amadey | 19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/02/2025, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
Size

2.1MB
MD5

1e2dcc7657bad37aa49ccbbe7090afbc
SHA1

13b73c0d07acb0f8b548ab1a757f1119f7f933e5
SHA256

19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4
SHA512

e81e5914cba8bd2cac9d7bf373fb2f8a9425569794c7b0189fbae6459aa150ab71aef749dc9092bde68c616e7041b49816f02a69a8e961e01f36a551a28f2619
SSDEEP

49152:F9c9eMc44n6yotltu6pWjwBORaGt0/7V7AV:+eMc4+CtHbBVc0DV7A

Score

10^/10

amadey gcleaner stealc 9c9aa5 reno defense_evasion discovery loader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	eeadb5b890.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cb56a91154.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	362a4a0d56.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b9130a9904.exe

Downloads MZ/PE file 6 IoCs

flow	pid	Process
5	2588	skotes.exe
8	2588	skotes.exe
8	2588	skotes.exe
14	2588	skotes.exe
28	2620	BitLockerToGo.exe
43	992	BitLockerToGo.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	eeadb5b890.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	eeadb5b890.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cb56a91154.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	362a4a0d56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b9130a9904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cb56a91154.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	362a4a0d56.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b9130a9904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Executes dropped EXE 8 IoCs

pid	Process
2588	skotes.exe
2756	c7ab46eed6.exe
2776	cee7029e3c.exe
2416	32cd439412.exe
2216	eeadb5b890.exe
1732	cb56a91154.exe
1468	362a4a0d56.exe
1212	b9130a9904.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	eeadb5b890.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	cb56a91154.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	362a4a0d56.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine	b9130a9904.exe

Loads dropped DLL 16 IoCs

pid	Process
2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2588	skotes.exe
2620	BitLockerToGo.exe
992	BitLockerToGo.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\eeadb5b890.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091933001\\eeadb5b890.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\cb56a91154.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091934001\\cb56a91154.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\362a4a0d56.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091935001\\362a4a0d56.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9130a9904.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091936001\\b9130a9904.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
2588	skotes.exe
2216	eeadb5b890.exe
1732	cb56a91154.exe
1468	362a4a0d56.exe
1212	b9130a9904.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 2620	1468	362a4a0d56.exe	38
PID 2756 set thread context of 476	2756	c7ab46eed6.exe	40
PID 1212 set thread context of 992	1212	b9130a9904.exe	43

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7ab46eed6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cee7029e3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeadb5b890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb56a91154.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	362a4a0d56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9130a9904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	eeadb5b890.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	eeadb5b890.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	eeadb5b890.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
2588	skotes.exe
2216	eeadb5b890.exe
1732	cb56a91154.exe
1468	362a4a0d56.exe
1212	b9130a9904.exe
2776	cee7029e3c.exe
2776	cee7029e3c.exe
2776	cee7029e3c.exe
2776	cee7029e3c.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2588	2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe	30
PID 2692 wrote to memory of 2588	2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe	30
PID 2692 wrote to memory of 2588	2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe	30
PID 2692 wrote to memory of 2588	2692	19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe	30
PID 2588 wrote to memory of 2756	2588	skotes.exe	32
PID 2588 wrote to memory of 2756	2588	skotes.exe	32
PID 2588 wrote to memory of 2756	2588	skotes.exe	32
PID 2588 wrote to memory of 2756	2588	skotes.exe	32
PID 2588 wrote to memory of 2776	2588	skotes.exe	33
PID 2588 wrote to memory of 2776	2588	skotes.exe	33
PID 2588 wrote to memory of 2776	2588	skotes.exe	33
PID 2588 wrote to memory of 2776	2588	skotes.exe	33
PID 2588 wrote to memory of 2416	2588	skotes.exe	34
PID 2588 wrote to memory of 2416	2588	skotes.exe	34
PID 2588 wrote to memory of 2416	2588	skotes.exe	34
PID 2588 wrote to memory of 2416	2588	skotes.exe	34
PID 2588 wrote to memory of 2216	2588	skotes.exe	35
PID 2588 wrote to memory of 2216	2588	skotes.exe	35
PID 2588 wrote to memory of 2216	2588	skotes.exe	35
PID 2588 wrote to memory of 2216	2588	skotes.exe	35
PID 2588 wrote to memory of 1732	2588	skotes.exe	36
PID 2588 wrote to memory of 1732	2588	skotes.exe	36
PID 2588 wrote to memory of 1732	2588	skotes.exe	36
PID 2588 wrote to memory of 1732	2588	skotes.exe	36
PID 2588 wrote to memory of 1468	2588	skotes.exe	37
PID 2588 wrote to memory of 1468	2588	skotes.exe	37
PID 2588 wrote to memory of 1468	2588	skotes.exe	37
PID 2588 wrote to memory of 1468	2588	skotes.exe	37
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 1468 wrote to memory of 2620	1468	362a4a0d56.exe	38
PID 2588 wrote to memory of 1212	2588	skotes.exe	39
PID 2588 wrote to memory of 1212	2588	skotes.exe	39
PID 2588 wrote to memory of 1212	2588	skotes.exe	39
PID 2588 wrote to memory of 1212	2588	skotes.exe	39
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 2756 wrote to memory of 476	2756	c7ab46eed6.exe	40
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43
PID 1212 wrote to memory of 992	1212	b9130a9904.exe	43

C:\Users\Admin\AppData\Local\Temp\19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe
"C:\Users\Admin\AppData\Local\Temp\19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\1091747001\c7ab46eed6.exe
    "C:\Users\Admin\AppData\Local\Temp\1091747001\c7ab46eed6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:476
- - C:\Users\Admin\AppData\Local\Temp\1091749001\cee7029e3c.exe
    "C:\Users\Admin\AppData\Local\Temp\1091749001\cee7029e3c.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2776
- - C:\Users\Admin\AppData\Local\Temp\1091788001\32cd439412.exe
    "C:\Users\Admin\AppData\Local\Temp\1091788001\32cd439412.exe"
    3⤵
    - Executes dropped EXE
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\1091933001\eeadb5b890.exe
    "C:\Users\Admin\AppData\Local\Temp\1091933001\eeadb5b890.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\1091934001\cb56a91154.exe
    "C:\Users\Admin\AppData\Local\Temp\1091934001\cb56a91154.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1732
- - C:\Users\Admin\AppData\Local\Temp\1091935001\362a4a0d56.exe
    "C:\Users\Admin\AppData\Local\Temp\1091935001\362a4a0d56.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2620
- - C:\Users\Admin\AppData\Local\Temp\1091936001\b9130a9904.exe
    "C:\Users\Admin\AppData\Local\Temp\1091936001\b9130a9904.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      Downloads MZ/PE file
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091747001\c7ab46eed6.exe

Filesize
9.8MB

MD5
db3632ef37d9e27dfa2fd76f320540ca

SHA1
f894b26a6910e1eb53b1891c651754a2b28ddd86

SHA256
0513f12c182a105759497d8280f1c06800a8ff07e1d69341268f3c08ecc27c6d

SHA512
4490b25598707577f0b1ba1f0fbe52556f752b591c433117d0f94ce386e86e101527b3d1f9982d6e097e1fcb724325fdd1837cc51d94c6b5704fd8df244648fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091749001\cee7029e3c.exe

Filesize
325KB

MD5
f071beebff0bcff843395dc61a8d53c8

SHA1
82444a2bba58b07cb8e74a28b4b0f715500749b2

SHA256
0d89d83e0840155d3a4ceca1d514e92d9af14074be53abc541f80b6af3b0ceec

SHA512
1ac92897a11dbd3bd13b76bfeb2c8941fdffa7f33bc9e4db7781061fb684bfe8b8d19c21a22b3b551987f871c047b7518091b31fc743757d8f235c88628d121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091788001\32cd439412.exe

Filesize
429KB

MD5
a92d6465d69430b38cbc16bf1c6a7210

SHA1
421fadebee484c9d19b9cb18faf3b0f5d9b7a554

SHA256
3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

SHA512
0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091933001\eeadb5b890.exe

Filesize
3.0MB

MD5
5e79df97975b488e901487db545d5de8

SHA1
2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6

SHA256
aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966

SHA512
5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091934001\cb56a91154.exe

Filesize
1.7MB

MD5
847574da42ba3d0640c821e8eb11e286

SHA1
f63a12f36991a1aab0b0cfa89e48ad7138aaac59

SHA256
b730e010dc5deb7b1e33bc057ec8839e99c7943f136f4fe0a20b3a6d4d628202

SHA512
edff0a63a03d94684a695a57b10fc956792014dbcd31fe295dfca5ee19411e367d2129740157fc1c816e5890d736d53b4c81980de1faa1a7cf70f985f78325b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091935001\362a4a0d56.exe

Filesize
4.5MB

MD5
6daf449ec943a3140c434e2d744b760e

SHA1
49c1c0108117b6e22869edfcb0e6b56ead9a1ca8

SHA256
e3c8c288c36388152f0007613345fb93363560f7124c811700f54db0303bba40

SHA512
a2dfe16e8bda35836bde7be01313a65b4d5bd56a0e1cda2189f410ab119e479fe6d3f5e752a6c86cd9f94804ed91d64b01892f607ebac49b47df39cd4bdbcd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091936001\b9130a9904.exe

Filesize
3.8MB

MD5
d7e1f46aacf3fde82d701af6db36aa41

SHA1
383e67c0ae6f57b68544bf016128855b36d3b821

SHA256
5d011c284919611fc393c417a19774284990aa7bcc07a380527bc06b277c877b

SHA512
8e67452695b9db7ea01ba7180d1bbfd0614575e4d5a354c02bca003269a5c76bcd9840be3e7d4063f386fc6c5254fae6ffabe2129f32a07858e8618380bca5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5498.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar54C9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
2KB

MD5
75b4f057c7319fe725569eb6518497c5

SHA1
83a0ed44fb90910b1a1803e9786f87285930882b

SHA256
7d41a3edfafa949fee08d1a32451489bcb515a1f89813b055a2e5fe5ae973905

SHA512
eb0bdeb6a3ab2ece1a579c1919797017d255f1bd03d32f78fe34463a232e44de3307fa81d9a6181edd4f7030ed64b5d8f7868921aba127fe2e4c580030978ffb

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.1MB

MD5
1e2dcc7657bad37aa49ccbbe7090afbc

SHA1
13b73c0d07acb0f8b548ab1a757f1119f7f933e5

SHA256
19b811f5b09535a91cd3627c3b4c36145ac01de811fce84482f74da6fdad2ad4

SHA512
e81e5914cba8bd2cac9d7bf373fb2f8a9425569794c7b0189fbae6459aa150ab71aef749dc9092bde68c616e7041b49816f02a69a8e961e01f36a551a28f2619

Download Submit
\Users\Admin\AppData\Local\Temp\fCDv3043Fwr\Y-Cleaner.exe

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
memory/476-213-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/476-212-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/992-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1212-224-0x0000000000E30000-0x0000000001850000-memory.dmp

Filesize
10.1MB

Download
memory/1212-219-0x0000000000E30000-0x0000000001850000-memory.dmp

Filesize
10.1MB

Download
memory/1468-180-0x0000000000800000-0x000000000144E000-memory.dmp

Filesize
12.3MB

Download
memory/1468-173-0x0000000000800000-0x000000000144E000-memory.dmp

Filesize
12.3MB

Download
memory/1468-188-0x0000000000800000-0x000000000144E000-memory.dmp

Filesize
12.3MB

Download
memory/1468-181-0x0000000000800000-0x000000000144E000-memory.dmp

Filesize
12.3MB

Download
memory/1732-152-0x0000000000B10000-0x00000000011A2000-memory.dmp

Filesize
6.6MB

Download
memory/1732-149-0x0000000000B10000-0x00000000011A2000-memory.dmp

Filesize
6.6MB

Download
memory/2216-183-0x0000000000D90000-0x000000000108B000-memory.dmp

Filesize
3.0MB

Download
memory/2216-176-0x0000000000D90000-0x000000000108B000-memory.dmp

Filesize
3.0MB

Download
memory/2216-102-0x0000000000D90000-0x000000000108B000-memory.dmp

Filesize
3.0MB

Download
memory/2216-218-0x0000000000D90000-0x000000000108B000-memory.dmp

Filesize
3.0MB

Download
memory/2216-155-0x0000000000D90000-0x000000000108B000-memory.dmp

Filesize
3.0MB

Download
memory/2216-221-0x0000000000D90000-0x000000000108B000-memory.dmp

Filesize
3.0MB

Download
memory/2588-146-0x00000000069F0000-0x0000000007082000-memory.dmp

Filesize
6.6MB

Download
memory/2588-23-0x0000000000121000-0x0000000000189000-memory.dmp

Filesize
416KB

Download
memory/2588-147-0x00000000069F0000-0x0000000007082000-memory.dmp

Filesize
6.6MB

Download
memory/2588-150-0x00000000069F0000-0x0000000006CEB000-memory.dmp

Filesize
3.0MB

Download
memory/2588-274-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-153-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-154-0x00000000069F0000-0x0000000006CEB000-memory.dmp

Filesize
3.0MB

Download
memory/2588-273-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-272-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-172-0x00000000069F0000-0x000000000763E000-memory.dmp

Filesize
12.3MB

Download
memory/2588-174-0x00000000069F0000-0x0000000007082000-memory.dmp

Filesize
6.6MB

Download
memory/2588-21-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-175-0x00000000069F0000-0x000000000763E000-memory.dmp

Filesize
12.3MB

Download
memory/2588-99-0x00000000069F0000-0x0000000006CEB000-memory.dmp

Filesize
3.0MB

Download
memory/2588-177-0x00000000069F0000-0x0000000007082000-memory.dmp

Filesize
6.6MB

Download
memory/2588-178-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-179-0x00000000069F0000-0x000000000763E000-memory.dmp

Filesize
12.3MB

Download
memory/2588-100-0x00000000069F0000-0x0000000006CEB000-memory.dmp

Filesize
3.0MB

Download
memory/2588-271-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-182-0x00000000069F0000-0x000000000763E000-memory.dmp

Filesize
12.3MB

Download
memory/2588-76-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-270-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-269-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-27-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-259-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-203-0x00000000069F0000-0x0000000007410000-memory.dmp

Filesize
10.1MB

Download
memory/2588-245-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-24-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-234-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-215-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-28-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-26-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-31-0x0000000000121000-0x0000000000189000-memory.dmp

Filesize
416KB

Download
memory/2588-220-0x00000000069F0000-0x0000000007410000-memory.dmp

Filesize
10.1MB

Download
memory/2588-30-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2588-29-0x0000000000120000-0x00000000005F0000-memory.dmp

Filesize
4.8MB

Download
memory/2620-208-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2620-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-3-0x0000000000E50000-0x0000000001320000-memory.dmp

Filesize
4.8MB

Download
memory/2692-0-0x0000000000E50000-0x0000000001320000-memory.dmp

Filesize
4.8MB

Download
memory/2692-2-0x0000000000E51000-0x0000000000EB9000-memory.dmp

Filesize
416KB

Download
memory/2692-5-0x0000000000E50000-0x0000000001320000-memory.dmp

Filesize
4.8MB

Download
memory/2692-1-0x00000000771E0000-0x00000000771E2000-memory.dmp

Filesize
8KB

Download
memory/2692-20-0x0000000006980000-0x0000000006E50000-memory.dmp

Filesize
4.8MB

Download
memory/2692-18-0x0000000000E51000-0x0000000000EB9000-memory.dmp

Filesize
416KB

Download
memory/2692-22-0x0000000006980000-0x0000000006E50000-memory.dmp

Filesize
4.8MB

Download
memory/2692-16-0x0000000000E50000-0x0000000001320000-memory.dmp

Filesize
4.8MB

Download