Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
19/07/2023, 18:13
General
-
Target
786401ec3e6cb6ae5e1209e3ed92f1f28db0eb73a7f90a86e57554f4d838eab9.exe
-
Size
514KB
-
MD5
0a2aabcdbf071f963428e3cb2d5e4f02
-
SHA1
a045599f446d283a9bfe4c888358f1f87ac79046
-
SHA256
786401ec3e6cb6ae5e1209e3ed92f1f28db0eb73a7f90a86e57554f4d838eab9
-
SHA512
b2cab5fef3cc3e5da7beaa9e57438ed17bf3b267622462800352c5d12587bb71ee706b4512df6e1dc9fd6b25f627111c1b990d6188289d76e0f478a12166184b
-
SSDEEP
12288:xMrJy90LOARS47nKv5ckGmG/BLZyVhEmrtP:4yuOAQv5cF5YZtP
Malware Config
Extracted
amadey
3.85
77.91.68.3/home/love/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\786401ec3e6cb6ae5e1209e3ed92f1f28db0eb73a7f90a86e57554f4d838eab9.exe"C:\Users\Admin\AppData\Local\Temp\786401ec3e6cb6ae5e1209e3ed92f1f28db0eb73a7f90a86e57554f4d838eab9.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0215717.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0215717.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7132320.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7132320.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2462322.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2462322.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9570555.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9570555.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main6⤵
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7278070.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7278070.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3584346.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3584346.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\E79C.exeC:\Users\Admin\AppData\Local\Temp\E79C.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s 5D3KPV.L2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
227KB
MD5a3130aab1510f1d31b5ff10f96ecd6a4
SHA17ad78abda0b87051541a8310583b884675b0aa2c
SHA256bf62568202144aa9732b3adbeb61a8f70a7e44ac21ea883091e5af980fa117df
SHA512073844ca0201ffe8c3effc676ec04a85347bbd36242691035b1053e520f7325ebd72820803bede6201f8822a7d520833a93f15d6777abd462a3888910610bfa4
-
Filesize
227KB
MD5a3130aab1510f1d31b5ff10f96ecd6a4
SHA17ad78abda0b87051541a8310583b884675b0aa2c
SHA256bf62568202144aa9732b3adbeb61a8f70a7e44ac21ea883091e5af980fa117df
SHA512073844ca0201ffe8c3effc676ec04a85347bbd36242691035b1053e520f7325ebd72820803bede6201f8822a7d520833a93f15d6777abd462a3888910610bfa4
-
Filesize
227KB
MD5a3130aab1510f1d31b5ff10f96ecd6a4
SHA17ad78abda0b87051541a8310583b884675b0aa2c
SHA256bf62568202144aa9732b3adbeb61a8f70a7e44ac21ea883091e5af980fa117df
SHA512073844ca0201ffe8c3effc676ec04a85347bbd36242691035b1053e520f7325ebd72820803bede6201f8822a7d520833a93f15d6777abd462a3888910610bfa4
-
Filesize
227KB
MD5a3130aab1510f1d31b5ff10f96ecd6a4
SHA17ad78abda0b87051541a8310583b884675b0aa2c
SHA256bf62568202144aa9732b3adbeb61a8f70a7e44ac21ea883091e5af980fa117df
SHA512073844ca0201ffe8c3effc676ec04a85347bbd36242691035b1053e520f7325ebd72820803bede6201f8822a7d520833a93f15d6777abd462a3888910610bfa4
-
Filesize
227KB
MD5a3130aab1510f1d31b5ff10f96ecd6a4
SHA17ad78abda0b87051541a8310583b884675b0aa2c
SHA256bf62568202144aa9732b3adbeb61a8f70a7e44ac21ea883091e5af980fa117df
SHA512073844ca0201ffe8c3effc676ec04a85347bbd36242691035b1053e520f7325ebd72820803bede6201f8822a7d520833a93f15d6777abd462a3888910610bfa4
-
Filesize
227KB
MD5a3130aab1510f1d31b5ff10f96ecd6a4
SHA17ad78abda0b87051541a8310583b884675b0aa2c
SHA256bf62568202144aa9732b3adbeb61a8f70a7e44ac21ea883091e5af980fa117df
SHA512073844ca0201ffe8c3effc676ec04a85347bbd36242691035b1053e520f7325ebd72820803bede6201f8822a7d520833a93f15d6777abd462a3888910610bfa4
-
Filesize
1.2MB
MD5bb7c34d42d71dd1e9a92b4b400e998ea
SHA10d8542b6442d62aca5af03d5c7c1586f6f40cc41
SHA256b60be0ee20083b48e382ed6de402a52601c3a3593a3b7edb6324f3f8c754980e
SHA5123f93f86f65636a8ca0807565adb3198a137052a215ba0c6135dd26d0e3a79d39a784a65985a0cd086d6430549b7201640b10a30c447a593a0ac2d0251727a5e0
-
Filesize
1.2MB
MD5bb7c34d42d71dd1e9a92b4b400e998ea
SHA10d8542b6442d62aca5af03d5c7c1586f6f40cc41
SHA256b60be0ee20083b48e382ed6de402a52601c3a3593a3b7edb6324f3f8c754980e
SHA5123f93f86f65636a8ca0807565adb3198a137052a215ba0c6135dd26d0e3a79d39a784a65985a0cd086d6430549b7201640b10a30c447a593a0ac2d0251727a5e0
-
Filesize
1.2MB
MD5bb7c34d42d71dd1e9a92b4b400e998ea
SHA10d8542b6442d62aca5af03d5c7c1586f6f40cc41
SHA256b60be0ee20083b48e382ed6de402a52601c3a3593a3b7edb6324f3f8c754980e
SHA5123f93f86f65636a8ca0807565adb3198a137052a215ba0c6135dd26d0e3a79d39a784a65985a0cd086d6430549b7201640b10a30c447a593a0ac2d0251727a5e0
-
Filesize
1.6MB
MD53fa2bd828844c6baca150e7ea16e21a7
SHA154a64b4c5b726310b5f925a75c03960e78b24eba
SHA256666200e6da2d7ddd3c2fb0120c817bab6fed9a1b3f0add3ae77f2090c1afb497
SHA512af85884ba76ff35b4a58a9512330f9438946b1767fedadb9cfa6bbbe80dd8374df508db7c0db470f2732f63d0e6f78ed909e38b5a935824c787298cc1c8a1e49
-
Filesize
1.6MB
MD53fa2bd828844c6baca150e7ea16e21a7
SHA154a64b4c5b726310b5f925a75c03960e78b24eba
SHA256666200e6da2d7ddd3c2fb0120c817bab6fed9a1b3f0add3ae77f2090c1afb497
SHA512af85884ba76ff35b4a58a9512330f9438946b1767fedadb9cfa6bbbe80dd8374df508db7c0db470f2732f63d0e6f78ed909e38b5a935824c787298cc1c8a1e49
-
Filesize
173KB
MD55b0afbcc355cd231493e9783c01132d4
SHA1a5764919c510b2af345d5b4ee8f107302f5b059a
SHA256e2a3aa90958f6fe3de97cf14787ef8c3d03419d45ded259c4e64064e65f5f722
SHA512c83bf2a4aeb6818d8cfb816f7f777427103803b8b90d8a4768486d752dfbd8c7ce1796436941a04b7871738a0b577736c500cb694a9ce1a0be0065cbcc3024d2
-
Filesize
173KB
MD55b0afbcc355cd231493e9783c01132d4
SHA1a5764919c510b2af345d5b4ee8f107302f5b059a
SHA256e2a3aa90958f6fe3de97cf14787ef8c3d03419d45ded259c4e64064e65f5f722
SHA512c83bf2a4aeb6818d8cfb816f7f777427103803b8b90d8a4768486d752dfbd8c7ce1796436941a04b7871738a0b577736c500cb694a9ce1a0be0065cbcc3024d2
-
Filesize
359KB
MD5dcad3670a680944931781ea78dc13ebb
SHA11ab04bbcd45753fea491e063e60949c11fa8c64e
SHA25608c7e0ba8d85e8abcb2a2410cad187ca510c1070ff6696fb41a6b038332d0212
SHA512caf5a4a396c784e097c4ba24bc4a17ca17a49450bc02bbaba3397373c11497b4c4e4fa9553a3525e5168e80cfb970cecaacd2cc4879728dbae12ad2203314d59
-
Filesize
359KB
MD5dcad3670a680944931781ea78dc13ebb
SHA11ab04bbcd45753fea491e063e60949c11fa8c64e
SHA25608c7e0ba8d85e8abcb2a2410cad187ca510c1070ff6696fb41a6b038332d0212
SHA512caf5a4a396c784e097c4ba24bc4a17ca17a49450bc02bbaba3397373c11497b4c4e4fa9553a3525e5168e80cfb970cecaacd2cc4879728dbae12ad2203314d59
-
Filesize
32KB
MD5ab5792dd87d763ea14d79ce0711bb5ba
SHA19032c62fc2acecd7dac87b05709db08d1303905d
SHA2563ac5171068467ae8bed178a778484ae692b924e1e17d6826dceae29e84081339
SHA51274fa21a3da83325a714f971b352c0201fd2a62a5f1aadb09d6c91c2022b2f7e05477fd2257d6bd01daab5488132002215ed38ebcd5372ac19d02511208ddcf7a
-
Filesize
32KB
MD5ab5792dd87d763ea14d79ce0711bb5ba
SHA19032c62fc2acecd7dac87b05709db08d1303905d
SHA2563ac5171068467ae8bed178a778484ae692b924e1e17d6826dceae29e84081339
SHA51274fa21a3da83325a714f971b352c0201fd2a62a5f1aadb09d6c91c2022b2f7e05477fd2257d6bd01daab5488132002215ed38ebcd5372ac19d02511208ddcf7a
-
Filesize
235KB
MD5314ad6ca4ecebb27594d530cb38617da
SHA11fe9d6110cfd95479e1cc91a4b3d57dd0ea51071
SHA2562e34ad5842b3d0c76ec22fa7d5a85ba47b53f461dfd8010554d4d1bd1f21848c
SHA51209ccd1920314c47f8677c52a14afa8d83759364aeed6e6808cfd98e253c3d1b30455219253a94c8a021a044bcca2440c0862fe402dbd7dacc9335efd8b31d35d
-
Filesize
235KB
MD5314ad6ca4ecebb27594d530cb38617da
SHA11fe9d6110cfd95479e1cc91a4b3d57dd0ea51071
SHA2562e34ad5842b3d0c76ec22fa7d5a85ba47b53f461dfd8010554d4d1bd1f21848c
SHA51209ccd1920314c47f8677c52a14afa8d83759364aeed6e6808cfd98e253c3d1b30455219253a94c8a021a044bcca2440c0862fe402dbd7dacc9335efd8b31d35d
-
Filesize
14KB
MD5a91926da1d7fa3ae831fc8b321bae937
SHA1cd822b46284db1b74cc80fbd37d98c722cc7447d
SHA25604e8ddfe62bc9e78355cf1c519a4867e6391e3a5c6feef80078a1600a5f6e14a
SHA512031c5619ac5eb7ddd081cee0f15cc4616971a44150c5ee52ad1aefb59fe4ef71e5da3e14efaf579a4fdf90c8b28218b7d9c0d9d1a6362fe27841f06118f0edb6
-
Filesize
14KB
MD5a91926da1d7fa3ae831fc8b321bae937
SHA1cd822b46284db1b74cc80fbd37d98c722cc7447d
SHA25604e8ddfe62bc9e78355cf1c519a4867e6391e3a5c6feef80078a1600a5f6e14a
SHA512031c5619ac5eb7ddd081cee0f15cc4616971a44150c5ee52ad1aefb59fe4ef71e5da3e14efaf579a4fdf90c8b28218b7d9c0d9d1a6362fe27841f06118f0edb6
-
Filesize
227KB
MD5a3130aab1510f1d31b5ff10f96ecd6a4
SHA17ad78abda0b87051541a8310583b884675b0aa2c
SHA256bf62568202144aa9732b3adbeb61a8f70a7e44ac21ea883091e5af980fa117df
SHA512073844ca0201ffe8c3effc676ec04a85347bbd36242691035b1053e520f7325ebd72820803bede6201f8822a7d520833a93f15d6777abd462a3888910610bfa4
-
Filesize
227KB
MD5a3130aab1510f1d31b5ff10f96ecd6a4
SHA17ad78abda0b87051541a8310583b884675b0aa2c
SHA256bf62568202144aa9732b3adbeb61a8f70a7e44ac21ea883091e5af980fa117df
SHA512073844ca0201ffe8c3effc676ec04a85347bbd36242691035b1053e520f7325ebd72820803bede6201f8822a7d520833a93f15d6777abd462a3888910610bfa4
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
272B
MD5d867eabb1be5b45bc77bb06814e23640
SHA13139a51ce7e8462c31070363b9532c13cc52c82d
SHA25638c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349
SHA512afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59
-
Filesize
40KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
916KB
-
Filesize
1024KB
-
Filesize
1.2MB
-
Filesize
24KB
-
Filesize
1.2MB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
240KB
-
Filesize
7.7MB
-
Filesize
192KB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB