Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-12-2024 19:10
Static task
static1
General
-
Target
0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe
-
Size
3.1MB
-
MD5
22bf111e0ffbce40da98521c8ac390ac
-
SHA1
86c47f8fc939e81d7ceba37f1824e22ce4ef1f43
-
SHA256
0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2
-
SHA512
a9d529513d988c20380432d0ce1f10b6286a949442f6964ba455d14f51d308810b495d6e04ec375c9a990230f04a1444e7a9647c205a38275aae08b34408d30e
-
SSDEEP
98304:pLPTyc5Jt2SKP64GsNe+WPvvFmuY6/JsYk:xTyc7me+W3v9Y6
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://impend-differ.biz/api
https://print-vexer.biz/api
https://dare-curbys.biz/api
https://covery-mover.biz/api
https://formy-spill.biz/api
https://dwell-exclaim.biz/api
https://zinc-sneark.biz/api
https://se-blurry.biz/api
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
lumma
https://atten-supporse.biz/api
Signatures
-
Amadey family
-
Gcleaner family
-
Lumma family
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3EUEYgl.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f6301a74ab.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ a55cba72bb.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7b2c5d166f.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3EUEYgl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a55cba72bb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a55cba72bb.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3EUEYgl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f6301a74ab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f6301a74ab.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe -
Executes dropped EXE 7 IoCs
pid Process 2748 skotes.exe 2516 yiklfON.exe 2596 3EUEYgl.exe 2036 791bc9e6b8.exe 2428 f6301a74ab.exe 884 a55cba72bb.exe 2820 7b2c5d166f.exe -
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 3EUEYgl.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine f6301a74ab.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine a55cba72bb.exe Key opened \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine 7b2c5d166f.exe -
Loads dropped DLL 11 IoCs
pid Process 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe 2748 skotes.exe 2748 skotes.exe 2748 skotes.exe 2748 skotes.exe 2748 skotes.exe 2748 skotes.exe 2748 skotes.exe 2748 skotes.exe 2748 skotes.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\a55cba72bb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013789001\\a55cba72bb.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x00050000000186f8-393.dat autoit_exe behavioral1/files/0x00050000000186f8-402.dat autoit_exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe 2748 skotes.exe 2596 3EUEYgl.exe 2428 f6301a74ab.exe 884 a55cba72bb.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a55cba72bb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f6301a74ab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yiklfON.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3EUEYgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 3EUEYgl.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 3EUEYgl.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2528 timeout.exe -
Kills process with taskkill 1 IoCs
pid Process 2380 taskkill.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 3EUEYgl.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 3EUEYgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 3EUEYgl.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe 2748 skotes.exe 2596 3EUEYgl.exe 2596 3EUEYgl.exe 2428 f6301a74ab.exe 884 a55cba72bb.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 1600 wrote to memory of 2748 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe 30 PID 1600 wrote to memory of 2748 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe 30 PID 1600 wrote to memory of 2748 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe 30 PID 1600 wrote to memory of 2748 1600 0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe 30 PID 2748 wrote to memory of 2516 2748 skotes.exe 33 PID 2748 wrote to memory of 2516 2748 skotes.exe 33 PID 2748 wrote to memory of 2516 2748 skotes.exe 33 PID 2748 wrote to memory of 2516 2748 skotes.exe 33 PID 2748 wrote to memory of 2596 2748 skotes.exe 35 PID 2748 wrote to memory of 2596 2748 skotes.exe 35 PID 2748 wrote to memory of 2596 2748 skotes.exe 35 PID 2748 wrote to memory of 2596 2748 skotes.exe 35 PID 2596 wrote to memory of 1856 2596 3EUEYgl.exe 37 PID 2596 wrote to memory of 1856 2596 3EUEYgl.exe 37 PID 2596 wrote to memory of 1856 2596 3EUEYgl.exe 37 PID 2596 wrote to memory of 1856 2596 3EUEYgl.exe 37 PID 2748 wrote to memory of 2036 2748 skotes.exe 38 PID 2748 wrote to memory of 2036 2748 skotes.exe 38 PID 2748 wrote to memory of 2036 2748 skotes.exe 38 PID 2748 wrote to memory of 2036 2748 skotes.exe 38 PID 1856 wrote to memory of 2528 1856 cmd.exe 40 PID 1856 wrote to memory of 2528 1856 cmd.exe 40 PID 1856 wrote to memory of 2528 1856 cmd.exe 40 PID 1856 wrote to memory of 2528 1856 cmd.exe 40 PID 2748 wrote to memory of 2428 2748 skotes.exe 41 PID 2748 wrote to memory of 2428 2748 skotes.exe 41 PID 2748 wrote to memory of 2428 2748 skotes.exe 41 PID 2748 wrote to memory of 2428 2748 skotes.exe 41 PID 2748 wrote to memory of 884 2748 skotes.exe 42 PID 2748 wrote to memory of 884 2748 skotes.exe 42 PID 2748 wrote to memory of 884 2748 skotes.exe 42 PID 2748 wrote to memory of 884 2748 skotes.exe 42 PID 2748 wrote to memory of 2820 2748 skotes.exe 43 PID 2748 wrote to memory of 2820 2748 skotes.exe 43 PID 2748 wrote to memory of 2820 2748 skotes.exe 43 PID 2748 wrote to memory of 2820 2748 skotes.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe"C:\Users\Admin\AppData\Local\Temp\0536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe"C:\Users\Admin\AppData\Local\Temp\1013765001\yiklfON.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2516
-
-
C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe"C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1013771001\3EUEYgl.exe" & rd /s /q "C:\ProgramData\XLFUAS0RQQ9Z" & exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\timeout.exetimeout /t 105⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2528
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1013783001\791bc9e6b8.exe"C:\Users\Admin\AppData\Local\Temp\1013783001\791bc9e6b8.exe"3⤵
- Executes dropped EXE
PID:2036
-
-
C:\Users\Admin\AppData\Local\Temp\1013788001\f6301a74ab.exe"C:\Users\Admin\AppData\Local\Temp\1013788001\f6301a74ab.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2428
-
-
C:\Users\Admin\AppData\Local\Temp\1013789001\a55cba72bb.exe"C:\Users\Admin\AppData\Local\Temp\1013789001\a55cba72bb.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:884
-
-
C:\Users\Admin\AppData\Local\Temp\1013790001\7b2c5d166f.exe"C:\Users\Admin\AppData\Local\Temp\1013790001\7b2c5d166f.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\1013791001\24e9bde244.exe"C:\Users\Admin\AppData\Local\Temp\1013791001\24e9bde244.exe"3⤵PID:708
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T4⤵
- Kills process with taskkill
PID:2380
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.4MB
MD5d71d031f039f8fb153488c26fb7d410f
SHA15b15fd6f94bdbb35ecd02bf9aa51912d698ebf45
SHA25636541a0e062085fed175a4a5eae45aa9e3563fff4a816a1bffa1b2c6f8280e5b
SHA512d97c801c73f14ae20b11529d0b0f58afc3981d92bd00f88dda59881f24d89d3b325a8c61b88adc77753cebb1c320afc64af7522c61c34b2a4916b13bddc278cf
-
Filesize
1.8MB
MD53b8b3018e3283830627249d26305419d
SHA140fa5ef5594f9e32810c023aba5b6b8cea82f680
SHA256258e444e78225f74d47ba4698d49a33e6d1f6ed1f3f710186be426078e2bf1cb
SHA5122e9a42e53406446b503f150abfa16b994ee34211830d14ccbfbf52d86019dc5cca95c40222e5c6aed910c90988f999560ff972c575f9c207d7834abba6f04aa0
-
Filesize
2.5MB
MD52a78ce9f3872f5e591d643459cabe476
SHA19ac947dfc71a868bc9c2eb2bd78dfb433067682e
SHA25621a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
SHA51203e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9
-
Filesize
1.9MB
MD59ab589c46a5b8ecd08d59093e5748144
SHA175be11f83b2857167e2f4a48f67fdd95ca9ab4ae
SHA25616ed4315e25a900e8bd2ab5a55932fea00923040bb95133ce263e952131f3286
SHA512b6f594a2d278fe3d4fbf232952053aae327753abbcca5508c17ba7900a0e088ca11815333b507ed83b1010747b4654a5786f47e57e444983b5ac75c308c59af4
-
Filesize
1.8MB
MD580e0d854dd91586d55b9fa20f3b1b120
SHA16f782acc39892cb21b99a82018aaeb497e78bb8a
SHA25695a2832b06a89c1301e8203874a883510f99e809362945c67a3acfdc567759ad
SHA512e8f4be7f8418d9bfda495d646309c02a58a3ec007906066a129ed9c4dab45339e7801af3084c9afaa4557bee3217cdea51d21dc6c4369418f0b27b3b9ce8ae2b
-
Filesize
1.7MB
MD5093eddd8a84eb5d27962c656e91682c2
SHA199d406e047b7ba3b65b4ede1750ab2b658cf3b65
SHA256ab4dbd5c9ff9c061d4e6523100d63fd51069075d1187fe327a89ac4dad472cbd
SHA51235c6086dbea9753540f4a9b9f8e99d7d9b312d6662e0eaee9515e706f77df18cc09b934c328114f4617723b7d6b450e87de357fec08649b990c62ca555505ba4
-
Filesize
950KB
MD51bc110dbf8f9443ee17a36a3ec9e61d9
SHA176c43e76605589b446d7e1e9062098198fe8a35d
SHA256ff4cff14832d70e6f6d09b99de046b0865bd4ad140a168f30bdf669a3406a557
SHA512ea8910b1a946a3a55cea6ee467fc03cb05577cc69890c28e26588fe29ffa4f9c1e30d86a244fd057eb733b17cc3787073cfc1a535b0f8063145928f6e2dffe55
-
Filesize
913KB
MD5f70c6476888e31be9241c56c40746e89
SHA1f6d3672084034c904571af8bdc3ef83f169be51f
SHA2567ace55085f60d585564081fa7ef0a97005df46d9e5effd2aed63a6689025b5d3
SHA512d58511fa1e632f76ac26493c62278bee71b129cd68287f5e3065d903877eaa4b0ba38b39d3e59aa92bcaace20a5c7cf0e0751fd1515a0618e9e17e86517277e8
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
704KB
MD5bea60bf2d08927ef38dd317711c9425a
SHA18882606b9aa97b9174ef435477169daffb4511fd
SHA256abc3b79f1beed2f88b54b9967e76259b521ef546b011bd5714485677bd1f958b
SHA5127b647389d059b7fd040c91074d0e22b3085e24c9707d2842d691bacef510f6b24447f2195fad1e15df3b11212701c94c345ec679c0d0453b9ff52501c7218d76
-
Filesize
3.1MB
MD522bf111e0ffbce40da98521c8ac390ac
SHA186c47f8fc939e81d7ceba37f1824e22ce4ef1f43
SHA2560536c8987bbf4c736ee1ffaba0cb1e52d1652574fcb80ab14ff7d23a40e446b2
SHA512a9d529513d988c20380432d0ce1f10b6286a949442f6964ba455d14f51d308810b495d6e04ec375c9a990230f04a1444e7a9647c205a38275aae08b34408d30e