Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03/03/2023, 13:34
General
-
Target
4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe
-
Size
258KB
-
MD5
8c2506fef155bd72ee5100610aebc9e4
-
SHA1
13067fec38a031c3eb365e96a797768c1249bf96
-
SHA256
4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e
-
SHA512
79d15edbec81dbce468bccb286fec0b35c2eec84182c5052dde3679091dcab4aaa50dd54c72f84fdee0dd7b31d88279a09317fe82b27292268ae2609a1105925
-
SSDEEP
3072:e4C5oq7lwHUZZu0Po6gtmNqs8OGWHGij/Moxr0KSlkMsg67IaOqcnD53pjAXPSQo:D4ocuU7u0Po6gRw7HGQCmOqcDzj
Malware Config
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
redline
rosto
hueref.eu:4162
-
auth_value
07d81eba8cad42bbd0ae60042d48eac6
Extracted
amadey
3.68
193.233.20.25/buH5N004d/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Smokeloader packer 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 12 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe"C:\Users\Admin\AppData\Local\Temp\4dc27dc6049bc102a6dd9ea4c12cc26a31d53655d702ee69a001d794e8008e2e.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\ED14.exeC:\Users\Admin\AppData\Local\Temp\ED14.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptSj4050Vt.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptSj4050Vt.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptmG0842gC.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptmG0842gC.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\befr56vK31.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\befr56vK31.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 10805⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctKK50AA79.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctKK50AA79.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk07mY49po25.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk07mY49po25.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 14084⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxRK12Ko52.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxRK12Ko52.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1576 -ip 15761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2540 -ip 25401⤵
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exeC:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
900KB
MD586f055d5a69e7666c0966f1cf7f34d0f
SHA1455d1356c4468824436e12dce4ffac66978b3521
SHA25626773f4b456f97d3ffa64aa3e705b42837103343bbc433dc0af635cf97579079
SHA512e652909b4560ee0a7ccf9e161056bf85399d8b15bc5087770c3659bc0295a1c97bb6705528c2bef04f5cd940b43238eef5703d72d6863ad1ded0b8483be1b0c9
-
Filesize
900KB
MD586f055d5a69e7666c0966f1cf7f34d0f
SHA1455d1356c4468824436e12dce4ffac66978b3521
SHA25626773f4b456f97d3ffa64aa3e705b42837103343bbc433dc0af635cf97579079
SHA512e652909b4560ee0a7ccf9e161056bf85399d8b15bc5087770c3659bc0295a1c97bb6705528c2bef04f5cd940b43238eef5703d72d6863ad1ded0b8483be1b0c9
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
235KB
MD55be5a732113282a7824ceb2a359b6468
SHA10d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7
SHA25600b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee
SHA512a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c
-
Filesize
714KB
MD58139edcd8671b9d9c7406a9d3840dcbc
SHA1236e54a52f78b62868b5e987068ca20235fee733
SHA25624cb382a240229b53ce418f0347d46ebb074fb04bc443aa92462e05c94a90db7
SHA5120f9516fdab13a7cf91586406ca59542fbb29ff41469991d293196c59e1b69b71a8979c68e9cdb9615ae3cc8dac28bb37943400ab85cfac1f0e1626636db41b17
-
Filesize
714KB
MD58139edcd8671b9d9c7406a9d3840dcbc
SHA1236e54a52f78b62868b5e987068ca20235fee733
SHA25624cb382a240229b53ce418f0347d46ebb074fb04bc443aa92462e05c94a90db7
SHA5120f9516fdab13a7cf91586406ca59542fbb29ff41469991d293196c59e1b69b71a8979c68e9cdb9615ae3cc8dac28bb37943400ab85cfac1f0e1626636db41b17
-
Filesize
367KB
MD5f49c7a029cd55e390570e3a1dfaf1612
SHA14db6d31063c5a1d611b47c02e13a01ea52c04388
SHA256f6882c20312f9e005ea4954a01e9e53dad39a3cec99bebdf3f87f695356fa37b
SHA51287b6e399f32f45211e20fdfe23252a7d60c758781302a448ca04d1c2108438b507a7a81867dd78716860fb2166147a142bd3eda052d19bdf28dac3220b9fc68c
-
Filesize
367KB
MD5f49c7a029cd55e390570e3a1dfaf1612
SHA14db6d31063c5a1d611b47c02e13a01ea52c04388
SHA256f6882c20312f9e005ea4954a01e9e53dad39a3cec99bebdf3f87f695356fa37b
SHA51287b6e399f32f45211e20fdfe23252a7d60c758781302a448ca04d1c2108438b507a7a81867dd78716860fb2166147a142bd3eda052d19bdf28dac3220b9fc68c
-
Filesize
357KB
MD5c535c9302209f071fbaa5946157e1527
SHA13fdb74d5251d22776abb66d1b0e42af3f8ff3e9e
SHA25646556cecb42a6813fc4e15f1c3a16cedf7698bbc9a9ee7459da4b778c67b2d05
SHA5127c80090829a42dc6f0c8ffbe4513a5e18d053fbc23df095413e3c88ca3a042c331998b267bcc9333f836a3adc8f0c253f00a6b3f97078ee3e06ad723548ffe1e
-
Filesize
357KB
MD5c535c9302209f071fbaa5946157e1527
SHA13fdb74d5251d22776abb66d1b0e42af3f8ff3e9e
SHA25646556cecb42a6813fc4e15f1c3a16cedf7698bbc9a9ee7459da4b778c67b2d05
SHA5127c80090829a42dc6f0c8ffbe4513a5e18d053fbc23df095413e3c88ca3a042c331998b267bcc9333f836a3adc8f0c253f00a6b3f97078ee3e06ad723548ffe1e
-
Filesize
309KB
MD54cf9a087703b0404c33a309c02247319
SHA13059339f5d92d22e3edb359c28865e4578c45db8
SHA2560a22f607da5bb93676591657f8417f665d7c433bfd2b558cf2e641ad736b6f32
SHA5124a2015355cc84c786cbf218295062a2f4bfe4fbf82ca8eecacb7d41dc028d7026b63474d3c3532bf6d3033a866dffde4785d7320ac4ae02c39f3008e455a29fc
-
Filesize
309KB
MD54cf9a087703b0404c33a309c02247319
SHA13059339f5d92d22e3edb359c28865e4578c45db8
SHA2560a22f607da5bb93676591657f8417f665d7c433bfd2b558cf2e641ad736b6f32
SHA5124a2015355cc84c786cbf218295062a2f4bfe4fbf82ca8eecacb7d41dc028d7026b63474d3c3532bf6d3033a866dffde4785d7320ac4ae02c39f3008e455a29fc
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
36KB
-
Filesize
1.5MB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
5.6MB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB