Overview

overview

10

Static

static

1

a21a9ad00b...c7.exe

windows7-x64

10

a21a9ad00b...c7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe

  • Size

    240KB

  • MD5

    600148d1ad2c7324ceb21a54d0d04b79

  • SHA1

    65f42d3291e39faf05712c2187cfb6f4b96bd0a8

  • SHA256

    a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7

  • SHA512

    d60eddd946b46b24d760a6b625f2425dbb3f2e973cd3aafdddf3ce69ddde77127314a601751b079687036b94b95f133dc5ee27dc01cf22d7b2aa6061cfd9e7b1

  • SSDEEP

    6144:xM5frpxdonyq4zaG2u5AO8eK0hJYPP8quqp:x6rp0/9u5eelh80quqp

Score
10/10
amadeyhealersmokeloaderbackdoordropperpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

3.89

C2

http://77.91.124.1/theme/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explothe.exe

  • strings_key

    36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

amadey

Version

3.83

C2

http://5.42.65.80/8bmeVwqx/index.php

Attributes
  • install_dir

    207aa4515d

  • install_file

    oneetx.exe

  • strings_key

    3e634dd0840c68ae2ced83c2be7bf0d4

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe
    "C:\Users\Admin\AppData\Local\Temp\a21a9ad00bae1a7f3bc9ae3af10e39a8dcf0d250b54471275011f46fa114f6c7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4860
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 272
      2⤵
      • Program crash
      PID:4516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 428 -ip 428
    1⤵
      PID:780
    • C:\Users\Admin\AppData\Local\Temp\5E72.exe
      C:\Users\Admin\AppData\Local\Temp\5E72.exe
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW1Yh1mY.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW1Yh1mY.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ju4nj6To.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ju4nj6To.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:5048
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kN0ja1QS.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kN0ja1QS.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3996
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dt3Gp2EY.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dt3Gp2EY.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:5076
              • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZU63NJ3.exe
                C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZU63NJ3.exe
                6⤵
                • Executes dropped EXE
                PID:4496
    • C:\Users\Admin\AppData\Local\Temp\7055.exe
      C:\Users\Admin\AppData\Local\Temp\7055.exe
      1⤵
      • Executes dropped EXE
      PID:1204
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\718E.bat" "
      1⤵
        PID:4832
      • C:\Users\Admin\AppData\Local\Temp\743F.exe
        C:\Users\Admin\AppData\Local\Temp\743F.exe
        1⤵
        • Executes dropped EXE
        PID:2220
      • C:\Users\Admin\AppData\Local\Temp\ABCB.exe
        C:\Users\Admin\AppData\Local\Temp\ABCB.exe
        1⤵
        • Executes dropped EXE
        PID:2468
      • C:\Users\Admin\AppData\Local\Temp\B8AD.exe
        C:\Users\Admin\AppData\Local\Temp\B8AD.exe
        1⤵
        • Executes dropped EXE
        PID:4344
      • C:\Users\Admin\AppData\Local\Temp\BC86.exe
        C:\Users\Admin\AppData\Local\Temp\BC86.exe
        1⤵
        • Executes dropped EXE
        PID:2296

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\5E72.exe
        Filesize

        1.2MB

        MD5

        e44f83be54950ad93ee96b6820a2ab47

        SHA1

        6b531a1247e6fdad6f7367568aa3705f8f03e4bf

        SHA256

        f799001727d2cedb689443caab9bd4e3275b94edaac9b83d921fbb89f854d99f

        SHA512

        34d8691ef75a5b433fab3e3b669d0fb89afe43e257cd4698b07e2d7be4d7d44e11c1204f7bf87eb6f2ea634638c19cc678b4f86676fd5308ebd23a5750c7b797

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5E72.exe
        Filesize

        1.2MB

        MD5

        e44f83be54950ad93ee96b6820a2ab47

        SHA1

        6b531a1247e6fdad6f7367568aa3705f8f03e4bf

        SHA256

        f799001727d2cedb689443caab9bd4e3275b94edaac9b83d921fbb89f854d99f

        SHA512

        34d8691ef75a5b433fab3e3b669d0fb89afe43e257cd4698b07e2d7be4d7d44e11c1204f7bf87eb6f2ea634638c19cc678b4f86676fd5308ebd23a5750c7b797

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7055.exe
        Filesize

        180KB

        MD5

        3f305144feb3040cf41b216841537ec2

        SHA1

        ae9066cc3b40be6250e7e6a90bcc2de160067b84

        SHA256

        89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

        SHA512

        ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7055.exe
        Filesize

        180KB

        MD5

        3f305144feb3040cf41b216841537ec2

        SHA1

        ae9066cc3b40be6250e7e6a90bcc2de160067b84

        SHA256

        89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

        SHA512

        ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\718E.bat
        Filesize

        79B

        MD5

        403991c4d18ac84521ba17f264fa79f2

        SHA1

        850cc068de0963854b0fe8f485d951072474fd45

        SHA256

        ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

        SHA512

        a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\743F.exe
        Filesize

        1.1MB

        MD5

        742788c3053c1eb30f6802a41a7d7ef4

        SHA1

        85ff7ec6d4eb3795e129cb89634ce36744d56521

        SHA256

        e9337dd1c62316c0f74988e85dc138cd9cbcb7fb6915c379b5d287f7d58f94ad

        SHA512

        50a95e5a481bf2ba3215991073504d8844c0a6e474fe023e293e0a4d7fa74da65b88f2f6639801ac1ee6d2b4df50d8c21033e10ef72bc115b7d825a5fc0031a7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ABCB.exe
        Filesize

        21KB

        MD5

        57543bf9a439bf01773d3d508a221fda

        SHA1

        5728a0b9f1856aa5183d15ba00774428be720c35

        SHA256

        70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

        SHA512

        28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ABCB.exe
        Filesize

        21KB

        MD5

        57543bf9a439bf01773d3d508a221fda

        SHA1

        5728a0b9f1856aa5183d15ba00774428be720c35

        SHA256

        70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

        SHA512

        28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\B8AD.exe
        Filesize

        229KB

        MD5

        78e5bc5b95cf1717fc889f1871f5daf6

        SHA1

        65169a87dd4a0121cd84c9094d58686be468a74a

        SHA256

        7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966

        SHA512

        d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\BC86.exe
        Filesize

        198KB

        MD5

        a64a886a695ed5fb9273e73241fec2f7

        SHA1

        363244ca05027c5beb938562df5b525a2428b405

        SHA256

        563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

        SHA512

        122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW1Yh1mY.exe
        Filesize

        1.1MB

        MD5

        5128c99a52fdf8ee6d947325a1f90ae5

        SHA1

        ed01c32185723031b719b3f330ca7820e9d0b511

        SHA256

        cb99d732a92806406705c341b2ba4216f35292e23eebaf3cc091822d40d43694

        SHA512

        551113bb317d8c6b7d05a36ee2db331285a566f15c7301da9ba0ad90473ee95507bb0e33a44703db9eee0dd5834207ac3d31a3262c43fa46e8815ea5c3ed4e02

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW1Yh1mY.exe
        Filesize

        1.1MB

        MD5

        5128c99a52fdf8ee6d947325a1f90ae5

        SHA1

        ed01c32185723031b719b3f330ca7820e9d0b511

        SHA256

        cb99d732a92806406705c341b2ba4216f35292e23eebaf3cc091822d40d43694

        SHA512

        551113bb317d8c6b7d05a36ee2db331285a566f15c7301da9ba0ad90473ee95507bb0e33a44703db9eee0dd5834207ac3d31a3262c43fa46e8815ea5c3ed4e02

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ju4nj6To.exe
        Filesize

        926KB

        MD5

        af873139a44c025699c12ad0479c2470

        SHA1

        294b1ff8c03369fc45775ec47a16fbe1b6b19614

        SHA256

        bb28586bbc782e066bc833b9336e9135bf8daeaac51d0946036c302cc516b7c7

        SHA512

        6091681f1effb0de34d4f999bce7d4b83c47d3beb69a80c988eb3ae1ad4e8fe92b3402e601a0e20e4bcd82682eebfc20d0d1b765da057b3b191dccfe9dccf7c9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ju4nj6To.exe
        Filesize

        926KB

        MD5

        af873139a44c025699c12ad0479c2470

        SHA1

        294b1ff8c03369fc45775ec47a16fbe1b6b19614

        SHA256

        bb28586bbc782e066bc833b9336e9135bf8daeaac51d0946036c302cc516b7c7

        SHA512

        6091681f1effb0de34d4f999bce7d4b83c47d3beb69a80c988eb3ae1ad4e8fe92b3402e601a0e20e4bcd82682eebfc20d0d1b765da057b3b191dccfe9dccf7c9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kN0ja1QS.exe
        Filesize

        514KB

        MD5

        dcf5e588e9820e48e5e080a82823118d

        SHA1

        9047d2e24b174dc312ae557f0f5db49c731b5f74

        SHA256

        c70bc9aac1dcab5368d65d4ad4374d657dc63815471c3ec75a8a40ec506e0050

        SHA512

        07bfcd91d883cf99c45232d244988f561c7b739633d729010ba59693f622fc6e851d650aa55fe3d6ece0cf372ef6c9dc7eccd7f7b383e988f38166a77c44241b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kN0ja1QS.exe
        Filesize

        514KB

        MD5

        dcf5e588e9820e48e5e080a82823118d

        SHA1

        9047d2e24b174dc312ae557f0f5db49c731b5f74

        SHA256

        c70bc9aac1dcab5368d65d4ad4374d657dc63815471c3ec75a8a40ec506e0050

        SHA512

        07bfcd91d883cf99c45232d244988f561c7b739633d729010ba59693f622fc6e851d650aa55fe3d6ece0cf372ef6c9dc7eccd7f7b383e988f38166a77c44241b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dt3Gp2EY.exe
        Filesize

        319KB

        MD5

        c20819a7fc0f63fb5bb9efb26634e018

        SHA1

        38ba4ba5a40b665460adf541a05b6902f64a0c18

        SHA256

        12582ccc37e37eb4b004571ad0c2089154c1601d1860ab1845826e1cabf27e69

        SHA512

        6f95724fc164bde772a0365e7faaf0df3b0761a8dac0c9b5d0e7d09b5b7dcf3c20fb828e15572e956bfbd72874be5d571963ae44d41539d3e18560584de65393

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dt3Gp2EY.exe
        Filesize

        319KB

        MD5

        c20819a7fc0f63fb5bb9efb26634e018

        SHA1

        38ba4ba5a40b665460adf541a05b6902f64a0c18

        SHA256

        12582ccc37e37eb4b004571ad0c2089154c1601d1860ab1845826e1cabf27e69

        SHA512

        6f95724fc164bde772a0365e7faaf0df3b0761a8dac0c9b5d0e7d09b5b7dcf3c20fb828e15572e956bfbd72874be5d571963ae44d41539d3e18560584de65393

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZU63NJ3.exe
        Filesize

        180KB

        MD5

        3f305144feb3040cf41b216841537ec2

        SHA1

        ae9066cc3b40be6250e7e6a90bcc2de160067b84

        SHA256

        89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

        SHA512

        ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZU63NJ3.exe
        Filesize

        180KB

        MD5

        3f305144feb3040cf41b216841537ec2

        SHA1

        ae9066cc3b40be6250e7e6a90bcc2de160067b84

        SHA256

        89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

        SHA512

        ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

        Download Submit

      • memory/2160-2-0x0000000006CC0000-0x0000000006CD6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4860-0-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4860-3-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4860-1-0x0000000000400000-0x0000000000409000-memory.dmp

        Filesize

        36KB

        Download