amadey | 61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
Size

2.1MB
MD5

d8245fcdf409ff44a3f14f197ef933b5
SHA1

e1e5e2ec2a6e186f1d57a824dd021b4d17295b74
SHA256

61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9
SHA512

a261cbceb50107c7818f3790a1f9abd41f68435e8828f9c760308abf5b5fd6a7267040fe2941115923ba7b6aee5f54211cafa16e920b3fb2367bcacd0c658f16
SSDEEP

49152:0vRx7KuH1YMQVw6BvdjAmmjsZUjDY/FhKygISz3NaBvY:0/muH1YvVwevdjiwZUjDYtZg7cO

Score

10^/10

amadey gcleaner stealc 9c9aa5 reno defense_evasion discovery loader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	64e3f97605.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e79875d627.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5037f90281.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f7a11e508d.exe

Downloads MZ/PE file 6 IoCs

flow	pid	Process
11	536	skotes.exe
11	536	skotes.exe
14	536	skotes.exe
32	1192	BitLockerToGo.exe
34	1252	BitLockerToGo.exe
5	536	skotes.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64e3f97605.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	64e3f97605.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e79875d627.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5037f90281.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f7a11e508d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e79875d627.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5037f90281.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f7a11e508d.exe

Executes dropped EXE 8 IoCs

pid	Process
536	skotes.exe
1716	36bb345892.exe
1476	154c8dde98.exe
1308	b9fdc26767.exe
2584	64e3f97605.exe
2488	e79875d627.exe
2308	5037f90281.exe
1908	f7a11e508d.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	64e3f97605.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	e79875d627.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	5037f90281.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	f7a11e508d.exe

Loads dropped DLL 16 IoCs

pid	Process
2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
536	skotes.exe
1192	BitLockerToGo.exe
1252	BitLockerToGo.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\64e3f97605.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091929001\\64e3f97605.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\e79875d627.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091930001\\e79875d627.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\5037f90281.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091931001\\5037f90281.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\f7a11e508d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091932001\\f7a11e508d.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
536	skotes.exe
2584	64e3f97605.exe
2488	e79875d627.exe
2308	5037f90281.exe
1908	f7a11e508d.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 1192	2308	5037f90281.exe	41
PID 1908 set thread context of 1252	1908	f7a11e508d.exe	44
PID 1716 set thread context of 2968	1716	36bb345892.exe	42

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bb345892.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64e3f97605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7a11e508d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	154c8dde98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e79875d627.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5037f90281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	154c8dde98.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	154c8dde98.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	154c8dde98.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
536	skotes.exe
1476	154c8dde98.exe
1476	154c8dde98.exe
1476	154c8dde98.exe
1476	154c8dde98.exe
2584	64e3f97605.exe
2584	64e3f97605.exe
2584	64e3f97605.exe
2584	64e3f97605.exe
2584	64e3f97605.exe
2488	e79875d627.exe
2308	5037f90281.exe
1908	f7a11e508d.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 536	2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe	30
PID 2320 wrote to memory of 536	2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe	30
PID 2320 wrote to memory of 536	2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe	30
PID 2320 wrote to memory of 536	2320	61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe	30
PID 536 wrote to memory of 1716	536	skotes.exe	33
PID 536 wrote to memory of 1716	536	skotes.exe	33
PID 536 wrote to memory of 1716	536	skotes.exe	33
PID 536 wrote to memory of 1716	536	skotes.exe	33
PID 536 wrote to memory of 1476	536	skotes.exe	34
PID 536 wrote to memory of 1476	536	skotes.exe	34
PID 536 wrote to memory of 1476	536	skotes.exe	34
PID 536 wrote to memory of 1476	536	skotes.exe	34
PID 536 wrote to memory of 1308	536	skotes.exe	35
PID 536 wrote to memory of 1308	536	skotes.exe	35
PID 536 wrote to memory of 1308	536	skotes.exe	35
PID 536 wrote to memory of 1308	536	skotes.exe	35
PID 536 wrote to memory of 2584	536	skotes.exe	36
PID 536 wrote to memory of 2584	536	skotes.exe	36
PID 536 wrote to memory of 2584	536	skotes.exe	36
PID 536 wrote to memory of 2584	536	skotes.exe	36
PID 536 wrote to memory of 2488	536	skotes.exe	38
PID 536 wrote to memory of 2488	536	skotes.exe	38
PID 536 wrote to memory of 2488	536	skotes.exe	38
PID 536 wrote to memory of 2488	536	skotes.exe	38
PID 536 wrote to memory of 2308	536	skotes.exe	39
PID 536 wrote to memory of 2308	536	skotes.exe	39
PID 536 wrote to memory of 2308	536	skotes.exe	39
PID 536 wrote to memory of 2308	536	skotes.exe	39
PID 536 wrote to memory of 1908	536	skotes.exe	40
PID 536 wrote to memory of 1908	536	skotes.exe	40
PID 536 wrote to memory of 1908	536	skotes.exe	40
PID 536 wrote to memory of 1908	536	skotes.exe	40
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 2308 wrote to memory of 1192	2308	5037f90281.exe	41
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1908 wrote to memory of 1252	1908	f7a11e508d.exe	44
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42
PID 1716 wrote to memory of 2968	1716	36bb345892.exe	42

C:\Users\Admin\AppData\Local\Temp\61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe
"C:\Users\Admin\AppData\Local\Temp\61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\1091747001\36bb345892.exe
    "C:\Users\Admin\AppData\Local\Temp\1091747001\36bb345892.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2968
- - C:\Users\Admin\AppData\Local\Temp\1091749001\154c8dde98.exe
    "C:\Users\Admin\AppData\Local\Temp\1091749001\154c8dde98.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1476
- - C:\Users\Admin\AppData\Local\Temp\1091788001\b9fdc26767.exe
    "C:\Users\Admin\AppData\Local\Temp\1091788001\b9fdc26767.exe"
    3⤵
    - Executes dropped EXE
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\1091929001\64e3f97605.exe
    "C:\Users\Admin\AppData\Local\Temp\1091929001\64e3f97605.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\1091930001\e79875d627.exe
    "C:\Users\Admin\AppData\Local\Temp\1091930001\e79875d627.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2488
- - C:\Users\Admin\AppData\Local\Temp\1091931001\5037f90281.exe
    "C:\Users\Admin\AppData\Local\Temp\1091931001\5037f90281.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\1091932001\f7a11e508d.exe
    "C:\Users\Admin\AppData\Local\Temp\1091932001\f7a11e508d.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\success[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091747001\36bb345892.exe

Filesize
9.8MB

MD5
db3632ef37d9e27dfa2fd76f320540ca

SHA1
f894b26a6910e1eb53b1891c651754a2b28ddd86

SHA256
0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

SHA512
4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091749001\154c8dde98.exe

Filesize
325KB

MD5
f071beebff0bcff843395dc61a8d53c8

SHA1
82444a2bba58b07cb8e74a28b4b0f715500749b2

SHA256
0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

SHA512
1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091788001\b9fdc26767.exe

Filesize
429KB

MD5
a92d6465d69430b38cbc16bf1c6a7210

SHA1
421fadebee484c9d19b9cb18faf3b0f5d9b7a554

SHA256
3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

SHA512
0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091929001\64e3f97605.exe

Filesize
3.0MB

MD5
5e79df97975b488e901487db545d5de8

SHA1
2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6

SHA256
aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966

SHA512
5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091930001\e79875d627.exe

Filesize
1.7MB

MD5
847574da42ba3d0640c821e8eb11e286

SHA1
f63a12f36991a1aab0b0cfa89e48ad7138aaac59

SHA256
b730e010dc5deb7b1e33bc057ec8839e99c7943f136f4fe0a20b3a6d4d628202

SHA512
edff0a63a03d94684a695a57b10fc956792014dbcd31fe295dfca5ee19411e367d2129740157fc1c816e5890d736d53b4c81980de1faa1a7cf70f985f78325b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091931001\5037f90281.exe

Filesize
4.5MB

MD5
6daf449ec943a3140c434e2d744b760e

SHA1
49c1c0108117b6e22869edfcb0e6b56ead9a1ca8

SHA256
e3c8c288c36388152f0007613345fb93363560f7124c811700f54db0303bba40

SHA512
a2dfe16e8bda35836bde7be01313a65b4d5bd56a0e1cda2189f410ab119e479fe6d3f5e752a6c86cd9f94804ed91d64b01892f607ebac49b47df39cd4bdbcd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091932001\f7a11e508d.exe

Filesize
3.8MB

MD5
d7e1f46aacf3fde82d701af6db36aa41

SHA1
383e67c0ae6f57b68544bf016128855b36d3b821

SHA256
5d011c284919611fc393c417a19774284990aa7bcc07a380527bc06b277c877b

SHA512
8e67452695b9db7ea01ba7180d1bbfd0614575e4d5a354c02bca003269a5c76bcd9840be3e7d4063f386fc6c5254fae6ffabe2129f32a07858e8618380bca5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B9E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1BC0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
1KB

MD5
142b046e6e925e60a60fbe49d32937d7

SHA1
493784f3e800cd57f6e344e0e92fb34c6e781ae0

SHA256
13761adf58a0ebad07cd082cef44d97240fc53c88e9e214a61e1261bd8a3affc

SHA512
bd0d77d3c80421a09d2b17d199695e67f2bcd2bcc1f08490bad247e70f0a61f5d95813e9852a674d54f297d67eeda25a2b167e831165fc245937ce7055bd1dcd

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.1MB

MD5
d8245fcdf409ff44a3f14f197ef933b5

SHA1
e1e5e2ec2a6e186f1d57a824dd021b4d17295b74

SHA256
61aaf2478d2dce679714fb2357e761310b0e86a74f144506f17b30d939e031d9

SHA512
a261cbceb50107c7818f3790a1f9abd41f68435e8828f9c760308abf5b5fd6a7267040fe2941115923ba7b6aee5f54211cafa16e920b3fb2367bcacd0c658f16

Download Submit
\Users\Admin\AppData\Local\Temp\weCeeYSd1Z0\Y-Cleaner.exe

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
memory/536-152-0x00000000065A0000-0x000000000689B000-memory.dmp

Filesize
3.0MB

Download
memory/536-191-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-28-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-26-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-24-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-23-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-73-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-266-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-265-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-19-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-264-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-125-0x00000000065A0000-0x000000000689B000-memory.dmp

Filesize
3.0MB

Download
memory/536-124-0x00000000065A0000-0x000000000689B000-memory.dmp

Filesize
3.0MB

Download
memory/536-263-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-262-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-145-0x0000000006BC0000-0x0000000007252000-memory.dmp

Filesize
6.6MB

Download
memory/536-146-0x0000000006BC0000-0x0000000007252000-memory.dmp

Filesize
6.6MB

Download
memory/536-261-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-260-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-150-0x00000000065A0000-0x000000000689B000-memory.dmp

Filesize
3.0MB

Download
memory/536-240-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-151-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-230-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-169-0x0000000006BC0000-0x000000000780E000-memory.dmp

Filesize
12.3MB

Download
memory/536-170-0x0000000006BC0000-0x000000000780E000-memory.dmp

Filesize
12.3MB

Download
memory/536-212-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-172-0x0000000006BC0000-0x0000000007252000-memory.dmp

Filesize
6.6MB

Download
memory/536-173-0x0000000006BC0000-0x0000000007252000-memory.dmp

Filesize
6.6MB

Download
memory/536-208-0x0000000006BC0000-0x00000000075E0000-memory.dmp

Filesize
10.1MB

Download
memory/536-190-0x0000000006BC0000-0x00000000075E0000-memory.dmp

Filesize
10.1MB

Download
memory/536-27-0x0000000000CC0000-0x0000000001184000-memory.dmp

Filesize
4.8MB

Download
memory/536-192-0x0000000006BC0000-0x000000000780E000-memory.dmp

Filesize
12.3MB

Download
memory/536-194-0x0000000006BC0000-0x000000000780E000-memory.dmp

Filesize
12.3MB

Download
memory/1192-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-202-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/1252-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-206-0x0000000000890000-0x00000000012B0000-memory.dmp

Filesize
10.1MB

Download
memory/1908-210-0x0000000000890000-0x00000000012B0000-memory.dmp

Filesize
10.1MB

Download
memory/2308-198-0x00000000012A0000-0x0000000001EEE000-memory.dmp

Filesize
12.3MB

Download
memory/2308-195-0x00000000012A0000-0x0000000001EEE000-memory.dmp

Filesize
12.3MB

Download
memory/2308-171-0x00000000012A0000-0x0000000001EEE000-memory.dmp

Filesize
12.3MB

Download
memory/2308-193-0x00000000012A0000-0x0000000001EEE000-memory.dmp

Filesize
12.3MB

Download
memory/2320-4-0x0000000000EA0000-0x0000000001364000-memory.dmp

Filesize
4.8MB

Download
memory/2320-16-0x0000000006A50000-0x0000000006F14000-memory.dmp

Filesize
4.8MB

Download
memory/2320-3-0x0000000000EA0000-0x0000000001364000-memory.dmp

Filesize
4.8MB

Download
memory/2320-22-0x0000000000EA1000-0x0000000000F09000-memory.dmp

Filesize
416KB

Download
memory/2320-21-0x0000000000EA0000-0x0000000001364000-memory.dmp

Filesize
4.8MB

Download
memory/2320-17-0x0000000006A50000-0x0000000006F14000-memory.dmp

Filesize
4.8MB

Download
memory/2320-0-0x0000000000EA0000-0x0000000001364000-memory.dmp

Filesize
4.8MB

Download
memory/2320-2-0x0000000000EA1000-0x0000000000F09000-memory.dmp

Filesize
416KB

Download
memory/2320-1-0x0000000076F00000-0x0000000076F02000-memory.dmp

Filesize
8KB

Download
memory/2488-149-0x0000000000ED0000-0x0000000001562000-memory.dmp

Filesize
6.6MB

Download
memory/2488-148-0x0000000000ED0000-0x0000000001562000-memory.dmp

Filesize
6.6MB

Download
memory/2584-129-0x00000000003E0000-0x00000000006DB000-memory.dmp

Filesize
3.0MB

Download
memory/2584-126-0x00000000003E0000-0x00000000006DB000-memory.dmp

Filesize
3.0MB

Download
memory/2968-222-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2968-221-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download