Analysis
-
max time kernel
180s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
01-12-2022 11:30
General
-
Target
572a73429f8b673f5b3188cae34f550c8177615004b9bd8f5779ac96af770cb4.exe
-
Size
279KB
-
MD5
e22b8a98049d7b829f95f2e50682d5b1
-
SHA1
11e2abb1d17d91c870fbf7c79473214dc9140e23
-
SHA256
572a73429f8b673f5b3188cae34f550c8177615004b9bd8f5779ac96af770cb4
-
SHA512
b3de7056ac5296039c1032c9427dd0d10db5cafd2adfff7918e4f98e9ffc61548414755ba4325a6eb9fc43cded0994da52a5842232e65f3697c9416e085757f8
-
SSDEEP
6144:lAuinvG8S/i0Pr7O4aUopaYaUkHhSfbr5:lVivGr/i0PreEBH0fbr
Malware Config
Extracted
amadey
3.50
62.204.41.252/nB8cWack3/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\572a73429f8b673f5b3188cae34f550c8177615004b9bd8f5779ac96af770cb4.exe"C:\Users\Admin\AppData\Local\Temp\572a73429f8b673f5b3188cae34f550c8177615004b9bd8f5779ac96af770cb4.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1690.exeC:\Users\Admin\AppData\Local\Temp\1690.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\84EB.exeC:\Users\Admin\AppData\Local\Temp\84EB.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
243KB
MD57a962d27153d64ea69753e52e02c9ca4
SHA158cadf3905ee2506927e80a60ee0fb32dab73952
SHA256685cff3f47d608b9fbea3cee17309ea0821168ea1e106ca193bed5457a0dbf6a
SHA5128bc5033f4fdc3fb5f5e6514fec68b0abe2c82e5ff0d32e9a247c3d04a8e7c95617de4bed54be15dd42d3b9285ac04aaa53269da64d2c6b80c6ed7680e419bb03
-
Filesize
243KB
MD57a962d27153d64ea69753e52e02c9ca4
SHA158cadf3905ee2506927e80a60ee0fb32dab73952
SHA256685cff3f47d608b9fbea3cee17309ea0821168ea1e106ca193bed5457a0dbf6a
SHA5128bc5033f4fdc3fb5f5e6514fec68b0abe2c82e5ff0d32e9a247c3d04a8e7c95617de4bed54be15dd42d3b9285ac04aaa53269da64d2c6b80c6ed7680e419bb03
-
Filesize
4.6MB
MD5c6ded8762cdd4b6dfd1786a86dd14527
SHA1fad44e357fca7c944fef59f75ecb33f2a0737d53
SHA2567b58f4a4d1f500506201a5e4c0f5842351caf8070863999d8166684786ffc0cb
SHA51200e2a36bf88283f9c560e9c55e40ac2779922b02cb6dcfb84f3df56ff82f9a779fb1c04f3ad009a5049773d27e8baefa137bd653266461409ec3733483fe38dd
-
Filesize
4.6MB
MD5c6ded8762cdd4b6dfd1786a86dd14527
SHA1fad44e357fca7c944fef59f75ecb33f2a0737d53
SHA2567b58f4a4d1f500506201a5e4c0f5842351caf8070863999d8166684786ffc0cb
SHA51200e2a36bf88283f9c560e9c55e40ac2779922b02cb6dcfb84f3df56ff82f9a779fb1c04f3ad009a5049773d27e8baefa137bd653266461409ec3733483fe38dd
-
Filesize
243KB
MD57a962d27153d64ea69753e52e02c9ca4
SHA158cadf3905ee2506927e80a60ee0fb32dab73952
SHA256685cff3f47d608b9fbea3cee17309ea0821168ea1e106ca193bed5457a0dbf6a
SHA5128bc5033f4fdc3fb5f5e6514fec68b0abe2c82e5ff0d32e9a247c3d04a8e7c95617de4bed54be15dd42d3b9285ac04aaa53269da64d2c6b80c6ed7680e419bb03
-
Filesize
243KB
MD57a962d27153d64ea69753e52e02c9ca4
SHA158cadf3905ee2506927e80a60ee0fb32dab73952
SHA256685cff3f47d608b9fbea3cee17309ea0821168ea1e106ca193bed5457a0dbf6a
SHA5128bc5033f4fdc3fb5f5e6514fec68b0abe2c82e5ff0d32e9a247c3d04a8e7c95617de4bed54be15dd42d3b9285ac04aaa53269da64d2c6b80c6ed7680e419bb03
-
Filesize
243KB
MD57a962d27153d64ea69753e52e02c9ca4
SHA158cadf3905ee2506927e80a60ee0fb32dab73952
SHA256685cff3f47d608b9fbea3cee17309ea0821168ea1e106ca193bed5457a0dbf6a
SHA5128bc5033f4fdc3fb5f5e6514fec68b0abe2c82e5ff0d32e9a247c3d04a8e7c95617de4bed54be15dd42d3b9285ac04aaa53269da64d2c6b80c6ed7680e419bb03
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
460KB
-
Filesize
124KB
-
Filesize
460KB
-
Filesize
248KB
-
Filesize
124KB
-
Filesize
248KB
-
Filesize
124KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
124KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
128KB
-
Filesize
460KB
-
Filesize
128KB