize
8KB
MD5118584b55ffd20e5e9ab60ed688c3aad
SHA16cf16b4051edda217b47c8169e4e9d6bda7aa4b7
SHA256d2c7c1534980f4e21cfd3f993669fb1c487c1633a77f0efc90604eec7fc74eeb
SHA512ce613c296d3da726ba12fc261e2dbcd1067b98bf7d9d65b9ba3559bb3d1133619293e62225f885ea3ab012bcacd64824e1d8de0013bd2df1ea9d11a4119564a0
-
Filesize
12KB
MD5a61ae0c42638dbefb9bb2eb386a8879f
SHA131db5f668366853c4a4a2c8e1a4c3b710f394071
SHA256ee16f628b55c68195a733d2a5d777e313990d3e9ad3f5cf477d84363198d48c0
SHA5129c183b4f4189d20623764b336417af105c4dc16b87859ba128b2c990b34cbc573a36b53835f2127e292ede1091075251de48d1d4d91cd79c9add98e39d96a872
-
Filesize
23KB
MD585a50eb2d2d2d60a3da3baba946a8a8a
SHA1f664e661c5dfa981813b45eb959d471de88ae880
SHA2563e08b7723307a1949de23f93008330394b5ffb201e4f3c440e41b210418faa25
SHA512419a69dd694cf2e30ec5d08fc9943096e28b95a747dbce9bb42a635fb2a8b854a64b89a58527ab39c3d9ca2cef24be5d126465ac293bee833f90b5954e9be436
-
Filesize
14KB
MD554fe056e70143f6af52d6fc5d7dabce8
SHA1f6a1faecccee0599f91cb2f0ae4dd329a4571bbf
SHA256e3134bf4d8084b21b0ecc1debe7293dde9da2936a06bf7cbc91b9c2289005207
SHA512c67aa80e490afe727dd93ac6c0e94eb86ec2a7936a868a5b248b79d3047a18a0ca3fdf3499c7e410c98f884d6b14d2e64dd5f39d2d88cca5369dad8cd0af94b7
-
Filesize
15KB
MD5be8ce8ddb6f767f7dbfc5bff8b3f8eed
SHA1b775b82b5cbfda9800da9ff216f9c3497d389214
SHA256f051931f2db6b6cd3dcf0f02be578b2a813c94b6fb5dc0e4d31a63dc4024bb0d
SHA512ef800902682d8f35ede90140a063435494781b20c81148c93f7725ee09114818bc3e28eb46c8a9072a92d00482ba09258c309a3b3bd94c0540627eb13f948311
-
Filesize
15KB
MD51b0424fbc8510ffb1214a871577d657d
SHA17f43b691fae95a740e12b6ab3229c0595520dbb7
SHA256efa80f65b454f994062118b9a889b9bb5c0df139f57dd813f0ffb4de43d798c5
SHA5125c69312e956598e64bbe6675a6e0d2515589c2245798d3417c4f996cd909aeceabaa1423760f54ef3a92503380140d5934450b22ffc25a8327ab0d842abb659a
-
Filesize
5KB
MD563c40742660e7078ddf075f5e086f83d
SHA16077183a825da11aac9c04b408236fd921cb7610
SHA256e13ce847e4f424c092309514caf6b45ddc1fb7afde68111bbb0c74265da3e498
SHA51287d92f466a26845aab04b5d785d9c6f4a8c1545f3db0df5d98753cfb311f1ab7b02fd5c0dd74da42f5c7918c07ea6a845d9f9760598b5fe907f0ef590e903348
-
Filesize
5KB
MD53724668a0e8766721fea10cc3c8c3f61
SHA1bbc66a1693f457ea1cdcf740becbba6ef7dfb238
SHA256e18e9d8cbc2bb041ae0ef3f8e34c6b6220ad2078ad830c11b9195580e0517276
SHA5124cceaa8c3b7fab3b10cbba2c47377b10d7fdda8ea47d4499c07fc77de561be8ef9c5fa836f329113f1ffdc12783fd8249eb9c55e94b872097f89c89bc5505871
-
Filesize
5KB
MD5519455d3017495532b6a3583f33d5923
SHA1d228e96749366dcb539778c201f2cdd0dbdac0c0
SHA256576799c409068af92f6f7bf5445e8a6a41734bd6e84545c10e226c529eb55872
SHA512169f7fe2bfdb92ee1cabb0e9c91534fb60d496f15f7614cfce46bac2ed398276ec10136bb3a2b82d32ce7bc97d355b234a9178e67c7573617740287f4eb6a85d
-
Filesize
15KB
MD5c8c303c9cf32943e87e61ed55822c9b0
SHA1d6b7e04cb7ca8ff0e610604a7c2dadd9c9989442
SHA256b12177ae367012831e8f92aede4a2181ded9e2e3e03cd03b0d83da55f0a132d3
SHA51271f4af0c14d33612602fccd97b27be9218149af642e8d7db3deb38ed270d955b4e8997d382a4c645df8b1a76dab93b11cd09d40700ab7610fc39656dc8d7dbce
-
Filesize
6KB
MD5c1738ca98bf7943eb88fde04adef3bcb
SHA1c59acda5f840f30839e225e335ed02e12d351e73
SHA256e6e4e3ffdacadc04b0fcc856afdb3e5ad109ee43531ad92c3d6472fcab991e3d
SHA5125dca42c8fed6c28090543290b24126f8e6a62b897eaec48020ed08ce3075fda89ab069f9917260b2dceb5d19e6d89bd2d56a61d03aebfc32c471bb05c62dfe35
-
Filesize
15KB
MD5e059f2fb217ddb2b6cf60aa731b11ad1
SHA138fcda2d0455168598bc0948f4e5f8c234f5167a
SHA256925b49921855096e3a252b8a68f2a1f60bd732aacb74a95e51a64c0d305d4a6e
SHA512c09d97ae6017beabc5da0233ee7a7f77d5c7391e3a3de8f9c5d64aa25a481ce88e4e5949cfdddf94d09be39e5505eac2cb5d87e8cfda8d33f8c6bd1181dfdde0
-
Filesize
982B
MD5c43212845bdaa25c60532635986312a7
SHA17336bf9cd13a9eaa852a9432f988d77f898ad6bd
SHA2560830e0489c86115076586b8a431ed92212856435ca063d8426c47cd225ced102
SHA51210d93ec0357fb6e7041f9fbcaa5294f3d7bb3252ee4cc8c563200b690082a35607890a9f5e25d15de32719e41bc547f4a38891cec3d9ab20659ca1d3efddcb16
-
Filesize
26KB
MD588c5dfb893a43175212453bf58614c94
SHA1dd9ccf8a89ceab36886ecc185dbb73731e899efa
SHA25680ede20a29c8535761571ea5f459a7664f69cf1c43564dc1bd8aa05c6af0c749
SHA512daad6ee26ca58a33f34db52d9d509b93365087c48f493319d914d5ad61ad6527022ec9d0b86a547ae05194aa31eff2b15e0f6fa9bbc36ba71391888505c045c8
-
Filesize
671B
MD5b874cd3214e69ff974257fb6c0c60757
SHA13ee498a0fd5378a6314ebea74fe2fe14b7db1abd
SHA256916448e16e7be16aa62311448a1da0b5d60778f4dc87678b4a0e8de76f24dfdd
SHA512546a71ed553e68a4e0ee1e34c24624be5aa81dabcf8a6035f0fd80e9baa6f5292ee44f1082c82a795ec94fe6b8fe222a4cc01b1c562c9a7c3d5a14d602b84ec6
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5b8b60147f8d9d468d6ea769ab3bd1bd2
SHA1aba4649885497ad2b94478c099162375b0444c0b
SHA25622d60d4eac2324a93d2633a49dd23b39e98a51e6f30302d9e3521e8ea2d58114
SHA512d94123cc2eabf2761b5657ba2dee2e2ed4a23692e94fe5aa2d7b8ae8a080d784fccb78bb6924c8e27f1a6a2de340ab2fb68f7ae6e4d656750fd74d28b47358e6
-
Filesize
11KB
MD534889eb09186f9d4578ce08caa99e8c9
SHA19009986b81ab5709df07197cf498c887788ae7a7
SHA256516875bac6abf3116a3632dbde4d12b46a65744b7b8911cb64f13cec63e8e53f
SHA512fb8d107926959a66afcaef8ada54fe4ba5da2a30e4ef12f340f468ae1cde8cc594e57e7eababf303f99d4c2da09aa9fbb521ee7a7c6552a5a717fefac2f7d800
-
Filesize
15KB
MD55bc90ae78fc37a0320578017469f53c2
SHA1b1a0747e72da485317ccf903e316122617a0a943
SHA2562abbaccfc5ed76c75c608e71bf9d9de7cdb0c849cbfc9650e54c9c1e5399a7bf
SHA5120afe4b951dc3778089ab5d4513b347ac25551750449cda28c4790a8f243074506d8f7abb8e52b283a3f05bd968ab317e21fe7408cf5d78449726fa9f5a02603a
-
Filesize
11KB
MD596d7fcc83ce4b2c78bc8fdb6312f30f2
SHA1d78ddcbae14eabcd4cb9330b48f0ba491ca71592
SHA256d958831c3608fe601e6f649722d20bb9af9626cb58748f5504cb0d7a3c200ed2
SHA5126d6b5d98f4632c7baf7f0819bfbec8a96835f1f1545c09f54268869bad89c4083cc60e8d86fe9f29277ce13c1f6faf7cf0b2064e49f95903fde41937db213456
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
72KB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB