Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
22-07-2023 07:05
General
-
Target
53992c55e805806269a09601bd2c635b1b7d78e7bb9cf6acd890a9e26345bbd6.exe
-
Size
514KB
-
MD5
1e4668bd71bc6d5f8175fb3c32b3c7ab
-
SHA1
a0832da21867d05422129a97f0a130e38784a5ca
-
SHA256
53992c55e805806269a09601bd2c635b1b7d78e7bb9cf6acd890a9e26345bbd6
-
SHA512
5e33b6b466e0a19cb3e25a02de4afaa7afafd71f800270bc14d5df94eda534f6e3d2c012014d39a65124aa4aa0fbb9ea95a1b6a48b401774d690f8869143e925
-
SSDEEP
12288:WMriy90KP6ws3k6UsbLTSRIfFv20AyW6hGqeO/Z0r:0yzP5s3k6VbLTSRAgyXkO/Z0r
Malware Config
Extracted
amadey
3.85
77.91.68.3/home/love/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grom
77.91.68.68:19071
-
auth_value
9ec3129bff410b89097d656d7abc33dc
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 4 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53992c55e805806269a09601bd2c635b1b7d78e7bb9cf6acd890a9e26345bbd6.exe"C:\Users\Admin\AppData\Local\Temp\53992c55e805806269a09601bd2c635b1b7d78e7bb9cf6acd890a9e26345bbd6.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3769527.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3769527.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3880402.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3880402.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5902940.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5902940.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0297427.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0297427.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main6⤵
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0940143.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c0940143.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0591779.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0591779.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4C42.exeC:\Users\Admin\AppData\Local\Temp\4C42.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\C~4FhR.CPl",5⤵
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
228KB
MD562deefa7387f3f29105a335ae3ec7bf0
SHA1f16a6c94ba084e6ec2697fa0ab131ac8f512b893
SHA256e54b2a76cead8fbd58e9bd51776ed6d2f1dd8ee75f889d31107b6c00d23bb07e
SHA51234b7c5903348399d0a599696157450578ba159d182d20ccc1680eb08d8cb5916e4165bf14ce4a6e2da9b2324fed898f07cc307d578394398b11d57d7df0d78d5
-
Filesize
228KB
MD562deefa7387f3f29105a335ae3ec7bf0
SHA1f16a6c94ba084e6ec2697fa0ab131ac8f512b893
SHA256e54b2a76cead8fbd58e9bd51776ed6d2f1dd8ee75f889d31107b6c00d23bb07e
SHA51234b7c5903348399d0a599696157450578ba159d182d20ccc1680eb08d8cb5916e4165bf14ce4a6e2da9b2324fed898f07cc307d578394398b11d57d7df0d78d5
-
Filesize
228KB
MD562deefa7387f3f29105a335ae3ec7bf0
SHA1f16a6c94ba084e6ec2697fa0ab131ac8f512b893
SHA256e54b2a76cead8fbd58e9bd51776ed6d2f1dd8ee75f889d31107b6c00d23bb07e
SHA51234b7c5903348399d0a599696157450578ba159d182d20ccc1680eb08d8cb5916e4165bf14ce4a6e2da9b2324fed898f07cc307d578394398b11d57d7df0d78d5
-
Filesize
228KB
MD562deefa7387f3f29105a335ae3ec7bf0
SHA1f16a6c94ba084e6ec2697fa0ab131ac8f512b893
SHA256e54b2a76cead8fbd58e9bd51776ed6d2f1dd8ee75f889d31107b6c00d23bb07e
SHA51234b7c5903348399d0a599696157450578ba159d182d20ccc1680eb08d8cb5916e4165bf14ce4a6e2da9b2324fed898f07cc307d578394398b11d57d7df0d78d5
-
Filesize
228KB
MD562deefa7387f3f29105a335ae3ec7bf0
SHA1f16a6c94ba084e6ec2697fa0ab131ac8f512b893
SHA256e54b2a76cead8fbd58e9bd51776ed6d2f1dd8ee75f889d31107b6c00d23bb07e
SHA51234b7c5903348399d0a599696157450578ba159d182d20ccc1680eb08d8cb5916e4165bf14ce4a6e2da9b2324fed898f07cc307d578394398b11d57d7df0d78d5
-
Filesize
1.5MB
MD576fd6676743cf24b0f2011f4ca153f51
SHA1d90dbad79132048524d3c6f4fafdc1dff1128070
SHA256ae6b43b8b3a5c1e1f03671fb09015a59e3224dcf3f8b7aa84183407d4f111b92
SHA5123d091278b1e359ebc8406b6422527768705a54ea7b7b0c1aacd31c9ecdcb24ba3bf0269e55dc72a666cce7ac5cc3ca4165d13c783f9bf871d223fccfa4025de5
-
Filesize
1.5MB
MD576fd6676743cf24b0f2011f4ca153f51
SHA1d90dbad79132048524d3c6f4fafdc1dff1128070
SHA256ae6b43b8b3a5c1e1f03671fb09015a59e3224dcf3f8b7aa84183407d4f111b92
SHA5123d091278b1e359ebc8406b6422527768705a54ea7b7b0c1aacd31c9ecdcb24ba3bf0269e55dc72a666cce7ac5cc3ca4165d13c783f9bf871d223fccfa4025de5
-
Filesize
1.3MB
MD59f0cd2d6ab20bfe5e37bcf5e3f7d156e
SHA113dafab2c1f38b8e7ddeef055436f42ef175d384
SHA256e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498
SHA512bd1668d8938083dddd628f209f2f921439c723d7dbeaa8b9b094282cc1e809b34d8f0294c777a9718922f9ac6d86138327ae9fee56561848779d783e186e7df7
-
Filesize
173KB
MD532f628d1440b31ecc3f73caacd1c1b2f
SHA186fd57da244cfea3fd8eda34fcc66093c3af1420
SHA2561a2583d6ccd1ee040c1b8815e3f020245b333d4068750b04c98a9fceec456b0c
SHA512444720059ef9c810e09ec8ded1db84651363bc133c057fe9917c0fed15eb7ef0158c04f153a45fe6333c4c2e431057544ff16d05539b1556a972e424a03a9776
-
Filesize
173KB
MD532f628d1440b31ecc3f73caacd1c1b2f
SHA186fd57da244cfea3fd8eda34fcc66093c3af1420
SHA2561a2583d6ccd1ee040c1b8815e3f020245b333d4068750b04c98a9fceec456b0c
SHA512444720059ef9c810e09ec8ded1db84651363bc133c057fe9917c0fed15eb7ef0158c04f153a45fe6333c4c2e431057544ff16d05539b1556a972e424a03a9776
-
Filesize
359KB
MD586cbe274e327619feee56ef7789e6674
SHA15cf563bc945259490c78cd7d26364114d3164c1c
SHA2567bd95596eb826f754650c15fb378dc248717c881ceac1ac7517ebd37882b4e74
SHA512928ab5310d4c495441c42b0d137277885282d867c9d37ba883ca4241775ad9a6b9d0c78c11bcee32bda4abde5016ca1d9911d0667812999c67246b364113cd62
-
Filesize
359KB
MD586cbe274e327619feee56ef7789e6674
SHA15cf563bc945259490c78cd7d26364114d3164c1c
SHA2567bd95596eb826f754650c15fb378dc248717c881ceac1ac7517ebd37882b4e74
SHA512928ab5310d4c495441c42b0d137277885282d867c9d37ba883ca4241775ad9a6b9d0c78c11bcee32bda4abde5016ca1d9911d0667812999c67246b364113cd62
-
Filesize
33KB
MD5dd5af750020891e5e3b4e7bb61c04435
SHA1042600215aadfe13276c6549e3dfd84e42caa84b
SHA256b85639adddbb7dbbc153f1f30b1c77552a2cd8c76134dcbdf738dfbca1cd04eb
SHA512049d2fb60bf0195a222d78a97db06cdb814a37cd6a3cd6874b61687859b4ea0bd134a53c9ee130998e480f07517d0684ec5632c0f72d017851c025c32a594b85
-
Filesize
33KB
MD5dd5af750020891e5e3b4e7bb61c04435
SHA1042600215aadfe13276c6549e3dfd84e42caa84b
SHA256b85639adddbb7dbbc153f1f30b1c77552a2cd8c76134dcbdf738dfbca1cd04eb
SHA512049d2fb60bf0195a222d78a97db06cdb814a37cd6a3cd6874b61687859b4ea0bd134a53c9ee130998e480f07517d0684ec5632c0f72d017851c025c32a594b85
-
Filesize
234KB
MD58e158d61f3a79b40359d89dfcf0ce876
SHA1c3814e6252b399e1fcfe7e932213e3af81f1f330
SHA256d705af8ad0c6e9fe48bff34c80373c955ca07786fa910e1cceb86a25e7bd2281
SHA5129098a6706d2173900d4c4f004bda6c8fc7192ebf59ed6bf1cace25dad4c35281cde67fe285cf5ca592b4d372bf1dd9641dca83fe4e844f3fc7fc2be738c7047e
-
Filesize
234KB
MD58e158d61f3a79b40359d89dfcf0ce876
SHA1c3814e6252b399e1fcfe7e932213e3af81f1f330
SHA256d705af8ad0c6e9fe48bff34c80373c955ca07786fa910e1cceb86a25e7bd2281
SHA5129098a6706d2173900d4c4f004bda6c8fc7192ebf59ed6bf1cace25dad4c35281cde67fe285cf5ca592b4d372bf1dd9641dca83fe4e844f3fc7fc2be738c7047e
-
Filesize
11KB
MD547d5c86e75767f13480f9baf67b522d4
SHA1073fcc4f1ebedd251981c2d2f9643984701fb186
SHA256105235b53041f057a0304f1b4f4973ce8259b289e47bd6e727cd2580b10ca7c2
SHA5127f74a1387eaa283cd8c85e68a2e49f422da5a350b5bb74eff1339912071e05a280b648a3431948aac6534c686f1f8ea1b07913c4ebdb697484f35b2d7fbf5fbe
-
Filesize
11KB
MD547d5c86e75767f13480f9baf67b522d4
SHA1073fcc4f1ebedd251981c2d2f9643984701fb186
SHA256105235b53041f057a0304f1b4f4973ce8259b289e47bd6e727cd2580b10ca7c2
SHA5127f74a1387eaa283cd8c85e68a2e49f422da5a350b5bb74eff1339912071e05a280b648a3431948aac6534c686f1f8ea1b07913c4ebdb697484f35b2d7fbf5fbe
-
Filesize
228KB
MD562deefa7387f3f29105a335ae3ec7bf0
SHA1f16a6c94ba084e6ec2697fa0ab131ac8f512b893
SHA256e54b2a76cead8fbd58e9bd51776ed6d2f1dd8ee75f889d31107b6c00d23bb07e
SHA51234b7c5903348399d0a599696157450578ba159d182d20ccc1680eb08d8cb5916e4165bf14ce4a6e2da9b2324fed898f07cc307d578394398b11d57d7df0d78d5
-
Filesize
228KB
MD562deefa7387f3f29105a335ae3ec7bf0
SHA1f16a6c94ba084e6ec2697fa0ab131ac8f512b893
SHA256e54b2a76cead8fbd58e9bd51776ed6d2f1dd8ee75f889d31107b6c00d23bb07e
SHA51234b7c5903348399d0a599696157450578ba159d182d20ccc1680eb08d8cb5916e4165bf14ce4a6e2da9b2324fed898f07cc307d578394398b11d57d7df0d78d5
-
Filesize
1.3MB
MD59f0cd2d6ab20bfe5e37bcf5e3f7d156e
SHA113dafab2c1f38b8e7ddeef055436f42ef175d384
SHA256e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498
SHA512bd1668d8938083dddd628f209f2f921439c723d7dbeaa8b9b094282cc1e809b34d8f0294c777a9718922f9ac6d86138327ae9fee56561848779d783e186e7df7
-
Filesize
1.3MB
MD59f0cd2d6ab20bfe5e37bcf5e3f7d156e
SHA113dafab2c1f38b8e7ddeef055436f42ef175d384
SHA256e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498
SHA512bd1668d8938083dddd628f209f2f921439c723d7dbeaa8b9b094282cc1e809b34d8f0294c777a9718922f9ac6d86138327ae9fee56561848779d783e186e7df7
-
Filesize
1.3MB
MD59f0cd2d6ab20bfe5e37bcf5e3f7d156e
SHA113dafab2c1f38b8e7ddeef055436f42ef175d384
SHA256e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498
SHA512bd1668d8938083dddd628f209f2f921439c723d7dbeaa8b9b094282cc1e809b34d8f0294c777a9718922f9ac6d86138327ae9fee56561848779d783e186e7df7
-
Filesize
1.3MB
MD59f0cd2d6ab20bfe5e37bcf5e3f7d156e
SHA113dafab2c1f38b8e7ddeef055436f42ef175d384
SHA256e1ab9f9baaf156a0f791c76e393621bb3af38d2483aadfab91345d4c0d4fa498
SHA512bd1668d8938083dddd628f209f2f921439c723d7dbeaa8b9b094282cc1e809b34d8f0294c777a9718922f9ac6d86138327ae9fee56561848779d783e186e7df7
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
272B
MD5d867eabb1be5b45bc77bb06814e23640
SHA13139a51ce7e8462c31070363b9532c13cc52c82d
SHA25638c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349
SHA512afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59
-
Filesize
24KB
-
Filesize
1016KB
-
Filesize
1016KB
-
Filesize
1016KB
-
Filesize
1.1MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
7.7MB
-
Filesize
192KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
24KB
-
Filesize
1016KB
-
Filesize
1016KB
-
Filesize
1016KB
-
Filesize
1016KB
-
Filesize
1.1MB
-
Filesize
1.3MB