Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 05:57
General
-
Target
e2950634d0ec877dc3b474f2c1757b9aae202777702784533f487437ed0a2125.exe
-
Size
7.1MB
-
MD5
1ed2181745278a22a9f82b4e55f9a875
-
SHA1
8867e3855c6e35be0623e51d90fe09c736ac0a10
-
SHA256
e2950634d0ec877dc3b474f2c1757b9aae202777702784533f487437ed0a2125
-
SHA512
75ca7a8fa4ece547b4fc1e769582277d54bf8a68a23dc60c2d17a00215b172d2af148b5313422b18267e492a2af9b68e650eab987ad8017d83b5fedbe11c1caa
-
SSDEEP
196608:24nTBfAQXrXIQ66P5dNn/dvUkvMrUgTiIVod:249IFQ66P5d9NUCstTij
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detect Poverty Stealer Payload 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Povertystealer family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\e2950634d0ec877dc3b474f2c1757b9aae202777702784533f487437ed0a2125.exe"C:\Users\Admin\AppData\Local\Temp\e2950634d0ec877dc3b474f2c1757b9aae202777702784533f487437ed0a2125.exe"2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B8E55.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B8E55.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1v24.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1v24.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q32O3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Q32O3.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009146001\Zefoysm.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\Zefoysm.exe"7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1009215001\9d0db3267b.exe"C:\Users\Admin\AppData\Local\Temp\1009215001\9d0db3267b.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009216001\ec4bc0b5ca.exe"C:\Users\Admin\AppData\Local\Temp\1009216001\ec4bc0b5ca.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009217001\13b0830d01.exe"C:\Users\Admin\AppData\Local\Temp\1009217001\13b0830d01.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T8⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking8⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking9⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1940 -prefMapHandle 1932 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a89ac543-028b-49d0-abbb-dfe23a2cb8ee} 4784 "\\.\pipe\gecko-crash-server-pipe.4784" gpu10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2440 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c55f00d-4b57-4645-9b1f-e83571a923b9} 4784 "\\.\pipe\gecko-crash-server-pipe.4784" socket10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 1 -isForBrowser -prefsHandle 2788 -prefMapHandle 3564 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36e1eee0-f7fc-40ef-9427-f03e4559a185} 4784 "\\.\pipe\gecko-crash-server-pipe.4784" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2792 -childID 2 -isForBrowser -prefsHandle 3372 -prefMapHandle 3600 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb273740-9f6d-4059-ae1e-ca4c7c11c061} 4784 "\\.\pipe\gecko-crash-server-pipe.4784" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ddcea1-3ce1-4b41-bb7e-19429bf93bb4} 4784 "\\.\pipe\gecko-crash-server-pipe.4784" utility10⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5068 -childID 3 -isForBrowser -prefsHandle 4872 -prefMapHandle 5160 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e922f9b3-e21a-4694-aea7-f1df5f234db3} 4784 "\\.\pipe\gecko-crash-server-pipe.4784" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 4 -isForBrowser -prefsHandle 5388 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9d93131-797d-4750-851c-097b94e69370} 4784 "\\.\pipe\gecko-crash-server-pipe.4784" tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2864 -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb1abef2-0346-4ddd-b09e-bbd9df666bde} 4784 "\\.\pipe\gecko-crash-server-pipe.4784" tab10⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009218001\836ae5f48f.exe"C:\Users\Admin\AppData\Local\Temp\1009218001\836ae5f48f.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1009219001\ae61c0f99a.exe"C:\Users\Admin\AppData\Local\Temp\1009219001\ae61c0f99a.exe"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"8⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffba9facc40,0x7ffba9facc4c,0x7ffba9facc589⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1740,i,5908782483152739116,4612683671655343223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1744 /prefetch:29⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,5908782483152739116,4612683671655343223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2004 /prefetch:39⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,5908782483152739116,4612683671655343223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:89⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,5908782483152739116,4612683671655343223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3292,i,5908782483152739116,4612683671655343223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:19⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,5908782483152739116,4612683671655343223,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:19⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f8⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 13648⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2R4282.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2R4282.exe5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3V59O.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3V59O.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4t000M.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4t000M.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009146001\Zefoysm.exe"C:\Users\Admin\AppData\Local\Temp\1009146001\Zefoysm.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3736 -ip 37361⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
25KB
MD5788708936ab91fddd098c32ff16d400a
SHA1a09abf6becb80cba1cb98831298532f748ff835d
SHA25658448792812b75b49090e80cf152024c2591bf5af7c627e76d482b6208db4c99
SHA512e2ddb211c908622a43bebacd712b5bed4e57f5089426858bd49727be7f4f3dabe811c3d6c5a9645e2ea65e66a5fda4fd964019b12ddb19e64a02d2c74ab2da76
-
Filesize
13KB
MD50ba87d75b6ac494c557e9b4bdd0cdde5
SHA1e872c9ce01034b394e7f93ddd6a188df528eba77
SHA2562ad4223d4b2f3daae88a5e118116583733e6e57d5cbee01fe3e08218f11fe947
SHA512931afbc27a9132c43bd0eedc4078714be672b02d81b7939790c041bb91b9bb997ae318644196e0a1a1048a9e1a73c5b7c48d40c93767e8fd62a7a230a2d78fe2
-
Filesize
211KB
MD5ebbaf388ef32ae0785459ea0e57f0b68
SHA12604c1636a3479667df404117fa3b57d1ac8849f
SHA256dca6babd2e9709e4f2f56946626b7919a84b09a8d4679f34a985eabb255aba20
SHA512d787214d90bb99be76fe4ede63ca50487b80c0da7c190faa4120b845cea42e631e1b59989d7b4fb07f2eb83ca7187890d40a36a07cc40236e76d1d1806aba4e7
-
Filesize
29KB
MD5d0038532ae6cec64be83bc19d0b8f695
SHA117a23380f80068d15ebc014cb2b1748bb45fb5c1
SHA256b412dd132cb21a0d4d7bb622c6fe49f9e6c5c934201815d570db774ac80194f5
SHA512af269471f7093445fb05bc6d6d185f9e48d0666674a3de50c4217757d3fdf39b067668bf2ca37eac91d5cb203c3ce3d4d634661e470d84d12c80c332344503ea
-
Filesize
1.8MB
MD54e74078466a464a3e168f9a2c0a81a5d
SHA17cec6570b1bc2688019354ddb0764c6fe606c10f
SHA256fa3ce4c12cf5e9a03a82dca680308e69d0d6ef4eda47b9cda5b04636a7ae7e30
SHA512afa4a29de9443403dd402de6a4fcfd9c94593417473d90944ca01ca09bba14e606d7d8fa336b5c356a41d613152698975acd21c7903540fbf19469b05454bb99
-
Filesize
1.7MB
MD59c3907317b9374403b30537d305a9608
SHA1cc0a6c6a0902debac4da3bad9b3eded80a503a6e
SHA2568f0d52b51a86a71a362bd071e2ee687c7921e0c4f32a0e96fd0ba4c9a3f568e0
SHA512a8779fad2d12d9d5ea7afd49ce8ec7a051818f96933668715a7587bc881e3f85178ca199a0a4b307bb2d459122253390fae83058297202e0dbe281bb808121ec
-
Filesize
900KB
MD5ae81a1bee1fe99f08c622b98100850e4
SHA1dff48fe8c901e7f0ed8b4a48dc9fe47316c37309
SHA256fdd2d2f278842747aaad0ad6fcf485155603efa94700918a3beea0769fb434bf
SHA5124208633033f35c2b8cb7d56f49cef24d21932ea7fb2de1e1275b473047c7b91b660507a5499cfd5790e31473a32d636118691a2f65ba644877570647445d0f8f
-
Filesize
2.7MB
MD50d1e5334ceac878a5054ae5dbcfe0942
SHA11e3bdc4a9a1b54c65cd489187c51f41b51f2a3a2
SHA256fece7908c91ac1248fe2ac0d2bd28f80c59b6d26669d2f144e8d5f92a7d1166b
SHA512d96f09715b513b8bfa277df9524c4da73ad7e761128714f9da21c4fdff354d10f6bfe75936156fc70f2e6ed9fc02a827b29e2967fe3da9234e6f584d7dddf945
-
Filesize
4.2MB
MD533e72d51549d3800e51d14eb601613c6
SHA1820d9b2b12b3db4196c8d5e1ad28a79db39eaf1a
SHA2566197d1d2c2baa6c717181ed4ab4236fac17c1d71eff8fa45c406620e55c94c16
SHA512e01b7e40c3d28a17aac7270a36199293c24cc95c6b7c7a9e5398bfca044798ec335d943d039bdd9639e0b8d07b7435b8f3ca2cc4b22ff7400482ba8dad3ff004
-
Filesize
2.7MB
MD55615bd983846db760a368756014c7279
SHA1f175ccae1f5c0d364cc1c4b0f156e99c264463a7
SHA2560650b9365c8df2f76101605bec1c7854dbad9543a7c34c25e50d0a8a919506e5
SHA512202158751411457283a5cd8b747051b4ecc95e80a0c8fdaa85ab6b6de7c53de65d60c7652a65d42fc82eebbbab45e6583bc5540458104ec7e92da7de66740404
-
Filesize
5.5MB
MD521c9a2998b8ce78d07f3076399d0c9d8
SHA1e0d2066cf91c990bc42950723d176ed089eb2931
SHA256d05c20503b836ec47a01411a3b49e95d6d8de065de1368243ee2d9f9e7d3f16f
SHA512b154c15c9b4facfd851298d2787c87072060f3a58300995c7f35489bdae98361b9e8041b60f6bd4118fe5fe86052321d6270050d824184c53b8b1ffc91d9af41
-
Filesize
1.8MB
MD5989618b54cbe6d89c30aa67fe52fc62b
SHA1fb55e89cdd398d44eaf8ce549eff424a7cf47141
SHA256bee0fe71acfca971ebaf60e73f2026c1612cf89bc26d18e609891dfdaf4ad423
SHA5127e21675d2ce2f33d5ea3e9219733132cf403be18fd810912da03ac53a32c1e12c7821ff81f26874e2cd61452e5e734263be43f8985fdb7f581ce2d0194cdfba8
-
Filesize
3.7MB
MD5030292ab2b06d43fdc43776bd5be17db
SHA15adc81dcb142788e71bba056b385f7a3e90f1513
SHA25690a82989c6d85b9995b35853b754ddeaddafd91e1f33cb0247ceba56da18c0fc
SHA512856909685a1dd047b7ea1b486f2cdef7c82dc4a101e1371e913b729f532cd2d0639452016e9fcb20bc1d81b291c40811646c63108ca91ef4eb1c6835b2a79b90
-
Filesize
1.8MB
MD5ddc85728e0670438b6aa74bd2c9c461b
SHA1ee91a95010fe03ae7b104859e5b69ffbcd667c3b
SHA256a753979f89debe5427241b085cfa4462b5ef7bcf502106f91165e67ddf9d5828
SHA5126164c7b16c89199a3c34e62d5976f9673581a9bc754ea6a3c03bfc497d1192752a1a4eac1192bf86281e0ec681386e777f111244ff58c43497f0ce78e0b6a70c
-
Filesize
1.8MB
MD56180812dca1859f8831c138cdeaf34c3
SHA1f7bc78cfa4037407f014818f2cf02f93b6903ae3
SHA2569a576b4a397bcc22e6521b0c49ac28dd5aee9f3f5a8d8e7f5a0f6b1bc890466e
SHA512e4f8f85324533ab2ba503004753343c51a12ed5b36ecbcc72c30dd4ee5026ef4e15444701853d49b0212f66866e30d7ce518d0a3d9d435cd8c839e543e9f4bde
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
10KB
MD5b0de8fc3f67300e20e180b7226f5c8d1
SHA1eb5c346bdd22342f82d97911502b5c399a691bc9
SHA256c3e879c203ddefcc0077cd4b41638e38b71115af773a016164ac0c9d0752318a
SHA512d3715f3e899ddbc69e3e5b9090f9b40de4d7ee6ed4d76846a7fbb0020791196572d902d468a36255c72f1a1dc64632175ca6963dcbaecee799dd7b1326bb7bd4
-
Filesize
23KB
MD519d496ea4a1a89e72be7c579cce24d48
SHA1df9b05d1477a5a26fd7ecd4b2ea770cfe585c4dd
SHA256ba500006701b4ebd7f4fb9ada768ee247eca10d104f7504e5566da6a64da75d0
SHA5122b707cd30c33be73d2fccaefb785e1bb794a4cba18b76f2b5c2f6f657b8965a04a78b670187bb25af91fd8eed42783a23d6c349146a02c466899d83a3a2204bd
-
Filesize
5KB
MD514e71a0b81796180de25c594899488d6
SHA1bfefaef3eecfc1be8afa668afb929f4abcd5ae1c
SHA256d8624144305fd0ed4996d175eb445111a2a5179bcd676b58d3c22b015b8cc8c8
SHA512acd6e0a1bad6e39c7e1495037caebc0738efe57ee19fad6cf4f9c99fc4c2e5bfa847d0ccf9a04d8c8925706611f7596d51cc5afdc3cbc8b9cf4aff7bc24b45d2
-
Filesize
15KB
MD5fe11e27384830740bba1cadd021f7e16
SHA1e1024d25f4612d3cfbc71d7b1e475ba866bba968
SHA256d7a61b60e42c6faca0d26797216e4643989c298660461b359384245be1b69260
SHA512b86b07906d790bbc631a5fddf92cfcc5a00380a32305ecb5c1b27e19e2ac6cd68569c5daa1823f52bba5f25a71840320830dc4e3778719b864be837bc852652f
-
Filesize
15KB
MD5675ed270962e93938293abc93d5c5fce
SHA19a460a9ee04f4f288bd7edfbf9cec956959cc36b
SHA256c110fdff6a14bc506694e1e1d5d1f5f94ae615fb5b30f70b0ea3b158761bfe3b
SHA51287828162cf17d6749cf64903cd4a41cc2917a7b034605e13efb1929afa0dcc80cf7e6c57e6d2561dfeb0d280509b622572f3bccbd9925ccac3217bc2f62dbcfb
-
Filesize
6KB
MD540c9fba56bf520d3b35cace9b3b47bbf
SHA115f1055dad3621a8a6b7254892ff0bf4e76d9881
SHA256391ae9f529dfd69b800babccbf19c420bced1c602a549ee84afdcf81a0fc1556
SHA512bb282874e66ffee727557f2669e769230a93b613db37b02cf6dc55e81b1287e4c2dafe6b06ceb37a201f276e74cccce162a4615c4a3d26dfcca9df4c40ddf6c4
-
Filesize
6KB
MD5ea241fdbb25adee90ecd5cadc8226363
SHA1d423a0502e080c64cd435f4f99c7ed76a3990d3c
SHA256f6533abfc6ecb1fdaffb97e27ad91a449ba77ab7df792e2e7efc0c0ba3fc4558
SHA51292377159cb887119033531314b5be8dd93110e6685f01d94ffd3fe2223a2e1e1970d5ec53afd8c3dbb1a7c1f3a99b7dbb2a1cbd9dbde62c1f88f50465f5382c2
-
Filesize
5KB
MD5efffb366b32defc372ac1179c5a34833
SHA1c4f1f3d35dadb28ae636b5b89ef3a320d6b2bd84
SHA256fa631bd177395d498d19a9f96b0ab91ae305cde86ee9fb52b5e6106306164aa1
SHA512fcf5dc5eee36dc1ca7c11f7fbd0606bc280eb5a47d071f9808c9c696a8f407f698f763f661957946dc343398a4354860e057841de6b10989bfe68571d5061667
-
Filesize
15KB
MD5fa4c9c19006f5582698554574f410e0d
SHA1aa3b6ed281e9bf70937b0cb9c8cb2753d2fd282b
SHA2569b555f476c8a205b4b2e71aecac5be4460bb594771992f391b264bcaa4f874ad
SHA512cce640c190551e34f5c6f56847c2d5fd0470a88a82a36b4e28cabd3b4f613f2156458a244113097b00bce50f694b24dbc765d9ee3b6fde2cb03cbcc2ec484b62
-
Filesize
982B
MD51c4b97df4265aca694e739aaa98e1808
SHA19b9ead1216b6fce0f84e06abc91c60d9e416c101
SHA2561d07108c9f0f76567790ca81eb58e60369adfdb072134a90ca83314de271a0fe
SHA512e0e29f7b18a2a0b8d10e018b2e344b6e593b4d752a01d8d2ec743481cd628b8d5664ff6d1fc2db700dd3f5077d24e845712a3a205332903aed6bf54796533be1
-
Filesize
671B
MD51ba7d0104905ad3a0aaba465a3b45754
SHA10194b33fc795dc3ed0e4ed76357d6b7cda6f6f29
SHA256c666e6c001bcf8446a5029c43a3e97c0983cabbee30c96c1fb2694f399a4a7f7
SHA512b3be4e703d00a5a8ff369344db750c1b098e2e05736218e88dae9d91c8c2dcbc9bc649a4ec16b48c9af1176b5e0760faf677d5d2d19f18249a690704bcd658e7
-
Filesize
25KB
MD5d6746a8b2267bc0298601912c28d34cb
SHA1fbf62083efc7a1704e8181983b4e83b2b1de2518
SHA256a6df1dda6861efe3dfe50c6bfbf06571b7452752424a5b3bd57decdcdfda8b59
SHA512cd1ee40a51cf6a725d664618de1672c8b1399048ad32f53cf8eb4156223104d0f1458a502f3763dacd0b11d8625e0febaf9ef2e99a40cfc9659d14c6cabd4056
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD59d4b46663eab387c93d407f984b248a3
SHA163b0e80269e6467de100e6762bd959a8a1bef51f
SHA2567e0dc1ed78b1ff8a24ccac67e9abef0fb57a45b2754a7affd94ff8f760f4b68a
SHA512ed33138de49bd3f0dc096f8057d6b303e065a36345c719539141aa7aa741c50b79872b70c6cec32060759cbc80218af1b6917dddec8ac2543d319860a9a6cb61
-
Filesize
12KB
MD538d9b0a8792509669a5768a0203083b5
SHA1ca5b7cf17059305cec8ddc8083d5b996e88b3848
SHA2562b8a3ecdaa08181c6b764f1063a918aa9908c22c3f3440297ddad6c8826511cc
SHA51295a4c30cec117e19af8364a3ae4d3fd15ca806824f42c86c0294678668ac91db4b2cd198a15db129f1f2d52f30b98a5777acb7837b4f02f36c8898c827e36fa7
-
Filesize
15KB
MD5fc1ff21f1c3b7ac803540c3ca7124e07
SHA10fbd02599186bb0f64d3dedf776866515cc30b86
SHA256101c8be8f890bb2d87d3f5020f001cc6c8002fb4fd7f813d89f0e85370f46a94
SHA512c1b9660dc86ffda6961c478fc9364d32c63d2a4659194180ee437f9dd25782529b3a979efb3ecb75d5f99a715d90bbaad543efe181c6b61dc602797c3022829a
-
Filesize
11KB
MD59cb09e60d5c03ce5c87a4f8b91a5a3b1
SHA1e2937fd85fa070ad355cfd9902b7c65c4333c708
SHA256339476a97236f22b8ea43a98c2fd0a392d6551694d782c2590f48fd4d6bd124c
SHA51274ad71c00a5a073fd8e1f8d5cc56f2d95c86f000a4d124a453ea18fe0321073cd4a5e185eb43788846c0cddcf9c7e4ff017da994e1ef45ba691bccb3f60ea651
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
1.1MB
-
Filesize
584KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
616KB
-
Filesize
304KB
-
Filesize
336KB
-
Filesize
232KB
-
Filesize
1.1MB
-
Filesize
5.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
40KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
24KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.6MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
4.6MB
-
Filesize
4.6MB