Overview

overview

10

Static

static

10

15becbaa36...1f.exe

windows7_x64

7

15becbaa36...1f.exe

windows10_x64

7

Nuovo ordine .exe

windows7_x64

10

Nuovo ordine .exe

windows10_x64

10

189d5314ce...6e2b44

linux_amd64

189d5314ce...6e2b44

linux_mipsel

189d5314ce...6e2b44

linux_mips

18ccb7df2f...2a.exe

windows7_x64

10

18ccb7df2f...2a.exe

windows10_x64

10

1b11ae98b8...4f.dll

windows7_x64

10

1b11ae98b8...4f.dll

windows10_x64

10

204591aa6d...b8.exe

windows7_x64

10

204591aa6d...b8.exe

windows10_x64

10

2c7540c6d0...ff.exe

windows7_x64

10

2c7540c6d0...ff.exe

windows10_x64

10

2cb4d62827...d9.dll

windows7_x64

10

2cb4d62827...d9.dll

windows10_x64

10

4fd784c26d...49.exe

windows7_x64

10

4fd784c26d...49.exe

windows10_x64

10

553dc4c06c...5f.exe

windows7_x64

10

553dc4c06c...5f.exe

windows10_x64

10

5afed1cccc...2d.dll

windows7_x64

10

5afed1cccc...2d.dll

windows10_x64

10

62742e4698...10.exe

windows7_x64

10

62742e4698...10.exe

windows10_x64

10

6707289e11...1b.exe

windows7_x64

10

6707289e11...1b.exe

windows10_x64

10

69a43a40f0...e5.exe

windows7_x64

10

69a43a40f0...e5.exe

windows10_x64

10

6ca42fe27f...b7.exe

windows7_x64

10

6ca42fe27f...b7.exe

windows10_x64

10

6db4bb653b...97.jar

windows7_x64

3

Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    30-07-2021 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f.exe

  • Size

    158KB

  • MD5

    7456214bc55be7cc872f065ebe8af1b1

  • SHA1

    94fcad942bc030f7c8e0f7665ab995a47db7a06c

  • SHA256

    553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f

  • SHA512

    5b0afcb86716c3e487a2351a118e0ef6f4944715a8e862054a30e588ed5029cd50a3b58c2c9331e72cf5ba47ca781fe87b26c3699958b283f1638e7b4cfa8128

Score
10/10
amadeysmokeloaderbackdoorsuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://custom100.ru/

http://other191.com/

http://custom300.com/

http://600other.com/
rc4.i32
rc4.i32

Extracted

Family

amadey

Version

2.41

C2

ama529.ru/gBcskbwWs/index.php

amaad100.com/gBcskbwWs/index.php

900ama.com/gBcskbwWs/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • suricata: ET MALWARE Amadey CnC Check-In
    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 13 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f.exe
    "C:\Users\Admin\AppData\Local\Temp\553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1892
  • C:\Users\Admin\AppData\Local\Temp\84AA.exe
    C:\Users\Admin\AppData\Local\Temp\84AA.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:476
    • C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
      "C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\152c6d54a1\
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:628
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\152c6d54a1\
          4⤵
            PID:1528
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rgbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:1812
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
        PID:684
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:1484
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
            PID:1120
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            1⤵
              PID:792
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              1⤵
                PID:1112
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe
                1⤵
                  PID:2044

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/476-80-0x0000000000400000-0x00000000008A4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/476-77-0x0000000000220000-0x0000000000252000-memory.dmp

                  Filesize

                  200KB

                  Download

                • memory/684-69-0x0000000000080000-0x00000000000EB000-memory.dmp

                  Filesize

                  428KB

                  Download

                • memory/684-68-0x00000000000F0000-0x0000000000164000-memory.dmp

                  Filesize

                  464KB

                  Download

                • memory/684-67-0x0000000074B81000-0x0000000074B83000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/792-94-0x00000000000E0000-0x00000000000EF000-memory.dmp

                  Filesize

                  60KB

                  Download

                • memory/792-93-0x00000000000F0000-0x00000000000F9000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/1112-98-0x0000000000090000-0x0000000000096000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/1112-99-0x0000000000080000-0x000000000008B000-memory.dmp

                  Filesize

                  44KB

                  Download

                • memory/1120-83-0x0000000074A11000-0x0000000074A13000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1120-84-0x00000000000D0000-0x00000000000D7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1120-85-0x00000000000C0000-0x00000000000CB000-memory.dmp

                  Filesize

                  44KB

                  Download

                • memory/1272-62-0x0000000002A50000-0x0000000002A65000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/1484-79-0x0000000000060000-0x000000000006C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/1484-78-0x0000000000070000-0x0000000000077000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1892-59-0x0000000075D51000-0x0000000075D53000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1892-61-0x0000000000400000-0x0000000000891000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/1892-60-0x0000000000020000-0x0000000000029000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/1928-92-0x0000000000400000-0x00000000008A4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2044-101-0x0000000000070000-0x0000000000077000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/2044-102-0x0000000000060000-0x000000000006D000-memory.dmp

                  Filesize

                  52KB

                  Download