amadey | 939310706200640f603a1fb3e6528c3a4bafa87e0d610e817a7824cf2e089bc7

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	a1600af010.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	8b03cf3ea5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	397181413d.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
44	1744	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1584	powershell.exe
2068	powershell.exe
3000	powershell.exe
1888	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1600af010.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8b03cf3ea5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	397181413d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	397181413d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1600af010.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8b03cf3ea5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	vQeyqr1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	vQeyqr1.exe

Executes dropped EXE 10 IoCs

pid	Process
2868	skotes.exe
1928	KDLBJP7.exe
2724	systemetape.exe
1660	WEX7mCI.exe
328	Gxtuum.exe
628	vQeyqr1.exe
1600	a1600af010.exe
2060	8b03cf3ea5.exe
1152	5ddc9415f3.exe
1716	397181413d.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	a1600af010.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	8b03cf3ea5.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	397181413d.exe

Loads dropped DLL 17 IoCs

pid	Process
1872	file.exe
2868	skotes.exe
2868	skotes.exe
2868	skotes.exe
1660	WEX7mCI.exe
2868	skotes.exe
2868	skotes.exe
2868	skotes.exe
2868	skotes.exe
2868	skotes.exe
2868	skotes.exe
1744	rundll32.exe
1744	rundll32.exe
1744	rundll32.exe
1744	rundll32.exe
2868	skotes.exe
2868	skotes.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1600af010.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019311001\\a1600af010.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	vQeyqr1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b03cf3ea5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019312001\\8b03cf3ea5.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\5ddc9415f3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019313001\\5ddc9415f3.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\397181413d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019314001\\397181413d.exe"	skotes.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
126	pastebin.com
127	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0005000000019423-1356.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1872	file.exe
2868	skotes.exe
1600	a1600af010.exe
2060	8b03cf3ea5.exe
1716	397181413d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	WEX7mCI.exe
File created	C:\Windows\Tasks\skotes.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systemetape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1600af010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ddc9415f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	5ddc9415f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	397181413d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WEX7mCI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b03cf3ea5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	5ddc9415f3.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
848	taskkill.exe
1536	taskkill.exe
916	taskkill.exe
1048	taskkill.exe
2532	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	a1600af010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	a1600af010.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	a1600af010.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2568	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
628	vQeyqr1.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1872	file.exe
2868	skotes.exe
1888	powershell.exe
1600	a1600af010.exe
1584	powershell.exe
2068	powershell.exe
3000	powershell.exe
628	vQeyqr1.exe
2060	8b03cf3ea5.exe
1152	5ddc9415f3.exe
1716	397181413d.exe
1152	5ddc9415f3.exe
1716	397181413d.exe
1716	397181413d.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	systemetape.exe
Token: SeDebugPrivilege	628	vQeyqr1.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	628	vQeyqr1.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	2344	firefox.exe
Token: SeDebugPrivilege	2344	firefox.exe
Token: SeDebugPrivilege	1716	397181413d.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
1872	file.exe
1660	WEX7mCI.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
2344	firefox.exe
2344	firefox.exe
2344	firefox.exe
2344	firefox.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
2344	firefox.exe
2344	firefox.exe
2344	firefox.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe
1152	5ddc9415f3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
628	vQeyqr1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2868	1872	file.exe	30
PID 1872 wrote to memory of 2868	1872	file.exe	30
PID 1872 wrote to memory of 2868	1872	file.exe	30
PID 1872 wrote to memory of 2868	1872	file.exe	30
PID 2868 wrote to memory of 1928	2868	skotes.exe	33
PID 2868 wrote to memory of 1928	2868	skotes.exe	33
PID 2868 wrote to memory of 1928	2868	skotes.exe	33
PID 2868 wrote to memory of 1928	2868	skotes.exe	33
PID 2868 wrote to memory of 2724	2868	skotes.exe	34
PID 2868 wrote to memory of 2724	2868	skotes.exe	34
PID 2868 wrote to memory of 2724	2868	skotes.exe	34
PID 2868 wrote to memory of 2724	2868	skotes.exe	34
PID 2868 wrote to memory of 1660	2868	skotes.exe	35
PID 2868 wrote to memory of 1660	2868	skotes.exe	35
PID 2868 wrote to memory of 1660	2868	skotes.exe	35
PID 2868 wrote to memory of 1660	2868	skotes.exe	35
PID 1660 wrote to memory of 328	1660	WEX7mCI.exe	36
PID 1660 wrote to memory of 328	1660	WEX7mCI.exe	36
PID 1660 wrote to memory of 328	1660	WEX7mCI.exe	36
PID 1660 wrote to memory of 328	1660	WEX7mCI.exe	36
PID 2868 wrote to memory of 628	2868	skotes.exe	37
PID 2868 wrote to memory of 628	2868	skotes.exe	37
PID 2868 wrote to memory of 628	2868	skotes.exe	37
PID 2868 wrote to memory of 628	2868	skotes.exe	37
PID 628 wrote to memory of 1888	628	vQeyqr1.exe	39
PID 628 wrote to memory of 1888	628	vQeyqr1.exe	39
PID 628 wrote to memory of 1888	628	vQeyqr1.exe	39
PID 2868 wrote to memory of 1600	2868	skotes.exe	41
PID 2868 wrote to memory of 1600	2868	skotes.exe	41
PID 2868 wrote to memory of 1600	2868	skotes.exe	41
PID 2868 wrote to memory of 1600	2868	skotes.exe	41
PID 628 wrote to memory of 1584	628	vQeyqr1.exe	43
PID 628 wrote to memory of 1584	628	vQeyqr1.exe	43
PID 628 wrote to memory of 1584	628	vQeyqr1.exe	43
PID 628 wrote to memory of 2068	628	vQeyqr1.exe	45
PID 628 wrote to memory of 2068	628	vQeyqr1.exe	45
PID 628 wrote to memory of 2068	628	vQeyqr1.exe	45
PID 628 wrote to memory of 3000	628	vQeyqr1.exe	47
PID 628 wrote to memory of 3000	628	vQeyqr1.exe	47
PID 628 wrote to memory of 3000	628	vQeyqr1.exe	47
PID 628 wrote to memory of 2568	628	vQeyqr1.exe	49
PID 628 wrote to memory of 2568	628	vQeyqr1.exe	49
PID 628 wrote to memory of 2568	628	vQeyqr1.exe	49
PID 2868 wrote to memory of 2060	2868	skotes.exe	51
PID 2868 wrote to memory of 2060	2868	skotes.exe	51
PID 2868 wrote to memory of 2060	2868	skotes.exe	51
PID 2868 wrote to memory of 2060	2868	skotes.exe	51
PID 2868 wrote to memory of 1152	2868	skotes.exe	52
PID 2868 wrote to memory of 1152	2868	skotes.exe	52
PID 2868 wrote to memory of 1152	2868	skotes.exe	52
PID 2868 wrote to memory of 1152	2868	skotes.exe	52
PID 1152 wrote to memory of 848	1152	5ddc9415f3.exe	53
PID 1152 wrote to memory of 848	1152	5ddc9415f3.exe	53
PID 1152 wrote to memory of 848	1152	5ddc9415f3.exe	53
PID 1152 wrote to memory of 848	1152	5ddc9415f3.exe	53
PID 1152 wrote to memory of 1536	1152	5ddc9415f3.exe	55
PID 1152 wrote to memory of 1536	1152	5ddc9415f3.exe	55
PID 1152 wrote to memory of 1536	1152	5ddc9415f3.exe	55
PID 1152 wrote to memory of 1536	1152	5ddc9415f3.exe	55
PID 1152 wrote to memory of 916	1152	5ddc9415f3.exe	57
PID 1152 wrote to memory of 916	1152	5ddc9415f3.exe	57
PID 1152 wrote to memory of 916	1152	5ddc9415f3.exe	57
PID 1152 wrote to memory of 916	1152	5ddc9415f3.exe	57
PID 1152 wrote to memory of 1048	1152	5ddc9415f3.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\1018586001\KDLBJP7.exe
    "C:\Users\Admin\AppData\Local\Temp\1018586001\KDLBJP7.exe"
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\1018676001\systemetape.exe
    "C:\Users\Admin\AppData\Local\Temp\1018676001\systemetape.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\1018833001\WEX7mCI.exe
    "C:\Users\Admin\AppData\Local\Temp\1018833001\WEX7mCI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\e458d263c0\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\e458d263c0\Gxtuum.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:328
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\48cb35e3030a2b\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1744
- - C:\Users\Admin\AppData\Local\Temp\1018897001\vQeyqr1.exe
    "C:\Users\Admin\AppData\Local\Temp\1018897001\vQeyqr1.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1018897001\vQeyqr1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vQeyqr1.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3000
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2568
- - C:\Users\Admin\AppData\Local\Temp\1019311001\a1600af010.exe
    "C:\Users\Admin\AppData\Local\Temp\1019311001\a1600af010.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\1019312001\8b03cf3ea5.exe
    "C:\Users\Admin\AppData\Local\Temp\1019312001\8b03cf3ea5.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\1019313001\5ddc9415f3.exe
    "C:\Users\Admin\AppData\Local\Temp\1019313001\5ddc9415f3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:916
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2532
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:108
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2344
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.0.1043321534\800340645" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1236 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c55085d9-2356-4155-be7d-328c174f77c9} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 1332 106d6b58 gpu
        6⤵
        
        PID:2524
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.1.1037602703\696430570" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8398a1a4-76a3-40fc-93b0-d44b8fab8c74} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 1548 f4eb558 socket
        6⤵
        
        PID:2736
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.2.2042377034\1997423445" -childID 1 -isForBrowser -prefsHandle 1968 -prefMapHandle 1964 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74a3c62b-472c-427e-9394-e9d88021ddd8} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 2000 1065f158 tab
        6⤵
        
        PID:2096
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.3.1321080278\570791553" -childID 2 -isForBrowser -prefsHandle 2620 -prefMapHandle 2616 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e82ba24-54f2-4e64-ab64-58395b60f50c} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 2636 e5fc58 tab
        6⤵
        
        PID:1256
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.4.338108986\1260960734" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3624 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1694d244-1fce-4ed2-978c-a276a50a2472} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 3660 1ecf8e58 tab
        6⤵
        
        PID:3364
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.5.1469247502\417249430" -childID 4 -isForBrowser -prefsHandle 3784 -prefMapHandle 3788 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d584064b-0eeb-4369-8c0e-68f3d3aaacb4} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 3776 1ecfa658 tab
        6⤵
        
        PID:3372
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2344.6.1944299746\1748047627" -childID 5 -isForBrowser -prefsHandle 3932 -prefMapHandle 3936 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 568 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3c133c0-9e03-4b46-a87b-3d120449a62a} 2344 "\\.\pipe\gecko-crash-server-pipe.2344" 3692 1ecfac58 tab
        6⤵
        
        PID:3408
- - C:\Users\Admin\AppData\Local\Temp\1019314001\397181413d.exe
    "C:\Users\Admin\AppData\Local\Temp\1019314001\397181413d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\1019315001\6d676c83a2.exe
    "C:\Users\Admin\AppData\Local\Temp\1019315001\6d676c83a2.exe"
    3⤵
    PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion