Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
21/07/2023, 00:24
General
-
Target
c75730e6ecdf31924dd7032a6d297977f7ed25cc132d94cb0b7661b28227c9cc.exe
-
Size
515KB
-
MD5
4fc39596b7228e67f0e678c1693056e4
-
SHA1
58460cbf87d2adb38a9a793282daca564493bba1
-
SHA256
c75730e6ecdf31924dd7032a6d297977f7ed25cc132d94cb0b7661b28227c9cc
-
SHA512
3044bf4145f56870460b45d2da5f2db13dc1658f30b349a401b00f8fc7a91ec2c1ad22ccbf1006854dea737f6ba9bdafcc6f006b6d66518463ecf915c5f28bf1
-
SSDEEP
12288:kMrxy909VGG/wI7w5J+s1FxEG3zUVcGmtkKfZwNq0j:9yeGG9wmsHaG3WmtjM
Malware Config
Extracted
amadey
3.85
77.91.68.3/home/love/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c75730e6ecdf31924dd7032a6d297977f7ed25cc132d94cb0b7661b28227c9cc.exe"C:\Users\Admin\AppData\Local\Temp\c75730e6ecdf31924dd7032a6d297977f7ed25cc132d94cb0b7661b28227c9cc.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2567856.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2567856.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3603994.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3603994.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3753455.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3753455.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3326940.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b3326940.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main6⤵
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9751406.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9751406.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2788823.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2788823.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\E0E5.exeC:\Users\Admin\AppData\Local\Temp\E0E5.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" .\TO0BIO.Oxm2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\TO0BIO.Oxm3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\TO0BIO.Oxm4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\TO0BIO.Oxm5⤵
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
227KB
MD5ccba58864f27b3f6f8a9e50236cdf658
SHA188255fed4c01ab90d502a364bd8bf162affc55af
SHA25668dc1ae733b29f39aa7989b22c64f51ada810d08ccc17865f72469dc6ce1020a
SHA512b981caa3adaec36fabe31d768b5905ea301489085b366e46fb4f17b14b8fceee093df4f88adb336ca54c7eee732b071e846ee81b5a4a39e09043b571ec8090d5
-
Filesize
227KB
MD5ccba58864f27b3f6f8a9e50236cdf658
SHA188255fed4c01ab90d502a364bd8bf162affc55af
SHA25668dc1ae733b29f39aa7989b22c64f51ada810d08ccc17865f72469dc6ce1020a
SHA512b981caa3adaec36fabe31d768b5905ea301489085b366e46fb4f17b14b8fceee093df4f88adb336ca54c7eee732b071e846ee81b5a4a39e09043b571ec8090d5
-
Filesize
227KB
MD5ccba58864f27b3f6f8a9e50236cdf658
SHA188255fed4c01ab90d502a364bd8bf162affc55af
SHA25668dc1ae733b29f39aa7989b22c64f51ada810d08ccc17865f72469dc6ce1020a
SHA512b981caa3adaec36fabe31d768b5905ea301489085b366e46fb4f17b14b8fceee093df4f88adb336ca54c7eee732b071e846ee81b5a4a39e09043b571ec8090d5
-
Filesize
227KB
MD5ccba58864f27b3f6f8a9e50236cdf658
SHA188255fed4c01ab90d502a364bd8bf162affc55af
SHA25668dc1ae733b29f39aa7989b22c64f51ada810d08ccc17865f72469dc6ce1020a
SHA512b981caa3adaec36fabe31d768b5905ea301489085b366e46fb4f17b14b8fceee093df4f88adb336ca54c7eee732b071e846ee81b5a4a39e09043b571ec8090d5
-
Filesize
227KB
MD5ccba58864f27b3f6f8a9e50236cdf658
SHA188255fed4c01ab90d502a364bd8bf162affc55af
SHA25668dc1ae733b29f39aa7989b22c64f51ada810d08ccc17865f72469dc6ce1020a
SHA512b981caa3adaec36fabe31d768b5905ea301489085b366e46fb4f17b14b8fceee093df4f88adb336ca54c7eee732b071e846ee81b5a4a39e09043b571ec8090d5
-
Filesize
227KB
MD5ccba58864f27b3f6f8a9e50236cdf658
SHA188255fed4c01ab90d502a364bd8bf162affc55af
SHA25668dc1ae733b29f39aa7989b22c64f51ada810d08ccc17865f72469dc6ce1020a
SHA512b981caa3adaec36fabe31d768b5905ea301489085b366e46fb4f17b14b8fceee093df4f88adb336ca54c7eee732b071e846ee81b5a4a39e09043b571ec8090d5
-
Filesize
1.7MB
MD5734e6bdc5f35873e72aa15f02e0ad491
SHA199ba405d200d639adc6d0bdb29a49a01b45b81a6
SHA256dc3495cee180ad126eeb4b6dac0e8464129309dee957750984265115478181fa
SHA512a389657dccbcba5a9c55bcd76e169f8b67e590d49ac19c498e47e3baa5c35b706f07977074107271ae7a99a79a52c5b3c6819661d2640137d6c629fd69651c33
-
Filesize
1.7MB
MD5734e6bdc5f35873e72aa15f02e0ad491
SHA199ba405d200d639adc6d0bdb29a49a01b45b81a6
SHA256dc3495cee180ad126eeb4b6dac0e8464129309dee957750984265115478181fa
SHA512a389657dccbcba5a9c55bcd76e169f8b67e590d49ac19c498e47e3baa5c35b706f07977074107271ae7a99a79a52c5b3c6819661d2640137d6c629fd69651c33
-
Filesize
175KB
MD5d6f80d2aee7156ff1140e24978b4e113
SHA1f5a368cf106761150ea2be437e85eb35952db1cc
SHA256e82438a3f56a967fc9efccf700d6c1a4468ffa028f248ee6abb32a59328d21fd
SHA5126927e65bbdc42a3bfd2bb96012ca85fd69110ef49e5e73a834563a7846583c36fb2ae345a82be503cb8c85ce3a43a4f155bf79c2e5b2ca048a33e456b2515e3a
-
Filesize
175KB
MD5d6f80d2aee7156ff1140e24978b4e113
SHA1f5a368cf106761150ea2be437e85eb35952db1cc
SHA256e82438a3f56a967fc9efccf700d6c1a4468ffa028f248ee6abb32a59328d21fd
SHA5126927e65bbdc42a3bfd2bb96012ca85fd69110ef49e5e73a834563a7846583c36fb2ae345a82be503cb8c85ce3a43a4f155bf79c2e5b2ca048a33e456b2515e3a
-
Filesize
359KB
MD536d7acac3ddd453b04d510334f62c996
SHA1b51d8f8711c126ce86eab284f67e52c2fa428784
SHA2566095aa8cfdd5e00cc36164196e5411bc3844470c9472e6996dc5365286c382ba
SHA512fa7831b2587d9d0aa63cddc74642c9c63918e007d18c595baf229f743c9dafeba30080d590b67257f865c37f5a961c0c44498f854ff24bc9f8e630a0dd881245
-
Filesize
359KB
MD536d7acac3ddd453b04d510334f62c996
SHA1b51d8f8711c126ce86eab284f67e52c2fa428784
SHA2566095aa8cfdd5e00cc36164196e5411bc3844470c9472e6996dc5365286c382ba
SHA512fa7831b2587d9d0aa63cddc74642c9c63918e007d18c595baf229f743c9dafeba30080d590b67257f865c37f5a961c0c44498f854ff24bc9f8e630a0dd881245
-
Filesize
32KB
MD5779ae32521109e8e5b3f68f6e7a0f722
SHA14368d7b2d6936dfe594ca8a3ee4df4d8b892c84f
SHA256387de16482053ba1fa68605c4dbf388712c68267f3ce6e862347935960203d2a
SHA512b783c9434bbefaa07241be443cad9453004c89cf98be7e84bb3e7f567fc8a08fd5d49ce09026979dda8fb0da144eea8bfb4bbe07dc0693a429aac7963f21212e
-
Filesize
32KB
MD5779ae32521109e8e5b3f68f6e7a0f722
SHA14368d7b2d6936dfe594ca8a3ee4df4d8b892c84f
SHA256387de16482053ba1fa68605c4dbf388712c68267f3ce6e862347935960203d2a
SHA512b783c9434bbefaa07241be443cad9453004c89cf98be7e84bb3e7f567fc8a08fd5d49ce09026979dda8fb0da144eea8bfb4bbe07dc0693a429aac7963f21212e
-
Filesize
235KB
MD550174f96b319c890ea81b3389fa2c863
SHA1c4581854d9347aaa7351154263bfc804a0642d39
SHA25664b75dda35c396e62f66be56bab0e1e8e5368da2764e47552025e3a9a8bffe2f
SHA512f58c73672b21e88420c69bc74052f9b748f85ac0ab17f51035630af35c58580923b81226467d0a9ad5e414bade9f821c03c684c05306074cddadac4add32db0d
-
Filesize
235KB
MD550174f96b319c890ea81b3389fa2c863
SHA1c4581854d9347aaa7351154263bfc804a0642d39
SHA25664b75dda35c396e62f66be56bab0e1e8e5368da2764e47552025e3a9a8bffe2f
SHA512f58c73672b21e88420c69bc74052f9b748f85ac0ab17f51035630af35c58580923b81226467d0a9ad5e414bade9f821c03c684c05306074cddadac4add32db0d
-
Filesize
15KB
MD5c9b18018deccd6c78434f1c0a28253fb
SHA158af1e197bd1322972b2f9fc1aadc885f5e05216
SHA25650379ca9ae720c2d2695216aa6746f0ff9e36892f88dd095c8064832dd15cb8e
SHA512c9ecb5ec6718bdfeedabbee390e3da9a79214c0d4a257a5236f71478e1d912f916518cd49508df0197ad1d78afbef76342ccadfd92f4f333c56cf5a05061225a
-
Filesize
15KB
MD5c9b18018deccd6c78434f1c0a28253fb
SHA158af1e197bd1322972b2f9fc1aadc885f5e05216
SHA25650379ca9ae720c2d2695216aa6746f0ff9e36892f88dd095c8064832dd15cb8e
SHA512c9ecb5ec6718bdfeedabbee390e3da9a79214c0d4a257a5236f71478e1d912f916518cd49508df0197ad1d78afbef76342ccadfd92f4f333c56cf5a05061225a
-
Filesize
227KB
MD5ccba58864f27b3f6f8a9e50236cdf658
SHA188255fed4c01ab90d502a364bd8bf162affc55af
SHA25668dc1ae733b29f39aa7989b22c64f51ada810d08ccc17865f72469dc6ce1020a
SHA512b981caa3adaec36fabe31d768b5905ea301489085b366e46fb4f17b14b8fceee093df4f88adb336ca54c7eee732b071e846ee81b5a4a39e09043b571ec8090d5
-
Filesize
227KB
MD5ccba58864f27b3f6f8a9e50236cdf658
SHA188255fed4c01ab90d502a364bd8bf162affc55af
SHA25668dc1ae733b29f39aa7989b22c64f51ada810d08ccc17865f72469dc6ce1020a
SHA512b981caa3adaec36fabe31d768b5905ea301489085b366e46fb4f17b14b8fceee093df4f88adb336ca54c7eee732b071e846ee81b5a4a39e09043b571ec8090d5
-
Filesize
1.2MB
MD56678ff541ad68a47a8bbbe217ab739f8
SHA13a43e3a903f217b3dae55837877bfa53f6db0019
SHA256f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17
SHA512b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6
-
Filesize
1.2MB
MD56678ff541ad68a47a8bbbe217ab739f8
SHA13a43e3a903f217b3dae55837877bfa53f6db0019
SHA256f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17
SHA512b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6
-
Filesize
1.2MB
MD56678ff541ad68a47a8bbbe217ab739f8
SHA13a43e3a903f217b3dae55837877bfa53f6db0019
SHA256f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17
SHA512b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
272B
MD5d867eabb1be5b45bc77bb06814e23640
SHA13139a51ce7e8462c31070363b9532c13cc52c82d
SHA25638c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349
SHA512afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59
-
Filesize
992KB
-
Filesize
24KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
24KB
-
Filesize
892KB
-
Filesize
992KB
-
Filesize
1.2MB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB