Analysis

  • max time kernel
    151s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-12-2021 15:10

General

  • Target

    4161b47ee520541835f5b43c966202df398b7ff882b6959d4ec4210cb638bce0.exe

  • Size

    291KB

  • MD5

    872b04e80be0331efa9ac74df5c45e62

  • SHA1

    8bcd6911de6ee70a57d42f365d43fd4a22d65ee0

  • SHA256

    4161b47ee520541835f5b43c966202df398b7ff882b6959d4ec4210cb638bce0

  • SHA512

    1867aaf71f585f9fc78b5363ec379ca03fba646e5f647fa9335b4897ad8e3e13bd0fa83617e8fb8a63871b55c359094d3326e90b7d321d6e8b1123e472cb4219

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

2.86

C2

2.56.56.210/notAnoob/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Neshta Payload 11 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4161b47ee520541835f5b43c966202df398b7ff882b6959d4ec4210cb638bce0.exe
    "C:\Users\Admin\AppData\Local\Temp\4161b47ee520541835f5b43c966202df398b7ff882b6959d4ec4210cb638bce0.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:656
  • C:\Users\Admin\AppData\Local\Temp\C9E3.exe
    C:\Users\Admin\AppData\Local\Temp\C9E3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\ProgramData\5954_1640339821_5793.exe
      "C:\ProgramData\5954_1640339821_5793.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe"
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
            C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
            5⤵
            • Executes dropped EXE
            PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Change Default File Association

1
T1042

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
    MD5

    a344438de9e499ca3d9038688440f406

    SHA1

    c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

    SHA256

    715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

    SHA512

    8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

  • C:\ProgramData\5954_1640339821_5793.exe
    MD5

    05ac7818089aaed02ed5320d50f47132

    SHA1

    f9dfd169342637416bdc47d3d6ac6a31f062577f

    SHA256

    bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70

    SHA512

    1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d

  • C:\ProgramData\5954_1640339821_5793.exe
    MD5

    05ac7818089aaed02ed5320d50f47132

    SHA1

    f9dfd169342637416bdc47d3d6ac6a31f062577f

    SHA256

    bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70

    SHA512

    1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d

  • C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
    MD5

    8a403bc371b84920c641afa3cf9fef2f

    SHA1

    d6c9d38f3e571b54132dd7ee31a169c683abfd63

    SHA256

    614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

    SHA512

    b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

  • C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    MD5

    32853955255a94fcd7587ca9cbfe2b60

    SHA1

    c33a88184c09e89598f0cabf68ce91c8d5791521

    SHA256

    64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

    SHA512

    8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    MD5

    f6636e7fd493f59a5511f08894bba153

    SHA1

    3618061817fdf1155acc0c99b7639b30e3b6936c

    SHA256

    61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

    SHA512

    bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    MD5

    3e8de969e12cd5e6292489a12a9834b6

    SHA1

    285b89585a09ead4affa32ecaaa842bc51d53ad5

    SHA256

    7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

    SHA512

    b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

  • C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
    MD5

    a49eb5f2ad98fffade88c1d337854f89

    SHA1

    2cc197bcf3625751f7e714ac1caf8e554d0be3b1

    SHA256

    99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449

    SHA512

    4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593

  • C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
    MD5

    47d324d0398317af1f842dd2a271c3f0

    SHA1

    045937d0083abe615ce4780684f500dfde4c550b

    SHA256

    0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

    SHA512

    ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

  • C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
    MD5

    47d324d0398317af1f842dd2a271c3f0

    SHA1

    045937d0083abe615ce4780684f500dfde4c550b

    SHA256

    0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

    SHA512

    ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

  • C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
    MD5

    47d324d0398317af1f842dd2a271c3f0

    SHA1

    045937d0083abe615ce4780684f500dfde4c550b

    SHA256

    0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

    SHA512

    ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

  • C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
    MD5

    47d324d0398317af1f842dd2a271c3f0

    SHA1

    045937d0083abe615ce4780684f500dfde4c550b

    SHA256

    0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

    SHA512

    ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

  • C:\Users\Admin\AppData\Local\Temp\C9E3.exe
    MD5

    ac696ff26dae3d008a7f1a8a33a6c067

    SHA1

    0e450582db291be053ac6a4ccf722dc4441b1f2e

    SHA256

    44e08debeddf1bf932fd76e0fd0088eb196c036c92d662601ac8b55fe10528b9

    SHA512

    1e049cc4cdd0e6dc4f38771f271a8021ad5c771024ed9cc3aea787d184a976f84778fc127ff2ab67cb79e0621ddc60b4b872393f4fabb0dfceb977409f66c0c6

  • C:\Users\Admin\AppData\Local\Temp\C9E3.exe
    MD5

    ac696ff26dae3d008a7f1a8a33a6c067

    SHA1

    0e450582db291be053ac6a4ccf722dc4441b1f2e

    SHA256

    44e08debeddf1bf932fd76e0fd0088eb196c036c92d662601ac8b55fe10528b9

    SHA512

    1e049cc4cdd0e6dc4f38771f271a8021ad5c771024ed9cc3aea787d184a976f84778fc127ff2ab67cb79e0621ddc60b4b872393f4fabb0dfceb977409f66c0c6

  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

  • C:\odt\OFFICE~1.EXE
    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

  • memory/656-117-0x0000000000400000-0x00000000004CA000-memory.dmp
    Filesize

    808KB

  • memory/656-116-0x0000000000560000-0x0000000000569000-memory.dmp
    Filesize

    36KB

  • memory/1036-129-0x0000000000000000-mapping.dmp
  • memory/1628-122-0x000002924A970000-0x000002924AA18000-memory.dmp
    Filesize

    672KB

  • memory/1628-123-0x000002924A970000-0x000002924AA18000-memory.dmp
    Filesize

    672KB

  • memory/1628-124-0x000002924AD20000-0x000002924AD44000-memory.dmp
    Filesize

    144KB

  • memory/1628-119-0x0000000000000000-mapping.dmp
  • memory/1628-128-0x000002924ADA0000-0x000002924ADA2000-memory.dmp
    Filesize

    8KB

  • memory/2536-132-0x0000000000000000-mapping.dmp
  • memory/2552-125-0x0000000000000000-mapping.dmp
  • memory/2760-118-0x0000000001490000-0x00000000014A6000-memory.dmp
    Filesize

    88KB

  • memory/3220-136-0x0000000000000000-mapping.dmp