Overview

overview

10

Static

static

10

15becbaa36...1f.exe

windows7_x64

7

15becbaa36...1f.exe

windows10_x64

7

Nuovo ordine .exe

windows7_x64

10

Nuovo ordine .exe

windows10_x64

10

189d5314ce...6e2b44

linux_amd64

189d5314ce...6e2b44

linux_mipsel

189d5314ce...6e2b44

linux_mips

18ccb7df2f...2a.exe

windows7_x64

10

18ccb7df2f...2a.exe

windows10_x64

10

1b11ae98b8...4f.dll

windows7_x64

10

1b11ae98b8...4f.dll

windows10_x64

10

204591aa6d...b8.exe

windows7_x64

10

204591aa6d...b8.exe

windows10_x64

10

2c7540c6d0...ff.exe

windows7_x64

10

2c7540c6d0...ff.exe

windows10_x64

10

2cb4d62827...d9.dll

windows7_x64

10

2cb4d62827...d9.dll

windows10_x64

10

4fd784c26d...49.exe

windows7_x64

10

4fd784c26d...49.exe

windows10_x64

10

553dc4c06c...5f.exe

windows7_x64

10

553dc4c06c...5f.exe

windows10_x64

10

5afed1cccc...2d.dll

windows7_x64

10

5afed1cccc...2d.dll

windows10_x64

10

62742e4698...10.exe

windows7_x64

10

62742e4698...10.exe

windows10_x64

10

6707289e11...1b.exe

windows7_x64

10

6707289e11...1b.exe

windows10_x64

10

69a43a40f0...e5.exe

windows7_x64

10

69a43a40f0...e5.exe

windows10_x64

10

6ca42fe27f...b7.exe

windows7_x64

10

6ca42fe27f...b7.exe

windows10_x64

10

6db4bb653b...97.jar

windows7_x64

3

Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    30-07-2021 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f.exe

  • Size

    158KB

  • MD5

    7456214bc55be7cc872f065ebe8af1b1

  • SHA1

    94fcad942bc030f7c8e0f7665ab995a47db7a06c

  • SHA256

    553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f

  • SHA512

    5b0afcb86716c3e487a2351a118e0ef6f4944715a8e862054a30e588ed5029cd50a3b58c2c9331e72cf5ba47ca781fe87b26c3699958b283f1638e7b4cfa8128

Score
10/10
amadeysmokeloaderbackdoorsuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://custom100.ru/

http://other191.com/

http://custom300.com/

http://600other.com/
rc4.i32
rc4.i32

Extracted

Family

amadey

Version

2.41

C2

ama529.ru/gBcskbwWs/index.php

amaad100.com/gBcskbwWs/index.php

900ama.com/gBcskbwWs/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Amadey CnC Check-In
    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f.exe
    "C:\Users\Admin\AppData\Local\Temp\553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3236
  • C:\Users\Admin\AppData\Local\Temp\9475.exe
    C:\Users\Admin\AppData\Local\Temp\9475.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:188
    • C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
      "C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\152c6d54a1\
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\152c6d54a1\
          4⤵
            PID:2316
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rgbux.exe /TR "C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:3788
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
        PID:1112
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:2284
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
            PID:3768
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            1⤵
              PID:1252
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 1252 -s 672
                2⤵
                • Suspicious use of NtCreateProcessExOtherParentProcess
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                PID:3900
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              1⤵
                PID:3968
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe
                1⤵
                  PID:3464
                • C:\Users\Admin\AppData\Roaming\jtccjti
                  C:\Users\Admin\AppData\Roaming\jtccjti
                  1⤵
                  • Executes dropped EXE
                  • Checks SCSI registry key(s)
                  • Suspicious behavior: MapViewOfSection
                  PID:500
                • C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
                  C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
                  1⤵
                  • Executes dropped EXE
                  PID:2744
                • C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
                  C:\Users\Admin\AppData\Local\Temp\152c6d54a1\rgbux.exe
                  1⤵
                  • Executes dropped EXE
                  PID:200

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/188-125-0x00000000001C0000-0x00000000001F2000-memory.dmp

                  Filesize

                  200KB

                  Download

                • memory/188-127-0x0000000000400000-0x00000000008A4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/200-158-0x0000000000400000-0x00000000008A4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/500-152-0x0000000000400000-0x0000000000891000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/1112-122-0x0000000003000000-0x0000000003074000-memory.dmp

                  Filesize

                  464KB

                  Download

                • memory/1112-124-0x0000000002D80000-0x0000000002DEB000-memory.dmp

                  Filesize

                  428KB

                  Download

                • memory/1252-136-0x0000000000400000-0x000000000040F000-memory.dmp

                  Filesize

                  60KB

                  Download

                • memory/1252-135-0x0000000000410000-0x0000000000419000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/2284-123-0x0000000000370000-0x0000000000377000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/2284-126-0x0000000000360000-0x000000000036C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/2720-142-0x0000000000400000-0x00000000008A4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2744-153-0x00000000008B0000-0x000000000095E000-memory.dmp

                  Filesize

                  696KB

                  Download

                • memory/2744-154-0x0000000000400000-0x00000000008A4000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2756-116-0x00000000007C0000-0x00000000007D5000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/2756-155-0x0000000000970000-0x0000000000985000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/3236-115-0x0000000000400000-0x0000000000891000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/3236-114-0x0000000000030000-0x0000000000039000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3464-147-0x0000000000C90000-0x0000000000C9D000-memory.dmp

                  Filesize

                  52KB

                  Download

                • memory/3464-146-0x0000000000CA0000-0x0000000000CA7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/3768-132-0x00000000003F0000-0x00000000003F7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/3768-133-0x00000000003E0000-0x00000000003EB000-memory.dmp

                  Filesize

                  44KB

                  Download

                • memory/3968-144-0x0000000003000000-0x000000000300B000-memory.dmp

                  Filesize

                  44KB

                  Download

                • memory/3968-143-0x0000000003010000-0x0000000003016000-memory.dmp

                  Filesize

                  24KB

                  Download