Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-11-2024 06:34
General
-
Target
1c426f1ad81c74eb0158b1b18252cc7283ee69f49f02035e2b40ca66aeb638b5.exe
-
Size
7.2MB
-
MD5
e0771bc5f3048589be9eea1f210d4b93
-
SHA1
aa00923cfb63fcb3b011e2a4eb325ae88beab06b
-
SHA256
1c426f1ad81c74eb0158b1b18252cc7283ee69f49f02035e2b40ca66aeb638b5
-
SHA512
5af101178c04c275bb1c36dd5e7b36774bd9bec5a50099f01227208e53af95af48565f57be2ef796a7660834a9133b252ce69011c0912854f2f692b3b2f9b801
-
SSDEEP
196608:9NfbfrZEbPLvP17nRkELGO3o9DEQWOz5aYvt8F+Rl:eLvP17iE/3QDEQh3to+Rl
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
stealc
mars
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Detect Poverty Stealer Payload 1 IoCs
-
Detects CryptBot payload 1 IoCs
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Povertystealer family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 4 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 24 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 12 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 21 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 59 IoCs
-
Suspicious use of SendNotifyMessage 31 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c426f1ad81c74eb0158b1b18252cc7283ee69f49f02035e2b40ca66aeb638b5.exe"C:\Users\Admin\AppData\Local\Temp\1c426f1ad81c74eb0158b1b18252cc7283ee69f49f02035e2b40ca66aeb638b5.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S5P41.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\S5P41.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\S1C86.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\S1C86.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1S30E2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1S30E2.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"C:\Users\Admin\AppData\Local\Temp\1009157001\1Shasou.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\1009219001\ba9087aa8b.exe"C:\Users\Admin\AppData\Local\Temp\1009219001\ba9087aa8b.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"7⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9d769cc40,0x7ff9d769cc4c,0x7ff9d769cc588⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,4496479628926750050,8690816047946587985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:28⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2028,i,4496479628926750050,8690816047946587985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:38⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1300,i,4496479628926750050,8690816047946587985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2480 /prefetch:88⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,4496479628926750050,8690816047946587985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,4496479628926750050,8690816047946587985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:18⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3660,i,4496479628926750050,8690816047946587985,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:18⤵
- Uses browser remote debugging
-
-
-
C:\Users\Admin\AppData\Local\Temp\service123.exe"C:\Users\Admin\AppData\Local\Temp\service123.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 13647⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009224001\aebb5ff8f1.exe"C:\Users\Admin\AppData\Local\Temp\1009224001\aebb5ff8f1.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009225001\0a61eb9868.exe"C:\Users\Admin\AppData\Local\Temp\1009225001\0a61eb9868.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009226001\18f92eb99e.exe"C:\Users\Admin\AppData\Local\Temp\1009226001\18f92eb99e.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking7⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking8⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2068 -parentBuildID 20240401114208 -prefsHandle 2000 -prefMapHandle 1960 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7864870-f5e8-4742-8e10-7458e0d0b0a4} 856 "\\.\pipe\gecko-crash-server-pipe.856" gpu9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2500 -prefMapHandle 2488 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ed454a1-8d42-4e4b-98fe-7f25e9a9301c} 856 "\\.\pipe\gecko-crash-server-pipe.856" socket9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3324 -childID 1 -isForBrowser -prefsHandle 3240 -prefMapHandle 3316 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86518718-fdb7-4238-a8c3-654f72d61174} 856 "\\.\pipe\gecko-crash-server-pipe.856" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 2672 -prefMapHandle 3884 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74fac658-4fe2-4879-b43f-aa4e46d97674} 856 "\\.\pipe\gecko-crash-server-pipe.856" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4608 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2852 -prefMapHandle 4728 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b73cf272-c8ef-41df-ac02-a79ccf898d5c} 856 "\\.\pipe\gecko-crash-server-pipe.856" utility9⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6dd80378-a81b-4490-b8da-89450f355dbc} 856 "\\.\pipe\gecko-crash-server-pipe.856" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5724 -prefMapHandle 5720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf6ac962-0624-4d39-9011-f05e7f7fc906} 856 "\\.\pipe\gecko-crash-server-pipe.856" tab9⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 5 -isForBrowser -prefsHandle 5808 -prefMapHandle 5520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f958d2b-48e8-425c-acdb-7fb9d1524120} 856 "\\.\pipe\gecko-crash-server-pipe.856" tab9⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009227001\df4ac0b67f.exe"C:\Users\Admin\AppData\Local\Temp\1009227001\df4ac0b67f.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N0139.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2N0139.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3E30G.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3E30G.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4R338v.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4R338v.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 37601⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\service123.exeC:\Users\Admin\AppData\Local\Temp\/service123.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Authentication Process
1Modify Registry
3Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
28KB
MD502fdff297f942a45c64e0dc014241635
SHA1d584d52362be8e477198608084bbd21b6c288734
SHA256e76566760d4eef73057c6fbf52af72aac8229db1b1c8828d47173a0bb51c3221
SHA5120029dd29676c7aa1c0c537999e5ba0980e65ccce73623a2c4d3a35428e3b89ac3bab72b1fc4964e71d9a5e193fcd4b2fc28b5994216f4714f64c47cacd053ebc
-
Filesize
13KB
MD50ded18dd333d6d0d412a9a7193f0ceb5
SHA17056b5ecb907e076024d4ab22c5e1d6cec4ba6e0
SHA256c317d6eef0c0f30d27ca1ac33262a17d80362762ec9eecb97815da069f85bcf0
SHA51259aa33fb670b41015c12618564833c5b1fd388f5b7e027de7285b32646e56dae49922ba859d885531abaf7da5ba2b50c3f173957e46441742ccba65715a10876
-
Filesize
29KB
MD5d0038532ae6cec64be83bc19d0b8f695
SHA117a23380f80068d15ebc014cb2b1748bb45fb5c1
SHA256b412dd132cb21a0d4d7bb622c6fe49f9e6c5c934201815d570db774ac80194f5
SHA512af269471f7093445fb05bc6d6d185f9e48d0666674a3de50c4217757d3fdf39b067668bf2ca37eac91d5cb203c3ce3d4d634661e470d84d12c80c332344503ea
-
Filesize
4.2MB
MD533e72d51549d3800e51d14eb601613c6
SHA1820d9b2b12b3db4196c8d5e1ad28a79db39eaf1a
SHA2566197d1d2c2baa6c717181ed4ab4236fac17c1d71eff8fa45c406620e55c94c16
SHA512e01b7e40c3d28a17aac7270a36199293c24cc95c6b7c7a9e5398bfca044798ec335d943d039bdd9639e0b8d07b7435b8f3ca2cc4b22ff7400482ba8dad3ff004
-
Filesize
900KB
MD5ae81a1bee1fe99f08c622b98100850e4
SHA1dff48fe8c901e7f0ed8b4a48dc9fe47316c37309
SHA256fdd2d2f278842747aaad0ad6fcf485155603efa94700918a3beea0769fb434bf
SHA5124208633033f35c2b8cb7d56f49cef24d21932ea7fb2de1e1275b473047c7b91b660507a5499cfd5790e31473a32d636118691a2f65ba644877570647445d0f8f
-
Filesize
2.7MB
MD50d1e5334ceac878a5054ae5dbcfe0942
SHA11e3bdc4a9a1b54c65cd489187c51f41b51f2a3a2
SHA256fece7908c91ac1248fe2ac0d2bd28f80c59b6d26669d2f144e8d5f92a7d1166b
SHA512d96f09715b513b8bfa277df9524c4da73ad7e761128714f9da21c4fdff354d10f6bfe75936156fc70f2e6ed9fc02a827b29e2967fe3da9234e6f584d7dddf945
-
Filesize
5.6MB
MD560e1fc0ed340a7011835cbde7a37b696
SHA15c2ef8361eb21b498141d3fb452c433651a003dc
SHA256db7db95fee29a07e25ac78aa5de16a06d671adcef4f2d2395be23fe99213eb4b
SHA51221fd1daa875ade461c1a1adc3e75d3553aeb75969d1e018b04bae149e32de1b5aea2a052b567153611da3b1051861ddfd582b552557da0887f45f574127afbc6
-
Filesize
1.7MB
MD59c3907317b9374403b30537d305a9608
SHA1cc0a6c6a0902debac4da3bad9b3eded80a503a6e
SHA2568f0d52b51a86a71a362bd071e2ee687c7921e0c4f32a0e96fd0ba4c9a3f568e0
SHA512a8779fad2d12d9d5ea7afd49ce8ec7a051818f96933668715a7587bc881e3f85178ca199a0a4b307bb2d459122253390fae83058297202e0dbe281bb808121ec
-
Filesize
3.8MB
MD579a99bd8be2bf0348d96d2d6df7ce7ee
SHA12254eb9f809ffd51a806ad45f074fbfcfa1d0f2c
SHA2560c7aebca7a40ff63396c3e8e78e154b449dd9823131ed7d86c80d263f8694290
SHA51237c9f40a7e4700920d8ccd3c4c715d30911da1f2c4ff17c3aaad3fe1e85336066c3a37fdfc74ede1cfb796e8e4981791fe2d732ea2428dac4a9712d0610996da
-
Filesize
1.9MB
MD502df1b0ec1d78585dec46078ca6e1a0d
SHA17f443bd08c910be5dc82c8013b7c09fc02be471f
SHA256d6fc7892f09b0d26ff17e257209cdb634e3295423cab49d1f3af3ab892d721af
SHA512c28a393fac2511b31ea9beea669495a4340d513a6f96aaa3eb96ba52325c509678805d342bbdbdc6df29e84c630a528a8496b21d217a5ae14c12626ddfd753f6
-
Filesize
1.8MB
MD54e74078466a464a3e168f9a2c0a81a5d
SHA17cec6570b1bc2688019354ddb0764c6fe606c10f
SHA256fa3ce4c12cf5e9a03a82dca680308e69d0d6ef4eda47b9cda5b04636a7ae7e30
SHA512afa4a29de9443403dd402de6a4fcfd9c94593417473d90944ca01ca09bba14e606d7d8fa336b5c356a41d613152698975acd21c7903540fbf19469b05454bb99
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD519a2b52daeb1f7a966b55ce56e2c1b07
SHA1afe965f2efe6b1b255429178f3cbb4614759ebf3
SHA256b09dc61ae719160508e403703a5933dea305242930be669dd54e1d2cdc98c457
SHA512433706b9b7766d6057fc5f16e5536f466b075482afb72690fd24a801ddc475c4f8ffcdd34125cdd614d7c3939fe2a6a249c440bd5e4ac7465b8338fd151f7132
-
Filesize
18KB
MD5189b3a0eb445fe0f82117f240ba89676
SHA148535105cfd1c795634ae41e7a34fca09499e9e3
SHA256c37eeebdf560a2dcf6e9ef8f5f62fa3768b78079433a0df53de4c0be4393104a
SHA5127771351e411ad1a54379954a80d842685a443d73361eda7e7b545ae09becd943f754f7f43aec984132820573e1e231ebeb1adc9ecd51bbfcb0fde1caa15d300d
-
Filesize
8KB
MD5158fbf93873535c9fc032fbd9fd49b75
SHA1a21acc9edc4f53aba9ea1f943d34e1382802ad83
SHA256778e6e7b6fc19c9389dc016c49e8365251f821e918f305f086d7dea657d635e0
SHA512127bc0d4e63a64996683cc9f5e7a589e20979a818a957a335a2c7f9966815f312b6937f8142365bf18acd79ea4fb2d7848dcc95f0194387cea023c7377b7a3da
-
Filesize
23KB
MD5ad7579dc229199faa01162b9a44ea51b
SHA13d164700a919562b4b744c84dfb023d4b4be0d2d
SHA256406f199bc1a8e43b7cbce21a5cf3a4f2573d2d7275b3bc916411564f2c9aabb2
SHA512c81f5867f21eee746cb9456f1c044c719bb874377c7605d8cb09ab95ee18078c5c435f171681d75635fd6cd72db97bb96c7a615a3e7509d808495d9446055b1e
-
Filesize
15KB
MD5c4b0879e657273f0ae3e8aa9e518de01
SHA1df10dd2a75af68145ccd36ad8632a870c2586d56
SHA256f4bc82d7dc9bba455644564c058e5d8f89dd98bf38c720d515b5bc8958b1183e
SHA512a5b449b94c469ed70f949e75a424414029faad2be67a6bb6d32f03696332871ef2f4d37b716c7981a277e5c2e1a6dda2db7737c40d5bee6c0d6bf8db3f689e4a
-
Filesize
15KB
MD596fbc628cd6a7fdd2cd695f0e0836a5a
SHA114b1af6795e5c40818dfd4dd8fbee96c1bc5e568
SHA256e2f63d72f2c17b1d299d142387f81613f68e94aa1d96bc656c39be9817d3fc20
SHA5121158915e5a5634966ced579d2398a8ab7f009d58111b5413e017032ddac9dde8f859971d8e706b6fc2e9d4c5f11c38bfb5cf5b60ee43b978b15c1c9a496847d4
-
Filesize
5KB
MD5709e79e14bd32a87692887779ad123e0
SHA15d01311ff347d2f403114ed26f5039cbd68932fa
SHA256f7d6f7f9a98496c281b35782c9e9e288f03ecc8de37fbecfef79873332b5a12d
SHA5129d0ba84afff272cc75757890c92d430c5f279ec2901e1b9a5410e152a3a0a325ee33bdf178d16722a52ccfc7af6cf172b55b9de0a29759dd4bbb01ed9f13bc69
-
Filesize
5KB
MD51e31f5d790bdfadd709f99a47a3f6d61
SHA128225480659a72f6ae2f127b507ae9a597556bae
SHA2561f68d65942c21700147d6c35952c8f3b1754c048d58d1a4a9e5ab365f39550a9
SHA51289e00dbe3c8680641a03536408355d2bfcc7b43c08a2d363b23a018cc9b19907e1782f9285fde07ddf6c8e55c933526764f884da9f7c0c6062ec08f8835d2047
-
Filesize
5KB
MD5e78240d51f59388b5841312279b3d39e
SHA132c0dab73b055fb826abdef166be0b6721fd64ac
SHA25689a31ad914f9b3f758491b527df2d74936e7bcee786fd2dae06c2889bdbdceeb
SHA5126c02ae020f519a59a242cff24e3d1b8a8179a3aef6ed2373715ff59bff77761216798f724d78627d273236f360c99c54262c25a8eaebf57d5c3e9210b9ec4af4
-
Filesize
6KB
MD5e7e3f0fdd2248809b5ea0def35bb1c9f
SHA1cc190063eecff15c510efd98fbc16c7f1b744c76
SHA256a46e13e07953bd5a43a39d2668aa0454e50ad67e27e37ddc080bc6ea82202aaf
SHA5120d2402f553935c8a4c277d899ffb913d70f47474256b74ead727d48e53a452094ad3a8aa0dce77acfe05d7796e52b407ec46ca0bd2ab7a5f75c58327e40235b2
-
Filesize
6KB
MD54e97660fec6f3a5e80ae22bab2c4f212
SHA118400503f388ffe8edd181444491ab130efde371
SHA2563b88eda723aae735f4d73ed320ce0e3b9b115fae91fb4aa44d3aac692c1fbd41
SHA51245fbb69c9aae90fdbb2ec0a713747bb2c3afbeda71aca7d7dae8c5ef40c0dce8d5ea1b2c2b68fa2aa87f316652e2e7cb4ee076ee2063fc3ddd282ff2e28f3306
-
Filesize
15KB
MD5bcc7d03d41af97750657c5c8812b2037
SHA1fe6e3785402ec854e90bfa03fbbb7862a34837cc
SHA256a58f6603bedfb54879ae55ab6104725140035f69a0d456734fc405d0a31d9c11
SHA51200f526ac67c901b17573253deebd73b409de68ff2e83971926a28cff37a3b55c5955a364db8eb28bd01e1ee3609cf0d6a5b5ec0481110caa86ad1fa5570f30a7
-
Filesize
15KB
MD532db224b056085d06e01116a791d9a08
SHA1d6caf9a636e252851cbd0ec2c79d750e56ebcea5
SHA256f3f1249befa441b1427ad7394cb7c27feb62e6a33553bf2e838ad86ca14faa0b
SHA512815c1fd90df49dc5584d9cb4413e1b17e942db77274764a347a3c22ce808f3f722a0834d9bfa2cd1ac70a403315b6e11cedf779324c7c8da1694ffc86018c631
-
Filesize
27KB
MD5c52b9ec25d9baabc2c779e40614ccebe
SHA162d18a5e5b88a9f26cd32f57f81955b92f1995cc
SHA256a622b12c1548b46c3942cce0fbe51cb2e643c6aed3f28ba9d975437aaa904bf3
SHA512b2279a2d087caab5d7249a02c519ce1ed4840856aaa2115ef1aea284dc7be8ee7690bebeafc362ad8328c57dcaeb11dda0920cd468d854239d9694cb8b21603a
-
Filesize
671B
MD5aaf5d03182127c56dd39fd87ce1863d7
SHA1301f7089d706995ad4187c7980f131b65d440716
SHA25617a13f9ac15f93fe65dc74a542bfad92e491992180db3021de55e58d6a702052
SHA512e1728790f8feee6c38a0764d4c8f6b0d8671b4d972103bdedf28872f5f59b70285918afc478c74ad4b16e3c12227dabd4eea1e0c0e088c459d5eb394f6de05f6
-
Filesize
982B
MD5e72953ff7c0285cc852468b874982791
SHA15828d283e694c797bfa0334a6b5e98b97dea3b94
SHA256342f052d3d09e5977f1aac14ca87558bb6308f811ce26f5f5355ea3843ba1b6c
SHA512fe002409cb51a3047d329a30f84f291db6c93a6476b7f9a221d5e804e3c113824b455d7bb98b39a1a589c538895915c03e19380860c53c4de0240699f67cdb05
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
10KB
MD5bc717d85bb135fbd4e74c51c1fba5dec
SHA1db96a6958a8cf179b716780c9878bb7e5d7de3a2
SHA256db9622722358b61e902c6862fd4afe1e7171d7937922171cc7ec1bc4f4225687
SHA512174b6d2a05aeb94d89e0ae8f0be9c1d8cbf3ebc16387e1d330632532b4282311433951925b29554b9846ae8118f70adbdb8c4b06f22e9b4e495642f5cd64baa8
-
Filesize
12KB
MD59b2c07ea8bde045520f6d0f6a01784ca
SHA1e00e441aeaa21f034350f414802995b8320e5a88
SHA256680b80ba184db6062b480c10112dc3a67f97c05a0be857154ffff7c3239e1b76
SHA5125c80bdd325a2733e2ee678c764a25281b599fa6356da59e5a15ec725eb8d535b3f4fc90afae978c2467a1817665ecfec7c72b8bcae941acc0eeab781b60877d7
-
Filesize
15KB
MD5dfd967faecc18d937c0a1d34dd1711d0
SHA1528a377fb98c5056d6f3012f9a0896b7f3b8fba4
SHA25623b1afdc797473c32d448041ecbccd85242187af3af857b5f0b9aba1b37fd9a9
SHA5127d1b9f876e3f70a208029c50e033d5f4f8d7a0a51d7086182f81af99ed646678b27e9dc10f4e408f97c6cfd36e9338cc8dd16bda54dfd1fe7d8fce5e52727665
-
Filesize
10KB
MD54f92fb39e3ff8d280aa0861bef27eaa0
SHA1b65a8cc5fb6bce544dff34ac9ea3452025aadef4
SHA256d9d91faab3f8e63a184cc9f4e9beb7b2a35422915ae8e924d990b66be95bf3ce
SHA51285598ee6c88ab82f7928c372040c40f6ed0dc1c563facf5593ff8c74c7c1606d464266963eb75c6a8014fb3f4bb2f4a47a469ca66ff37761e603806272b03da9
-
Filesize
1.5MB
MD56f5625265da0b3000442c6b976fc6adf
SHA18f402788545b6ed6ae45d7483240b944485da086
SHA2569cbbe8eb82d20575cad4ac583efb07c18d69efb5f64c309a79aa052855d46503
SHA512260baf5fbcd9a2c0d0d026f205021282e35d2c5d84124cf63f977d8121c00e8ea69cf6ac9541c8e00e202bec2b17e7683b66e7e12f8e6ca49736a5bacea0b041
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
72KB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
10.4MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
4.8MB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
72KB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB