Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
23/07/2023, 14:48
General
-
Target
a0ed11766430f0d6aa62c640dfd7516381fee46b35264f5bb8a48327e592fa82.exe
-
Size
514KB
-
MD5
098895f81ddd26f7ec7fa089ae743548
-
SHA1
54ea18fa80fb0b0f9d61900ceea88cec8b011acc
-
SHA256
a0ed11766430f0d6aa62c640dfd7516381fee46b35264f5bb8a48327e592fa82
-
SHA512
e3d2f4e16a395135cf8c63e85c367e23e52ebcb0385bc394e04886d5cc6472a7af51e8a7be5049a9fd371c1d218a65672e668e4e53c6eafc0adb2fe96638248a
-
SSDEEP
12288:6MrTy90xSpCZGd+Y9CbKHkEnesBTwaoAjqZjeGpRC/qi:JycMEGX4bKHRwaoAXGmB
Malware Config
Extracted
amadey
3.85
77.91.68.3/home/love/index.php
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
news
77.91.68.68:19071
-
auth_value
99ba2ffe8d72ebe9fdc7e758c94db148
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0ed11766430f0d6aa62c640dfd7516381fee46b35264f5bb8a48327e592fa82.exe"C:\Users\Admin\AppData\Local\Temp\a0ed11766430f0d6aa62c640dfd7516381fee46b35264f5bb8a48327e592fa82.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3025554.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3025554.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6718907.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6718907.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5235947.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5235947.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0875843.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0875843.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main6⤵
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3355705.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3355705.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0851395.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0851395.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5CAD.exeC:\Users\Admin\AppData\Local\Temp\5CAD.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /Y .\Q75bP3R8.62⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD5cadabf2f116b5bdc51dafa74b1cc9978
SHA100bae98a28e2ab96122d5e8e904d426bbbf92f61
SHA256a8f83d357da87a91b3ce3d6f92ec1e5d111ce02596c3a158808bbe6089d1a869
SHA512f3224db4edfa17a31307f17c6765a2177f7875c4a4a67a0b336798ef410bd418a22c49d2033a97e1a85415400dc9e4b564b54e13ad969eda636d12109ede954d
-
Filesize
229KB
MD5cadabf2f116b5bdc51dafa74b1cc9978
SHA100bae98a28e2ab96122d5e8e904d426bbbf92f61
SHA256a8f83d357da87a91b3ce3d6f92ec1e5d111ce02596c3a158808bbe6089d1a869
SHA512f3224db4edfa17a31307f17c6765a2177f7875c4a4a67a0b336798ef410bd418a22c49d2033a97e1a85415400dc9e4b564b54e13ad969eda636d12109ede954d
-
Filesize
229KB
MD5cadabf2f116b5bdc51dafa74b1cc9978
SHA100bae98a28e2ab96122d5e8e904d426bbbf92f61
SHA256a8f83d357da87a91b3ce3d6f92ec1e5d111ce02596c3a158808bbe6089d1a869
SHA512f3224db4edfa17a31307f17c6765a2177f7875c4a4a67a0b336798ef410bd418a22c49d2033a97e1a85415400dc9e4b564b54e13ad969eda636d12109ede954d
-
Filesize
229KB
MD5cadabf2f116b5bdc51dafa74b1cc9978
SHA100bae98a28e2ab96122d5e8e904d426bbbf92f61
SHA256a8f83d357da87a91b3ce3d6f92ec1e5d111ce02596c3a158808bbe6089d1a869
SHA512f3224db4edfa17a31307f17c6765a2177f7875c4a4a67a0b336798ef410bd418a22c49d2033a97e1a85415400dc9e4b564b54e13ad969eda636d12109ede954d
-
Filesize
229KB
MD5cadabf2f116b5bdc51dafa74b1cc9978
SHA100bae98a28e2ab96122d5e8e904d426bbbf92f61
SHA256a8f83d357da87a91b3ce3d6f92ec1e5d111ce02596c3a158808bbe6089d1a869
SHA512f3224db4edfa17a31307f17c6765a2177f7875c4a4a67a0b336798ef410bd418a22c49d2033a97e1a85415400dc9e4b564b54e13ad969eda636d12109ede954d
-
Filesize
1.6MB
MD582fac097e85ba11628a659a63ab0bcfb
SHA14053eefdef6eede0da3b3e7689467bab351a4cea
SHA2568cef3b4bb60c64dffc4d9e1ffc779262fab5f4321336ca14c946c96934a01282
SHA512d5ad469a9457558d5f9d9ab6876377ddd785d31edeaf51fb66f14cee0aacdf0b0d2fbea459dcf36eaf48518478cfcc60a7ac0ae29da9a4ed4f8045bfd69ab3a6
-
Filesize
1.6MB
MD582fac097e85ba11628a659a63ab0bcfb
SHA14053eefdef6eede0da3b3e7689467bab351a4cea
SHA2568cef3b4bb60c64dffc4d9e1ffc779262fab5f4321336ca14c946c96934a01282
SHA512d5ad469a9457558d5f9d9ab6876377ddd785d31edeaf51fb66f14cee0aacdf0b0d2fbea459dcf36eaf48518478cfcc60a7ac0ae29da9a4ed4f8045bfd69ab3a6
-
Filesize
173KB
MD578d1b852a8d987e3c2247eff562b3ae7
SHA140d5f4112e54fccb2923c83bdf6fbe5c1ec6a9c1
SHA2565208f8b3ac4810879c38392bc741e78be305627f4616e9edfc5ce090352be5d6
SHA512d0a9f5a84dd6774d7762e2f53dacf2cb49cc25e072cb316b4e4245bdd2fb8812ae10e983b49d7f3d1861dcabe4a15d50e06491f1aa3e253b75e1aacdce981636
-
Filesize
173KB
MD578d1b852a8d987e3c2247eff562b3ae7
SHA140d5f4112e54fccb2923c83bdf6fbe5c1ec6a9c1
SHA2565208f8b3ac4810879c38392bc741e78be305627f4616e9edfc5ce090352be5d6
SHA512d0a9f5a84dd6774d7762e2f53dacf2cb49cc25e072cb316b4e4245bdd2fb8812ae10e983b49d7f3d1861dcabe4a15d50e06491f1aa3e253b75e1aacdce981636
-
Filesize
359KB
MD57dfb781163cf8065bd3e405bf4c90044
SHA1b8a94acabe1754a81184d97646554f8d5c84b8b4
SHA25611880103662fbce59519002cc0a56fb016ae21e1c7d461af7a2dd2f814bc77c4
SHA51236d81f3a30f79870d413a760de40ee8cf247335a06306472c9b7257bdbed3716f4c5bc34e31e0ece99efe34fd9e064d1b1d0f4d6299a7c8e714e910e54206af1
-
Filesize
359KB
MD57dfb781163cf8065bd3e405bf4c90044
SHA1b8a94acabe1754a81184d97646554f8d5c84b8b4
SHA25611880103662fbce59519002cc0a56fb016ae21e1c7d461af7a2dd2f814bc77c4
SHA51236d81f3a30f79870d413a760de40ee8cf247335a06306472c9b7257bdbed3716f4c5bc34e31e0ece99efe34fd9e064d1b1d0f4d6299a7c8e714e910e54206af1
-
Filesize
34KB
MD59bf2b6fd053a27360c00ed8246eaa844
SHA17c6f11f533cc842a690cbce7cb4b1c2ec423a099
SHA2565bd83fc8c3d795db2dca450b8460144945ea29c752d22328ab6d241ab33c5b7f
SHA512e9e55544ddbc28d0996ca2e94c90f2d9c0dc3ff078be83a2d3b3d1d31b000e26406ec3e725604f7c396b1ef273d34eefb55d284570da10912e5e1430a3d1e790
-
Filesize
34KB
MD59bf2b6fd053a27360c00ed8246eaa844
SHA17c6f11f533cc842a690cbce7cb4b1c2ec423a099
SHA2565bd83fc8c3d795db2dca450b8460144945ea29c752d22328ab6d241ab33c5b7f
SHA512e9e55544ddbc28d0996ca2e94c90f2d9c0dc3ff078be83a2d3b3d1d31b000e26406ec3e725604f7c396b1ef273d34eefb55d284570da10912e5e1430a3d1e790
-
Filesize
235KB
MD509d47c9a330c6d478fd2dc3e036b99e7
SHA1c36e9d0f7e13cf41d22957c24bb788aeb874485e
SHA256947e4acd2884303503d0357e460ec6c01e008d97f4e12e46eb4b308b28e3dcea
SHA5122683888a4ce34cd1bda4a10d305498a8e26ee8f485d702e2109f6341fa9b8325b129569ec9220c07d993ebfd09c66fd444c8f84bb5f22c636a6e909510b808c3
-
Filesize
235KB
MD509d47c9a330c6d478fd2dc3e036b99e7
SHA1c36e9d0f7e13cf41d22957c24bb788aeb874485e
SHA256947e4acd2884303503d0357e460ec6c01e008d97f4e12e46eb4b308b28e3dcea
SHA5122683888a4ce34cd1bda4a10d305498a8e26ee8f485d702e2109f6341fa9b8325b129569ec9220c07d993ebfd09c66fd444c8f84bb5f22c636a6e909510b808c3
-
Filesize
12KB
MD50f7033aff0993700f66989816ad57b81
SHA1327faec490f6c51ae57a2daa230a6b4a1b35bd4e
SHA25620e6c7019ee61a40efe299a7ffd91b5cdf792feb15974a06f8fd5eee44339708
SHA5120b253bb512da63fef6675325c7511c54c4ba2182194f58d449ae195df9cffef436614e39c978c0c8ca385d758ea919c960105cf47bfad16e0bef006070cf47ed
-
Filesize
12KB
MD50f7033aff0993700f66989816ad57b81
SHA1327faec490f6c51ae57a2daa230a6b4a1b35bd4e
SHA25620e6c7019ee61a40efe299a7ffd91b5cdf792feb15974a06f8fd5eee44339708
SHA5120b253bb512da63fef6675325c7511c54c4ba2182194f58d449ae195df9cffef436614e39c978c0c8ca385d758ea919c960105cf47bfad16e0bef006070cf47ed
-
Filesize
229KB
MD5cadabf2f116b5bdc51dafa74b1cc9978
SHA100bae98a28e2ab96122d5e8e904d426bbbf92f61
SHA256a8f83d357da87a91b3ce3d6f92ec1e5d111ce02596c3a158808bbe6089d1a869
SHA512f3224db4edfa17a31307f17c6765a2177f7875c4a4a67a0b336798ef410bd418a22c49d2033a97e1a85415400dc9e4b564b54e13ad969eda636d12109ede954d
-
Filesize
229KB
MD5cadabf2f116b5bdc51dafa74b1cc9978
SHA100bae98a28e2ab96122d5e8e904d426bbbf92f61
SHA256a8f83d357da87a91b3ce3d6f92ec1e5d111ce02596c3a158808bbe6089d1a869
SHA512f3224db4edfa17a31307f17c6765a2177f7875c4a4a67a0b336798ef410bd418a22c49d2033a97e1a85415400dc9e4b564b54e13ad969eda636d12109ede954d
-
Filesize
1.2MB
MD54a936c987eba383047785d3c49d0d9de
SHA1f558e6ab4ea961e214133f2f5be017c3975310e7
SHA256ce9f2bfd863bbd21abb3cedfbeb253ebcf8218480faa86b4927ab9643fe955ec
SHA512877dbeff1ac6bed3e5e83eacb84f4af5ebea4efcf4c581c50b4b89813795329a3c5b72b4f350345636a5b4277792744d57530b68a73c4533795d4b300d5916ef
-
Filesize
1.2MB
MD54a936c987eba383047785d3c49d0d9de
SHA1f558e6ab4ea961e214133f2f5be017c3975310e7
SHA256ce9f2bfd863bbd21abb3cedfbeb253ebcf8218480faa86b4927ab9643fe955ec
SHA512877dbeff1ac6bed3e5e83eacb84f4af5ebea4efcf4c581c50b4b89813795329a3c5b72b4f350345636a5b4277792744d57530b68a73c4533795d4b300d5916ef
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
89KB
MD5dc587d08b8ca3cd62e5dc057d41a966b
SHA10ba6a88377c74a0c53b956d405ad17dd5f8c4164
SHA2567d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426
SHA5127300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9
-
Filesize
272B
MD5d867eabb1be5b45bc77bb06814e23640
SHA13139a51ce7e8462c31070363b9532c13cc52c82d
SHA25638c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349
SHA512afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
88KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
1.2MB
-
Filesize
24KB
-
Filesize
1004KB
-
Filesize
900KB
-
Filesize
900KB
-
Filesize
900KB
-
Filesize
900KB