amadey | 65e38a7dd78629bc9a810a0dac0a18f977be82eacd6de5a090c0405c57de7a26

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	skotes.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	skotes.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	file.exe
2360	file.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000500000001c878-462.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2360	file.exe
2776	skotes.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3500-506-0x000000013F760000-0x000000013FBF0000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3584	powershell.exe
3856	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3856	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2360	file.exe
2776	skotes.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2360	file.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2776	2360	file.exe	31
PID 2360 wrote to memory of 2776	2360	file.exe	31
PID 2360 wrote to memory of 2776	2360	file.exe	31
PID 2360 wrote to memory of 2776	2360	file.exe	31

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3492	attrib.exe
3568	attrib.exe
3556	attrib.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe
    "C:\Users\Admin\AppData\Local\Temp\1015564001\ShtrayEasy35.exe"
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\VtfATRES\j7R7WnSpg0bta5Wr.exe
      C:\Users\Admin\AppData\Local\Temp\VtfATRES\j7R7WnSpg0bta5Wr.exe 1988
      4⤵
      PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Da8Lnirlcv64V47B.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Da8Lnirlcv64V47B.exe 1988
      4⤵
      PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\6t0P0EkqnjrpzOL8.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\6t0P0EkqnjrpzOL8.exe 1988
      4⤵
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\p9KISqvah0WTvfMZ.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\p9KISqvah0WTvfMZ.exe 1988
      4⤵
      PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\otfCi2sXBgv9Agub.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\otfCi2sXBgv9Agub.exe 1988
      4⤵
      PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\o8GZxM9kfWzRaDzw.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\o8GZxM9kfWzRaDzw.exe 1988
      4⤵
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\B4DhghSeeS5xfaRf.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\B4DhghSeeS5xfaRf.exe 1988
      4⤵
      PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Kmr7aMsbcAfrOOCv.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Kmr7aMsbcAfrOOCv.exe 1988
      4⤵
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\g8epWY1k4KyjTbI8.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\g8epWY1k4KyjTbI8.exe 1988
      4⤵
      PID:352
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\vQxVsyROtqjgJ4PO.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\vQxVsyROtqjgJ4PO.exe 1988
      4⤵
      PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\2Ew5FMkXlZpYg6Ws.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\2Ew5FMkXlZpYg6Ws.exe 1988
      4⤵
      PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\jkCPfVrsfXBOX8iL.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\jkCPfVrsfXBOX8iL.exe 1988
      4⤵
      PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\PyMLFlUNKb36Ivt8.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\PyMLFlUNKb36Ivt8.exe 1988
      4⤵
      PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\d8hWA3OMmFcTHn1i.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\d8hWA3OMmFcTHn1i.exe 1988
      4⤵
      PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\0tPp1FhqpNdYoJiy.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\0tPp1FhqpNdYoJiy.exe 1988
      4⤵
      PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\YRLXIAhVDjO14AMq.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\YRLXIAhVDjO14AMq.exe 1988
      4⤵
      PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\WVndIEJEv8lRpmY8.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\WVndIEJEv8lRpmY8.exe 1988
      4⤵
      PID:548
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Wb6FkBbC1xkDYBnk.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Wb6FkBbC1xkDYBnk.exe 1988
      4⤵
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\35xnBPaa8ppX05Eg.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\35xnBPaa8ppX05Eg.exe 1988
      4⤵
      PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\41Br7JFDKvw0JA4n.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\41Br7JFDKvw0JA4n.exe 1988
      4⤵
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\FagQi6Isu1DGI9ed.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\FagQi6Isu1DGI9ed.exe 1988
      4⤵
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\khSdX0JBNFq53R1l.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\khSdX0JBNFq53R1l.exe 1988
      4⤵
      PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\s0LtETYRGuOk27Ah.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\s0LtETYRGuOk27Ah.exe 1988
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\B8w0QlD6yOejmNcP.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\B8w0QlD6yOejmNcP.exe 1988
      4⤵
      PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\SJEzJgJBbFWp9XxJ.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\SJEzJgJBbFWp9XxJ.exe 1988
      4⤵
      PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\EX2iivS60WjRVPjm.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\EX2iivS60WjRVPjm.exe 1988
      4⤵
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\RIPjyM2gyklzfs5U.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\RIPjyM2gyklzfs5U.exe 1988
      4⤵
      PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\ObWhariE1CaWYDFo.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\ObWhariE1CaWYDFo.exe 1988
      4⤵
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\Ea8cBX6dAKD651wh.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\Ea8cBX6dAKD651wh.exe 1988
      4⤵
      PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\xjMHZONoP2g8D4Nb.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\xjMHZONoP2g8D4Nb.exe 1988
      4⤵
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\ygM7WZ8L32tDf9XG.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\ygM7WZ8L32tDf9XG.exe 1988
      4⤵
      PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\1gGhk1OPhdnYSMQr.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\1gGhk1OPhdnYSMQr.exe 1988
      4⤵
      PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\oNSfw5xUqgTmlFmA.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\oNSfw5xUqgTmlFmA.exe 1988
      4⤵
      PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\mTdlo2X4jGTHS1bE.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\mTdlo2X4jGTHS1bE.exe 1988
      4⤵
      PID:676
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\AwN7iaJBJYxLyPe0.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\AwN7iaJBJYxLyPe0.exe 1988
      4⤵
      PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\RKRUJS0MQqwypTPd.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\RKRUJS0MQqwypTPd.exe 1988
      4⤵
      PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\6ma6NxJxDbxweZGO.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\6ma6NxJxDbxweZGO.exe 1988
      4⤵
      PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\wHwm9QUtN4L0rtw9.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\wHwm9QUtN4L0rtw9.exe 1988
      4⤵
      PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\JViXmPUfQTqBeaya.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\JViXmPUfQTqBeaya.exe 1988
      4⤵
      PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\vv4CH4hbVFN7va0v.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\vv4CH4hbVFN7va0v.exe 1988
      4⤵
      PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\QszGaTWrNtILnSFd.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\QszGaTWrNtILnSFd.exe 1988
      4⤵
      PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\2naI8WXRGSsvpA01.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\2naI8WXRGSsvpA01.exe 1988
      4⤵
      PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\B22r86H3wOU84VO1.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\B22r86H3wOU84VO1.exe 1988
      4⤵
      PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\1015564001\4JZmK0X0an81A3lu.exe
      C:\Users\Admin\AppData\Local\Temp\1015564001\4JZmK0X0an81A3lu.exe 1988
      4⤵
      PID:3184
- - C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe
    "C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"
    3⤵
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe
    "C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"
    3⤵
    PID:1560
- - C:\Users\Admin\AppData\Local\Temp\1015819001\XpAg0vN.exe
    "C:\Users\Admin\AppData\Local\Temp\1015819001\XpAg0vN.exe"
    3⤵
    PID:2352
- - C:\Users\Admin\AppData\Local\Temp\1015821001\4b20774e49.exe
    "C:\Users\Admin\AppData\Local\Temp\1015821001\4b20774e49.exe"
    3⤵
    PID:408
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:1704
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:812
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p24291711423417250691697322505 -oextracted
        5⤵
        
        PID:1812
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        
        PID:576
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        
        PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        
        PID:856
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        
        PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        
        PID:812
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        
        PID:3160
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        
        PID:3244
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "in.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3492
    - - C:\Users\Admin\AppData\Local\Temp\main\in.exe
        
        "in.exe"
        5⤵
        
        PID:3500
      - C:\Windows\system32\attrib.exe
        
        attrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:3556
      - C:\Windows\system32\attrib.exe
        
        attrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe
        6⤵
        Views/modifies file attributes
        
        PID:3568
      - C:\Windows\system32\schtasks.exe
        
        schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell ping 127.0.0.1; del in.exe
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3584
        
        C:\Windows\system32\PING.EXE
        
        "C:\Windows\system32\PING.EXE" 127.0.0.1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3856
- - C:\Users\Admin\AppData\Local\Temp\1015822001\3f975f4b4b.exe
    "C:\Users\Admin\AppData\Local\Temp\1015822001\3f975f4b4b.exe"
    3⤵
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\1015822001\3f975f4b4b.exe
      "C:\Users\Admin\AppData\Local\Temp\1015822001\3f975f4b4b.exe"
      4⤵
      PID:2500
- - C:\Users\Admin\AppData\Local\Temp\1015823001\87ef6baa27.exe
    "C:\Users\Admin\AppData\Local\Temp\1015823001\87ef6baa27.exe"
    3⤵
    PID:2376
- - C:\Users\Admin\AppData\Local\Temp\1015825001\8ee5a7d86e.exe
    "C:\Users\Admin\AppData\Local\Temp\1015825001\8ee5a7d86e.exe"
    3⤵
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\1015826001\37a29f97ac.exe
    "C:\Users\Admin\AppData\Local\Temp\1015826001\37a29f97ac.exe"
    3⤵
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\1015824001\df16fc1c3f.exe
    "C:\Users\Admin\AppData\Local\Temp\1015824001\df16fc1c3f.exe"
    3⤵
    PID:1760
- - C:\Users\Admin\AppData\Local\Temp\1015827001\c1c2a8cc29.exe
    "C:\Users\Admin\AppData\Local\Temp\1015827001\c1c2a8cc29.exe"
    3⤵
    PID:2132
- - C:\Users\Admin\AppData\Local\Temp\1015828001\7337fd7e9a.exe
    "C:\Users\Admin\AppData\Local\Temp\1015828001\7337fd7e9a.exe"
    3⤵
    PID:3124
- - C:\Users\Admin\AppData\Local\Temp\1015829001\7ce32e7217.exe
    "C:\Users\Admin\AppData\Local\Temp\1015829001\7ce32e7217.exe"
    3⤵
    PID:3920
- - C:\Users\Admin\AppData\Local\Temp\1015830001\f33ba74913.exe
    "C:\Users\Admin\AppData\Local\Temp\1015830001\f33ba74913.exe"
    3⤵
    PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion