amadey | 1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84

Analysis

max time kernel
143s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe
Size

5.3MB
MD5

2e38fe421e39b0ab882abdcafe8d3768
SHA1

72c625f23eda9b710265e6f2df8d4973ab4dee28
SHA256

1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84
SHA512

305cace9b1659227f9cf39b2ce464669a8b9fbf3569c14f73b6ad8467d1403b737a2192bd6235b7a4c82f671b1799cf1067ed7e9fce9fa9685292d2218d878e8
SSDEEP

98304:iqkKHicPk0Go0TLgIJlDovsGWP/8ogkf3SEnLnYJ0:ioHbk0Go0NKtWqk/nLnF

Score

10^/10

amadey gcleaner stealc 9c9aa5 reno defense_evasion discovery loader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3Z59K.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5685aa3f3c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dd451a1251.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1v94Z3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2Q4122.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	79784b5377.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	beea09ccbd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
66	5000	BitLockerToGo.exe
73	4000	BitLockerToGo.exe
34	3008	skotes.exe
47	3008	skotes.exe

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2Q4122.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd451a1251.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	beea09ccbd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79784b5377.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5685aa3f3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1v94Z3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2Q4122.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3Z59K.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79784b5377.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1v94Z3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3Z59K.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5685aa3f3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	beea09ccbd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd451a1251.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	1v94Z3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 12 IoCs

pid	Process
3052	P8M04.exe
2300	1v94Z3.exe
3008	skotes.exe
3128	2Q4122.exe
4936	skotes.exe
4032	3Z59K.exe
3548	79784b5377.exe
4112	5685aa3f3c.exe
1556	beea09ccbd.exe
4032	dd451a1251.exe
4936	skotes.exe
4240	skotes.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	1v94Z3.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	2Q4122.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	5685aa3f3c.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	beea09ccbd.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	dd451a1251.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	3Z59K.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	79784b5377.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	P8M04.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\79784b5377.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091974001\\79784b5377.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5685aa3f3c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091975001\\5685aa3f3c.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\beea09ccbd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091976001\\beea09ccbd.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dd451a1251.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091977001\\dd451a1251.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2300	1v94Z3.exe
3008	skotes.exe
3128	2Q4122.exe
4936	skotes.exe
4032	3Z59K.exe
3548	79784b5377.exe
4112	5685aa3f3c.exe
1556	beea09ccbd.exe
4032	dd451a1251.exe
4936	skotes.exe
4240	skotes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1556 set thread context of 4000	1556	beea09ccbd.exe	105
PID 4032 set thread context of 5000	4032	dd451a1251.exe	108

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1v94Z3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Q4122.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5685aa3f3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P8M04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1v94Z3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3Z59K.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79784b5377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beea09ccbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd451a1251.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2300	1v94Z3.exe
2300	1v94Z3.exe
3008	skotes.exe
3008	skotes.exe
3128	2Q4122.exe
3128	2Q4122.exe
3128	2Q4122.exe
3128	2Q4122.exe
3128	2Q4122.exe
3128	2Q4122.exe
4936	skotes.exe
4936	skotes.exe
4032	3Z59K.exe
4032	3Z59K.exe
3548	79784b5377.exe
3548	79784b5377.exe
3548	79784b5377.exe
3548	79784b5377.exe
3548	79784b5377.exe
3548	79784b5377.exe
4112	5685aa3f3c.exe
4112	5685aa3f3c.exe
1556	beea09ccbd.exe
1556	beea09ccbd.exe
4032	dd451a1251.exe
4032	dd451a1251.exe
4936	skotes.exe
4936	skotes.exe
4240	skotes.exe
4240	skotes.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2300	1v94Z3.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3052	456	1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe	86
PID 456 wrote to memory of 3052	456	1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe	86
PID 456 wrote to memory of 3052	456	1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe	86
PID 3052 wrote to memory of 2300	3052	P8M04.exe	89
PID 3052 wrote to memory of 2300	3052	P8M04.exe	89
PID 3052 wrote to memory of 2300	3052	P8M04.exe	89
PID 2300 wrote to memory of 3008	2300	1v94Z3.exe	90
PID 2300 wrote to memory of 3008	2300	1v94Z3.exe	90
PID 2300 wrote to memory of 3008	2300	1v94Z3.exe	90
PID 3052 wrote to memory of 3128	3052	P8M04.exe	91
PID 3052 wrote to memory of 3128	3052	P8M04.exe	91
PID 3052 wrote to memory of 3128	3052	P8M04.exe	91
PID 456 wrote to memory of 4032	456	1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe	97
PID 456 wrote to memory of 4032	456	1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe	97
PID 456 wrote to memory of 4032	456	1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe	97
PID 3008 wrote to memory of 3548	3008	skotes.exe	99
PID 3008 wrote to memory of 3548	3008	skotes.exe	99
PID 3008 wrote to memory of 3548	3008	skotes.exe	99
PID 3008 wrote to memory of 4112	3008	skotes.exe	101
PID 3008 wrote to memory of 4112	3008	skotes.exe	101
PID 3008 wrote to memory of 4112	3008	skotes.exe	101
PID 3008 wrote to memory of 1556	3008	skotes.exe	103
PID 3008 wrote to memory of 1556	3008	skotes.exe	103
PID 3008 wrote to memory of 1556	3008	skotes.exe	103
PID 3008 wrote to memory of 4032	3008	skotes.exe	104
PID 3008 wrote to memory of 4032	3008	skotes.exe	104
PID 3008 wrote to memory of 4032	3008	skotes.exe	104
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 1556 wrote to memory of 4000	1556	beea09ccbd.exe	105
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108
PID 4032 wrote to memory of 5000	4032	dd451a1251.exe	108

C:\Users\Admin\AppData\Local\Temp\1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe
"C:\Users\Admin\AppData\Local\Temp\1f0bb0fbcfe49d1f61d56eb89f17fbc2028fe56196a223b356e4a60916942d84.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P8M04.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P8M04.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1v94Z3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1v94Z3.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\1091974001\79784b5377.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091974001\79784b5377.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3548
    - - C:\Users\Admin\AppData\Local\Temp\1091975001\5685aa3f3c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091975001\5685aa3f3c.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4112
    - - C:\Users\Admin\AppData\Local\Temp\1091976001\beea09ccbd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091976001\beea09ccbd.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:4000
    - - C:\Users\Admin\AppData\Local\Temp\1091977001\dd451a1251.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091977001\dd451a1251.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:5000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Q4122.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Q4122.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3128
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z59K.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z59K.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4032

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4936

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QETCX6A4\success[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMV73H33\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091974001\79784b5377.exe

Filesize
3.0MB

MD5
5e79df97975b488e901487db545d5de8

SHA1
2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6

SHA256
aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966

SHA512
5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091975001\5685aa3f3c.exe

Filesize
1.8MB

MD5
cd628b34b76fd44d828e69c0eb4529a4

SHA1
1d47f0f1d40afdc61356ccb4f9a1be6fe97f0731

SHA256
b36e04f63b20811a4a277644e7574e64f9f8c29ca67f011ae04551c442686e88

SHA512
959e9ebd955128cbe7cadf2b82f74d75909b3744df6fb0ca2faf7ad99f210339b6c304cab327b56f7b6d2486b4b36ff12c23cdbf7bd8b1e17d91247a6cc230fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091976001\beea09ccbd.exe

Filesize
4.5MB

MD5
b0cc3c294b640712f09ab2f3c64e7631

SHA1
6539a8da1b0876091d19388aa23b4e687e142baa

SHA256
aa915a1957f0b49c1dc5beff6c6b1ef6f8cff9a1a5d171ad5ca41653fd013f1c

SHA512
6e4fd76bb4272bbd1d8137470f875d0c4d80c758ee072a2f06b2972949fbb118f382e2284f078f2b00e8d6d946229ed783666c6c9d8674825124ffe31faf6082

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091977001\dd451a1251.exe

Filesize
3.8MB

MD5
4f426af97f4bcc8021759016a6a9981e

SHA1
58d57830ccf8d0df3bb6ff12866665d0e4c4b98f

SHA256
22b7fd71548000fd221218727d7964e44cc2e2d16e074690b0b7cb2c7d44d984

SHA512
01fd043605ba5d5519dcb67c216154f5968ea4650af9351bcb179e165e456c527b34cc25e2b5f9f344adf79d097bb91588e2854f95ac0e73cb635988a36766e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Z59K.exe

Filesize
1.7MB

MD5
a7e9ec4dd973c27da2de717eb978c2f6

SHA1
d50d5bc80c8eaeadf4115c5080cf8fce50419963

SHA256
79f4d545d6842bd4211d75b2014a6cfe4ffbad232cac07bfa3f4e618f97b0c92

SHA512
618b9e5b84380f343edd2280a1b0fa9223b60b87c650b81c391099915d0c66f0bcfcfd90bf343cb190464bce17a46d42e2cc9265ba3a59e931f51b61b7e91d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\P8M04.exe

Filesize
3.6MB

MD5
c8e998d20dc469f2f571850f2d7aecf3

SHA1
f242b2dce7cdad4ee9c54145e719bd408aff9167

SHA256
36e55e8ef13afe62b81231fd9e011c9dee8034b4bb7bf093aba32875302c9eea

SHA512
ecb058de12baa3be586b416ef1f49695e0c333bee68ad076464ec5fa7a48222e556c786c25a5c914659f36c556993e4a03c66d159fe0e9075feb707b09110486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1v94Z3.exe

Filesize
3.1MB

MD5
e3fc6a11bb6781096677c59ee3f693ab

SHA1
f5b7cf73431d19209c1607a728e6bed92df73d65

SHA256
c459ef823ee6aca439150a1e3c924e39ca4e4677397455690c367d95534f3b69

SHA512
5e3b9a3f59678deef647a498e90d2d2f8953bd725be397bbb8e2d9e0c492ba4d76a7f3e8c4ec9438304a0e64facd7f05748b35297203821d98c6a3b0c0ab5823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Q4122.exe

Filesize
2.0MB

MD5
032b4baebf487c1e81324c148c264ddc

SHA1
42b89612fc3608d8017fa2d4b8ffdcbe35aa539e

SHA256
a6c2aae9a9dd75a83272a0a4e6956dfe72f50520b52fe92e266d624d193b8674

SHA512
23de86501bed9e52e3cc48a8e147e67ebf9e9d213d4063dfe64d135404e93a9892621134592a84e6b5d94937d45b673ec65cdea7c672bc0c7c23432dbf538aae

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
2KB

MD5
b73b4603f31372786515d40d64029c02

SHA1
2c03b7c6a2ff09fcec1ea5cd2d8e6699d8ceb432

SHA256
22d6a3e646d2201bc81f84826cf3a147c6847acdd30e59ffc394477feafb9f67

SHA512
573173397d125af16cadd0e9b8975e2a81826808e362194f3f430e4543f4b1122b75adc7f98ee538acf4ed7e81dd7bc7d0c85d92049015bc091befb54b3133db

Download Submit
memory/1556-128-0x0000000000DE0000-0x0000000001A29000-memory.dmp

Filesize
12.3MB

Download
memory/1556-119-0x0000000000DE0000-0x0000000001A29000-memory.dmp

Filesize
12.3MB

Download
memory/1556-118-0x0000000000DE0000-0x0000000001A29000-memory.dmp

Filesize
12.3MB

Download
memory/1556-100-0x0000000000DE0000-0x0000000001A29000-memory.dmp

Filesize
12.3MB

Download
memory/2300-32-0x00000000000C1000-0x0000000000129000-memory.dmp

Filesize
416KB

Download
memory/2300-31-0x00000000000C0000-0x00000000003D7000-memory.dmp

Filesize
3.1MB

Download
memory/2300-18-0x00000000000C0000-0x00000000003D7000-memory.dmp

Filesize
3.1MB

Download
memory/2300-17-0x00000000000C0000-0x00000000003D7000-memory.dmp

Filesize
3.1MB

Download
memory/2300-16-0x00000000000C1000-0x0000000000129000-memory.dmp

Filesize
416KB

Download
memory/2300-15-0x0000000076F04000-0x0000000076F06000-memory.dmp

Filesize
8KB

Download
memory/2300-13-0x00000000000C0000-0x00000000003D7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-157-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-193-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-195-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-201-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-80-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-65-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-101-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-196-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-194-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-202-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-30-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-130-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-197-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-198-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-174-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3008-168-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/3128-36-0x0000000000410000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/3128-40-0x0000000000410000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/3548-64-0x0000000000E20000-0x000000000111B000-memory.dmp

Filesize
3.0MB

Download
memory/3548-84-0x0000000000E20000-0x000000000111B000-memory.dmp

Filesize
3.0MB

Download
memory/4000-133-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4000-126-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/4000-127-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/4000-121-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/4000-120-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/4032-48-0x0000000000480000-0x0000000000B0F000-memory.dmp

Filesize
6.6MB

Download
memory/4032-138-0x0000000000E30000-0x0000000001861000-memory.dmp

Filesize
10.2MB

Download
memory/4032-137-0x0000000000E30000-0x0000000001861000-memory.dmp

Filesize
10.2MB

Download
memory/4032-117-0x0000000000E30000-0x0000000001861000-memory.dmp

Filesize
10.2MB

Download
memory/4032-44-0x0000000000480000-0x0000000000B0F000-memory.dmp

Filesize
6.6MB

Download
memory/4032-145-0x0000000000E30000-0x0000000001861000-memory.dmp

Filesize
10.2MB

Download
memory/4112-81-0x00000000004F0000-0x0000000000B9E000-memory.dmp

Filesize
6.7MB

Download
memory/4112-83-0x00000000004F0000-0x0000000000B9E000-memory.dmp

Filesize
6.7MB

Download
memory/4240-200-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/4936-46-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/4936-177-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/4936-176-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/4936-38-0x00000000009D0000-0x0000000000CE7000-memory.dmp

Filesize
3.1MB

Download
memory/5000-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5000-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download