Analysis
-
max time kernel
54s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-12-2024 01:51
General
-
Target
8797b7e5edfcffb2943103f14e99d32534e3a8d19de4476811cb3de24c834260N.exe
-
Size
1.7MB
-
MD5
f3237f81afa56e6f54369ca2a98beb90
-
SHA1
718bc313b7b3ba5dffdcf157421582547e4d2c2f
-
SHA256
8797b7e5edfcffb2943103f14e99d32534e3a8d19de4476811cb3de24c834260
-
SHA512
f163fc8e8282125b5bf8306edd1029fee0724578d9c5cfd16ca976055bb1f37afd7ed7fbb6be730745ff74c82afef2b071718393e7fff0b41de399a4dd1c9be4
-
SSDEEP
49152:TWzTqNaHWzakLV/s1aR9Wjn4zREeosVjtvjWTRFGa86C:6z+NQWzD/yjn4zVJa2Vb
Malware Config
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
cryptbot
Extracted
lumma
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://tacitglibbr.biz/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Downloads MZ/PE file
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 4 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 52 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8797b7e5edfcffb2943103f14e99d32534e3a8d19de4476811cb3de24c834260N.exe"C:\Users\Admin\AppData\Local\Temp\8797b7e5edfcffb2943103f14e99d32534e3a8d19de4476811cb3de24c834260N.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcfcaecc40,0x7ffcfcaecc4c,0x7ffcfcaecc583⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,16401170675897206127,17300098192945787226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,16401170675897206127,17300098192945787226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:33⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16401170675897206127,17300098192945787226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2372 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,16401170675897206127,17300098192945787226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,16401170675897206127,17300098192945787226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3452 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9229 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,16401170675897206127,17300098192945787226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4496 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,16401170675897206127,17300098192945787226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4604,i,16401170675897206127,17300098192945787226,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:83⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="Default"2⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfcaf46f8,0x7ffcfcaf4708,0x7ffcfcaf47183⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,12948898792924415927,15038251342131179736,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,12948898792924415927,15038251342131179736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,12948898792924415927,15038251342131179736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2036,12948898792924415927,15038251342131179736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2036,12948898792924415927,15038251342131179736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2036,12948898792924415927,15038251342131179736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:13⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9229 --field-trial-handle=2036,12948898792924415927,15038251342131179736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:13⤵
- Uses browser remote debugging
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\Documents\HDGCAAFBFB.exe"2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Documents\HDGCAAFBFB.exe"C:\Users\Admin\Documents\HDGCAAFBFB.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"C:\Users\Admin\AppData\Local\Temp\1015665001\IQ7ux2z.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"C:\Users\Admin\AppData\Local\Temp\1015781001\sUSFJjY.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANQA3ADgAMQAwADAAMQBcAHMAVQBTAEYASgBqAFkALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADEANQA3ADgAMQAwADAAMQBcAHMAVQBTAEYASgBqAFkALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAcwBTAHQAbwBwAHAAZQBkAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEkAcwBTAHQAbwBwAHAAZQBkAC4AZQB4AGUA6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015865001\88cac44747.exe"C:\Users\Admin\AppData\Local\Temp\1015865001\88cac44747.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"6⤵
-
C:\Windows\system32\mode.commode 65,107⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015866001\a0e49e24e6.exe"C:\Users\Admin\AppData\Local\Temp\1015866001\a0e49e24e6.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\1015866001\a0e49e24e6.exe"C:\Users\Admin\AppData\Local\Temp\1015866001\a0e49e24e6.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1015866001\a0e49e24e6.exe"C:\Users\Admin\AppData\Local\Temp\1015866001\a0e49e24e6.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015867001\1eb8cf9949.exe"C:\Users\Admin\AppData\Local\Temp\1015867001\1eb8cf9949.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1015868001\a2f8158282.exe"C:\Users\Admin\AppData\Local\Temp\1015868001\a2f8158282.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1015869001\c13ad272c5.exe"C:\Users\Admin\AppData\Local\Temp\1015869001\c13ad272c5.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1015870001\2b6556ad00.exe"C:\Users\Admin\AppData\Local\Temp\1015870001\2b6556ad00.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1015871001\6065ca3ad4.exe"C:\Users\Admin\AppData\Local\Temp\1015871001\6065ca3ad4.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1015872001\b38723a8e8.exe"C:\Users\Admin\AppData\Local\Temp\1015872001\b38723a8e8.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T6⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\1015873001\80e66735b4.exe"C:\Users\Admin\AppData\Local\Temp\1015873001\80e66735b4.exe"5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1015874001\b8cae74898.exe"C:\Users\Admin\AppData\Local\Temp\1015874001\b8cae74898.exe"5⤵
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"1⤵
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
649B
MD5a682e4f347ce10a887a75d8adda4fc09
SHA1ec2e6220835b43072acf7e8794aa1ed254349d07
SHA25673a688ae28951d976fb103ce0e146d0bbdc15708994c5ff2328ab8a132086e5b
SHA512e3dabf68931406444bc76fb183229615bc4b35382f3fb8f62ba91b4fbbe4af7fd77b8ea24302a8f53eacd8f6ebb858176ad3ada367ccabd7498811c1c9d74e44
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
14B
MD5ef48733031b712ca7027624fff3ab208
SHA1da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
5KB
MD565a3cd6376dbb39cf3ec7128ced37f3c
SHA1972f6bf0fe51f0928f3be4c2fc6c278a1e722aca
SHA256b67ca6ce78086ac18521f4eca50dabd399515442f313bf5eb741c1350de32de9
SHA5125c92b9f26315afd69121f1d7c8014f4ade3fd8fda6b36f73150c4ff0f8d178b8ee2c80b201cd08e2f6e9f84fc07d60a6ddca4dd90e7fcfe0aa838f80aaa47898
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
2.8MB
MD50dad190f420a0a09ed8c262ca18b1097
SHA1b97535bf2960278b19bda8cad9e885b8eefbdc85
SHA25629e1e95110c03e84720e213a2bb0dcdff95af85a8a894d71518e06c62131e64a
SHA5128ae92676fc5539899414f0a70cba1ed01685b30af9002c68114720d6a7213e4e9c2368e17717c4e3e02650781a022001e4a2e43f83afbd709e7f1ab81003b646
-
Filesize
87KB
MD53c104350cc2661c345673e91ed672c4c
SHA1d205e94d47949cf3bc3f5226978f6d370c3d3b94
SHA2561fb9f279263c252a09f12b69c7238c18d2325f7cf7250ebe24ad9149abe62cf4
SHA5129c02bde2d096e181f00e906f4e242905d0e54dd207f309764805c7444c9f43073106812ade97fca9fc2363f59ed071371276880ce85e9a307fcdb03d3250cf6a
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
710KB
MD528e568616a7b792cac1726deb77d9039
SHA139890a418fb391b823ed5084533e2e24dff021e1
SHA2569597798f7789adc29fbe97707b1bd8ca913c4d5861b0ad4fdd6b913af7c7a8e2
SHA51285048799e6d2756f1d6af77f34e6a1f454c48f2f43042927845931b7ecff2e5de45f864627a3d4aa061252401225bbb6c2caa8532320ccbe401e97c9c79ac8e5
-
Filesize
4.2MB
MD53617bfad36063c68a129b7e2bd89ceef
SHA16621e1f1403b9fa874124c374021034a3c86421e
SHA256e5637e64459e1868bf6318ea3b48b76ecf3f5669992ba882a7ddab2567af8b24
SHA512fdf2d08361b48faccf5ee0e2f04104f07f4677a0299a80d49cf50aabd952a6bb23332f51b12102d87c01ee3291bf1bc3833035e42d613e4c35e657dc06044c21
-
Filesize
4.3MB
MD5c5f945671aec219fd0af66f72065a536
SHA17956212b4272158ebf29243e79067cc73066fee6
SHA2567fdc637cd02ad95b233c17569424fe28b53228f5d7dc853dc1449527ad2fd05d
SHA5121cf363e35bbdaa90af47ff79e59a3175559b81d6ec63b296534793b1b406b883dd0b89412b0115be4a42041d27c15e97e494b284e092397d1878b8dfb544144a
-
Filesize
384KB
MD5dfd5f78a711fa92337010ecc028470b4
SHA11a389091178f2be8ce486cd860de16263f8e902e
SHA256da96f2eb74e60de791961ef3800c36a5e12202fe97ae5d2fcfc1fe404bc13c0d
SHA512a3673074919039a2dc854b0f91d1e1a69724056594e33559741f53594e0f6e61e3d99ec664d541b17f09ffdebc2de1b042eec19ca8477fac86359c703f8c9656
-
Filesize
1.8MB
MD5671c63520e6f85080fdfee66e75b088c
SHA1465521d02a577a1562b8d0627974b0fbb584717d
SHA256208a4c4d748a4654ca78fe196668346f3a1ea0422dd18a9f847e7e67b53c1cee
SHA5125b7e8ed1f24f89031ff32af855e9f4239c7b5a5f332d252c66254d7d776cd915c534bc25b7562c3f3236b9774ce39ce837f7b9b78ccecbbf81ce2503c5f863ea
-
Filesize
1.7MB
MD5152183d5e4b7b2ef9ef86c8058b4f206
SHA127eb52cbc887fd34e1eb670e8aedecc5b98e4f3f
SHA2564236f536a03e938da4c2f2ae0eb7c369db22c632e0b326fac2373b764f0581bb
SHA51229836420c214c9a6fdb107a8d318a6b689f5222f66a668e683a9a2fd9e640408176c2194bbc81388ddec9b7cab34106147646252c0f3e4d184dcd6f1c9f211bd
-
Filesize
948KB
MD5d05ca64153f5442be0247eac17719be0
SHA130293f1a5a54852b90552c7af1a9ea6589aa9d5a
SHA2562c50cb782e98b05c225fb1f96a8f7619c9b4ffedeb9135ea02df48d459e81951
SHA5127344729c7029e71c1553c64ddf0aae2b7b65b435506f4b76246514a843ded457d3d17fe8c93ce4d34b226ed2a3b7c00a3a1ecc678b72b9e6f89db59e7e123537
-
Filesize
2.7MB
MD56057aeab10d089e6a3e587ded21ebb70
SHA10a32b8621cebc79aac6d04a59b763d99da13226c
SHA2567d0c96884615c52ad015b0b7d35cb688e77635dfbf5a1eb958fb189bd1c9aa98
SHA512a11d2f365ae2be83c285e0d81dc986f12843fa099afb4547834ab20a0874793bfd0aff426c4cb1b1e8a39f2f91f59f5c67d2b7fcde18ffa61b7ccea91514fb4e
-
Filesize
1.7MB
MD56c1d0dabe1ec5e928f27b3223f25c26b
SHA1e25ab704a6e9b3e4c30a6c1f7043598a13856ad9
SHA25692228a0012605351cf08df9a2ad4b93fa552d7a75991f81fb80f1ae854a0e57d
SHA5123a3f7af4f6018fcbd8c6f2871270504731cf269134453c9a146351c3e4a5c89165ecccafb3655d8b39c1ff1ec68f06e1851c0abd66d47602e1f0f8e36d4acfe9
-
Filesize
1.2MB
MD50b7c362e9e3d84233dd28aece2c3c3f1
SHA1c7e3b81dbf7502db401807ecc6cc8d4dd28a6bcf
SHA25646d856aa6213a2981a66a8e6281523d3934e746f2a2216badadf1a312b615612
SHA51200fb24109bbb3d745520258cd51f966dac342f7daa775e562524cd9178b1faed7299f3ef6eaea3cf0a5a65b11a89be2712741218d0e7fde4da8c5ca43c717f8d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
Filesize
2.9MB
MD5319d6e5c5383363d4f68a1f422ae9e31
SHA14b919f22b8ed24d26316f566187e98936fcfca3b
SHA256feb3e3e1723c3caac7629f6f9ee8591246bd9a8b35ada99da08740d4fcedc93b
SHA5121fee8daefa7cb39fabed1a4d2e3296724e4f6105f2ed0131c557dc8342d2e3555732c54f25180deaac10d53dcb16dad9b9e8eae5de8c8bf0918e4e1ca4e2975b
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
12.3MB
-
Filesize
12.3MB
-
Filesize
4.5MB
-
Filesize
6.6MB
-
Filesize
6.6MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
96KB
-
Filesize
336KB
-
Filesize
304KB
-
Filesize
4.9MB
-
Filesize
5.4MB
-
Filesize
24KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
2.9MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
8KB
-
Filesize
92KB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
6.5MB
-
Filesize
972KB
-
Filesize
6.5MB
-
Filesize
136KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
11.9MB
-
Filesize
3.1MB
-
Filesize
3.1MB