Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
-
submitted
08-07-2023 14:12
General
-
Target
file.exe
-
Size
439KB
-
MD5
db5dea81bb668fa4386d2ea8ecbe9e1c
-
SHA1
642f1d9423d883854a06f50b03619c16fe33281a
-
SHA256
abd8284914e8bc1309c13903e7b41b1af552c80598982c9e8fbe35e88eda9315
-
SHA512
b7a0a78a34d2a1f00385b58fd172e4d0c9224c9d1020fe656a7bc4414dadc4ab24e40ad6736f905208747c8d048da0f4efea1af965c12a218d46305f90721fad
-
SSDEEP
12288:kehYGKhh2CbBZ0MjA7Yhsd7R6jOP1tcrEQf:ZiGKPZbYBYhsd7dtF
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
smokeloader
pub5
Extracted
smokeloader
2022
http://aapu.at/tmp/
http://poudineh.com/tmp/
http://firsttrusteedrx.ru/tmp/
http://kingpirate.ru/tmp/
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\11796175.exe"C:\Users\Admin\AppData\Local\Temp\11796175.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:R" /E5⤵
-
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {4FBCEFF4-7C2B-49E7-9C61-406A2C29D0C3} S-1-5-21-1305762978-1813183296-1799492538-1000:CQOQSKLT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
231KB
MD560343acf2d83027ad0fb572dedc1f337
SHA153f46bd099eaf92bbefbf2132cc349dd1f948b59
SHA2567eb9a5e5d20ca69bafa8c49f8795255782f7169410a1ab4c2c2dff8168ad8df6
SHA51230ae852bb655c71dd6b4d493b2ddc7f292f57f2f3914161dd994117e5b83c2d0a0a29f11b45e9b3647c8de71ceff770e744a7d8dcd10b6c47ebe374dc7ab5c13
-
Filesize
231KB
MD560343acf2d83027ad0fb572dedc1f337
SHA153f46bd099eaf92bbefbf2132cc349dd1f948b59
SHA2567eb9a5e5d20ca69bafa8c49f8795255782f7169410a1ab4c2c2dff8168ad8df6
SHA51230ae852bb655c71dd6b4d493b2ddc7f292f57f2f3914161dd994117e5b83c2d0a0a29f11b45e9b3647c8de71ceff770e744a7d8dcd10b6c47ebe374dc7ab5c13
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
231KB
MD560343acf2d83027ad0fb572dedc1f337
SHA153f46bd099eaf92bbefbf2132cc349dd1f948b59
SHA2567eb9a5e5d20ca69bafa8c49f8795255782f7169410a1ab4c2c2dff8168ad8df6
SHA51230ae852bb655c71dd6b4d493b2ddc7f292f57f2f3914161dd994117e5b83c2d0a0a29f11b45e9b3647c8de71ceff770e744a7d8dcd10b6c47ebe374dc7ab5c13
-
Filesize
231KB
MD560343acf2d83027ad0fb572dedc1f337
SHA153f46bd099eaf92bbefbf2132cc349dd1f948b59
SHA2567eb9a5e5d20ca69bafa8c49f8795255782f7169410a1ab4c2c2dff8168ad8df6
SHA51230ae852bb655c71dd6b4d493b2ddc7f292f57f2f3914161dd994117e5b83c2d0a0a29f11b45e9b3647c8de71ceff770e744a7d8dcd10b6c47ebe374dc7ab5c13
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
88KB
-
Filesize
464KB
-
Filesize
36KB
-
Filesize
496KB