amadey | e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f

Analysis

max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2025, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe
Size

5.5MB
MD5

26d02c92e4385bfa786ea70807a91037
SHA1

b85408cd519ba7c577111be782efc0f214c8a2a2
SHA256

e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f
SHA512

247177622d3167a27d105b9a299c68e0f50b7d5e1acacf28186eef3d55b87433d0b06fb2ff71e05fb69f5bdbd36b58dc8373757fdae088858f55961d6d61bed6
SSDEEP

98304:4217pWJbBleGBv4SuxjwKXYz+KOqQuVwpEKbT3xfornnoFDyAXtisFbD10Rj:bGbBlnBpuuOsuHTBUnor93Fbix

Score

10^/10

amadey gcleaner stealc 9c9aa5 reno defense_evasion discovery loader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

http://185.215.113.115

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	550b76f083.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1i65e6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2g8144.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3u39G.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	be58c59714.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e94ec4ab84.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5552f5628c.exe

Downloads MZ/PE file 5 IoCs

flow	pid	Process
100	4308	BitLockerToGo.exe
34	1220	skotes.exe
34	1220	skotes.exe
41	1220	skotes.exe
94	2024	BitLockerToGo.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1i65e6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1i65e6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	be58c59714.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	550b76f083.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e94ec4ab84.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5552f5628c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5552f5628c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3u39G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e94ec4ab84.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2g8144.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	550b76f083.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2g8144.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3u39G.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	be58c59714.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	1i65e6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	skotes.exe

Executes dropped EXE 12 IoCs

pid	Process
4372	X0V02.exe
1664	1i65e6.exe
1220	skotes.exe
4016	2g8144.exe
3488	bb7412b9ed.exe
2728	3u39G.exe
1564	be58c59714.exe
4784	550b76f083.exe
4524	e94ec4ab84.exe
3760	skotes.exe
3228	5552f5628c.exe
1252	skotes.exe

Identifies Wine through registry keys 2 TTPs 10 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	2g8144.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	be58c59714.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	e94ec4ab84.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	5552f5628c.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	1i65e6.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	3u39G.exe
Key opened	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine	550b76f083.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5552f5628c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1092174001\\5552f5628c.exe"	skotes.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	X0V02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\be58c59714.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1092171001\\be58c59714.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\550b76f083.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1092172001\\550b76f083.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e94ec4ab84.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1092173001\\e94ec4ab84.exe"	skotes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
1664	1i65e6.exe
1220	skotes.exe
4016	2g8144.exe
2728	3u39G.exe
1564	be58c59714.exe
4784	550b76f083.exe
4524	e94ec4ab84.exe
3760	skotes.exe
3228	5552f5628c.exe
1252	skotes.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4524 set thread context of 2024	4524	e94ec4ab84.exe	119
PID 3228 set thread context of 4308	3228	5552f5628c.exe	120

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	1i65e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	X0V02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2g8144.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb7412b9ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be58c59714.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	550b76f083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e94ec4ab84.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1i65e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3u39G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5552f5628c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1664	1i65e6.exe
1664	1i65e6.exe
1220	skotes.exe
1220	skotes.exe
4016	2g8144.exe
4016	2g8144.exe
4016	2g8144.exe
4016	2g8144.exe
4016	2g8144.exe
4016	2g8144.exe
2728	3u39G.exe
2728	3u39G.exe
1564	be58c59714.exe
1564	be58c59714.exe
4784	550b76f083.exe
4784	550b76f083.exe
4524	e94ec4ab84.exe
4524	e94ec4ab84.exe
3760	skotes.exe
3760	skotes.exe
3228	5552f5628c.exe
3228	5552f5628c.exe
1252	skotes.exe
1252	skotes.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1664	1i65e6.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4372	2196	e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe	89
PID 2196 wrote to memory of 4372	2196	e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe	89
PID 2196 wrote to memory of 4372	2196	e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe	89
PID 4372 wrote to memory of 1664	4372	X0V02.exe	90
PID 4372 wrote to memory of 1664	4372	X0V02.exe	90
PID 4372 wrote to memory of 1664	4372	X0V02.exe	90
PID 1664 wrote to memory of 1220	1664	1i65e6.exe	92
PID 1664 wrote to memory of 1220	1664	1i65e6.exe	92
PID 1664 wrote to memory of 1220	1664	1i65e6.exe	92
PID 4372 wrote to memory of 4016	4372	X0V02.exe	93
PID 4372 wrote to memory of 4016	4372	X0V02.exe	93
PID 4372 wrote to memory of 4016	4372	X0V02.exe	93
PID 1220 wrote to memory of 3488	1220	skotes.exe	96
PID 1220 wrote to memory of 3488	1220	skotes.exe	96
PID 1220 wrote to memory of 3488	1220	skotes.exe	96
PID 2196 wrote to memory of 2728	2196	e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe	101
PID 2196 wrote to memory of 2728	2196	e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe	101
PID 2196 wrote to memory of 2728	2196	e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe	101
PID 1220 wrote to memory of 1564	1220	skotes.exe	104
PID 1220 wrote to memory of 1564	1220	skotes.exe	104
PID 1220 wrote to memory of 1564	1220	skotes.exe	104
PID 1220 wrote to memory of 4784	1220	skotes.exe	106
PID 1220 wrote to memory of 4784	1220	skotes.exe	106
PID 1220 wrote to memory of 4784	1220	skotes.exe	106
PID 1220 wrote to memory of 4524	1220	skotes.exe	107
PID 1220 wrote to memory of 4524	1220	skotes.exe	107
PID 1220 wrote to memory of 4524	1220	skotes.exe	107
PID 1220 wrote to memory of 3228	1220	skotes.exe	111
PID 1220 wrote to memory of 3228	1220	skotes.exe	111
PID 1220 wrote to memory of 3228	1220	skotes.exe	111
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 4524 wrote to memory of 2024	4524	e94ec4ab84.exe	119
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120
PID 3228 wrote to memory of 4308	3228	5552f5628c.exe	120

C:\Users\Admin\AppData\Local\Temp\e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe
"C:\Users\Admin\AppData\Local\Temp\e9789f716fac51bdcfb51f4851d4ed4f87d3bb3c12a60f6b45f27ae295b9195f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X0V02.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X0V02.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1i65e6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1i65e6.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\1092062001\bb7412b9ed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1092062001\bb7412b9ed.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3488
    - - C:\Users\Admin\AppData\Local\Temp\1092171001\be58c59714.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1092171001\be58c59714.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
    - - C:\Users\Admin\AppData\Local\Temp\1092172001\550b76f083.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1092172001\550b76f083.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\1092173001\e94ec4ab84.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1092173001\e94ec4ab84.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4524
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\1092174001\5552f5628c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1092174001\5552f5628c.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        6⤵
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        
        PID:4308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2g8144.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2g8144.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3u39G.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3u39G.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3UCXAPQR\soft[1]

Filesize
987KB

MD5
f49d1aaae28b92052e997480c504aa3b

SHA1
a422f6403847405cee6068f3394bb151d8591fb5

SHA256
81e31780a5f2078284b011c720261797eb8dd85e1b95a657dbce7ac31e9df1f0

SHA512
41f715eea031fd8d7d3a22d88e0199277db2f86be73f830819288c0f0665e81a314be6d356fdc66069cb3f2abf0dd02aaa49ac3732f3f44a533fcec0dfd6f773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MO4IX4SL\success[1].htm

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1092062001\bb7412b9ed.exe

Filesize
429KB

MD5
a92d6465d69430b38cbc16bf1c6a7210

SHA1
421fadebee484c9d19b9cb18faf3b0f5d9b7a554

SHA256
3cdb245eb031230d5652ea5a1160c0cbbb6be92fb3ea3cf2ee14b3d84677fc77

SHA512
0fc65c930a01db8cf306252402c47cf00b1222cd9d9736baf839488cdd6cf96ae8be479e08282ec7f34b665250580466a25cdfc699f4ecef6d5e4d543db8c345

Download Submit
C:\Users\Admin\AppData\Local\Temp\1092171001\be58c59714.exe

Filesize
3.0MB

MD5
5e79df97975b488e901487db545d5de8

SHA1
2cc617e5bd4cf348b8a1fccf2716686cf2c63fe6

SHA256
aa38c813aafc36532f6d8e826f2f7665b26c2c0ef2ff7395c21230f2640cb966

SHA512
5bbfee010c11ba03ef2db2a7a0280aae19f94aced5b2bb2085d5ea97a5d321d89368912cf8d563cbeb7de0f755ef5990adf9199b5f172d115bdc6e6e4442571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1092172001\550b76f083.exe

Filesize
1.7MB

MD5
1e95dc10fef7079a5d3fa793732a7cce

SHA1
8e9ccb511e76c921c6ddf2a2615a2e3c86ea4113

SHA256
81ac77037e15e56a6cdc0ba7e2af38e3e5a9f7a353054276c763e57d03db5ec1

SHA512
c35cb0cc0cc9046acab79fc70e26c28fa32f86e79dc36d44f938efada6bd45b190746d6f966552aa3eba45967b7f3ba7e113d8593576b7bb7f7fcaf670a23773

Download Submit
C:\Users\Admin\AppData\Local\Temp\1092173001\e94ec4ab84.exe

Filesize
4.5MB

MD5
8cbbec39bdf3e1f10eeaea4656da886d

SHA1
6fdb0e23784ef7594822a74e6024d7dadeed9a69

SHA256
e02514353186797d824fe828a79482eb2ddb9db5c6fb62a79df34da7df0682b2

SHA512
0bf7fbe5b26863e606c193a7c7ec5846d9e70c47ad1b0d117c5e5a099219a347eaa28bae60b71a2296facc8898ac4adb69fbf505b6714eb3fdc23b97c7a41c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\1092174001\5552f5628c.exe

Filesize
3.8MB

MD5
2e362af2b1d8b6318058c3ed1af039c2

SHA1
c3e017093b541951aa28ead0ced0287e7a8427a8

SHA256
ea98c0e5da12cd75a419f89d2e0d984153bd7a4d3df4adce0b955bafc77f601d

SHA512
d886b67f1af6b00845fbc5c953ce9c279650711195a61624c87b46d6c236f569b75dd0b20fc8ffb420674250569b9e2024225e1c96c49228fa1350311f5d0c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3u39G.exe

Filesize
1.7MB

MD5
be387fa24001fc6815aaa56fd034e158

SHA1
ea2116971dc1c9e20250d6e895a467033d3b66cc

SHA256
97a0714c97ef7d24d3e6724c9101e4fa035159eab3dd194b4b8f2c3fe927ced3

SHA512
8f7ce5bd72a87b7147c65a341b0f6902d68af49b1400bd6a42bcbe2b90719da218a5568eac26ca24e9f6c045ab784a446cd9e81bcf3d8ea212f96c7b9422f1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\X0V02.exe

Filesize
3.7MB

MD5
dbd88528720e86b217dbd9a8cff854ce

SHA1
52dae3bbb552f4c043eacfc0b97061104e9b630c

SHA256
e86826f8c52ee462db7190e72d9f44db70b6c168cdda389f80d3d950b5720fac

SHA512
a47da18f3270a6758a7114b773c3f81c414dcae3ed365cdfc1b6b6231c6d97a634359401d5fe92c37565b143c894552c1bf47729e857cf420e187768c2c7bf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1i65e6.exe

Filesize
2.0MB

MD5
190126600c4f0d6f6f75c7bd47081ce9

SHA1
7fce3c146cb29413dcbe133013f7bf760fb3d6d1

SHA256
04a56891b310acf9bb0397f078f1ac1c117754423f6ebc76bd2b0c7182cf3825

SHA512
8ee42e579c04a085bca667cc797b07fe63e26d5379f95d15471c877f26e5f22fb478986c717ecb1871ccbb2758eea7f523f7ce0ab2231b358a17d41223f73384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2g8144.exe

Filesize
1.8MB

MD5
411303148c2c132ec3b30a97c1936cf9

SHA1
9693f9e29924d1bbb1bf87f10707c74d1df7e996

SHA256
dc9c553a3ff7574b1007f70a911f10ca22590a7661dfb84a25c5009d1b564fbb

SHA512
f27dce51cbed73bb3f1b8fb977d3168f5778bab24b4c762f16333adfb9d93ce1b476a3277d994ee429781919385846c68c618c5d72b38ca6a7bc82f9c658dbdd

Download Submit
C:\Users\Admin\Desktop\YCL.lnk

Filesize
2KB

MD5
19fbdaa218702460eae217f3722ea86e

SHA1
25704b21967282397c5f16d98d6d0cf48e5c3cab

SHA256
f342f2e15df71033c92ceb51f9dc8ff21ab06538e2fd07108c2a157f3d8ccb69

SHA512
5e1321759bf24f79f30ab4e8fc70c2eb712620733fed6b8d2ebe83dafbe0c7e38acb20f48fcf7979d547415cc6d2f65f8880dd36bf8a705bdc0b8756e355866a

Download Submit
memory/1220-216-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-197-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-54-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-215-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-214-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-164-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-179-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-190-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-63-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-209-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-53-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-80-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-136-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-31-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-213-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1220-100-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1252-212-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1252-211-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/1564-79-0x0000000000A70000-0x0000000000D6B000-memory.dmp

Filesize
3.0MB

Download
memory/1564-82-0x0000000000A70000-0x0000000000D6B000-memory.dmp

Filesize
3.0MB

Download
memory/1664-17-0x0000000000450000-0x00000000008FE000-memory.dmp

Filesize
4.7MB

Download
memory/1664-19-0x0000000000450000-0x00000000008FE000-memory.dmp

Filesize
4.7MB

Download
memory/1664-16-0x0000000000451000-0x00000000004B9000-memory.dmp

Filesize
416KB

Download
memory/1664-32-0x0000000000450000-0x00000000008FE000-memory.dmp

Filesize
4.7MB

Download
memory/1664-15-0x0000000077C14000-0x0000000077C16000-memory.dmp

Filesize
8KB

Download
memory/1664-14-0x0000000000450000-0x00000000008FE000-memory.dmp

Filesize
4.7MB

Download
memory/1664-33-0x0000000000451000-0x00000000004B9000-memory.dmp

Filesize
416KB

Download
memory/2024-140-0x00000000001F0000-0x000000000021F000-memory.dmp

Filesize
188KB

Download
memory/2024-139-0x00000000001F0000-0x000000000021F000-memory.dmp

Filesize
188KB

Download
memory/2024-146-0x00000000001F0000-0x000000000021F000-memory.dmp

Filesize
188KB

Download
memory/2024-145-0x00000000001F0000-0x000000000021F000-memory.dmp

Filesize
188KB

Download
memory/2024-153-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2728-62-0x0000000000D50000-0x00000000013CC000-memory.dmp

Filesize
6.5MB

Download
memory/2728-61-0x0000000000D50000-0x00000000013CC000-memory.dmp

Filesize
6.5MB

Download
memory/3228-150-0x0000000000F80000-0x0000000001996000-memory.dmp

Filesize
10.1MB

Download
memory/3228-151-0x0000000000F80000-0x0000000001996000-memory.dmp

Filesize
10.1MB

Download
memory/3228-163-0x0000000000F80000-0x0000000001996000-memory.dmp

Filesize
10.1MB

Download
memory/3228-135-0x0000000000F80000-0x0000000001996000-memory.dmp

Filesize
10.1MB

Download
memory/3760-118-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/3760-119-0x0000000000CE0000-0x000000000118E000-memory.dmp

Filesize
4.7MB

Download
memory/4016-57-0x0000000000E40000-0x00000000012DF000-memory.dmp

Filesize
4.6MB

Download
memory/4016-56-0x0000000000E40000-0x00000000012DF000-memory.dmp

Filesize
4.6MB

Download
memory/4016-37-0x0000000000E40000-0x00000000012DF000-memory.dmp

Filesize
4.6MB

Download
memory/4308-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4524-147-0x0000000000C40000-0x000000000186B000-memory.dmp

Filesize
12.2MB

Download
memory/4524-138-0x0000000000C40000-0x000000000186B000-memory.dmp

Filesize
12.2MB

Download
memory/4524-137-0x0000000000C40000-0x000000000186B000-memory.dmp

Filesize
12.2MB

Download
memory/4524-116-0x0000000000C40000-0x000000000186B000-memory.dmp

Filesize
12.2MB

Download
memory/4784-99-0x0000000000990000-0x0000000001039000-memory.dmp

Filesize
6.7MB

Download
memory/4784-98-0x0000000000990000-0x0000000001039000-memory.dmp

Filesize
6.7MB

Download