Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/12/2022, 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    227KB

  • MD5

    6bf32612021913917fbb830d269ce6be

  • SHA1

    266cd4686efbc4bc571ad58f4025da39283fe18b

  • SHA256

    6be9c20a1a148f3867bc21d009d60db9e04d315535ccf9dcaed8372ff0963448

  • SHA512

    542595e1e03571194cf45b2e7c3320d37fa249bb4dde1c0d53355350f9097bfde6e71f8dc67305b9f861168f05798ee22b36f731b2526440fc8b621e107ce739

  • SSDEEP

    3072:wDv4jLGg/Km5UnzTT3a6j1Gp9ls8LW4P84nBRUijcNQK1+eJV5u43:KaLGg/mnzHK2Gp7siW85B2ijeRu4

Score
10/10
amadeysmokeloaderbackdoorcollectionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.63

C2

amadtrackings.com/g9TTnd3bS/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 2 IoCs
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 24 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4988
  • C:\Users\Admin\AppData\Local\Temp\E331.exe
    C:\Users\Admin\AppData\Local\Temp\E331.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 892
      2⤵
      • Program crash
      PID:224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 956
      2⤵
      • Program crash
      PID:4424
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1096
      2⤵
      • Program crash
      PID:3664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 944
      2⤵
      • Program crash
      PID:852
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 960
      2⤵
      • Program crash
      PID:4908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1124
      2⤵
      • Program crash
      PID:444
    • C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 584
        3⤵
        • Program crash
        PID:4724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 708
        3⤵
        • Program crash
        PID:4108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 784
        3⤵
        • Program crash
        PID:3456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 944
        3⤵
        • Program crash
        PID:4288
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 944
        3⤵
        • Program crash
        PID:2716
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 944
        3⤵
        • Program crash
        PID:4012
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 976
        3⤵
        • Program crash
        PID:5100
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:3224
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 896
        3⤵
        • Program crash
        PID:2628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1196
        3⤵
        • Program crash
        PID:4760
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 892
        3⤵
        • Program crash
        PID:3924
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 664
        3⤵
        • Program crash
        PID:4788
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1004
        3⤵
        • Program crash
        PID:3220
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1592
        3⤵
        • Program crash
        PID:316
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\253fa33afbb5b2\cred64.dll, Main
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Accesses Microsoft Outlook profiles
        • outlook_win_path
        PID:208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1544
        3⤵
        • Program crash
        PID:4700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1600
        3⤵
        • Program crash
        PID:3916
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1176
      2⤵
      • Program crash
      PID:3380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2072 -ip 2072
    1⤵
      PID:1840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2072 -ip 2072
      1⤵
        PID:1164
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2072 -ip 2072
        1⤵
          PID:3584
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2072 -ip 2072
          1⤵
            PID:3480
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2072 -ip 2072
            1⤵
              PID:4132
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2072 -ip 2072
              1⤵
                PID:4268
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2072 -ip 2072
                1⤵
                  PID:4884
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 744 -ip 744
                  1⤵
                    PID:4028
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 744 -ip 744
                    1⤵
                      PID:3936
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 744 -ip 744
                      1⤵
                        PID:896
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 744 -ip 744
                        1⤵
                          PID:4452
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 744 -ip 744
                          1⤵
                            PID:824
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 744 -ip 744
                            1⤵
                              PID:4248
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 744 -ip 744
                              1⤵
                                PID:2856
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 744 -ip 744
                                1⤵
                                  PID:3896
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 744 -ip 744
                                  1⤵
                                    PID:2180
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 744 -ip 744
                                    1⤵
                                      PID:3060
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 744 -ip 744
                                      1⤵
                                        PID:5016
                                      • C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
                                        C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:1844
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 312
                                          2⤵
                                          • Program crash
                                          PID:4364
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1844 -ip 1844
                                        1⤵
                                          PID:1676
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 744 -ip 744
                                          1⤵
                                            PID:3408
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 744 -ip 744
                                            1⤵
                                              PID:3448
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 744 -ip 744
                                              1⤵
                                                PID:32
                                              • C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
                                                C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
                                                1⤵
                                                • Executes dropped EXE
                                                PID:4860
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 312
                                                  2⤵
                                                  • Program crash
                                                  PID:3844
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4860 -ip 4860
                                                1⤵
                                                  PID:4856
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 744 -ip 744
                                                  1⤵
                                                    PID:4132

                                                  Network

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
                                                    Filesize

                                                    284KB

                                                    MD5

                                                    9b5be7c16e4803fdb868e86adf4d68f1

                                                    SHA1

                                                    01dda801ea44313fb9d858a38c16b1d9bacc52c8

                                                    SHA256

                                                    258823e5296543f589f71fef5ad2d68c93b1498eab2a8ddef4ef3af5cb5914d6

                                                    SHA512

                                                    38d174227c2bc31127790e58eeb0ff9aff885e40a1fac20619ba82d76cad941ce462ec95ceea43b9421d45f6c5e0a16258b70f2c372caed76998659a2d39e8d2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
                                                    Filesize

                                                    284KB

                                                    MD5

                                                    9b5be7c16e4803fdb868e86adf4d68f1

                                                    SHA1

                                                    01dda801ea44313fb9d858a38c16b1d9bacc52c8

                                                    SHA256

                                                    258823e5296543f589f71fef5ad2d68c93b1498eab2a8ddef4ef3af5cb5914d6

                                                    SHA512

                                                    38d174227c2bc31127790e58eeb0ff9aff885e40a1fac20619ba82d76cad941ce462ec95ceea43b9421d45f6c5e0a16258b70f2c372caed76998659a2d39e8d2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
                                                    Filesize

                                                    284KB

                                                    MD5

                                                    9b5be7c16e4803fdb868e86adf4d68f1

                                                    SHA1

                                                    01dda801ea44313fb9d858a38c16b1d9bacc52c8

                                                    SHA256

                                                    258823e5296543f589f71fef5ad2d68c93b1498eab2a8ddef4ef3af5cb5914d6

                                                    SHA512

                                                    38d174227c2bc31127790e58eeb0ff9aff885e40a1fac20619ba82d76cad941ce462ec95ceea43b9421d45f6c5e0a16258b70f2c372caed76998659a2d39e8d2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\320d7ecc7e\nbveek.exe
                                                    Filesize

                                                    284KB

                                                    MD5

                                                    9b5be7c16e4803fdb868e86adf4d68f1

                                                    SHA1

                                                    01dda801ea44313fb9d858a38c16b1d9bacc52c8

                                                    SHA256

                                                    258823e5296543f589f71fef5ad2d68c93b1498eab2a8ddef4ef3af5cb5914d6

                                                    SHA512

                                                    38d174227c2bc31127790e58eeb0ff9aff885e40a1fac20619ba82d76cad941ce462ec95ceea43b9421d45f6c5e0a16258b70f2c372caed76998659a2d39e8d2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\E331.exe
                                                    Filesize

                                                    284KB

                                                    MD5

                                                    9b5be7c16e4803fdb868e86adf4d68f1

                                                    SHA1

                                                    01dda801ea44313fb9d858a38c16b1d9bacc52c8

                                                    SHA256

                                                    258823e5296543f589f71fef5ad2d68c93b1498eab2a8ddef4ef3af5cb5914d6

                                                    SHA512

                                                    38d174227c2bc31127790e58eeb0ff9aff885e40a1fac20619ba82d76cad941ce462ec95ceea43b9421d45f6c5e0a16258b70f2c372caed76998659a2d39e8d2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Local\Temp\E331.exe
                                                    Filesize

                                                    284KB

                                                    MD5

                                                    9b5be7c16e4803fdb868e86adf4d68f1

                                                    SHA1

                                                    01dda801ea44313fb9d858a38c16b1d9bacc52c8

                                                    SHA256

                                                    258823e5296543f589f71fef5ad2d68c93b1498eab2a8ddef4ef3af5cb5914d6

                                                    SHA512

                                                    38d174227c2bc31127790e58eeb0ff9aff885e40a1fac20619ba82d76cad941ce462ec95ceea43b9421d45f6c5e0a16258b70f2c372caed76998659a2d39e8d2

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\253fa33afbb5b2\cred64.dll
                                                    Filesize

                                                    126KB

                                                    MD5

                                                    bfee01170eb2d9a9d881a27d3c590b21

                                                    SHA1

                                                    1fce13219189f12350427570cf3f00eced380978

                                                    SHA256

                                                    78edd4d43c88a72fb597719e580a54f566eb146d0b4ce9fc660063971c90adcf

                                                    SHA512

                                                    123bbf0f8d8c9b8d98e44f2a38041afb3cbba68d24564976a39a9143c85fe988b4645dd092957060f6498a399210a808edebd7d35a85495927ea4b0bb5f1883a

                                                    Download Submit

                                                  • C:\Users\Admin\AppData\Roaming\253fa33afbb5b2\cred64.dll
                                                    Filesize

                                                    126KB

                                                    MD5

                                                    bfee01170eb2d9a9d881a27d3c590b21

                                                    SHA1

                                                    1fce13219189f12350427570cf3f00eced380978

                                                    SHA256

                                                    78edd4d43c88a72fb597719e580a54f566eb146d0b4ce9fc660063971c90adcf

                                                    SHA512

                                                    123bbf0f8d8c9b8d98e44f2a38041afb3cbba68d24564976a39a9143c85fe988b4645dd092957060f6498a399210a808edebd7d35a85495927ea4b0bb5f1883a

                                                    Download Submit

                                                  • memory/744-152-0x0000000000400000-0x0000000000471000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/744-151-0x00000000007B2000-0x00000000007D0000-memory.dmp

                                                    Filesize

                                                    120KB

                                                    Download

                                                  • memory/744-148-0x0000000000400000-0x0000000000471000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/744-147-0x00000000007B2000-0x00000000007D0000-memory.dmp

                                                    Filesize

                                                    120KB

                                                    Download

                                                  • memory/1844-153-0x0000000000694000-0x00000000006B2000-memory.dmp

                                                    Filesize

                                                    120KB

                                                    Download

                                                  • memory/1844-154-0x0000000000400000-0x0000000000471000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/2072-139-0x0000000000733000-0x0000000000752000-memory.dmp

                                                    Filesize

                                                    124KB

                                                    Download

                                                  • memory/2072-146-0x0000000000400000-0x0000000000471000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/2072-145-0x0000000000733000-0x0000000000752000-memory.dmp

                                                    Filesize

                                                    124KB

                                                    Download

                                                  • memory/2072-141-0x0000000000400000-0x0000000000471000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/2072-140-0x00000000005D0000-0x000000000060C000-memory.dmp

                                                    Filesize

                                                    240KB

                                                    Download

                                                  • memory/4860-159-0x00000000004A4000-0x00000000004C2000-memory.dmp

                                                    Filesize

                                                    120KB

                                                    Download

                                                  • memory/4860-160-0x0000000000400000-0x0000000000471000-memory.dmp

                                                    Filesize

                                                    452KB

                                                    Download

                                                  • memory/4988-132-0x00000000004B3000-0x00000000004C3000-memory.dmp

                                                    Filesize

                                                    64KB

                                                    Download

                                                  • memory/4988-135-0x0000000000400000-0x0000000000462000-memory.dmp

                                                    Filesize

                                                    392KB

                                                    Download

                                                  • memory/4988-134-0x0000000000400000-0x0000000000462000-memory.dmp

                                                    Filesize

                                                    392KB

                                                    Download

                                                  • memory/4988-133-0x0000000000470000-0x0000000000479000-memory.dmp

                                                    Filesize

                                                    36KB

                                                    Download