amadey | f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	8cfadf0ea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	8cfadf0ea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	8cfadf0ea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	8cfadf0ea8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	8cfadf0ea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	8cfadf0ea8.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/2756-837-0x000000000AA80000-0x000000000ABA0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9feskIx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ba674c26d2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	74968d29c8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	81f9258a13.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8cfadf0ea8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4896	powershell.exe
5220	powershell.exe
2740	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	iteteb.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ba674c26d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8cfadf0ea8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9feskIx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ba674c26d2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	74968d29c8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	81f9258a13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9feskIx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	74968d29c8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	81f9258a13.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8cfadf0ea8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	9feskIx.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3356	cmd.exe
1540	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
3728	skotes.exe
2756	9feskIx.exe
2132	7a3e8e623d.exe
3996	ba674c26d2.exe
4392	74968d29c8.exe
3396	bfb40b775d.exe
4640	81f9258a13.exe
5672	8cfadf0ea8.exe
5896	skotes.exe
5508	iteteb.exe
4228	iteteb.exe
3192	rar.exe
4888	skotes.exe

Identifies Wine through registry keys 2 TTPs 9 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	9feskIx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	ba674c26d2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	8cfadf0ea8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	74968d29c8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Wine	81f9258a13.exe

Loads dropped DLL 17 IoCs

pid	Process
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe
4228	iteteb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	8cfadf0ea8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	8cfadf0ea8.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ba674c26d2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013853001\\ba674c26d2.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74968d29c8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013854001\\74968d29c8.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bfb40b775d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013855001\\bfb40b775d.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8cfadf0ea8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1013856001\\8cfadf0ea8.exe"	skotes.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
203	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023cce-111.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
5148	tasklist.exe
2344	tasklist.exe
1820	tasklist.exe
5700	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

pid	Process
1864	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
3728	skotes.exe
2756	9feskIx.exe
3996	ba674c26d2.exe
4392	74968d29c8.exe
4640	81f9258a13.exe
5672	8cfadf0ea8.exe
5896	skotes.exe
4888	skotes.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023d53-878.dat	upx
behavioral2/memory/4228-891-0x00007FF857920000-0x00007FF857FE2000-memory.dmp	upx
behavioral2/memory/4228-914-0x00007FF86FE30000-0x00007FF86FE3F000-memory.dmp	upx
behavioral2/memory/4228-913-0x00007FF86A7C0000-0x00007FF86A7E5000-memory.dmp	upx
behavioral2/files/0x0007000000023d4d-912.dat	upx
behavioral2/files/0x0007000000023d4c-911.dat	upx
behavioral2/files/0x0007000000023d4b-910.dat	upx
behavioral2/files/0x0007000000023d4a-909.dat	upx
behavioral2/files/0x0007000000023d49-962.dat	upx
behavioral2/files/0x0007000000023d57-969.dat	upx
behavioral2/files/0x0007000000023d56-973.dat	upx
behavioral2/files/0x0007000000023d50-981.dat	upx
behavioral2/memory/4228-982-0x00007FF857920000-0x00007FF857FE2000-memory.dmp	upx
behavioral2/memory/4228-1000-0x00007FF86A810000-0x00007FF86A829000-memory.dmp	upx
behavioral2/memory/4228-1001-0x00007FF8668C0000-0x00007FF8669DA000-memory.dmp	upx
behavioral2/memory/4228-1024-0x00007FF867650000-0x00007FF867674000-memory.dmp	upx
behavioral2/memory/4228-1081-0x00007FF854230000-0x00007FF8543AF000-memory.dmp	upx
behavioral2/memory/4228-1138-0x00007FF867430000-0x00007FF867463000-memory.dmp	upx
behavioral2/files/0x0007000000023d58-995.dat	upx
behavioral2/memory/4228-990-0x00007FF86E5A0000-0x00007FF86E5AD000-memory.dmp	upx
behavioral2/memory/4228-989-0x00007FF867C60000-0x00007FF867C74000-memory.dmp	upx
behavioral2/files/0x0007000000023d48-987.dat	upx
behavioral2/memory/4228-986-0x00007FF86A7C0000-0x00007FF86A7E5000-memory.dmp	upx
behavioral2/memory/4228-984-0x00007FF853CF0000-0x00007FF854223000-memory.dmp	upx
behavioral2/memory/4228-979-0x00007FF866F90000-0x00007FF86705E000-memory.dmp	upx
behavioral2/files/0x0007000000023d52-978.dat	upx
behavioral2/memory/4228-977-0x00007FF867430000-0x00007FF867463000-memory.dmp	upx
behavioral2/memory/4228-976-0x00007FF86FDB0000-0x00007FF86FDBD000-memory.dmp	upx
behavioral2/memory/4228-975-0x00007FF8688F0000-0x00007FF868909000-memory.dmp	upx
behavioral2/memory/4228-970-0x00007FF854230000-0x00007FF8543AF000-memory.dmp	upx
behavioral2/memory/4228-968-0x00007FF867650000-0x00007FF867674000-memory.dmp	upx
behavioral2/memory/4228-965-0x00007FF86A810000-0x00007FF86A829000-memory.dmp	upx
behavioral2/files/0x0007000000023d45-964.dat	upx
behavioral2/memory/4228-963-0x00007FF86A730000-0x00007FF86A75C000-memory.dmp	upx
behavioral2/files/0x0007000000023d47-906.dat	upx
behavioral2/files/0x0007000000023d51-896.dat	upx
behavioral2/files/0x0007000000023d46-894.dat	upx
behavioral2/memory/4228-1523-0x00007FF866F90000-0x00007FF86705E000-memory.dmp	upx
behavioral2/memory/4228-1546-0x00007FF853CF0000-0x00007FF854223000-memory.dmp	upx
behavioral2/memory/4228-1579-0x00007FF86A7C0000-0x00007FF86A7E5000-memory.dmp	upx
behavioral2/memory/4228-1584-0x00007FF854230000-0x00007FF8543AF000-memory.dmp	upx
behavioral2/memory/4228-1578-0x00007FF857920000-0x00007FF857FE2000-memory.dmp	upx
behavioral2/memory/4228-1594-0x00007FF857920000-0x00007FF857FE2000-memory.dmp	upx
behavioral2/memory/4228-1608-0x00007FF8668C0000-0x00007FF8669DA000-memory.dmp	upx
behavioral2/memory/4228-1612-0x00007FF86A730000-0x00007FF86A75C000-memory.dmp	upx
behavioral2/memory/4228-1611-0x00007FF86FE30000-0x00007FF86FE3F000-memory.dmp	upx
behavioral2/memory/4228-1610-0x00007FF86A7C0000-0x00007FF86A7E5000-memory.dmp	upx
behavioral2/memory/4228-1609-0x00007FF854230000-0x00007FF8543AF000-memory.dmp	upx
behavioral2/memory/4228-1605-0x00007FF853CF0000-0x00007FF854223000-memory.dmp	upx
behavioral2/memory/4228-1604-0x00007FF866F90000-0x00007FF86705E000-memory.dmp	upx
behavioral2/memory/4228-1603-0x00007FF867430000-0x00007FF867463000-memory.dmp	upx
behavioral2/memory/4228-1602-0x00007FF86FDB0000-0x00007FF86FDBD000-memory.dmp	upx
behavioral2/memory/4228-1601-0x00007FF8688F0000-0x00007FF868909000-memory.dmp	upx
behavioral2/memory/4228-1599-0x00007FF867650000-0x00007FF867674000-memory.dmp	upx
behavioral2/memory/4228-1598-0x00007FF86A810000-0x00007FF86A829000-memory.dmp	upx
behavioral2/memory/4228-1607-0x00007FF86E5A0000-0x00007FF86E5AD000-memory.dmp	upx
behavioral2/memory/4228-1606-0x00007FF867C60000-0x00007FF867C74000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5936	2756	WerFault.exe	162
6136	4640	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a3e8e623d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74968d29c8.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	bfb40b775d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba674c26d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81f9258a13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cfadf0ea8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9feskIx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	bfb40b775d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfb40b775d.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
5404	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
5504	systeminfo.exe

Kills process with taskkill 14 IoCs

pid	Process
4356	taskkill.exe
5276	taskkill.exe
1100	taskkill.exe
464	taskkill.exe
4928	taskkill.exe
5012	taskkill.exe
1572	taskkill.exe
4656	taskkill.exe
3004	taskkill.exe
2520	taskkill.exe
5928	taskkill.exe
2332	taskkill.exe
1596	taskkill.exe
4884	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2756	9feskIx.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1864	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
1864	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
3728	skotes.exe
3728	skotes.exe
2756	9feskIx.exe
2756	9feskIx.exe
3996	ba674c26d2.exe
3996	ba674c26d2.exe
4392	74968d29c8.exe
4392	74968d29c8.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
2756	9feskIx.exe
2756	9feskIx.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
4640	81f9258a13.exe
4640	81f9258a13.exe
5672	8cfadf0ea8.exe
5672	8cfadf0ea8.exe
5672	8cfadf0ea8.exe
5672	8cfadf0ea8.exe
5672	8cfadf0ea8.exe
5896	skotes.exe
5896	skotes.exe
4896	powershell.exe
4896	powershell.exe
2740	powershell.exe
2740	powershell.exe
2740	powershell.exe
1540	powershell.exe
1540	powershell.exe
4896	powershell.exe
1540	powershell.exe
5220	powershell.exe
5220	powershell.exe
5336	powershell.exe
5336	powershell.exe
4888	skotes.exe
4888	skotes.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeDebugPrivilege	5104	firefox.exe
Token: SeDebugPrivilege	5104	firefox.exe
Token: SeDebugPrivilege	2756	9feskIx.exe
Token: SeDebugPrivilege	5672	8cfadf0ea8.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	5148	tasklist.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	2344	tasklist.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeIncreaseQuotaPrivilege	5532	WMIC.exe
Token: SeSecurityPrivilege	5532	WMIC.exe
Token: SeTakeOwnershipPrivilege	5532	WMIC.exe
Token: SeLoadDriverPrivilege	5532	WMIC.exe
Token: SeSystemProfilePrivilege	5532	WMIC.exe
Token: SeSystemtimePrivilege	5532	WMIC.exe
Token: SeProfSingleProcessPrivilege	5532	WMIC.exe
Token: SeIncBasePriorityPrivilege	5532	WMIC.exe
Token: SeCreatePagefilePrivilege	5532	WMIC.exe
Token: SeBackupPrivilege	5532	WMIC.exe
Token: SeRestorePrivilege	5532	WMIC.exe
Token: SeShutdownPrivilege	5532	WMIC.exe
Token: SeDebugPrivilege	5532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5532	WMIC.exe
Token: SeRemoteShutdownPrivilege	5532	WMIC.exe
Token: SeUndockPrivilege	5532	WMIC.exe
Token: SeManageVolumePrivilege	5532	WMIC.exe
Token: 33	5532	WMIC.exe
Token: 34	5532	WMIC.exe
Token: 35	5532	WMIC.exe
Token: 36	5532	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5532	WMIC.exe
Token: SeSecurityPrivilege	5532	WMIC.exe
Token: SeTakeOwnershipPrivilege	5532	WMIC.exe
Token: SeLoadDriverPrivilege	5532	WMIC.exe
Token: SeSystemProfilePrivilege	5532	WMIC.exe
Token: SeSystemtimePrivilege	5532	WMIC.exe
Token: SeProfSingleProcessPrivilege	5532	WMIC.exe
Token: SeIncBasePriorityPrivilege	5532	WMIC.exe
Token: SeCreatePagefilePrivilege	5532	WMIC.exe
Token: SeBackupPrivilege	5532	WMIC.exe
Token: SeRestorePrivilege	5532	WMIC.exe
Token: SeShutdownPrivilege	5532	WMIC.exe
Token: SeDebugPrivilege	5532	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5532	WMIC.exe
Token: SeRemoteShutdownPrivilege	5532	WMIC.exe
Token: SeUndockPrivilege	5532	WMIC.exe
Token: SeManageVolumePrivilege	5532	WMIC.exe
Token: 33	5532	WMIC.exe
Token: 34	5532	WMIC.exe
Token: 35	5532	WMIC.exe
Token: 36	5532	WMIC.exe
Token: SeDebugPrivilege	5700	tasklist.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	2332	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
5104	firefox.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe
3396	bfb40b775d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5104	firefox.exe
2756	9feskIx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 3728	1864	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe	82
PID 1864 wrote to memory of 3728	1864	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe	82
PID 1864 wrote to memory of 3728	1864	f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe	82
PID 3728 wrote to memory of 2756	3728	skotes.exe	83
PID 3728 wrote to memory of 2756	3728	skotes.exe	83
PID 3728 wrote to memory of 2756	3728	skotes.exe	83
PID 3728 wrote to memory of 2132	3728	skotes.exe	84
PID 3728 wrote to memory of 2132	3728	skotes.exe	84
PID 3728 wrote to memory of 2132	3728	skotes.exe	84
PID 3728 wrote to memory of 3996	3728	skotes.exe	89
PID 3728 wrote to memory of 3996	3728	skotes.exe	89
PID 3728 wrote to memory of 3996	3728	skotes.exe	89
PID 3728 wrote to memory of 4392	3728	skotes.exe	91
PID 3728 wrote to memory of 4392	3728	skotes.exe	91
PID 3728 wrote to memory of 4392	3728	skotes.exe	91
PID 3728 wrote to memory of 3396	3728	skotes.exe	94
PID 3728 wrote to memory of 3396	3728	skotes.exe	94
PID 3728 wrote to memory of 3396	3728	skotes.exe	94
PID 3396 wrote to memory of 4356	3396	bfb40b775d.exe	95
PID 3396 wrote to memory of 4356	3396	bfb40b775d.exe	95
PID 3396 wrote to memory of 4356	3396	bfb40b775d.exe	95
PID 3396 wrote to memory of 1100	3396	bfb40b775d.exe	97
PID 3396 wrote to memory of 1100	3396	bfb40b775d.exe	97
PID 3396 wrote to memory of 1100	3396	bfb40b775d.exe	97
PID 3396 wrote to memory of 464	3396	bfb40b775d.exe	99
PID 3396 wrote to memory of 464	3396	bfb40b775d.exe	99
PID 3396 wrote to memory of 464	3396	bfb40b775d.exe	99
PID 3396 wrote to memory of 4928	3396	bfb40b775d.exe	101
PID 3396 wrote to memory of 4928	3396	bfb40b775d.exe	101
PID 3396 wrote to memory of 4928	3396	bfb40b775d.exe	101
PID 3396 wrote to memory of 4656	3396	bfb40b775d.exe	103
PID 3396 wrote to memory of 4656	3396	bfb40b775d.exe	103
PID 3396 wrote to memory of 4656	3396	bfb40b775d.exe	103
PID 3396 wrote to memory of 3936	3396	bfb40b775d.exe	105
PID 3396 wrote to memory of 3936	3396	bfb40b775d.exe	105
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 3936 wrote to memory of 5104	3936	firefox.exe	106
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107
PID 5104 wrote to memory of 1260	5104	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

Hidden Files and Directories

T1564.001

pid	Process
1808	attrib.exe
5524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe
"C:\Users\Admin\AppData\Local\Temp\f3b4123a66aacafe980321a2da2a3631367ae898269d629efc134149a02d05df.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe
    "C:\Users\Admin\AppData\Local\Temp\1013829001\9feskIx.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\iteteb.exe
      "C:\Users\Admin\AppData\Local\Temp\iteteb.exe"
      4⤵
      Executes dropped EXE
      PID:5508
    - - C:\Users\Admin\AppData\Local\Temp\iteteb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iteteb.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4228
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\iteteb.exe'"
        6⤵
        
        PID:3348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\iteteb.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        6⤵
        
        PID:5588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:2588
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:3636
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        6⤵
        
        PID:3244
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:3356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:5092
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:3200
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5724
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:3612
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:5504
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        6⤵
        
        PID:5792
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        7⤵
        
        PID:5888
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5208
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:1632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6140
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:2756
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:5660
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:1808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5496
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:2164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:5112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5724
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5524
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:2236
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:3844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:3548
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5700
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5552
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:1540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5104"
        6⤵
        
        PID:2376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5496
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5104
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1260"
        6⤵
        
        PID:2660
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1260
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3268"
        6⤵
        
        PID:376
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3268
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2144"
        6⤵
        
        PID:1984
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2144
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2124"
        6⤵
        
        PID:832
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2124
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5132"
        6⤵
        
        PID:5816
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5132
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5592"
        6⤵
        
        PID:5280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5592
        7⤵
        Kills process with taskkill
        
        PID:5928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5684"
        6⤵
        
        PID:4968
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5684
        7⤵
        Kills process with taskkill
        
        PID:5276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        6⤵
        
        PID:5820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5700
        
        C:\Windows\system32\getmac.exe
        
        getmac
        7⤵
        
        PID:3548
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5748"
        6⤵
        
        PID:5124
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5748
        7⤵
        Kills process with taskkill
        
        PID:4884
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55082\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\B7xIN.zip" *"
        6⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\_MEI55082\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI55082\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\B7xIN.zip" *
        7⤵
        Executes dropped EXE
        
        PID:3192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        6⤵
        
        PID:1820
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        7⤵
        
        PID:2072
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        6⤵
        
        PID:116
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        7⤵
        
        PID:348
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:3088
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2784
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        6⤵
        
        PID:4740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:1548
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5404
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        6⤵
        
        PID:4104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 2292
      4⤵
      Program crash
      PID:5936
- - C:\Users\Admin\AppData\Local\Temp\1013852001\7a3e8e623d.exe
    "C:\Users\Admin\AppData\Local\Temp\1013852001\7a3e8e623d.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\1013853001\ba674c26d2.exe
    "C:\Users\Admin\AppData\Local\Temp\1013853001\ba674c26d2.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3996
- - C:\Users\Admin\AppData\Local\Temp\1013854001\74968d29c8.exe
    "C:\Users\Admin\AppData\Local\Temp\1013854001\74968d29c8.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4392
- - C:\Users\Admin\AppData\Local\Temp\1013855001\bfb40b775d.exe
    "C:\Users\Admin\AppData\Local\Temp\1013855001\bfb40b775d.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4356
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4656
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ada2d875-efc0-4151-9871-0395a5a80355} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" gpu
        6⤵
        
        PID:1260
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6cc5b78-de37-44fc-af0f-5d7fd001d435} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" socket
        6⤵
        
        PID:3268
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 2912 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {069c90d6-7d71-467d-9e3b-6478938ba899} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
        6⤵
        
        PID:2144
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3892 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3880 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9146dd28-e246-4dc2-9f08-d29de8bd3a1f} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
        6⤵
        
        PID:2124
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4600 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4584 -prefMapHandle 4572 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70e919de-c643-434e-8daf-4619ff863aae} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" utility
        6⤵
        Checks processor information in registry
        
        PID:5132
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5160 -childID 3 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01d54462-f9d2-465c-84fb-6bc85e37459b} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
        6⤵
        
        PID:5592
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5280 -childID 4 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c2b2fb7-b6bb-4829-a2ec-143247f7be9b} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
        6⤵
        
        PID:5684
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 5 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba864240-4ac0-40a3-8b8a-c3ab0301da49} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" tab
        6⤵
        
        PID:5748
- - C:\Users\Admin\AppData\Local\Temp\1013857001\81f9258a13.exe
    "C:\Users\Admin\AppData\Local\Temp\1013857001\81f9258a13.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4640
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1512
      4⤵
      Program crash
      PID:6136
- - C:\Users\Admin\AppData\Local\Temp\1013856001\8cfadf0ea8.exe
    "C:\Users\Admin\AppData\Local\Temp\1013856001\8cfadf0ea8.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5672

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4640 -ip 4640
1⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion