Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-12-2024 17:04
General
-
Target
file.exe
-
Size
3.1MB
-
MD5
41f7104e635f418ec5a33d817b5324d9
-
SHA1
7c9a3124d4bf236a560c6a865b0034f79a65f875
-
SHA256
3301f21b0e9b43873293f712c6a8eccb7746c09207e0cedcfe836d060862c6f8
-
SHA512
7dfd8e767be1b7904ff44b90cbc973a577f831db0dc81c44167838146a8912efe3631510fcf37451396206613419ca6d0fa0554a74af1764d50c056a3b66338e
-
SSDEEP
49152:kVF+M26kfUw7yoxeBqOo7NjGOTIkets5JsE8p7OuEFWH:e4M26kfUwGoxeBqV7BVtZheKuEU
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
quasar
1.4.1
vuictim
91.214.78.16:7000
42d886c4-74fa-480d-8b7e-5fe1ac03ba03
-
encryption_key
D72F5D077DE4AC156A670D7D920C697F5FB66FA8
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft edge
-
subdirectory
SubDir
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
https://atten-supporse.biz/api
Extracted
quasar
1.4.1
ewiop
91.214.78.16:4900
42d886c4-74fa-480d-8b7e-5fe1ac03ba03
-
encryption_key
D72F5D077DE4AC156A670D7D920C697F5FB66FA8
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft edge
-
subdirectory
SubDir
Extracted
lumma
https://atten-supporse.biz/api
https://se-blurry.biz/api
https://zinc-sneark.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 5 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 19 IoCs
-
Identifies Wine through registry keys 2 TTPs 9 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 1 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 35 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1013209001\ZdGtikR.exe"C:\Users\Admin\AppData\Local\Temp\1013209001\ZdGtikR.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roomscience.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roomscience.exe5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"C:\Users\Admin\AppData\Local\Temp\1013210001\B3vKvPi.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callmobile.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\callmobile.exe5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013215001\gDJ389J.exe"C:\Users\Admin\AppData\Local\Temp\1013215001\gDJ389J.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Microsoft edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aPfEGAWtw9qx.bat" "5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\1013215001\gDJ389J.exe"C:\Users\Admin\AppData\Local\Temp\1013215001\gDJ389J.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Microsoft edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /delete /tn "Microsoft edge" /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013220001\gdxjQRY.exe"C:\Users\Admin\AppData\Local\Temp\1013220001\gdxjQRY.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\everyonetechnollogyovlres.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\everyonetechnollogyovlres.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\everyonetechnollogyovlres.exe"6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 17⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oftendesignpropre.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oftendesignpropre.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oftendesign.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oftendesign.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013225001\659b8fdc6a.exe"C:\Users\Admin\AppData\Local\Temp\1013225001\659b8fdc6a.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 15085⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 14805⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013226001\cc3c57ea7d.exe"C:\Users\Admin\AppData\Local\Temp\1013226001\cc3c57ea7d.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1013227001\d7b69281db.exe"C:\Users\Admin\AppData\Local\Temp\1013227001\d7b69281db.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {567e17a2-d9fe-49aa-8a80-6a8eb7463839} 4544 "\\.\pipe\gecko-crash-server-pipe.4544" gpu7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab7231c6-b132-424f-b8f6-31271aa1d86b} 4544 "\\.\pipe\gecko-crash-server-pipe.4544" socket7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 3060 -prefMapHandle 3168 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fd30233-a367-4bc3-9fd8-21635bd6b38f} 4544 "\\.\pipe\gecko-crash-server-pipe.4544" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -childID 2 -isForBrowser -prefsHandle 2596 -prefMapHandle 2584 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e047b4ec-b4a5-4e1f-92f4-96e988b883c1} 4544 "\\.\pipe\gecko-crash-server-pipe.4544" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 4728 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74be83ed-c6c9-493a-a53b-3ead35ceb95a} 4544 "\\.\pipe\gecko-crash-server-pipe.4544" utility7⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5236 -childID 3 -isForBrowser -prefsHandle 5064 -prefMapHandle 5216 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {422a8f62-1001-4c5c-aec9-7410cd170550} 4544 "\\.\pipe\gecko-crash-server-pipe.4544" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 4 -isForBrowser -prefsHandle 5380 -prefMapHandle 5388 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a97de3b4-80d3-4b1f-8b5c-06ca15296510} 4544 "\\.\pipe\gecko-crash-server-pipe.4544" tab7⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 948 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf1be196-a432-4972-881c-92f88ab697f7} 4544 "\\.\pipe\gecko-crash-server-pipe.4544" tab7⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013228001\2da15b2182.exe"C:\Users\Admin\AppData\Local\Temp\1013228001\2da15b2182.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe"C:\Users\Admin\AppData\Local\Temp\1013229001\0tClIDb.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 14805⤵
- Program crash
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Wihnup" /tr '"C:\Users\Admin\AppData\Roaming\Wihnup.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDEC2.tmp.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Wihnup.exe"C:\Users\Admin\AppData\Roaming\Wihnup.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3728 -ip 37281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3728 -ip 37281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2460 -ip 24601⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD5e2579bffa168197c3202477129287b34
SHA199829141886f756dcdcb544dbeb1b4427aa4dc1b
SHA2561948bb44cdbfd6753a16d53500221e213de8b722836ebe4f27d1adbfbb4bdcaa
SHA51214d9803a2f9bc839517c2d9a47a3b30dd1633c3973ae70b24a32beece872081526e6c4832acc530797a6d70757b966cacb02ea0f4c0e64d58a3c591651e9efa1
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
3.1MB
MD536360ee587cfd256f326f4871a5423dd
SHA1df13b83b0860bc263f41a5da2146b9b6de9223a5
SHA256b72b2182f7127d3074ef836c1f51a1c039377112ac7a3f7582fe882ff5b93160
SHA512c4c0b79f39089c820925cb2545d78f8feac242924f87e396487a7070afda11400cef1c3aa8638039cd8ff6caea976da5f32338f0ff990aa561b05115225c8f46
-
Filesize
2.2MB
MD51d3f1b333a438438193b1d29731fd607
SHA10c8852028d925fc940ad1fcccc7539bf3c0db92c
SHA256ad822394ecd393272d3d1ba77306e502ee90259f4c328dab80e9d6b5e4bd363f
SHA512b9008ef7fc8aadc92fe20df3d3081a06bc561491b3aaac35caaf256f136e8c95c248d1622112ef08cc415f0b6efe10055b4cc31d9b1f88b508c64b688e8f561d
-
Filesize
2.2MB
MD53541c1ac26eb5bbb87f01c20fd9f8824
SHA1bf5d136c911491f59bdeb3bf37b8f1a155fd3a97
SHA256b7cd929ce4d0fa849eeab8a216e1333f63c7d3530da674f163efab4dae3439d1
SHA512babc17723d2389919acd96f977821d57bdd737f01a9598209efafa72ae0418e914a5d229f196d80cb5ba70ce82b0f340b18aa255bbe4ed77d821a432d5794a93
-
Filesize
2.8MB
MD5a4de831aec191850ac5b336069ce3d40
SHA1df6263aae32913b94a1d45e9ba7f9124bcd5fe33
SHA2560217b5932fcaf4679b2d394d5dd2f10775774d9e7b2d0679d6aace357e085cf8
SHA51264dd2342b6f177b73be0d1ff2df5b1ab1dd12bc511e944345c60cc233e7812a01958a867bc05f3158312e3d5e20a7ce9bb1e1d7b87b37bef2f915e6b1e87d552
-
Filesize
11.0MB
MD53a11b7a8fbf64b684369aeea7cd08e17
SHA16d2e049bdb475e47b6ed03547c5d20b286caaffd
SHA256ccacaf0bd975ea2b7cb9e03986419ef04947ed39bfe3b18bae3577a3890ddada
SHA512b3852c01797b02d8f387a72adbc997c66cd44164cf902851d30f3437cfc6bba4741b70b3a332de69d6776a84e43b207b7e1d3b6dd6582172313559b35f28ae79
-
Filesize
1.8MB
MD5dccc10f2a3e67d24320aa5abe819a2d9
SHA1e3a57b1581b2b1e4bfaa994ad836f27803f1aee9
SHA256ab51065a1271ffdd973c8c130f9f17fdb9d0631b3a9c9c39ce8f1840c43b0670
SHA512f967d8dba9afd807021040b88e567bb4f264ca8994a1c6d2e6865baef9a66a2a336aacba5c7c4f90b504f442ae891ab67627377c919e40839a005aa2263f1f34
-
Filesize
1.7MB
MD5da3e48a074978cf8a3eeaa8e523a1b35
SHA1959463b589892d5aad9ce625ce81b2339dbe8b22
SHA256b0759e11c119210c0c58de1f33b83e5aa09b7db04769ef3252287f09fa5b83d1
SHA5128605149816281fd07bf933274fdefb9e91ff8621091a27452348d663cf7e40b8855748ab0ad5ff592be60ec770ea941476be98a760a22d6d149055908338f584
-
Filesize
946KB
MD56872c10a10d2b102e179311094da805e
SHA1d6c9d4ded030a1c76c523cbc3836441678d2bc15
SHA2567f40b697f1684c203f7808caf9af431f3a4f87a69125b8da622c9f3507501e0a
SHA5123c84653cbd5b00a8bcf6073e989b6100d2f448994770b7ac7c5944bf7a73353888a421f71c1d06f8cebf9e9a2566933b02e9961c3d98189b8a43ef5b450833a2
-
Filesize
2.7MB
MD59429e601600bc4600ea346cc12304513
SHA14d463110a6fc9bb3017b89ee5af99d597f012bca
SHA25671dfde01e5e7a3f5266043149cc9e15f94d60335cf800ad353195df95a5ee2e4
SHA512ee48a83c1632da738cbb4d80e9cfa78e09765e3327fcb320c1a422fa1aba64bec49aed200702ef31f47d7d8fcfc79df03c82eacc87da0049af85b0b28988100c
-
Filesize
1.8MB
MD56367fb8a64f997be8d65536534bdd057
SHA13ee062142dde2330881566a63a92957037a0e6b3
SHA256bdae46a5cb1f1b6b9864b5e944ed5b2e24622d7385a196e0293f7b9da59bda5e
SHA512ace2dbba313180a64f70f49c7763fb9da23ef76b82548c8fa54a7d1e8d4810cad83726fe532459660e12e4f6a9210df09dd836ea28f1cc5a791a4873b95a274c
-
Filesize
5.6MB
MD51903d7d11d73afa8dd27d21bf148fc2a
SHA1b8388685baceaa5a88f00bcb8ff5083914ceb9c9
SHA256389259edafb04ed410e74813e0378910c4eec9ca066a9c4b3e9928aa50b18136
SHA512535bab32ac1de46eff9432bed6e9a4817ed85dd7a3452c7db2a3b4ac683d7c6b5be25208d0ac4df3189d8d8a278a293c81cf47612caaaaf0bf702643dfd66616
-
Filesize
9.5MB
MD5490864b581cfd93592b1d47e7c0b7c8f
SHA1bb35ed819f628a1894caaad9d41566d51675a3d8
SHA2563ddec7574b24a9d26a450c8cc725b347606ff33b9346a812d3012eb6f359d5f9
SHA51240adb01f4714165019f8eae6595be9faea20584b63b839d17288ce3d4ce8c74fb340c565bf22c1c6586a13d657e4ed080e3923b1a07f8d7d85a04a2c75a488a3
-
Filesize
2.3MB
MD56686485b91f2f50fbdeb53b83acd3a87
SHA11fcf914c4e3711332b0a62308082645b4f8bfbb8
SHA256605f8e4d0bc1f92c5bc9b0e37377c8e18226b1e2b4c61c0a0531ba865d66e43c
SHA512588762f9d07ea4887b37f7a217d22ce9061449d17bdc7948d1fdb0139315d7d56c0cc30b28dafd2f33358d17e18ea452af5bb7fab6f99e8b7d7aabbbc3236924
-
Filesize
2.3MB
MD5ffabcc262fb699998b6191d7656c8805
SHA1fd3ea79a8550b14e9cc75fb831fd7a141964a714
SHA256f46e4a7de978baceec5f64cbc9fa1f1e772e864fa3310045cd19d77264698cde
SHA51279b2e21a9111b16b0f67ae5d1cc40a25773b847d3f4cf78711a8dfd8b67c30beec332ed65ac008c9dca62c84de891eff20d7c6050bc868bce77a17fe56da61ba
-
Filesize
4.4MB
MD50f4bc1fb5d736a617a8733f62266945b
SHA12c99949405459f02fc2f9785c4edde830aecbe69
SHA256c8222b9d3f4e6d8e2b9d9fc7a027bac9d826572da7f05ecc8ae8ba8e00f7ce91
SHA5124b75bacd9244d082672ff9e84075d74e982a48797a9ada1121e5bce45bfb8b294ada379e57170588ec8b3a0607b8e32960034ff1163b9472451650deb4c73898
-
Filesize
2KB
MD5cbc6b2ad4bf883ea7ecb41d8d86b0964
SHA13051043976773abfc145a23942b42e4c7cac5a1c
SHA256c8844ba7ca7df3c75532044792065c3d2b742c389fc9fa1a6e2776ed425917af
SHA512355b1e180d067abaab69f1f51cf0776dee7156156195094825a1ba7fac3bcf7ab303b5d68be373878f400cd34ec9061dc549706b8ad344e66ac8968daa7e812f
-
Filesize
409B
MD569348f8b2789e259855bced274984179
SHA12fd64caaa0cfed5464bc9b77d0cd21132bf4b747
SHA256e886a19c9d84f24ba93db438d42ac050484cb050513f2c23b1d514904a770923
SHA5124373ce89ee779da9664f2874c32e212dd4c242765e4175719d58bb09c06430f43c78420c7ee81956ce8f55ebf0fdd3e72ee709c35506539ec3dacbefc350b26a
-
Filesize
3.1MB
MD541f7104e635f418ec5a33d817b5324d9
SHA17c9a3124d4bf236a560c6a865b0034f79a65f875
SHA2563301f21b0e9b43873293f712c6a8eccb7746c09207e0cedcfe836d060862c6f8
SHA5127dfd8e767be1b7904ff44b90cbc973a577f831db0dc81c44167838146a8912efe3631510fcf37451396206613419ca6d0fa0554a74af1764d50c056a3b66338e
-
Filesize
150B
MD558d23a63c64550276eadecee8d7610cd
SHA149d0ccf1b225940be1582534d5e93e0b8d9ccafa
SHA25614070a21e802ee899c824297525904bfb8ca9e2235fc5292a28826e704231cf7
SHA512f62af142737d0d9109901cad25665852c4ef5329f18558664ad45d7d43973277e8ed4b8969972cad8900bbe0bb20ec70cce46b97d8cfe3bad8047aa2505bf07d
-
Filesize
2KB
MD51460dd732d3fd15c84577cb82a8010cc
SHA1407ec1017e1f0ced6f24b99f2f41d97a77f228db
SHA2563e2388cb8ea2ffff33bc37abd9e6f1f16ed7d93f512a96ffc5ad2b8264c9017d
SHA512ef93dd0a5b1e6aab7b496499fd9decaf648f28340083404b6163b1f35d42b0d5b74421410abbecb0195d0f651c1dbd4c9c00243b3f76dc00961d4127e50ce256
-
Filesize
2KB
MD5929cac4baa4be4773d97f41a28d1ce11
SHA14ebec60c2d0ce555f2a148c8d18f26c93858bab3
SHA256fe52d7481a51af8f1ba517c9d8fb9e3cde6016eeeb8f9ba0efcb4d75589a29f1
SHA512b7d27853986b1040de0c6af27d1c586c60ade90e202484ea3bbbcbf9b609d765e7e8f0a391d8f61b5bf86fe8f39ba8ac7393f323da5c0314be1f6846ba496cb5
-
Filesize
8KB
MD502e11d39b38dc05dcf95c153eec1f38b
SHA11d909e5c0b163d38d4d3b578f5b381813300872d
SHA2562bdddb8b10f21a4b37999236609cba17586503a8a3879846d3287e61d78b07dd
SHA51231d05b39e1b66c182cc528bd381ef2a260b4927bcfb0dda8145e7a96d0764326f896228d9413de6033346f9b42c84f688c37efd647ba4a67f5ae19562e1962f4
-
Filesize
5KB
MD5e6b05ac5b4837885b245d2fdc8c9546e
SHA1145c4045d3e89398580065a2811362e3cc621e32
SHA2565b65645460a7d7f27ab00d567a0047b12b05e494104c53d4dd086e943bef3643
SHA51275f71f98d4047a1f83c090d2bf6891174eca713b9a0c08ff1ed9ccc6218db6665fa0264a255f5e03df17bb5b8494c357b85629ea756e04fecfcf58ec5fb82dad
-
Filesize
28KB
MD549a4743d6d2ad69c3801689e3c787e59
SHA1faf99928c3ff0377cacf6ed83d1ec0511ddcabb6
SHA2569480de0b336c9ad24bfec2ad0df3908c0ecc38a21b7956b0b4ad3adad5022baa
SHA512c4b3fb9a12ce3e6be4784d931a85f6525c203054e1ee2ec4f15249553d333226ae48f4aa71283bdcb3ed937c70954eaec586c6d4eab5b97ee496aa768b5f55b0
-
Filesize
982B
MD5c7c27fb7306ce1d33e66ab68220ac5ab
SHA1449962073ee8c0f4207909aced59238b6e8b1109
SHA2566977556a47a25f22a985430ae7d2d75d2df5ab8ab4221db5abb3fec4fe48d58d
SHA51237f9781f1cbf19cea4fe4a2ccf2dae065dc1a5a16909fd2fa6be85db1716736e739a96c47c150e5b4f92f05ce760d9d42a7c28a27e84e36a457763b3ad800295
-
Filesize
671B
MD59989a234b9eb1a290903faaa91e71280
SHA18665dd8771e3e98e64309b0c62169fe91aad9971
SHA256a374aa597d3b90143eadd3578e09460220c41894b0f1fd107db18873fa0ef1c1
SHA512d7f6e01f15e4c5f26548de120da14621d932b4dc6a7fd37650f64fb062e89439fd0cefad43b191f845fce30813945af6a1c7f73603d8ac6addaced236da515a4
-
Filesize
11KB
MD59fa9564e8dd6cfe6caf91de16014ff8d
SHA13eb1333db450e822709a969bdce6181c8ea6383d
SHA2562ba12086ba81b5c0c15797ebaa8b0a26ca3d67d1b4d9ac23cc3956a48931e417
SHA512b445c16a2658e2ce6578807245cf76679ff9455d04d934bfdeb626385a6e9c0ae213f1482597e3f13168f565a8b14a92ba771a396adf2a6ed4ff3a375801738f
-
Filesize
256KB
MD58fdf47e0ff70c40ed3a17014aeea4232
SHA1e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be
-
Filesize
7.5MB
-
Filesize
712KB
-
Filesize
7.5MB
-
Filesize
7.5MB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
320KB
-
Filesize
7.5MB
-
Filesize
240KB
-
Filesize
7.5MB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
176KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
3.2MB
-
Filesize
2.4MB
-
Filesize
2.0MB
-
Filesize
1.4MB
-
Filesize
256KB
-
Filesize
104KB
-
Filesize
1.4MB
-
Filesize
4.7MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
304KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
1.4MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
336KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.4MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
2.7MB
-
Filesize
3.0MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
416KB
-
Filesize
8KB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
3.2MB
-
Filesize
416KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
624KB
-
Filesize
3.0MB
-
Filesize
672KB
-
Filesize
4.4MB
-
Filesize
1.2MB
-
Filesize
3.1MB
-
Filesize
320KB
-
Filesize
712KB