amadey | 04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2025 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
Size

2.0MB
MD5

190126600c4f0d6f6f75c7bd47081ce9
SHA1

7fce3c146cb29413dcbe133013f7bf760fb3d6d1
SHA256

04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825
SHA512

8ee42e579c04a085bca667cc797b07fe63e26d5379f95d15471c877f26e5f22fb478986c717ecb1871ccbb2758eea7f523f7ce0ab2231b358a17d41223f73384
SSDEEP

49152:vD3uuvkus0w3aGun/cPBdj4i0XP3U5IX+3VfQ:vwqGdcJJX+lfQ

Score

10^/10

amadey 9c9aa5 defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\2RT.exe,"	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4940	powershell.exe
3452	powershell.exe
2956	powershell.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
16	3104	skotes.exe
16	3104	skotes.exe
60	4476	Process not Found
44	1412	JvrVglO.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	JvrVglO.exe

Executes dropped EXE 7 IoCs

pid	Process
3104	skotes.exe
3704	skotes.exe
1412	JvrVglO.exe
4452	skotes.exe
2580	pw4Aadp.exe
3980	2RT.exe
4260	skotes.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Wine	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
Key opened	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Wine	skotes.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\DZURP\\bot.exe"	JvrVglO.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
4940	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
3104	skotes.exe
3704	skotes.exe
4452	skotes.exe
4260	skotes.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2RT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pw4Aadp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1712	cmd.exe
3328	PING.EXE
5032	cmd.exe
1312	PING.EXE
1544	PING.EXE
3848	MicrosoftEdgeUpdate.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3328	PING.EXE
1312	PING.EXE
1544	PING.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
4940	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
4940	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
3104	skotes.exe
3104	skotes.exe
3704	skotes.exe
3704	skotes.exe
4940	powershell.exe
4940	powershell.exe
3452	powershell.exe
3452	powershell.exe
2956	powershell.exe
2956	powershell.exe
4452	skotes.exe
4452	skotes.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
2580	pw4Aadp.exe
3980	2RT.exe
3980	2RT.exe
3980	2RT.exe
4260	skotes.exe
4260	skotes.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2580	pw4Aadp.exe
Token: SeDebugPrivilege	3980	2RT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3104	4940	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe	92
PID 4940 wrote to memory of 3104	4940	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe	92
PID 4940 wrote to memory of 3104	4940	04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe	92
PID 3104 wrote to memory of 1412	3104	skotes.exe	95
PID 3104 wrote to memory of 1412	3104	skotes.exe	95
PID 1412 wrote to memory of 1164	1412	JvrVglO.exe	97
PID 1412 wrote to memory of 1164	1412	JvrVglO.exe	97
PID 1412 wrote to memory of 4664	1412	JvrVglO.exe	102
PID 1412 wrote to memory of 4664	1412	JvrVglO.exe	102
PID 1412 wrote to memory of 672	1412	JvrVglO.exe	103
PID 1412 wrote to memory of 672	1412	JvrVglO.exe	103
PID 1412 wrote to memory of 3716	1412	JvrVglO.exe	104
PID 1412 wrote to memory of 3716	1412	JvrVglO.exe	104
PID 1412 wrote to memory of 4768	1412	JvrVglO.exe	105
PID 1412 wrote to memory of 4768	1412	JvrVglO.exe	105
PID 1412 wrote to memory of 2928	1412	JvrVglO.exe	106
PID 1412 wrote to memory of 2928	1412	JvrVglO.exe	106
PID 1412 wrote to memory of 4760	1412	JvrVglO.exe	107
PID 1412 wrote to memory of 4760	1412	JvrVglO.exe	107
PID 1412 wrote to memory of 3768	1412	JvrVglO.exe	108
PID 1412 wrote to memory of 3768	1412	JvrVglO.exe	108
PID 1412 wrote to memory of 5084	1412	JvrVglO.exe	109
PID 1412 wrote to memory of 5084	1412	JvrVglO.exe	109
PID 1412 wrote to memory of 2332	1412	JvrVglO.exe	110
PID 1412 wrote to memory of 2332	1412	JvrVglO.exe	110
PID 1412 wrote to memory of 4608	1412	JvrVglO.exe	111
PID 1412 wrote to memory of 4608	1412	JvrVglO.exe	111
PID 1412 wrote to memory of 4040	1412	JvrVglO.exe	112
PID 1412 wrote to memory of 4040	1412	JvrVglO.exe	112
PID 1412 wrote to memory of 3612	1412	JvrVglO.exe	113
PID 1412 wrote to memory of 3612	1412	JvrVglO.exe	113
PID 1412 wrote to memory of 4440	1412	JvrVglO.exe	114
PID 1412 wrote to memory of 4440	1412	JvrVglO.exe	114
PID 1412 wrote to memory of 3528	1412	JvrVglO.exe	115
PID 1412 wrote to memory of 3528	1412	JvrVglO.exe	115
PID 1412 wrote to memory of 3164	1412	JvrVglO.exe	116
PID 1412 wrote to memory of 3164	1412	JvrVglO.exe	116
PID 1412 wrote to memory of 3468	1412	JvrVglO.exe	117
PID 1412 wrote to memory of 3468	1412	JvrVglO.exe	117
PID 3468 wrote to memory of 4940	3468	cmd.exe	118
PID 3468 wrote to memory of 4940	3468	cmd.exe	118
PID 1412 wrote to memory of 4860	1412	JvrVglO.exe	119
PID 1412 wrote to memory of 4860	1412	JvrVglO.exe	119
PID 4860 wrote to memory of 3452	4860	cmd.exe	120
PID 4860 wrote to memory of 3452	4860	cmd.exe	120
PID 1412 wrote to memory of 1616	1412	JvrVglO.exe	121
PID 1412 wrote to memory of 1616	1412	JvrVglO.exe	121
PID 1616 wrote to memory of 2956	1616	cmd.exe	122
PID 1616 wrote to memory of 2956	1616	cmd.exe	122
PID 3104 wrote to memory of 2580	3104	skotes.exe	129
PID 3104 wrote to memory of 2580	3104	skotes.exe	129
PID 3104 wrote to memory of 2580	3104	skotes.exe	129
PID 2580 wrote to memory of 1712	2580	pw4Aadp.exe	130
PID 2580 wrote to memory of 1712	2580	pw4Aadp.exe	130
PID 2580 wrote to memory of 1712	2580	pw4Aadp.exe	130
PID 1712 wrote to memory of 3328	1712	cmd.exe	132
PID 1712 wrote to memory of 3328	1712	cmd.exe	132
PID 1712 wrote to memory of 3328	1712	cmd.exe	132
PID 2580 wrote to memory of 5032	2580	pw4Aadp.exe	133
PID 2580 wrote to memory of 5032	2580	pw4Aadp.exe	133
PID 2580 wrote to memory of 5032	2580	pw4Aadp.exe	133
PID 5032 wrote to memory of 1312	5032	cmd.exe	135
PID 5032 wrote to memory of 1312	5032	cmd.exe	135
PID 5032 wrote to memory of 1312	5032	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe
"C:\Users\Admin\AppData\Local\Temp\04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Users\Admin\AppData\Local\Temp\1081958001\JvrVglO.exe
    "C:\Users\Admin\AppData\Local\Temp\1081958001\JvrVglO.exe"
    3⤵
    - Downloads MZ/PE file
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:5084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\DZURP'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\DZURP'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\ProgramData'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
- - C:\Users\Admin\AppData\Local\Temp\1081961001\pw4Aadp.exe
    "C:\Users\Admin\AppData\Local\Temp\1081961001\pw4Aadp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\2RT.exe,"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 7
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\2RT.exe,"
        5⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\AppData\Local\Temp\1081961001\pw4Aadp.exe" "C:\Users\Admin\AppData\Local\2RT.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\AppData\Local\2RT.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1312
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 9
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1544
    - - C:\Users\Admin\AppData\Local\2RT.exe
        
        "C:\Users\Admin\AppData\Local\2RT.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        6⤵
        
        PID:3324

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDY1MkQ3QTctQzY2Ri00ODYyLThCMzItQjI5RTAwM0ExNDZCfSIgdXNlcmlkPSJ7RjY4Mzk0NTQtMjg5MC00RjYyLUEwQ0MtMUFCMDlGMkM2QzRDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MUQwRDlEMkUtNDM0MC00NUNELTlEMDYtMkQ2NUM0MEQ0RjczfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTY1MTgzNzA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3848

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DZURP\bot.exe

Filesize
960KB

MD5
375acb216c0b19388acecc9a8430aa94

SHA1
1c65072aecea02193beddb520b9bce24d73dbef8

SHA256
96dd5fe2277017a8ea3f98ca5f0467bb7e66cd4285a17e542257ad3783ee0ced

SHA512
dfe43fb64a9e0a104f97b01410f00ba256473bbafb12cdafa7e01a9e6d2a64e0bbe3f7c30b3c71061c13f31299eccfcdcb9930086ded96128b5a4a3488e4c89c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\1081958001\JvrVglO.exe

Filesize
232KB

MD5
61df5bd677361765915aeee63c6b2b32

SHA1
b95821e718908535903ae4e9aee850af22a63206

SHA256
0d8a94a6639ce0c091363a25f027df4d30bb0b6d9d8a3039e931ad1f5c629480

SHA512
17e1d6860b74b159614dad61744c883469b7e8b3d4dd4c25e9ba64de5f2f1c2dcc213d581d5b1295b2d95f1e74cf89cbe96dcdec854e203a83cd173a9366c7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1081961001\pw4Aadp.exe

Filesize
2.7MB

MD5
3c0f3b5a806b49842bb68a75dd254373

SHA1
b3cd40b68570f86be8321874f286ed0236706a3e

SHA256
4c3ab36ffe8753174e59c0aabb096e16a24dd89cad762317851e76c250dac1cc

SHA512
c03233c5e7be93709c0d83333d065175a56a71325cda9990232afd24814b1f9b850ec657084fadd6f893d432ec504a7dba976e9dfdc6124afe1a5cf915fb26a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bp2bedds.tvf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.0MB

MD5
190126600c4f0d6f6f75c7bd47081ce9

SHA1
7fce3c146cb29413dcbe133013f7bf760fb3d6d1

SHA256
04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825

SHA512
8ee42e579c04a085bca667cc797b07fe63e26d5379f95d15471c877f26e5f22fb478986c717ecb1871ccbb2758eea7f523f7ce0ab2231b358a17d41223f73384

Download Submit
memory/2580-129-0x0000000005630000-0x0000000005984000-memory.dmp

Filesize
3.3MB

Download
memory/2580-127-0x0000000000A60000-0x0000000000D1A000-memory.dmp

Filesize
2.7MB

Download
memory/2580-134-0x0000000005D70000-0x0000000005D7A000-memory.dmp

Filesize
40KB

Download
memory/2580-133-0x0000000006260000-0x0000000006804000-memory.dmp

Filesize
5.6MB

Download
memory/2580-132-0x0000000005AD0000-0x0000000005B12000-memory.dmp

Filesize
264KB

Download
memory/2580-131-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/2580-130-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/2580-128-0x0000000005570000-0x000000000560C000-memory.dmp

Filesize
624KB

Download
memory/3104-102-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-20-0x0000000000131000-0x0000000000199000-memory.dmp

Filesize
416KB

Download
memory/3104-155-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-152-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-147-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-144-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-50-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-22-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-23-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-19-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-24-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-25-0x0000000000131000-0x0000000000199000-memory.dmp

Filesize
416KB

Download
memory/3104-89-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-100-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-101-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-21-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-103-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-26-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-107-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-108-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3104-28-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3704-34-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3704-31-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3704-32-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3704-30-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/3980-154-0x000000000A240000-0x000000000A246000-memory.dmp

Filesize
24KB

Download
memory/3980-153-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/3980-151-0x0000000005620000-0x0000000005974000-memory.dmp

Filesize
3.3MB

Download
memory/4260-157-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/4452-106-0x0000000000130000-0x00000000005DE000-memory.dmp

Filesize
4.7MB

Download
memory/4940-5-0x0000000000E40000-0x00000000012EE000-memory.dmp

Filesize
4.7MB

Download
memory/4940-17-0x0000000000E40000-0x00000000012EE000-memory.dmp

Filesize
4.7MB

Download
memory/4940-1-0x0000000077424000-0x0000000077426000-memory.dmp

Filesize
8KB

Download
memory/4940-51-0x000001D5663C0000-0x000001D5663E2000-memory.dmp

Filesize
136KB

Download
memory/4940-18-0x0000000000E41000-0x0000000000EA9000-memory.dmp

Filesize
416KB

Download
memory/4940-2-0x0000000000E41000-0x0000000000EA9000-memory.dmp

Filesize
416KB

Download
memory/4940-3-0x0000000000E40000-0x00000000012EE000-memory.dmp

Filesize
4.7MB

Download
memory/4940-0-0x0000000000E40000-0x00000000012EE000-memory.dmp

Filesize
4.7MB

Download