Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 16:44
Static task
static1
Behavioral task
behavioral1
Sample
ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
Resource
win7-20240729-en
General
-
Target
ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe
-
Size
2.8MB
-
MD5
bf03b982421c50b3c232a902eed53e31
-
SHA1
5f1bdec3bf5ef51e982ebd35ef62d4ab461891bd
-
SHA256
ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249
-
SHA512
dd77759327f5bac2cbb935de95e4d9c57931a548715fb7de041d8367b4e98a0ef2476577d399ef2c84a9b2f26516abf579575949bfd7917bd83ce2f9f91fdfd1
-
SSDEEP
49152:nvzSPYPGhM06DbXnnIMgFsXK5vQxw6oO:n7SPYPG206DcMCsa5vQKPO
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Extracted
cryptbot
Signatures
-
Amadey family
-
Cryptbot family
-
Lumma family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4732 created 2712 4732 68a321b9be.exe 45 -
Xmrig family
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF e9af4c7f3b.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 68a321b9be.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e9af4c7f3b.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 475ff6d638.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe -
XMRig Miner payload 13 IoCs
resource yara_rule behavioral2/memory/3064-221-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-222-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-223-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-224-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-225-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-227-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-226-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-230-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-232-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3064-236-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3976-265-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3976-267-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral2/memory/3976-271-0x0000000140000000-0x0000000140770000-memory.dmp xmrig -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion e9af4c7f3b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 475ff6d638.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 68a321b9be.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 475ff6d638.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion e9af4c7f3b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 68a321b9be.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation skotes.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 8ff44bb8e2.exe -
Executes dropped EXE 20 IoCs
pid Process 2756 skotes.exe 2200 8ff44bb8e2.exe 3532 7z.exe 844 7z.exe 4128 7z.exe 1912 7z.exe 1312 7z.exe 2636 7z.exe 2424 7z.exe 3464 7z.exe 4900 in.exe 4732 68a321b9be.exe 4008 43cf0fb499.exe 2108 43cf0fb499.exe 1192 e9af4c7f3b.exe 3744 475ff6d638.exe 4648 skotes.exe 3556 Intel_PTT_EK_Recertification.exe 4700 skotes.exe 2348 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 68a321b9be.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine e9af4c7f3b.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine 475ff6d638.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Wine skotes.exe -
Loads dropped DLL 8 IoCs
pid Process 3532 7z.exe 844 7z.exe 4128 7z.exe 1912 7z.exe 1312 7z.exe 2636 7z.exe 2424 7z.exe 3464 7z.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid Process 4720 ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe 2756 skotes.exe 4732 68a321b9be.exe 1192 e9af4c7f3b.exe 3744 475ff6d638.exe 4648 skotes.exe 4700 skotes.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4008 set thread context of 2108 4008 43cf0fb499.exe 122 PID 3556 set thread context of 3064 3556 Intel_PTT_EK_Recertification.exe 135 PID 2348 set thread context of 3976 2348 Intel_PTT_EK_Recertification.exe 142 -
resource yara_rule behavioral2/files/0x0007000000023cc9-110.dat upx behavioral2/memory/4900-112-0x00007FF645730000-0x00007FF645BC0000-memory.dmp upx behavioral2/memory/4900-114-0x00007FF645730000-0x00007FF645BC0000-memory.dmp upx behavioral2/memory/3556-219-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp upx behavioral2/memory/3556-229-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp upx behavioral2/memory/2348-270-0x00007FF79C520000-0x00007FF79C9B0000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2468 4732 WerFault.exe 111 -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 43cf0fb499.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ff44bb8e2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 43cf0fb499.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 68a321b9be.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e9af4c7f3b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 475ff6d638.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1680 powershell.exe 4100 PING.EXE 4072 powershell.exe 3136 PING.EXE 4644 powershell.exe 3888 PING.EXE -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 3888 PING.EXE 4100 PING.EXE 3136 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1104 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 4720 ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe 4720 ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe 2756 skotes.exe 2756 skotes.exe 1680 powershell.exe 1680 powershell.exe 4732 68a321b9be.exe 4732 68a321b9be.exe 4732 68a321b9be.exe 4732 68a321b9be.exe 4732 68a321b9be.exe 4732 68a321b9be.exe 1120 svchost.exe 1120 svchost.exe 1120 svchost.exe 1120 svchost.exe 2108 43cf0fb499.exe 2108 43cf0fb499.exe 2108 43cf0fb499.exe 2108 43cf0fb499.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 1192 e9af4c7f3b.exe 3744 475ff6d638.exe 3744 475ff6d638.exe 4648 skotes.exe 4648 skotes.exe 3556 Intel_PTT_EK_Recertification.exe 4072 powershell.exe 4072 powershell.exe 2348 Intel_PTT_EK_Recertification.exe 4700 skotes.exe 4700 skotes.exe 4644 powershell.exe 4644 powershell.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeRestorePrivilege 3532 7z.exe Token: 35 3532 7z.exe Token: SeSecurityPrivilege 3532 7z.exe Token: SeSecurityPrivilege 3532 7z.exe Token: SeRestorePrivilege 844 7z.exe Token: 35 844 7z.exe Token: SeSecurityPrivilege 844 7z.exe Token: SeSecurityPrivilege 844 7z.exe Token: SeRestorePrivilege 4128 7z.exe Token: 35 4128 7z.exe Token: SeSecurityPrivilege 4128 7z.exe Token: SeSecurityPrivilege 4128 7z.exe Token: SeRestorePrivilege 1912 7z.exe Token: 35 1912 7z.exe Token: SeSecurityPrivilege 1912 7z.exe Token: SeSecurityPrivilege 1912 7z.exe Token: SeRestorePrivilege 1312 7z.exe Token: 35 1312 7z.exe Token: SeSecurityPrivilege 1312 7z.exe Token: SeSecurityPrivilege 1312 7z.exe Token: SeRestorePrivilege 2636 7z.exe Token: 35 2636 7z.exe Token: SeSecurityPrivilege 2636 7z.exe Token: SeSecurityPrivilege 2636 7z.exe Token: SeRestorePrivilege 2424 7z.exe Token: 35 2424 7z.exe Token: SeSecurityPrivilege 2424 7z.exe Token: SeSecurityPrivilege 2424 7z.exe Token: SeRestorePrivilege 3464 7z.exe Token: 35 3464 7z.exe Token: SeSecurityPrivilege 3464 7z.exe Token: SeSecurityPrivilege 3464 7z.exe Token: SeDebugPrivilege 1680 powershell.exe Token: SeLockMemoryPrivilege 3064 explorer.exe Token: SeDebugPrivilege 4072 powershell.exe Token: SeLockMemoryPrivilege 3976 explorer.exe Token: SeDebugPrivilege 4644 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4720 ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4720 wrote to memory of 2756 4720 ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe 83 PID 4720 wrote to memory of 2756 4720 ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe 83 PID 4720 wrote to memory of 2756 4720 ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe 83 PID 2756 wrote to memory of 2200 2756 skotes.exe 85 PID 2756 wrote to memory of 2200 2756 skotes.exe 85 PID 2756 wrote to memory of 2200 2756 skotes.exe 85 PID 2200 wrote to memory of 5008 2200 8ff44bb8e2.exe 86 PID 2200 wrote to memory of 5008 2200 8ff44bb8e2.exe 86 PID 5008 wrote to memory of 1896 5008 cmd.exe 88 PID 5008 wrote to memory of 1896 5008 cmd.exe 88 PID 5008 wrote to memory of 3532 5008 cmd.exe 89 PID 5008 wrote to memory of 3532 5008 cmd.exe 89 PID 5008 wrote to memory of 844 5008 cmd.exe 92 PID 5008 wrote to memory of 844 5008 cmd.exe 92 PID 5008 wrote to memory of 4128 5008 cmd.exe 93 PID 5008 wrote to memory of 4128 5008 cmd.exe 93 PID 5008 wrote to memory of 1912 5008 cmd.exe 94 PID 5008 wrote to memory of 1912 5008 cmd.exe 94 PID 5008 wrote to memory of 1312 5008 cmd.exe 95 PID 5008 wrote to memory of 1312 5008 cmd.exe 95 PID 5008 wrote to memory of 2636 5008 cmd.exe 96 PID 5008 wrote to memory of 2636 5008 cmd.exe 96 PID 5008 wrote to memory of 2424 5008 cmd.exe 97 PID 5008 wrote to memory of 2424 5008 cmd.exe 97 PID 5008 wrote to memory of 3464 5008 cmd.exe 98 PID 5008 wrote to memory of 3464 5008 cmd.exe 98 PID 5008 wrote to memory of 4736 5008 cmd.exe 99 PID 5008 wrote to memory of 4736 5008 cmd.exe 99 PID 5008 wrote to memory of 4900 5008 cmd.exe 100 PID 5008 wrote to memory of 4900 5008 cmd.exe 100 PID 4900 wrote to memory of 5092 4900 in.exe 101 PID 4900 wrote to memory of 5092 4900 in.exe 101 PID 4900 wrote to memory of 1784 4900 in.exe 102 PID 4900 wrote to memory of 1784 4900 in.exe 102 PID 4900 wrote to memory of 1104 4900 in.exe 103 PID 4900 wrote to memory of 1104 4900 in.exe 103 PID 4900 wrote to memory of 1680 4900 in.exe 104 PID 4900 wrote to memory of 1680 4900 in.exe 104 PID 1680 wrote to memory of 4100 1680 powershell.exe 109 PID 1680 wrote to memory of 4100 1680 powershell.exe 109 PID 2756 wrote to memory of 4732 2756 skotes.exe 111 PID 2756 wrote to memory of 4732 2756 skotes.exe 111 PID 2756 wrote to memory of 4732 2756 skotes.exe 111 PID 4732 wrote to memory of 1120 4732 68a321b9be.exe 116 PID 4732 wrote to memory of 1120 4732 68a321b9be.exe 116 PID 4732 wrote to memory of 1120 4732 68a321b9be.exe 116 PID 4732 wrote to memory of 1120 4732 68a321b9be.exe 116 PID 4732 wrote to memory of 1120 4732 68a321b9be.exe 116 PID 2756 wrote to memory of 4008 2756 skotes.exe 120 PID 2756 wrote to memory of 4008 2756 skotes.exe 120 PID 2756 wrote to memory of 4008 2756 skotes.exe 120 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 4008 wrote to memory of 2108 4008 43cf0fb499.exe 122 PID 2756 wrote to memory of 1192 2756 skotes.exe 128 PID 2756 wrote to memory of 1192 2756 skotes.exe 128 PID 2756 wrote to memory of 1192 2756 skotes.exe 128 PID 2756 wrote to memory of 3744 2756 skotes.exe 132 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 4736 attrib.exe 1784 attrib.exe 5092 attrib.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2712
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1120
-
-
C:\Users\Admin\AppData\Local\Temp\ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe"C:\Users\Admin\AppData\Local\Temp\ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\1016686001\8ff44bb8e2.exe"C:\Users\Admin\AppData\Local\Temp\1016686001\8ff44bb8e2.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"4⤵
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\system32\mode.commode 65,105⤵PID:1896
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4128
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1312
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3464
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"5⤵
- Views/modifies file attributes
PID:4736
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SYSTEM32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:5092
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe6⤵
- Views/modifies file attributes
PID:1784
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE6⤵
- Scheduled Task/Job: Scheduled Task
PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4100
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016687001\68a321b9be.exe"C:\Users\Admin\AppData\Local\Temp\1016687001\68a321b9be.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 5364⤵
- Program crash
PID:2468
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe"C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe"C:\Users\Admin\AppData\Local\Temp\1016688001\43cf0fb499.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2108
-
-
-
C:\Users\Admin\AppData\Local\Temp\1016689001\e9af4c7f3b.exe"C:\Users\Admin\AppData\Local\Temp\1016689001\e9af4c7f3b.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1192
-
-
C:\Users\Admin\AppData\Local\Temp\1016690001\475ff6d638.exe"C:\Users\Admin\AppData\Local\Temp\1016690001\475ff6d638.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3744
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4732 -ip 47321⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4648
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3556 -
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3136
-
-
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exeC:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4700
-
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2348 -
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3888
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
1KB
MD5828f78461e16d0b91a35d0944d51fba9
SHA10bb5286101d225afeeb6964a5c779945b7c8cc87
SHA256f8dc8f369035751dcc251e25aa8ca9a0e0e49f505a4da1d2414698d99366614c
SHA512dccd418d1dd1434382040732d1f0677b55bb3af4a763ad8db2821aa8e19f408eab71f89fa522eec66a47cb3feb4b86d5feedda4a3b3401a52b66e5db0543bc23
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
1.9MB
MD53706a6571036ab9a574a21d776a657b7
SHA12ac51df5469be87a03bd17d86759054feb215f2e
SHA25628c9f7564a7df8973c2f9a3a375955a3028d88617491ddb239768dd5e9fb77a5
SHA5124db39ee86eccb158ac9e87b9bd926f5543eef401d19169952c06e30fc0664164fc0c8db27000546ab7cede52aa36c02ad183e699d41c940c0eded3dca7e44318
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
4.2MB
MD5079795064f41b5e6be3580417649285b
SHA125f3575baaf1808837cc6cefa61e340d5f6b8352
SHA25640147209edc2604a1d653bf65890c705939237f79a43ec544dfc74343777923c
SHA512dc0ec23df0f74aa4f6ee48b1e0a8b5c70067daade43090debc504f561cf75de92893f202c1eb28fef4f6bdb420fac1cac191a01fc4bad60ba8b7ed26fbd6beec
-
Filesize
4.2MB
MD562f3849cef2ef1f8210727a558f9017b
SHA143ee32a6fca4c1182f3669a4af4dc3ab23c028b4
SHA256f7879073e27c916f86ed3da35dd0c38918abd3962c9c2b8738564e282a138ec6
SHA512bb2bfc58c096b8a71fb720d3fd04641dbce70131bd4ecf253ecd3ed4ab54302da27ad6490897f2f7c2cd9de546cba997b5921cf669bb222fb938f60d18ab4296
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.8MB
MD5bf03b982421c50b3c232a902eed53e31
SHA15f1bdec3bf5ef51e982ebd35ef62d4ab461891bd
SHA256ad8773dd53db992fecf9988cbedeea0a42e899995030766e4314fbb752b67249
SHA512dd77759327f5bac2cbb935de95e4d9c57931a548715fb7de041d8367b4e98a0ef2476577d399ef2c84a9b2f26516abf579575949bfd7917bd83ce2f9f91fdfd1
-
Filesize
1.6MB
MD572491c7b87a7c2dd350b727444f13bb4
SHA11e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA25634ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
2.2MB
MD5579a63bebccbacab8f14132f9fc31b89
SHA1fca8a51077d352741a9c1ff8a493064ef5052f27
SHA2560ac3504d5fa0460cae3c0fd9c4b628e1a65547a60563e6d1f006d17d5a6354b0
SHA5124a58ca0f392187a483b9ef652b6e8b2e60d01daa5d331549df9f359d2c0a181e975cf9df79552e3474b9d77f8e37a1cf23725f32d4cdbe4885e257a7625f7b1f
-
Filesize
1.7MB
MD55659eba6a774f9d5322f249ad989114a
SHA14bfb12aa98a1dc2206baa0ac611877b815810e4c
SHA256e04346fee15c3f98387a3641e0bba2e555a5a9b0200e4b9256b1b77094069ae4
SHA512f93abf2787b1e06ce999a0cbc67dc787b791a58f9ce20af5587b2060d663f26be9f648d116d9ca279af39299ea5d38e3c86271297e47c1438102ca28fce8edc4
-
Filesize
1.7MB
MD55404286ec7853897b3ba00adf824d6c1
SHA139e543e08b34311b82f6e909e1e67e2f4afec551
SHA256ec94a6666a3103ba6be60b92e843075a2d7fe7d30fa41099c3f3b1e2a5eba266
SHA512c4b78298c42148d393feea6c3941c48def7c92ef0e6baac99144b083937d0a80d3c15bd9a0bf40daa60919968b120d62999fa61af320e507f7e99fbfe9b9ef30
-
Filesize
1.7MB
MD55eb39ba3698c99891a6b6eb036cfb653
SHA1d2f1cdd59669f006a2f1aa9214aeed48bc88c06e
SHA256e77f5e03ae140dda27d73e1ffe43f7911e006a108cf51cbd0e05d73aa92da7c2
SHA5126c4ca20e88d49256ed9cabec0d1f2b00dfcf3d1603b5c95d158d4438c9f1e58495f8dfa200dbe7f49b5b0dd57886517eb3b98c4190484548720dad4b3db6069e
-
Filesize
1.7MB
MD57187cc2643affab4ca29d92251c96dee
SHA1ab0a4de90a14551834e12bb2c8c6b9ee517acaf4
SHA256c7e92a1af295307fb92ad534e05fba879a7cf6716f93aefca0ebfcb8cee7a830
SHA51227985d317a5c844871ffb2527d04aa50ef7442b2f00d69d5ab6bbb85cd7be1d7057ffd3151d0896f05603677c2f7361ed021eac921e012d74da049ef6949e3a3
-
Filesize
1.7MB
MD5b7d1e04629bec112923446fda5391731
SHA1814055286f963ddaa5bf3019821cb8a565b56cb8
SHA2564da77d4ee30ad0cd56cd620f4e9dc4016244ace015c5b4b43f8f37dd8e3a8789
SHA51279fc3606b0fe6a1e31a2ecacc96623caf236bf2be692dadab6ea8ffa4af4231d782094a63b76631068364ac9b6a872b02f1e080636eba40ed019c2949a8e28db
-
Filesize
1.7MB
MD50dc4014facf82aa027904c1be1d403c1
SHA15e6d6c020bfc2e6f24f3d237946b0103fe9b1831
SHA256a29ddd29958c64e0af1a848409e97401307277bb6f11777b1cfb0404a6226de7
SHA512cbeead189918657cc81e844ed9673ee8f743aed29ad9948e90afdfbecacc9c764fbdbfb92e8c8ceb5ae47cee52e833e386a304db0572c7130d1a54fd9c2cc028
-
Filesize
3.3MB
MD5cea368fc334a9aec1ecff4b15612e5b0
SHA1493d23f72731bb570d904014ffdacbba2334ce26
SHA25607e38cad68b0cdbea62f55f9bc6ee80545c2e1a39983baa222e8af788f028541
SHA512bed35a1cc56f32e0109ea5a02578489682a990b5cefa58d7cf778815254af9849e731031e824adba07c86c8425df58a1967ac84ce004c62e316a2e51a75c8748
-
Filesize
3.3MB
MD5045b0a3d5be6f10ddf19ae6d92dfdd70
SHA10387715b6681d7097d372cd0005b664f76c933c7
SHA25694b392e94fa47d1b9b7ae6a29527727268cc2e3484e818c23608f8835bc1104d
SHA51258255a755531791b888ffd9b663cc678c63d5caa932260e9546b1b10a8d54208334725c14529116b067bcf5a5e02da85e015a3bed80092b7698a43dab0168c7b
-
Filesize
1.7MB
MD583d75087c9bf6e4f07c36e550731ccde
SHA1d5ff596961cce5f03f842cfd8f27dde6f124e3ae
SHA25646db3164bebffc61c201fe1e086bffe129ddfed575e6d839ddb4f9622963fb3f
SHA512044e1f5507e92715ce9df8bb802e83157237a2f96f39bac3b6a444175f1160c4d82f41a0bcecf5feaf1c919272ed7929baef929a8c3f07deecebc44b0435164a
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd