Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 02:37
Static task: static1
General
Target: 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
Size: 3.2MB
MD5: 7229bce5ce94ad8c3efdac6116ca0dfd
SHA1: bab536edb7b176deedc34f51bca00786358a9238
SHA256: 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312
SHA512: 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b
SSDEEP: 49152:CB2DsthgCxRK8k9rmlS2nRqGXqiR4h5inlI:FsthgCxRK8k9rmfRqGMelI
Malware Config

Extracted
Family: amadey
Version: 4.42
Botnet: 9c9aa5
C2: http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php

Extracted
Family: stealc
Botnet: stok
C2: http://185.215.113.206
url_path: /c4becf79229cb002.php
Signatures

Amadey family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | e025f989fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | e025f989fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | e025f989fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | e025f989fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | e025f989fb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | e025f989fb.exe
Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e025f989fb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4612d825b6.exe

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4612d825b6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e025f989fb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e025f989fb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4612d825b6.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | skotes.exe

Executes dropped EXE 7 IoCs
pid | Process
2904 | skotes.exe
2176 | 778666b23e.exe
1940 | 4564bdbd93.exe
4540 | 4612d825b6.exe
5068 | e025f989fb.exe
2596 | skotes.exe
2412 | skotes.exe
Identifies Wine through registry keys 2 TTPs 6 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | e025f989fb.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Wine | 4612d825b6.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | e025f989fb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | e025f989fb.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4612d825b6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014618001\\4612d825b6.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e025f989fb.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014619001\\e025f989fb.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4564bdbd93.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1014617001\\4564bdbd93.exe" | skotes.exe

AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000a000000023b65-48.dat | autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid | Process
1080 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
2904 | skotes.exe
4540 | 4612d825b6.exe
5068 | e025f989fb.exe
2596 | skotes.exe
2412 | skotes.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
5300 | 2176 | WerFault.exe | 85
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4612d825b6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 778666b23e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4564bdbd93.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | 4564bdbd93.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | 4564bdbd93.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e025f989fb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Kills process with taskkill 5 IoCs
pid | Process
2640 | taskkill.exe
2368 | taskkill.exe
3440 | taskkill.exe
1488 | taskkill.exe
4836 | taskkill.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid | Process (repeated rows collapsed, order preserved)
1080 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe (x2)
2904 | skotes.exe (x2)
1940 | 4564bdbd93.exe (x2)
4540 | 4612d825b6.exe (x2)
1940 | 4564bdbd93.exe (x2)
5068 | e025f989fb.exe (x5)
2596 | skotes.exe (x2)
2412 | skotes.exe (x2)

Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process (repeated rows collapsed, order preserved)
Token: SeDebugPrivilege | 2640 | taskkill.exe
Token: SeDebugPrivilege | 2368 | taskkill.exe
Token: SeDebugPrivilege | 3440 | taskkill.exe
Token: SeDebugPrivilege | 1488 | taskkill.exe
Token: SeDebugPrivilege | 4152 | firefox.exe (x2)
Token: SeDebugPrivilege | 5068 | e025f989fb.exe
Token: SeDebugPrivilege | 4152 | firefox.exe (x3)

Suspicious use of FindShellTrayWindow 34 IoCs
pid | Process (repeated rows collapsed, order preserved)
1080 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
1940 | 4564bdbd93.exe (x9)
4152 | firefox.exe (x21)
1940 | 4564bdbd93.exe (x3)

Suspicious use of SendNotifyMessage 32 IoCs
pid | Process (repeated rows collapsed, order preserved)
1940 | 4564bdbd93.exe (x9)
4152 | firefox.exe (x20)
1940 | 4564bdbd93.exe (x3)

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4152 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (repeated rows collapsed, order preserved)
PID 1080 wrote to memory of 2904 | 1080 | 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe | 83 (x3)
PID 2904 wrote to memory of 2176 | 2904 | skotes.exe | 85 (x3)
PID 2904 wrote to memory of 1940 | 2904 | skotes.exe | 91 (x3)
PID 1940 wrote to memory of 2640 | 1940 | 4564bdbd93.exe | 93 (x3)
PID 1940 wrote to memory of 2368 | 1940 | 4564bdbd93.exe | 96 (x3)
PID 1940 wrote to memory of 3440 | 1940 | 4564bdbd93.exe | 98 (x3)
PID 1940 wrote to memory of 1488 | 1940 | 4564bdbd93.exe | 100 (x3)
PID 2904 wrote to memory of 4540 | 2904 | skotes.exe | 102 (x3)
PID 1940 wrote to memory of 4836 | 1940 | 4564bdbd93.exe | 106 (x3)
PID 1940 wrote to memory of 1120 | 1940 | 4564bdbd93.exe | 108 (x2)
PID 1120 wrote to memory of 4152 | 1120 | firefox.exe | 109 (x11)
PID 4152 wrote to memory of 224 | 4152 | firefox.exe | 110 (x24)

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 1080
  Level 2: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2904
    Level 3: C:\Users\Admin\AppData\Local\Temp\1014616001\778666b23e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1014616001\778666b23e.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2176

      Level 4: C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 224
        - Program crash
        PID: 5300
    Level 3: C:\Users\Admin\AppData\Local\Temp\1014617001\4564bdbd93.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1014617001\4564bdbd93.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 1940
      Level 4: C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /F /IM firefox.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2640

      Level 4: C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /F /IM chrome.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 2368

      Level 4: C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /F /IM msedge.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 3440

      Level 4: C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /F /IM opera.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
        PID: 1488

      Level 4: C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /F /IM brave.exe /T
        - System Location Discovery: System Language Discovery
        - Kills process with taskkill
        PID: 4836
      Level 4: C:\Program Files\Mozilla Firefox\firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
        - Suspicious use of WriteProcessMemory
        PID: 1120
        Level 5: C:\Program Files\Mozilla Firefox\firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4152
          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e914fdcb-2624-4fb8-98d5-35228d8e91d8} 4152 "\\.\pipe\gecko-crash-server-pipe.4152" gpu
            PID: 224

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f6db250-266e-4f25-97e9-26dda8b0d229} 4152 "\\.\pipe\gecko-crash-server-pipe.4152" socket
            PID: 5096

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 3036 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a2c2a18-2415-4598-b220-14bf4ad0feeb} 4152 "\\.\pipe\gecko-crash-server-pipe.4152" tab
            PID: 1620

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3916 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bae6ae6a-a69b-4b10-bb3d-9016b6d4ff99} 4152 "\\.\pipe\gecko-crash-server-pipe.4152" tab
            PID: 4468

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 3876 -prefMapHandle 4636 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52f6b583-141f-479e-aa6e-7f9ac068c738} 4152 "\\.\pipe\gecko-crash-server-pipe.4152" utility
            - Checks processor information in registry
            PID: 844

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -childID 3 -isForBrowser -prefsHandle 5112 -prefMapHandle 5108 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {268bef43-e747-4b7b-88cf-bb35216e0de9} 4152 "\\.\pipe\gecko-crash-server-pipe.4152" tab
            PID: 5404

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5288 -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5240 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acadbda7-996b-4b50-84a4-71a8dc7ef923} 4152 "\\.\pipe\gecko-crash-server-pipe.4152" tab
            PID: 5424

          Level 6: C:\Program Files\Mozilla Firefox\firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 5 -isForBrowser -prefsHandle 5440 -prefMapHandle 5472 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea70a7b9-980b-41d4-897f-49875edd043a} 4152 "\\.\pipe\gecko-crash-server-pipe.4152" tab
            PID: 5460
    Level 3: C:\Users\Admin\AppData\Local\Temp\1014618001\4612d825b6.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1014618001\4612d825b6.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 4540
    Level 3: C:\Users\Admin\AppData\Local\Temp\1014619001\e025f989fb.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1014619001\e025f989fb.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Windows security modification
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 5068
Level 1: C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2176 -ip 2176
  PID: 5224
Level 1: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2596
Level 1: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  command line: C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 2412
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Impair Defenses (2): Disable or Modify Tools (2)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (2)
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\activity-stream.discovery_stream.json
  Filesize: 28KB
  MD5: 9112b5ec991d6be96d7d79d2579dcf52
  SHA1: df29776c5d54d385045831b1b3997f5bb5a8ed52
  SHA256: cd4917e6620944ad4639c037450f279b2cd1b59e1d000c8b7d22cc188d956a18
  SHA512: 7ca9e333f369ecb2a7d662d4c07689a8d5f4e777249d9295c91c87f01434386cc2d0c880e36540a7694f4653a796adc0d213a409cf326a9dcf3b506bbb5cbcdf

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\cache2\entries\92F4D5A4F9CED6E2E644D803AEE3647A0EA4D984
  Filesize: 13KB
  MD5: 8ddee25e4b8d146c8ccd4c2b04d58d8b
  SHA1: 43f911294b3a8939031a3b93bfa69a108e331dc0
  SHA256: f662c4543ac2707a4cce29731648210e6a11612d2dadce031714fd6e03190f00
  SHA512: adbcb74b24724c52fd6d715bc47bb93ec2782dbe36d88fef324bfbc651532471a229cb44724c5055b90afae2a57113efc0e76c0ecaaa6e86945325e1b6d92e58

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4ws2kncw.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
  Filesize: 15KB
  MD5: 96c542dec016d9ec1ecc4dddfcbaac66
  SHA1: 6199f7648bb744efa58acf7b96fee85d938389e4
  SHA256: 7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
  SHA512: cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
(no path recorded)
  Filesize: 2.5MB
  MD5: 2a78ce9f3872f5e591d643459cabe476
  SHA1: 9ac947dfc71a868bc9c2eb2bd78dfb433067682e
  SHA256: 21a2ac44acd7a640735870eebfd04b8dc57bc66877cb5be3b929299e86a43dae
  SHA512: 03e2cd8161a1394ee535a2ea7d197791ab715d69a02ffab98121ec5ac8150d2b17a9a32a59307042c4bbeffad7425b55efa047651de6ed39277dba80711454f9

(no path recorded)
  Filesize: 946KB
  MD5: 5ecf37910c2ee428328d45ac7bccad85
  SHA1: 495c53d6d0db198a1995b24f5c71e3931f07db05
  SHA256: 7ff4fa8172bfcf7b0cdfd4b78a04635df24778e2b11a7b867507b6924b52922b
  SHA512: 512245ab28e456dc6761bd5fe506c0ffd542e0146201be94d9b35593e77957636c4a34d40ddf47882c3c04fdfa275dbcf1d0146e89a0c80d9f6105cfe652dd35

(no path recorded)
  Filesize: 1.7MB
  MD5: c70c219d988415347561167abd815428
  SHA1: 7672b4f7f1bec1fb679b75d8b056de1e22cf8c86
  SHA256: 78b460fe07346dc517a238c241ec02d8ae1181f9120fd8d0a88ba6571620fec6
  SHA512: 6cb316fa378dd96d4e67aa5f3ff60a975ddfc4a655dce32cd927dd059a13d419cb028a75982e3e3d72cdfd97f5fe4f4cc795660955a893ff4700bb8513e494e6

(no path recorded)
  Filesize: 2.7MB
  MD5: 1cc25037092edd05264550a21466756e
  SHA1: 1eef4091618c8fbb8b91da7dc3cf854f9704c136
  SHA256: f2da06bf6fa15a77e0f7d76ac9cd227953373927d1b214888c0df76ab723c01d
  SHA512: 2184a438a27b26aaf56b806ca2507a1e948c80e674141d3c6fc16da4c6572c3bd27951518ffee8344a3cf9f684f80833ab9842cbe3dcb09424c68b650269ce0a

(no path recorded; hashes match the submitted sample)
  Filesize: 3.2MB
  MD5: 7229bce5ce94ad8c3efdac6116ca0dfd
  SHA1: bab536edb7b176deedc34f51bca00786358a9238
  SHA256: 786cacdf01a6f995fa366ec96f869e36aea02b478426595de4d72ce297b92312
  SHA512: 147165e60b94781f32180d41107d81504cf6c8a08a7b235c0680af1708447341ab6cb42e4d8ba310b4425d30bb4961f91da1801f45285f32974ccd9f5a419f4b

(no path recorded)
  Filesize: 479KB
  MD5: 09372174e83dbbf696ee732fd2e875bb
  SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
  SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
  SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

(no path recorded)
  Filesize: 13.8MB
  MD5: 0a8747a2ac9ac08ae9508f36c6d75692
  SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
  SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
  SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
  Filesize: 6KB
  MD5: e955de1ab8c111936597db6a9bf733a7
  SHA1: 8ac7aba827afdf2d7578ab447d929e45b4849e58
  SHA256: 254868be1c7457ee474097bafdf35703945e58c26b037a56fac460db82476609
  SHA512: a09c10f8548fe746241091efda8b90e75ff0f9af0176e879f1600168b620831293665df956f2032d1b241d14d08e2dbfd365fda6598349279453ac5397d8c17b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: 775e4c3bb59f9ce8e7afa34006da812c
  SHA1: cb1f39f55f3ca2c0a5d2d5b4634c32ca8e7bc98f
  SHA256: 22c56fdbd41843b2225ef7ca72c7b594bf7de21bfa4139a08a774c7ba9b6e117
  SHA512: 36407e940f3c889d34953da037981f33731a0b42d4d403de0cc9107e8aadf7b49aa791bdc7bc1c48b071399a7f22409c54fe1abac3d893cd9d59a04ebf818c05

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\AlternateServices.bin
  Filesize: 13KB
  MD5: a67f03ca9b7a9f5d840ab898cf03acb1
  SHA1: a7fe7dfced754584277ca6b1d2c6484b022f92ff
  SHA256: 63ace5a8afabfc1ed52c41b7cf7617de875406b452316605ad341649275e5583
  SHA512: a63492824097eab35822924f704f5a0c6a9879708f46eaa35d73567561c48a668e9dffbae321a694814e88f08da999d7ab3b59087864741ff93c430cb6940a3d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 25KB
  MD5: f91156b121a88b0c279da485e09405ea
  SHA1: 8e0e7620fdf26b4161622b7deaed8d30fa043cb8
  SHA256: 0b3e4883d4099cad9ea8bf376d2f9848a98ce66b8a2b208b1698ef0fe623672f
  SHA512: 23c77119ff91250462132550f65a28ad72752790f8b93d396b573bc8e7e654039905cf7667c51834abe746db601824717cee40d29e0eb542e53d7771d71b7c8b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 23KB
  MD5: 3b1f29f54fc50d445f097a3295ef0374
  SHA1: aeda0f24b46cf3d483e4ef67047a1b8a56104ef2
  SHA256: 5a0f2caaa9517d98fb0556d470100d3299f797a65b098f5093d0c9a136dfe9bc
  SHA512: e45fe034244cd5af912eeb2cf868876789632120152d139b33830602b4eccd708b2c14e880a419835b6dc563567879779d667a2955976495e685760ea14d3a2f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 22KB
  MD5: 6445649d66171fff8dbb2f54cc364536
  SHA1: 38da52190f78b8a51aa44c2ebf49bc18d9396561
  SHA256: e3b6571f076d261e86147036dad81dc6f2c7e309b9801168fb606548fc425fce
  SHA512: c2ad76f6235923bbebedef3983305876161eac76e4688d1288e5d2277370bbf347c57a7a894c3f15170b367cc923005d0bbb82e8ffa30d2a2d7b08c7829e6343

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 23KB
  MD5: f79c7fc047dd475bf9ce5a2e005355cf
  SHA1: e8a8f02948aecb7278ff1c21dc5cbec0694c0079
  SHA256: 1926b20c5a2a872aed86b7486f2adfbb1a369daf2a7e1bda227cb71e9d541345
  SHA512: bfe17ab9a1e6e04e141c778c6cc2d8cfb4ebbd989988178feb5247f83e73b93871828431d3cad74d962026c835ffe0b386c020225869f708e528b60ca3aa1b2c
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\4e13f943-c8a8-4a0c-b409-020b25c1ab03
  Filesize: 659B
  MD5: bab4c01a18d20882050e0675cb04bcf1
  SHA1: a0809cfb6d6598cdd97144d0fe2ed5e689cfa36f
  SHA256: 96a0b07deb28225d6f9b5cba15d8e103067def68078c1985a519be83bb250a33
  SHA512: fbd885c1206aa41d38ac31b07e74fa85c38683f49a9cd263039b838fa0d45c8180b1fa212b4bd6dec504cff93c2d00b307e810d4c66f1f3588c7099b8dc6e8e2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\datareporting\glean\pending_pings\f684d9e5-130a-459e-8f16-c0bd73c5c3c2
  Filesize: 982B
  MD5: 195d31e344925a7f9452fe0cbff64ea5
  SHA1: ee80b74da2a7ceb1aa36ab86a925d556eaf2a59c
  SHA256: c0e2f8a6cf61c8ecef6b5252eaa3e24d92fcadeef7ae912f48be7b48e636e3d0
  SHA512: d01ee39135b31a732a1ece603ccaf246265cc1a882866cbe4656d44b28b747111c637ff49321b96a50626294fdf42883fada3c8365b09dde3cf05fbc5772e09a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5: 842039753bf41fa5e11b3a1383061a87
  SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5: 2a461e9eb87fd1955cea740a3444ee7a
  SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5: bf957ad58b55f64219ab3f793e374316
  SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4ws2kncw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5: daf7ef3acccab478aaa7d6dc1c60f865
  SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
(no path recorded)
  Filesize: 10KB
  MD5: 8a5197c01a80b4f0f308fa197aa81882
  SHA1: c29d9678faf34e537ee6d26053564398d6c33c5e
  SHA256: ad952230075d76794736997731c538c77a8eeb36a6b8f6d93ed8cc60074d92bb
  SHA512: 1e616968d9c9c2ddd8c5d559f4d55a24c86b5697c0937d1fb6a19183b6c90673ad8e327998e9a399743aef5770ffc5d53d3145e6ce47637603b0e6986d9cf704

(no path recorded)
  Filesize: 11KB
  MD5: b4e6885fe6a7748bda5708c3ba1afaa5
  SHA1: 6a4996257db5c575279a34e2e5df5a2447e02b05
  SHA256: 7c6912fb050d2704785c15f573e98d20fea7b1d0dcbc7d9aabb5c83fdf21e5e8
  SHA512: d2f5798dc6589c73290b40bb76e28c1d560d9af564abf8cf60e5dc8510fd3c5652c5221aa0c983ce25bf57ff4f2828450b8097d0dfb5c88eb4ec7267b1e16d71

(no path recorded)
  Filesize: 10KB
  MD5: 9d7785992a3ddf5a61907be6a96c1ebb
  SHA1: 7a55d12a721f3b68452ed1ee5c994e29019582de
  SHA256: 6a5d3bbdaab179dbff5728558bfe5480609aa644ed4506037794b8cb32c4e830
  SHA512: 6379c4853719488af39b0bed10b68973df330b860d525bcb7d781d48bb1f1b30aec8f05577d176d1b3245003357d15728bcacc155c77e0145254b662449f51c5