Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
23/07/2023, 12:34
General
-
Target
64af8d186102209388ba76498ae512437417ab12d96b8e016f81eceec2162c10.exe
-
Size
514KB
-
MD5
4374d617f9fc03e2a59d59a9b9490f24
-
SHA1
426ec3963c383355316ddf2031dd2262d583164d
-
SHA256
64af8d186102209388ba76498ae512437417ab12d96b8e016f81eceec2162c10
-
SHA512
9561106efed3a3e4a2edb5ed41abb551f1391caa8ebaa582e485d96768915bd4d41683475c3a39e43b780b3f196109d23d58654b67f5e745121ad593ccb47f69
-
SSDEEP
12288:hMrwy90RZ+6jql44002AXV0EpuqA3K0oa19:dy+c6+y400JKeuqA3Ia19
Malware Config
Extracted
amadey
3.85
77.91.68.3/home/love/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
news
77.91.68.68:19071
-
auth_value
99ba2ffe8d72ebe9fdc7e758c94db148
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\64af8d186102209388ba76498ae512437417ab12d96b8e016f81eceec2162c10.exe"C:\Users\Admin\AppData\Local\Temp\64af8d186102209388ba76498ae512437417ab12d96b8e016f81eceec2162c10.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1373906.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1373906.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9191673.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9191673.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5764287.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5764287.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6755652.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6755652.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main6⤵
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9807982.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9807982.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2497513.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2497513.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FD85.exeC:\Users\Admin\AppData\Local\Temp\FD85.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\control.exe"C:\Windows\System32\control.exe" .\FMBYUxx.i2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FMBYUxx.i3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FMBYUxx.i4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FMBYUxx.i5⤵
- Loads dropped DLL
-
-
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD598feb6295d22818929af29d1da7fcfbc
SHA127bfa6b6be5e7cbce602a2f17b211fb815227969
SHA2562d19af2d439f0a7a7b379276b954f37cf5692458b3f227c7aadd63b82d06a647
SHA5122661759da85b6bd60f8040d58dc7f42b0b33be7a5367e3b7ad890ce7da243baa7002a3b769277556d828d0403d756c26259801292fa828d310f05deb7838c2f9
-
Filesize
229KB
MD598feb6295d22818929af29d1da7fcfbc
SHA127bfa6b6be5e7cbce602a2f17b211fb815227969
SHA2562d19af2d439f0a7a7b379276b954f37cf5692458b3f227c7aadd63b82d06a647
SHA5122661759da85b6bd60f8040d58dc7f42b0b33be7a5367e3b7ad890ce7da243baa7002a3b769277556d828d0403d756c26259801292fa828d310f05deb7838c2f9
-
Filesize
229KB
MD598feb6295d22818929af29d1da7fcfbc
SHA127bfa6b6be5e7cbce602a2f17b211fb815227969
SHA2562d19af2d439f0a7a7b379276b954f37cf5692458b3f227c7aadd63b82d06a647
SHA5122661759da85b6bd60f8040d58dc7f42b0b33be7a5367e3b7ad890ce7da243baa7002a3b769277556d828d0403d756c26259801292fa828d310f05deb7838c2f9
-
Filesize
229KB
MD598feb6295d22818929af29d1da7fcfbc
SHA127bfa6b6be5e7cbce602a2f17b211fb815227969
SHA2562d19af2d439f0a7a7b379276b954f37cf5692458b3f227c7aadd63b82d06a647
SHA5122661759da85b6bd60f8040d58dc7f42b0b33be7a5367e3b7ad890ce7da243baa7002a3b769277556d828d0403d756c26259801292fa828d310f05deb7838c2f9
-
Filesize
229KB
MD598feb6295d22818929af29d1da7fcfbc
SHA127bfa6b6be5e7cbce602a2f17b211fb815227969
SHA2562d19af2d439f0a7a7b379276b954f37cf5692458b3f227c7aadd63b82d06a647
SHA5122661759da85b6bd60f8040d58dc7f42b0b33be7a5367e3b7ad890ce7da243baa7002a3b769277556d828d0403d756c26259801292fa828d310f05deb7838c2f9
-
Filesize
1.4MB
MD54eff891015ae93efceec9f236308bdd9
SHA19d18a2ed4f5cb3c353efea5d1b4ed2b84692174a
SHA256dbb71d6f7c1499ea37df5aaf35c3d98ed38b946242c4824008e4d14f10d7a6ca
SHA512b1fc052d1806d641a8ff3a1c55794fde8f6cb55f3b8bafbbcbb5d4dce9c8be095d436314091b45cddec3a038a5d33cc34d5260d02375c321548cffef5587d7e9
-
Filesize
1.4MB
MD54eff891015ae93efceec9f236308bdd9
SHA19d18a2ed4f5cb3c353efea5d1b4ed2b84692174a
SHA256dbb71d6f7c1499ea37df5aaf35c3d98ed38b946242c4824008e4d14f10d7a6ca
SHA512b1fc052d1806d641a8ff3a1c55794fde8f6cb55f3b8bafbbcbb5d4dce9c8be095d436314091b45cddec3a038a5d33cc34d5260d02375c321548cffef5587d7e9
-
Filesize
1.2MB
MD56722eaab0761b53f1c5c73c27df6254a
SHA15aef530dd6bc9b528c25abcc3e86f44c2afa9ecf
SHA256838c9af48b2c43e0998fdbf58e5d64b48851e225a2f670e9388d31487f913e36
SHA51223a248da74bb96a9c72d40bc00812d0f6751ea8bf5f1bcc054788cc6ba3ace6c848ee0712fa11ec7f74a19ba968dfbbfa7323c153318c9535866f3bcf7f2d56e
-
Filesize
1.2MB
MD56722eaab0761b53f1c5c73c27df6254a
SHA15aef530dd6bc9b528c25abcc3e86f44c2afa9ecf
SHA256838c9af48b2c43e0998fdbf58e5d64b48851e225a2f670e9388d31487f913e36
SHA51223a248da74bb96a9c72d40bc00812d0f6751ea8bf5f1bcc054788cc6ba3ace6c848ee0712fa11ec7f74a19ba968dfbbfa7323c153318c9535866f3bcf7f2d56e
-
Filesize
1.2MB
MD56722eaab0761b53f1c5c73c27df6254a
SHA15aef530dd6bc9b528c25abcc3e86f44c2afa9ecf
SHA256838c9af48b2c43e0998fdbf58e5d64b48851e225a2f670e9388d31487f913e36
SHA51223a248da74bb96a9c72d40bc00812d0f6751ea8bf5f1bcc054788cc6ba3ace6c848ee0712fa11ec7f74a19ba968dfbbfa7323c153318c9535866f3bcf7f2d56e
-
Filesize
173KB
MD5aa089d694bc4e0325704ccec759547d6
SHA1114e04a083ebf92c864d167547d0596477ffaa89
SHA2560420b206725a90d1bec288e9b3b58b84ad6116dbcc803e456cafaad4e2360d88
SHA512b122cbb8f138f9133fb0569109c97f1ffeb8926a923714b9679d63901cfcd6098ed7f51a4ddcd5e12946a74a566a1487884b18eb129a7b7bc1d7bf5b2525c66c
-
Filesize
173KB
MD5aa089d694bc4e0325704ccec759547d6
SHA1114e04a083ebf92c864d167547d0596477ffaa89
SHA2560420b206725a90d1bec288e9b3b58b84ad6116dbcc803e456cafaad4e2360d88
SHA512b122cbb8f138f9133fb0569109c97f1ffeb8926a923714b9679d63901cfcd6098ed7f51a4ddcd5e12946a74a566a1487884b18eb129a7b7bc1d7bf5b2525c66c
-
Filesize
359KB
MD5fb761dd47d2e7f0f0719db806119f225
SHA16323baa0334f60067e7ac770353559c5ac40800d
SHA2564bcc6c34571f178e04d8380be16c289ac76f76704c421789e38e68323cf816c1
SHA512b0cbf65e5d90aabb969ec9127dfae6e1d6c1af3feae6c02aea070eb4addce263ac43d91f5f27d333dc6275147989d01f63368bb66d59d31f577557a1d2b08d6d
-
Filesize
359KB
MD5fb761dd47d2e7f0f0719db806119f225
SHA16323baa0334f60067e7ac770353559c5ac40800d
SHA2564bcc6c34571f178e04d8380be16c289ac76f76704c421789e38e68323cf816c1
SHA512b0cbf65e5d90aabb969ec9127dfae6e1d6c1af3feae6c02aea070eb4addce263ac43d91f5f27d333dc6275147989d01f63368bb66d59d31f577557a1d2b08d6d
-
Filesize
34KB
MD574ef6e7b1fde4d7fce4198b3f7329cc6
SHA1720423b4e7456d9aa1c8409e0686ea716dd262b4
SHA2569f55a93b9542f160e1a4e6fc11309ecc312db664739d0ab6a57cd5ba362ca22f
SHA5125463fcdbe38141ba8593ddc47ce6d585db68bc63cf2b1ab3374b00069588eae448d27d4165bd27bbb3dac374eaf69b7928211939f6af867404112e60a63410fe
-
Filesize
34KB
MD574ef6e7b1fde4d7fce4198b3f7329cc6
SHA1720423b4e7456d9aa1c8409e0686ea716dd262b4
SHA2569f55a93b9542f160e1a4e6fc11309ecc312db664739d0ab6a57cd5ba362ca22f
SHA5125463fcdbe38141ba8593ddc47ce6d585db68bc63cf2b1ab3374b00069588eae448d27d4165bd27bbb3dac374eaf69b7928211939f6af867404112e60a63410fe
-
Filesize
235KB
MD55b35719912497307c6ec8aab38f3773d
SHA1671f4eba4d993b0fb4ab9e21b146f093987bc7ea
SHA256e466e3cae1d5ed774ffb54a5100bc4f1b1a1168c9bbaa388f2d37134b56f1238
SHA512b70faa2aa2b6e36252666c268a82eacdd88251712df5dcd227ba2b58839eae096bbf55085ed6652ca84748dc745027c246dd1da76705bdcb85a6c5e6258d0e07
-
Filesize
235KB
MD55b35719912497307c6ec8aab38f3773d
SHA1671f4eba4d993b0fb4ab9e21b146f093987bc7ea
SHA256e466e3cae1d5ed774ffb54a5100bc4f1b1a1168c9bbaa388f2d37134b56f1238
SHA512b70faa2aa2b6e36252666c268a82eacdd88251712df5dcd227ba2b58839eae096bbf55085ed6652ca84748dc745027c246dd1da76705bdcb85a6c5e6258d0e07
-
Filesize
12KB
MD5b9332776254f973ec28c9b5d33d02899
SHA1beec566cad6bcb7012fb126f4337956f0b72ba7b
SHA2560951b34c7d989cddd57649ce2816cce149fa4aad43845bfb6bb3aedd9c126341
SHA51209687c130d464e7d9028f1bbc17cdc59f9a23f6b7bba51e80d49877520c1cd7556624ceeda7990e88d4f35dfd5f6baf9e9c36a8665fb35042c101bc1ef53d97e
-
Filesize
12KB
MD5b9332776254f973ec28c9b5d33d02899
SHA1beec566cad6bcb7012fb126f4337956f0b72ba7b
SHA2560951b34c7d989cddd57649ce2816cce149fa4aad43845bfb6bb3aedd9c126341
SHA51209687c130d464e7d9028f1bbc17cdc59f9a23f6b7bba51e80d49877520c1cd7556624ceeda7990e88d4f35dfd5f6baf9e9c36a8665fb35042c101bc1ef53d97e
-
Filesize
229KB
MD598feb6295d22818929af29d1da7fcfbc
SHA127bfa6b6be5e7cbce602a2f17b211fb815227969
SHA2562d19af2d439f0a7a7b379276b954f37cf5692458b3f227c7aadd63b82d06a647
SHA5122661759da85b6bd60f8040d58dc7f42b0b33be7a5367e3b7ad890ce7da243baa7002a3b769277556d828d0403d756c26259801292fa828d310f05deb7838c2f9
-
Filesize
229KB
MD598feb6295d22818929af29d1da7fcfbc
SHA127bfa6b6be5e7cbce602a2f17b211fb815227969
SHA2562d19af2d439f0a7a7b379276b954f37cf5692458b3f227c7aadd63b82d06a647
SHA5122661759da85b6bd60f8040d58dc7f42b0b33be7a5367e3b7ad890ce7da243baa7002a3b769277556d828d0403d756c26259801292fa828d310f05deb7838c2f9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
272B
MD5d867eabb1be5b45bc77bb06814e23640
SHA13139a51ce7e8462c31070363b9532c13cc52c82d
SHA25638c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349
SHA512afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59
-
Filesize
24KB
-
Filesize
900KB
-
Filesize
900KB
-
Filesize
900KB
-
Filesize
900KB
-
Filesize
1004KB
-
Filesize
1.2MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
900KB
-
Filesize
900KB
-
Filesize
900KB
-
Filesize
1004KB
-
Filesize
24KB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
240KB
-
Filesize
192KB