Analysis
-
max time kernel
53s -
max time network
53s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
16/07/2023, 10:41
General
-
Target
1c3c0a47393dcff39003db858e612e36e01d82c14f7a92e3e9695d96db8ee703.exe
-
Size
515KB
-
MD5
8f25624c92159734dba331282162820c
-
SHA1
ceb7ff08bb821a12563aa65e622c2aa35a505330
-
SHA256
1c3c0a47393dcff39003db858e612e36e01d82c14f7a92e3e9695d96db8ee703
-
SHA512
d71142757f49365499fc28431bb894ed5312d792fa60ed3bc434e3543dc497daaf8b64f1220ba1321aa84772575b21c4520042cd0cee0ebc5659ccd9319f6d2d
-
SSDEEP
12288:JMrNy90MsiQ6N0SZgmIqSBx0t5p7+W/kxkD1iNG:cyhM6Nri5rgzco1EG
Malware Config
Extracted
amadey
3.85
77.91.68.3/home/love/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
zahar
77.91.68.56:19071
-
auth_value
94c55a31fcf1761f07eeb4a0c6fb74fa
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 4 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 14 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 57 IoCs
-
Suspicious use of SendNotifyMessage 55 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c3c0a47393dcff39003db858e612e36e01d82c14f7a92e3e9695d96db8ee703.exe"C:\Users\Admin\AppData\Local\Temp\1c3c0a47393dcff39003db858e612e36e01d82c14f7a92e3e9695d96db8ee703.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0629581.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0629581.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5614525.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5614525.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1030884.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1030884.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5661693.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5661693.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7795227.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7795227.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8513209.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8513209.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
173KB
MD5a5ef056d8c4c98622c99526a89009f2d
SHA1ae68d015cd37d32d18b9969889b2fca571bcaf61
SHA25619022efa04133c06bae657b3104f6eec787a09753b8fcb42cedfa0e25339a86b
SHA512d7c0cae97e8fc9683dd04fbbf8b533f97fb2502b5064d134e828f2be8b6d023ac3354eb3a694dc9188d327d34bf41fdd4a998025539c9b31bf3617348fdf5fa2
-
Filesize
173KB
MD5a5ef056d8c4c98622c99526a89009f2d
SHA1ae68d015cd37d32d18b9969889b2fca571bcaf61
SHA25619022efa04133c06bae657b3104f6eec787a09753b8fcb42cedfa0e25339a86b
SHA512d7c0cae97e8fc9683dd04fbbf8b533f97fb2502b5064d134e828f2be8b6d023ac3354eb3a694dc9188d327d34bf41fdd4a998025539c9b31bf3617348fdf5fa2
-
Filesize
359KB
MD527c6a7954bf0f8eeca7aa5dd307b0434
SHA1499e984f6e7a7a2e4678447d0968e25f1b361bf4
SHA2564fc9176a2b18965a624d24f1e988ba107592dbe39c439fe607b3bb05becc7e2f
SHA5121ea12fd32f03f8a0eeab2c5ac46463342caa0d04dafd0d42521c7cf0298abab274aa9eadb746f3cd1c3f87547e700ca711bd22a69753babf171dd0a343d60fc6
-
Filesize
359KB
MD527c6a7954bf0f8eeca7aa5dd307b0434
SHA1499e984f6e7a7a2e4678447d0968e25f1b361bf4
SHA2564fc9176a2b18965a624d24f1e988ba107592dbe39c439fe607b3bb05becc7e2f
SHA5121ea12fd32f03f8a0eeab2c5ac46463342caa0d04dafd0d42521c7cf0298abab274aa9eadb746f3cd1c3f87547e700ca711bd22a69753babf171dd0a343d60fc6
-
Filesize
30KB
MD55adf0473ce6d01c162d35cf777c680af
SHA1c14d769108048d67c2e1af87a4b61eda4b1fce42
SHA2561841b86fc91b0aed2589eb6ecb858415132ded89b4b428da22f60877b03561b3
SHA5124d0966d9ba2783d7416a1b972889e775f9e21387357ae83018f6d7869df0ef3c571068e0d6e754377b22cf0bb9168a57f1a74f1389f62961922e9fea6d7f4b72
-
Filesize
30KB
MD55adf0473ce6d01c162d35cf777c680af
SHA1c14d769108048d67c2e1af87a4b61eda4b1fce42
SHA2561841b86fc91b0aed2589eb6ecb858415132ded89b4b428da22f60877b03561b3
SHA5124d0966d9ba2783d7416a1b972889e775f9e21387357ae83018f6d7869df0ef3c571068e0d6e754377b22cf0bb9168a57f1a74f1389f62961922e9fea6d7f4b72
-
Filesize
30KB
MD55adf0473ce6d01c162d35cf777c680af
SHA1c14d769108048d67c2e1af87a4b61eda4b1fce42
SHA2561841b86fc91b0aed2589eb6ecb858415132ded89b4b428da22f60877b03561b3
SHA5124d0966d9ba2783d7416a1b972889e775f9e21387357ae83018f6d7869df0ef3c571068e0d6e754377b22cf0bb9168a57f1a74f1389f62961922e9fea6d7f4b72
-
Filesize
235KB
MD58aadee481e7aeabd706ea440eb81f651
SHA13a488ffdc9d871d6f84b8c5e2dcf6c8e14d1cd56
SHA2560503b2d75c54225c54443fa7b013e677d8c4ea8332505cff0b5ea353db16141c
SHA512633092d4a8a912c045be2b178875ee74a9e93f5f02857dfac345ed10997e552fc7b0cc7264ec8b388454881b301bd912e91df0c80410e640a264e8e705b19489
-
Filesize
235KB
MD58aadee481e7aeabd706ea440eb81f651
SHA13a488ffdc9d871d6f84b8c5e2dcf6c8e14d1cd56
SHA2560503b2d75c54225c54443fa7b013e677d8c4ea8332505cff0b5ea353db16141c
SHA512633092d4a8a912c045be2b178875ee74a9e93f5f02857dfac345ed10997e552fc7b0cc7264ec8b388454881b301bd912e91df0c80410e640a264e8e705b19489
-
Filesize
11KB
MD5ce4652fc037f77e3b677bacec367051a
SHA1676cba8545628ea5fdea64ea475a150d9a0f1045
SHA25681e4fbcda9c37eb6080f50cffe2288a26f4e82060e24b8d94d2ee17d0387bd08
SHA512bc8a7206dfa21f6c49882d2a516c03f4424dad984b45adcb90ca080dc80ea4b344deebbc2df615178a33d8bc9666615ba2871f231d02f0886efab5b02786687b
-
Filesize
11KB
MD5ce4652fc037f77e3b677bacec367051a
SHA1676cba8545628ea5fdea64ea475a150d9a0f1045
SHA25681e4fbcda9c37eb6080f50cffe2288a26f4e82060e24b8d94d2ee17d0387bd08
SHA512bc8a7206dfa21f6c49882d2a516c03f4424dad984b45adcb90ca080dc80ea4b344deebbc2df615178a33d8bc9666615ba2871f231d02f0886efab5b02786687b
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
173KB
MD5a5ef056d8c4c98622c99526a89009f2d
SHA1ae68d015cd37d32d18b9969889b2fca571bcaf61
SHA25619022efa04133c06bae657b3104f6eec787a09753b8fcb42cedfa0e25339a86b
SHA512d7c0cae97e8fc9683dd04fbbf8b533f97fb2502b5064d134e828f2be8b6d023ac3354eb3a694dc9188d327d34bf41fdd4a998025539c9b31bf3617348fdf5fa2
-
Filesize
173KB
MD5a5ef056d8c4c98622c99526a89009f2d
SHA1ae68d015cd37d32d18b9969889b2fca571bcaf61
SHA25619022efa04133c06bae657b3104f6eec787a09753b8fcb42cedfa0e25339a86b
SHA512d7c0cae97e8fc9683dd04fbbf8b533f97fb2502b5064d134e828f2be8b6d023ac3354eb3a694dc9188d327d34bf41fdd4a998025539c9b31bf3617348fdf5fa2
-
Filesize
359KB
MD527c6a7954bf0f8eeca7aa5dd307b0434
SHA1499e984f6e7a7a2e4678447d0968e25f1b361bf4
SHA2564fc9176a2b18965a624d24f1e988ba107592dbe39c439fe607b3bb05becc7e2f
SHA5121ea12fd32f03f8a0eeab2c5ac46463342caa0d04dafd0d42521c7cf0298abab274aa9eadb746f3cd1c3f87547e700ca711bd22a69753babf171dd0a343d60fc6
-
Filesize
359KB
MD527c6a7954bf0f8eeca7aa5dd307b0434
SHA1499e984f6e7a7a2e4678447d0968e25f1b361bf4
SHA2564fc9176a2b18965a624d24f1e988ba107592dbe39c439fe607b3bb05becc7e2f
SHA5121ea12fd32f03f8a0eeab2c5ac46463342caa0d04dafd0d42521c7cf0298abab274aa9eadb746f3cd1c3f87547e700ca711bd22a69753babf171dd0a343d60fc6
-
Filesize
30KB
MD55adf0473ce6d01c162d35cf777c680af
SHA1c14d769108048d67c2e1af87a4b61eda4b1fce42
SHA2561841b86fc91b0aed2589eb6ecb858415132ded89b4b428da22f60877b03561b3
SHA5124d0966d9ba2783d7416a1b972889e775f9e21387357ae83018f6d7869df0ef3c571068e0d6e754377b22cf0bb9168a57f1a74f1389f62961922e9fea6d7f4b72
-
Filesize
30KB
MD55adf0473ce6d01c162d35cf777c680af
SHA1c14d769108048d67c2e1af87a4b61eda4b1fce42
SHA2561841b86fc91b0aed2589eb6ecb858415132ded89b4b428da22f60877b03561b3
SHA5124d0966d9ba2783d7416a1b972889e775f9e21387357ae83018f6d7869df0ef3c571068e0d6e754377b22cf0bb9168a57f1a74f1389f62961922e9fea6d7f4b72
-
Filesize
30KB
MD55adf0473ce6d01c162d35cf777c680af
SHA1c14d769108048d67c2e1af87a4b61eda4b1fce42
SHA2561841b86fc91b0aed2589eb6ecb858415132ded89b4b428da22f60877b03561b3
SHA5124d0966d9ba2783d7416a1b972889e775f9e21387357ae83018f6d7869df0ef3c571068e0d6e754377b22cf0bb9168a57f1a74f1389f62961922e9fea6d7f4b72
-
Filesize
235KB
MD58aadee481e7aeabd706ea440eb81f651
SHA13a488ffdc9d871d6f84b8c5e2dcf6c8e14d1cd56
SHA2560503b2d75c54225c54443fa7b013e677d8c4ea8332505cff0b5ea353db16141c
SHA512633092d4a8a912c045be2b178875ee74a9e93f5f02857dfac345ed10997e552fc7b0cc7264ec8b388454881b301bd912e91df0c80410e640a264e8e705b19489
-
Filesize
235KB
MD58aadee481e7aeabd706ea440eb81f651
SHA13a488ffdc9d871d6f84b8c5e2dcf6c8e14d1cd56
SHA2560503b2d75c54225c54443fa7b013e677d8c4ea8332505cff0b5ea353db16141c
SHA512633092d4a8a912c045be2b178875ee74a9e93f5f02857dfac345ed10997e552fc7b0cc7264ec8b388454881b301bd912e91df0c80410e640a264e8e705b19489
-
Filesize
11KB
MD5ce4652fc037f77e3b677bacec367051a
SHA1676cba8545628ea5fdea64ea475a150d9a0f1045
SHA25681e4fbcda9c37eb6080f50cffe2288a26f4e82060e24b8d94d2ee17d0387bd08
SHA512bc8a7206dfa21f6c49882d2a516c03f4424dad984b45adcb90ca080dc80ea4b344deebbc2df615178a33d8bc9666615ba2871f231d02f0886efab5b02786687b
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
224KB
MD5da4f69c96dbeb614ba5950bd52b2146e
SHA1303df70a1ab917167ba80f7cc2fe228d413dfe63
SHA2564436549d6c949405488f3d5a3b197453117f4400290cf87060b835ebfe57a8af
SHA5128e2924fda782c95acb4713e965f243582132df1a8177d88f34bf8c586da3223e8d3f6539a5391dff89673bc831579bd50a8f9c1e430cc86ff797ebda5fc95ad1
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
40KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
24KB