Analysis
-
max time kernel
54s -
max time network
60s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
12/10/2023, 11:41
Errors
General
-
Target
1fbbcceb2d82de62eeb2e7b6c768d6bed22cd906e265e76bc075608a145bc861.exe
-
Size
2.9MB
-
MD5
a400a179ad65094f7b320970bcc8cfe8
-
SHA1
fab9c984c6fa4cf0dc60158b431e8791f61540a5
-
SHA256
1fbbcceb2d82de62eeb2e7b6c768d6bed22cd906e265e76bc075608a145bc861
-
SHA512
1f9bf266d19bf316831b9e0eb632b9703bfea26fed0e478f9133130e5da80ca10ce1e5ebc9f14de0100680117d3623f32ca82923417713003a453a6650481419
-
SSDEEP
49152:2j9i4yt+QafH5qHpAiyv3DJtgfH2K7PjtKn4u+0WHm1GpXKmVTof5lZNlaHzeq7M:4uKng06m1GpXqGzef
Malware Config
Extracted
amadey
3.89
http://77.91.68.52/mac/index.php
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fbbcceb2d82de62eeb2e7b6c768d6bed22cd906e265e76bc075608a145bc861.exe"C:\Users\Admin\AppData\Local\Temp\1fbbcceb2d82de62eeb2e7b6c768d6bed22cd906e265e76bc075608a145bc861.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2155605.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2155605.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8334303.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8334303.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0413831.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0413831.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9062995.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9062995.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2468755.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2468755.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 5808⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2254940.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2254940.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 5529⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 5888⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9020131.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9020131.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 1487⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0635224.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0635224.exe5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k shutdown -s -t 07⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown -s -t 08⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9938380.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9938380.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 1482⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3792 -ip 37921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1976 -ip 19761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4932 -ip 49321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3580 -ip 35801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4228 -ip 42281⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3949855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD58f02c02b56095e18f7f171cdc1a252a1
SHA1dfd6119b58378ca96f48e7922e23d70fc0c0f7bf
SHA256fa87c710ce9ca6703beda7dbd9f886dd1555d4e2b75f97f5fc5e9e7cd641f426
SHA5124410a35690f5aab135f86a3a7012c445adb656f5a37ea8e867797802312b50fa3f70921e84a1f22fcb845150ac849eead6168456b451a874d10acc81fa286a58
-
Filesize
1.5MB
MD58f02c02b56095e18f7f171cdc1a252a1
SHA1dfd6119b58378ca96f48e7922e23d70fc0c0f7bf
SHA256fa87c710ce9ca6703beda7dbd9f886dd1555d4e2b75f97f5fc5e9e7cd641f426
SHA5124410a35690f5aab135f86a3a7012c445adb656f5a37ea8e867797802312b50fa3f70921e84a1f22fcb845150ac849eead6168456b451a874d10acc81fa286a58
-
Filesize
1.1MB
MD52cad1f33461f4a69d883bee9dcce2f81
SHA1a7b14fdde04ec6ce635d543d7fddb400c8034321
SHA256426e1de44b6ae699cb5bf53ab30653ad81516c3fdc65621c852d78ff7147140f
SHA51295f89436f2b9ba3aa72ed67aea37c480e86b2a71f5745e8fcaa1e8ca03586180b49134ea4cb65a8c8abf5a62e47cb50ce2f7b869716e35d319178bdb4775dbb4
-
Filesize
1.1MB
MD52cad1f33461f4a69d883bee9dcce2f81
SHA1a7b14fdde04ec6ce635d543d7fddb400c8034321
SHA256426e1de44b6ae699cb5bf53ab30653ad81516c3fdc65621c852d78ff7147140f
SHA51295f89436f2b9ba3aa72ed67aea37c480e86b2a71f5745e8fcaa1e8ca03586180b49134ea4cb65a8c8abf5a62e47cb50ce2f7b869716e35d319178bdb4775dbb4
-
Filesize
1.1MB
MD544d7b9b6955a2d0684a757ccbe02ccfa
SHA1e6b9a34859a3fabda472b3b004c35008e38af901
SHA256f82a8dfb3f35f0e8c1b7775df165337121c37781b836c13713f2c94547026e75
SHA512523e6b70c214802f2c6fba7edc2c94209d52e97c33812b5a2810af9a803aea85324efad73b290f4976babee060531947c37a3b45f964642e02cad27c36f476bc
-
Filesize
1.1MB
MD544d7b9b6955a2d0684a757ccbe02ccfa
SHA1e6b9a34859a3fabda472b3b004c35008e38af901
SHA256f82a8dfb3f35f0e8c1b7775df165337121c37781b836c13713f2c94547026e75
SHA512523e6b70c214802f2c6fba7edc2c94209d52e97c33812b5a2810af9a803aea85324efad73b290f4976babee060531947c37a3b45f964642e02cad27c36f476bc
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
918KB
MD575e51a89365c57c7a4dcea8935b8c181
SHA1602e4ca634b5771507654eaff4c48fbca3f6f274
SHA25655a180185964aa2967410d431fdd5bf87b8ec405944626de5a9628672cd3b877
SHA512514ad378ea5ea3e37159e4cf19555e3a7cb80a877ba9d9c75f8b8a8c942cfa042338ac09ce413976c3a0752f3e29a905e6f26b9521ea7be86e667d53d1c611a1
-
Filesize
918KB
MD575e51a89365c57c7a4dcea8935b8c181
SHA1602e4ca634b5771507654eaff4c48fbca3f6f274
SHA25655a180185964aa2967410d431fdd5bf87b8ec405944626de5a9628672cd3b877
SHA512514ad378ea5ea3e37159e4cf19555e3a7cb80a877ba9d9c75f8b8a8c942cfa042338ac09ce413976c3a0752f3e29a905e6f26b9521ea7be86e667d53d1c611a1
-
Filesize
922KB
MD568a87f73877c04bac023494f98b5fae1
SHA15fcddeedd1dfb1a01bd3edbe3ba77711670015cf
SHA25681c0f80be8c3e9438769c98eeacdc124e90253423da7c26039c7d7c81056750c
SHA51268a7dcd66bad5f82f4c06d922ea7e0f56025b32bb46dc1af6d2372845f3fed8bb2d8d919438e209419316d8fe3cca0436cdec4db5bacdabb53f333ce0cccbea9
-
Filesize
922KB
MD568a87f73877c04bac023494f98b5fae1
SHA15fcddeedd1dfb1a01bd3edbe3ba77711670015cf
SHA25681c0f80be8c3e9438769c98eeacdc124e90253423da7c26039c7d7c81056750c
SHA51268a7dcd66bad5f82f4c06d922ea7e0f56025b32bb46dc1af6d2372845f3fed8bb2d8d919438e209419316d8fe3cca0436cdec4db5bacdabb53f333ce0cccbea9
-
Filesize
534KB
MD599c93b0bb1a7e67ff9e90832f346c432
SHA11c6ab8765147a6d3dc53439af25b3b2712f58743
SHA256841756bd843eaa498b62a0aa699eab4a9266f2e001d3162edc652799fc0d4e60
SHA5121aa88de4dd1212bfdb2e591808c92ad6d0617c228109fc74e30d1ad140d85eeb120859752b7b823edf8979555a996c0df5e6d0568d0fd3611b1f6b4e9dec4f29
-
Filesize
534KB
MD599c93b0bb1a7e67ff9e90832f346c432
SHA11c6ab8765147a6d3dc53439af25b3b2712f58743
SHA256841756bd843eaa498b62a0aa699eab4a9266f2e001d3162edc652799fc0d4e60
SHA5121aa88de4dd1212bfdb2e591808c92ad6d0617c228109fc74e30d1ad140d85eeb120859752b7b823edf8979555a996c0df5e6d0568d0fd3611b1f6b4e9dec4f29
-
Filesize
899KB
MD5cd9b6e7057c49e6a3636dfde15cbc80d
SHA11eef1217f486d0d51e4843138b483119a1b54fd5
SHA2565c0e07835d80a15286aa8ceebcbcf871379ae545d52ddcbfe6f9001b74d43ff0
SHA51234d52597a09616f7c6d2bb36f17cdf215ce0780ee9c37b759dd6594c76b7f5adf96fe0c43ba90fcde43b8be393c50cec10a11fde47600426240cb997976f0a2e
-
Filesize
899KB
MD5cd9b6e7057c49e6a3636dfde15cbc80d
SHA11eef1217f486d0d51e4843138b483119a1b54fd5
SHA2565c0e07835d80a15286aa8ceebcbcf871379ae545d52ddcbfe6f9001b74d43ff0
SHA51234d52597a09616f7c6d2bb36f17cdf215ce0780ee9c37b759dd6594c76b7f5adf96fe0c43ba90fcde43b8be393c50cec10a11fde47600426240cb997976f0a2e
-
Filesize
1.1MB
MD5438fb444e7b4caa82ef1a0a819128933
SHA179ee7fab4f0730d0a6557eed598e28a67dbef436
SHA2564761d344bdfa72287ba5cd184aa3307cb0c75b3fc6da8c3eac9b63ac6cb4e9e6
SHA5129bc7795adf4f830ec7447d84589bcf8fa09ef2fb6809fa4e102fb4621a4132d59b08f55be14faa952fee7ea25a3bf24a560b0b6180eb06a0258bd44341e0006c
-
Filesize
1.1MB
MD5438fb444e7b4caa82ef1a0a819128933
SHA179ee7fab4f0730d0a6557eed598e28a67dbef436
SHA2564761d344bdfa72287ba5cd184aa3307cb0c75b3fc6da8c3eac9b63ac6cb4e9e6
SHA5129bc7795adf4f830ec7447d84589bcf8fa09ef2fb6809fa4e102fb4621a4132d59b08f55be14faa952fee7ea25a3bf24a560b0b6180eb06a0258bd44341e0006c
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB