amadey | 50df2efc36116c3304f57dbc7d5f6ef6adef582e53f0662b2dac87f8757f1ced

Virtualization/Sandbox Evasion

credential_access stealer

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aa883f75bff0257a0fefd5d8d20c6297.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe
1004	powershell.exe
2984	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
5	2800	skotes.exe
5	2800	skotes.exe
5	2800	skotes.exe

Uses browser remote debugging 2 TTPs 4 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

Steal Web Session Cookie

T1539

Modify Authentication Process

pid	Process
1320	chrome.exe
1832	chrome.exe
2540	chrome.exe
556	chrome.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000600000001739a-66.dat	net_reactor
behavioral1/memory/876-76-0x0000000000BD0000-0x0000000000CB8000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa883f75bff0257a0fefd5d8d20c6297.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aa883f75bff0257a0fefd5d8d20c6297.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bjkm5hE.exe

Executes dropped EXE 6 IoCs

pid	Process
2800	skotes.exe
1848	hLbU8qp.exe
876	PNYmoTn.exe
2080	PNYmoTn.exe
2016	Bjkm5hE.exe
2760	WveK4j1.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	aa883f75bff0257a0fefd5d8d20c6297.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	Bjkm5hE.exe

Loads dropped DLL 13 IoCs

pid	Process
2056	aa883f75bff0257a0fefd5d8d20c6297.exe
2056	aa883f75bff0257a0fefd5d8d20c6297.exe
2800	skotes.exe
2800	skotes.exe
2800	skotes.exe
876	PNYmoTn.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
2800	skotes.exe
2800	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
39	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2056	aa883f75bff0257a0fefd5d8d20c6297.exe
2800	skotes.exe
2016	Bjkm5hE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 876 set thread context of 2080	876	PNYmoTn.exe	35

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016cd3-43.dat	upx
behavioral1/memory/2800-54-0x00000000066B0000-0x0000000006ED1000-memory.dmp	upx
behavioral1/memory/1848-55-0x000000013F950000-0x0000000140171000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	aa883f75bff0257a0fefd5d8d20c6297.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1296	876	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNYmoTn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNYmoTn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa883f75bff0257a0fefd5d8d20c6297.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bjkm5hE.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

defense_evasion spyware trojan

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Bjkm5hE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Bjkm5hE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Bjkm5hE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Bjkm5hE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Bjkm5hE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Bjkm5hE.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2056	aa883f75bff0257a0fefd5d8d20c6297.exe
2800	skotes.exe
2080	PNYmoTn.exe
2080	PNYmoTn.exe
2080	PNYmoTn.exe
2080	PNYmoTn.exe
2984	powershell.exe
2016	Bjkm5hE.exe
2376	powershell.exe
1004	powershell.exe
2016	Bjkm5hE.exe
2016	Bjkm5hE.exe
1832	chrome.exe
1832	chrome.exe
2016	Bjkm5hE.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe
Token: SeShutdownPrivilege	1832	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2056	aa883f75bff0257a0fefd5d8d20c6297.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe
1832	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2800	2056	aa883f75bff0257a0fefd5d8d20c6297.exe	30
PID 2056 wrote to memory of 2800	2056	aa883f75bff0257a0fefd5d8d20c6297.exe	30
PID 2056 wrote to memory of 2800	2056	aa883f75bff0257a0fefd5d8d20c6297.exe	30
PID 2056 wrote to memory of 2800	2056	aa883f75bff0257a0fefd5d8d20c6297.exe	30
PID 2800 wrote to memory of 1848	2800	skotes.exe	33
PID 2800 wrote to memory of 1848	2800	skotes.exe	33
PID 2800 wrote to memory of 1848	2800	skotes.exe	33
PID 2800 wrote to memory of 1848	2800	skotes.exe	33
PID 2800 wrote to memory of 876	2800	skotes.exe	34
PID 2800 wrote to memory of 876	2800	skotes.exe	34
PID 2800 wrote to memory of 876	2800	skotes.exe	34
PID 2800 wrote to memory of 876	2800	skotes.exe	34
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 2080	876	PNYmoTn.exe	35
PID 876 wrote to memory of 1296	876	PNYmoTn.exe	36
PID 876 wrote to memory of 1296	876	PNYmoTn.exe	36
PID 876 wrote to memory of 1296	876	PNYmoTn.exe	36
PID 876 wrote to memory of 1296	876	PNYmoTn.exe	36
PID 2800 wrote to memory of 2984	2800	skotes.exe	38
PID 2800 wrote to memory of 2984	2800	skotes.exe	38
PID 2800 wrote to memory of 2984	2800	skotes.exe	38
PID 2800 wrote to memory of 2984	2800	skotes.exe	38
PID 2800 wrote to memory of 2016	2800	skotes.exe	40
PID 2800 wrote to memory of 2016	2800	skotes.exe	40
PID 2800 wrote to memory of 2016	2800	skotes.exe	40
PID 2800 wrote to memory of 2016	2800	skotes.exe	40
PID 2800 wrote to memory of 2760	2800	skotes.exe	42
PID 2800 wrote to memory of 2760	2800	skotes.exe	42
PID 2800 wrote to memory of 2760	2800	skotes.exe	42
PID 2800 wrote to memory of 2760	2800	skotes.exe	42
PID 2760 wrote to memory of 2608	2760	WveK4j1.exe	44
PID 2760 wrote to memory of 2608	2760	WveK4j1.exe	44
PID 2760 wrote to memory of 2608	2760	WveK4j1.exe	44
PID 2760 wrote to memory of 2096	2760	WveK4j1.exe	45
PID 2760 wrote to memory of 2096	2760	WveK4j1.exe	45
PID 2760 wrote to memory of 2096	2760	WveK4j1.exe	45
PID 2760 wrote to memory of 2576	2760	WveK4j1.exe	46
PID 2760 wrote to memory of 2576	2760	WveK4j1.exe	46
PID 2760 wrote to memory of 2576	2760	WveK4j1.exe	46
PID 2760 wrote to memory of 2300	2760	WveK4j1.exe	47
PID 2760 wrote to memory of 2300	2760	WveK4j1.exe	47
PID 2760 wrote to memory of 2300	2760	WveK4j1.exe	47
PID 2760 wrote to memory of 2272	2760	WveK4j1.exe	48
PID 2760 wrote to memory of 2272	2760	WveK4j1.exe	48
PID 2760 wrote to memory of 2272	2760	WveK4j1.exe	48
PID 2760 wrote to memory of 2252	2760	WveK4j1.exe	49
PID 2760 wrote to memory of 2252	2760	WveK4j1.exe	49
PID 2760 wrote to memory of 2252	2760	WveK4j1.exe	49
PID 2760 wrote to memory of 2452	2760	WveK4j1.exe	50
PID 2760 wrote to memory of 2452	2760	WveK4j1.exe	50
PID 2760 wrote to memory of 2452	2760	WveK4j1.exe	50
PID 2760 wrote to memory of 1512	2760	WveK4j1.exe	51
PID 2760 wrote to memory of 1512	2760	WveK4j1.exe	51
PID 2760 wrote to memory of 1512	2760	WveK4j1.exe	51
PID 2760 wrote to memory of 680	2760	WveK4j1.exe	52
PID 2760 wrote to memory of 680	2760	WveK4j1.exe	52

C:\Users\Admin\AppData\Local\Temp\aa883f75bff0257a0fefd5d8d20c6297.exe
"C:\Users\Admin\AppData\Local\Temp\aa883f75bff0257a0fefd5d8d20c6297.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\1075543001\hLbU8qp.exe
    "C:\Users\Admin\AppData\Local\Temp\1075543001\hLbU8qp.exe"
    3⤵
    - Executes dropped EXE
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\1075544001\PNYmoTn.exe
    "C:\Users\Admin\AppData\Local\Temp\1075544001\PNYmoTn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Users\Admin\AppData\Local\Temp\1075544001\PNYmoTn.exe
      "C:\Users\Admin\AppData\Local\Temp\1075544001\PNYmoTn.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 516
      4⤵
      Loads dropped DLL
      Program crash
      PID:1296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1075545041\tYliuwV.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\1075546001\Bjkm5hE.exe
    "C:\Users\Admin\AppData\Local\Temp\1075546001\Bjkm5hE.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      4⤵
      Uses browser remote debugging
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6659758,0x7fef6659768,0x7fef6659778
        5⤵
        
        PID:2936
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:2112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:2
        5⤵
        
        PID:620
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1488 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:8
        5⤵
        
        PID:572
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:8
        5⤵
        
        PID:1568
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2176 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:2540
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2184 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1516 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:2
        5⤵
        
        PID:2964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1300 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:1320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3500 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:8
        5⤵
        
        PID:2872
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:8
        5⤵
        
        PID:1644
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 --field-trial-handle=1288,i,15516208045283667620,6681232572801861267,131072 /prefetch:8
        5⤵
        
        PID:2216
- - C:\Users\Admin\AppData\Local\Temp\1075547001\WveK4j1.exe
    "C:\Users\Admin\AppData\Local\Temp\1075547001\WveK4j1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\HGRBC'"
      4⤵
      PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\HGRBC'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      PID:1644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Modify Authentication Process

Privilege Escalation

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion