amadey | 739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2025, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe
Size

5.5MB
MD5

d3ebaaef69df4dc9655830970e91f9a0
SHA1

edba90191e5cb92dd215de9d525f220201b91e1f
SHA256

739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c
SHA512

54fd7482c319f7d9cb712f44832b450817668bc420f2620d908586b1ae57efa0713aba4068c09ee69f21c01feaa3392c303a2e7d3a308632b3498347a2e27eb2
SSDEEP

98304:mCeaPcFoHsfNBG8vjUyOZrAaqASzZ+JL2veEHPCzr7mjHsuNYYELekSlY4RpPpdN:mIUFhfu8vjU/ZMvAEZMyNP84HyCRpwhW

Score

10^/10

amadey gcleaner stealc 9c9aa5 reno defense_evasion discovery loader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2Q0144.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2ec85a8de9.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3D37F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	deed688cd8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7d16228572.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1l79v3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fe8803737f.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
75	2300	BitLockerToGo.exe
81	5012	BitLockerToGo.exe
36	712	skotes.exe
66	712	skotes.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fe8803737f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7d16228572.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2ec85a8de9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3D37F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	deed688cd8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fe8803737f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1l79v3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2ec85a8de9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1l79v3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2Q0144.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7d16228572.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2Q0144.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3D37F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	deed688cd8.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	1l79v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 11 IoCs

pid	Process
4240	W4X31.exe
5116	1l79v3.exe
712	skotes.exe
4444	2Q0144.exe
3080	2ec85a8de9.exe
2380	3D37F.exe
2624	skotes.exe
556	deed688cd8.exe
3048	fe8803737f.exe
5084	skotes.exe
1784	7d16228572.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	1l79v3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	2Q0144.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	3D37F.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	deed688cd8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	7d16228572.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	2ec85a8de9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine	fe8803737f.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	W4X31.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2ec85a8de9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091986001\\2ec85a8de9.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\deed688cd8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091987001\\deed688cd8.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fe8803737f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091988001\\fe8803737f.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7d16228572.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1091989001\\7d16228572.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
5116	1l79v3.exe
712	skotes.exe
4444	2Q0144.exe
3080	2ec85a8de9.exe
2380	3D37F.exe
2624	skotes.exe
556	deed688cd8.exe
3048	fe8803737f.exe
5084	skotes.exe
1784	7d16228572.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 2300	3048	fe8803737f.exe	106
PID 1784 set thread context of 5012	1784	7d16228572.exe	109

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1l79v3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3D37F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deed688cd8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d16228572.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1l79v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Q0144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ec85a8de9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe8803737f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	W4X31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
5116	1l79v3.exe
5116	1l79v3.exe
712	skotes.exe
712	skotes.exe
4444	2Q0144.exe
4444	2Q0144.exe
4444	2Q0144.exe
4444	2Q0144.exe
4444	2Q0144.exe
4444	2Q0144.exe
3080	2ec85a8de9.exe
3080	2ec85a8de9.exe
2380	3D37F.exe
2380	3D37F.exe
3080	2ec85a8de9.exe
3080	2ec85a8de9.exe
3080	2ec85a8de9.exe
3080	2ec85a8de9.exe
2624	skotes.exe
2624	skotes.exe
556	deed688cd8.exe
556	deed688cd8.exe
3048	fe8803737f.exe
3048	fe8803737f.exe
5084	skotes.exe
5084	skotes.exe
1784	7d16228572.exe
1784	7d16228572.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5116	1l79v3.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4240	3132	739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe	88
PID 3132 wrote to memory of 4240	3132	739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe	88
PID 3132 wrote to memory of 4240	3132	739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe	88
PID 4240 wrote to memory of 5116	4240	W4X31.exe	89
PID 4240 wrote to memory of 5116	4240	W4X31.exe	89
PID 4240 wrote to memory of 5116	4240	W4X31.exe	89
PID 5116 wrote to memory of 712	5116	1l79v3.exe	90
PID 5116 wrote to memory of 712	5116	1l79v3.exe	90
PID 5116 wrote to memory of 712	5116	1l79v3.exe	90
PID 4240 wrote to memory of 4444	4240	W4X31.exe	91
PID 4240 wrote to memory of 4444	4240	W4X31.exe	91
PID 4240 wrote to memory of 4444	4240	W4X31.exe	91
PID 712 wrote to memory of 3080	712	skotes.exe	99
PID 712 wrote to memory of 3080	712	skotes.exe	99
PID 712 wrote to memory of 3080	712	skotes.exe	99
PID 3132 wrote to memory of 2380	3132	739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe	100
PID 3132 wrote to memory of 2380	3132	739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe	100
PID 3132 wrote to memory of 2380	3132	739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe	100
PID 712 wrote to memory of 556	712	skotes.exe	104
PID 712 wrote to memory of 556	712	skotes.exe	104
PID 712 wrote to memory of 556	712	skotes.exe	104
PID 712 wrote to memory of 3048	712	skotes.exe	105
PID 712 wrote to memory of 3048	712	skotes.exe	105
PID 712 wrote to memory of 3048	712	skotes.exe	105
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 3048 wrote to memory of 2300	3048	fe8803737f.exe	106
PID 712 wrote to memory of 1784	712	skotes.exe	108
PID 712 wrote to memory of 1784	712	skotes.exe	108
PID 712 wrote to memory of 1784	712	skotes.exe	108
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109
PID 1784 wrote to memory of 5012	1784	7d16228572.exe	109

C:\Users\Admin\AppData\Local\Temp\739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe
"C:\Users\Admin\AppData\Local\Temp\739496e1cca53ab6e455044226a43fb615cb29280f950a1a984ced82ab3b4e9c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W4X31.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W4X31.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1l79v3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1l79v3.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:712
    - - C:\Users\Admin\AppData\Local\Temp\1091986001\2ec85a8de9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091986001\2ec85a8de9.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
    - - C:\Users\Admin\AppData\Local\Temp\1091987001\deed688cd8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091987001\deed688cd8.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
    - - C:\Users\Admin\AppData\Local\Temp\1091988001\fe8803737f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091988001\fe8803737f.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\1091989001\7d16228572.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1091989001\7d16228572.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:5012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Q0144.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Q0144.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3D37F.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3D37F.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2380

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1DKHYZAK\service[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FBCE046F\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091986001\2ec85a8de9.exe

Filesize
3.0MB

MD5
5e79df97975b488e901487db545d5de8

SHA1
2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6

SHA256
aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966

SHA512
5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091987001\deed688cd8.exe

Filesize
1.7MB

MD5
7010b42115cb2c14a8b71fe84a35304f

SHA1
7ddb806b2d90ebfc9f97fdbe83dcb65d5eddb598

SHA256
e43c37f98f7dd9d2cea007f685842aa871e687aab856b973d4675f19d62327ed

SHA512
720a9660bcbe99371855b6257d3894e91f7de34a3de79a6f6f01e7253d70e7c7b5a40e9e5a5ee2ab413635d04447ac89f6157959ef36d7b8b1f0616b70e4da79

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091988001\fe8803737f.exe

Filesize
4.5MB

MD5
1943fff1fa34275ce9bf9805cda8ae65

SHA1
d1c0fcaafd5939d6fa1b04297d7e16be80326a76

SHA256
1d6fda1f52789bdf856dfd25565537d0ab9cbc6eb40dcea7b661a8c824aff531

SHA512
bb878c9f425f882578a4a473fa06a1280d54abbf134ed2826d43821ba77d07caf06f08cad00cca3ddd76b4269da829ade11a5b9f98ecf2541b61c7b9b8f206ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1091989001\7d16228572.exe

Filesize
3.8MB

MD5
fb645089d2171e30a24ecfa9b7ff2214

SHA1
39133adb642d160b8969a4da8f7ca1e980a14b64

SHA256
76ee1fbc71df63a30382c84fbd3ca0b2ab43dd6bd3f6af7f892fe8045141c450

SHA512
109d55f2a0881bbd6684728ab3894f759aa6b83cd08dfdba2a8f6be2c59ef69b15cc9454eefda71dd1b6fe3fb42284d74376919b745801543b828db310cb49fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3D37F.exe

Filesize
1.7MB

MD5
5d75490b006b643bc00c28c2c9deef5c

SHA1
dc02ef3fc236b69122f0af6428ed68ef534fca90

SHA256
a588312a945488e455b44d6322e7b6dd4439512ec5411f34f2fd8fbc1c7ad217

SHA512
29f4005cdd051caa08ed484c834c78f8878f89335bda298f8b8e2b11e90c738979552401a1da948b1e4e78e361aea5da8a9a9914570f3985345acd4bcc84db15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W4X31.exe

Filesize
3.7MB

MD5
1009ab3c7ff43b23635442fcce885db8

SHA1
0753b38fce5739ad8b003481685bfee4b06d8a12

SHA256
408d4cb8fd90ec020e5d355c39d670c28415649d8745767ccf3238c91de87b10

SHA512
b881534788b02f326a89fd6de79a11d71766a049f87a020d1034d4af2ded4add98f2e62e33f2f312371e0196918b4364cc80ec213cfa47dbbbe40520342a5318

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1l79v3.exe

Filesize
3.1MB

MD5
4be75021ffa4db5d38f42a8297e6d2ae

SHA1
a0f0d8565109bcce6c074ea4daf9662e56e48f89

SHA256
898b36de9e53ecfec0c0f4cce2d2459fafbec111d8e438b82c7925230a0b349c

SHA512
c8d2698f0ed320420655bacaeaf1d299deacde0f1b0f993c84b22ebba382d407ecfbcc5726e1e78be64b7897936c344b57d3bfadc45111636c713527ac61ed0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Q0144.exe

Filesize
2.0MB

MD5
b5dbf141241326be38c6baad20a4f370

SHA1
821c809c4ab6ac5ed6463d30d2b8988e27a3adda

SHA256
e491d6400d1eb574422d6350e9e968cbf4b11e5cd843ac1ac1f8b91a29184116

SHA512
9d29cf15b2364e95ed92b22569df1b0e58fd83b167dae47f29879605fd1a4b9eb72389917cf2c8fc83b134e4344c259e04ecff9a41c12b5bad6ba861e1422df0

Download Submit
memory/556-91-0x00000000009E0000-0x000000000107F000-memory.dmp

Filesize
6.6MB

Download
memory/556-90-0x00000000009E0000-0x000000000107F000-memory.dmp

Filesize
6.6MB

Download
memory/712-65-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-94-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-38-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-41-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-144-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-37-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-191-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-152-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-74-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-73-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-111-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-31-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-173-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-186-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-93-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/712-92-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/1784-153-0x0000000000140000-0x0000000000B51000-memory.dmp

Filesize
10.1MB

Download
memory/1784-162-0x0000000000140000-0x0000000000B51000-memory.dmp

Filesize
10.1MB

Download
memory/1784-154-0x0000000000140000-0x0000000000B51000-memory.dmp

Filesize
10.1MB

Download
memory/1784-145-0x0000000000140000-0x0000000000B51000-memory.dmp

Filesize
10.1MB

Download
memory/2300-125-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2300-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2300-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-62-0x0000000000460000-0x0000000000AFF000-memory.dmp

Filesize
6.6MB

Download
memory/2380-64-0x0000000000460000-0x0000000000AFF000-memory.dmp

Filesize
6.6MB

Download
memory/2624-72-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/2624-71-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/3048-112-0x00000000006F0000-0x000000000134D000-memory.dmp

Filesize
12.4MB

Download
memory/3048-110-0x00000000006F0000-0x000000000134D000-memory.dmp

Filesize
12.4MB

Download
memory/3048-119-0x00000000006F0000-0x000000000134D000-memory.dmp

Filesize
12.4MB

Download
memory/3048-113-0x00000000006F0000-0x000000000134D000-memory.dmp

Filesize
12.4MB

Download
memory/3080-66-0x0000000000D70000-0x000000000106B000-memory.dmp

Filesize
3.0MB

Download
memory/3080-67-0x0000000000D70000-0x000000000106B000-memory.dmp

Filesize
3.0MB

Download
memory/3080-69-0x0000000000D70000-0x000000000106B000-memory.dmp

Filesize
3.0MB

Download
memory/3080-58-0x0000000000D70000-0x000000000106B000-memory.dmp

Filesize
3.0MB

Download
memory/4444-36-0x0000000000960000-0x0000000000E1E000-memory.dmp

Filesize
4.7MB

Download
memory/4444-59-0x0000000000960000-0x0000000000E1E000-memory.dmp

Filesize
4.7MB

Download
memory/4444-42-0x0000000000960000-0x0000000000E1E000-memory.dmp

Filesize
4.7MB

Download
memory/4444-39-0x0000000000960000-0x0000000000E1E000-memory.dmp

Filesize
4.7MB

Download
memory/4444-40-0x0000000000960000-0x0000000000E1E000-memory.dmp

Filesize
4.7MB

Download
memory/5012-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-121-0x0000000000150000-0x0000000000478000-memory.dmp

Filesize
3.2MB

Download
memory/5116-29-0x00000000008E0000-0x0000000000C08000-memory.dmp

Filesize
3.2MB

Download
memory/5116-32-0x00000000008E1000-0x0000000000949000-memory.dmp

Filesize
416KB

Download
memory/5116-18-0x00000000008E0000-0x0000000000C08000-memory.dmp

Filesize
3.2MB

Download
memory/5116-17-0x00000000008E0000-0x0000000000C08000-memory.dmp

Filesize
3.2MB

Download
memory/5116-16-0x00000000008E1000-0x0000000000949000-memory.dmp

Filesize
416KB

Download
memory/5116-15-0x00000000779E4000-0x00000000779E6000-memory.dmp

Filesize
8KB

Download
memory/5116-14-0x00000000008E0000-0x0000000000C08000-memory.dmp

Filesize
3.2MB

Download