Analysis
-
max time kernel
213s -
max time network
228s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
19-11-2023 21:40
General
-
Target
aaa4b955227b94eca939dbc0afaa558fce10a81d4021a016076414c9dbe83ed2.exe
-
Size
1.6MB
-
MD5
c28f9c8113172c2adb98c510a070a0f4
-
SHA1
5566c8c299cabf6c8558d71e72df39fd00b85383
-
SHA256
aaa4b955227b94eca939dbc0afaa558fce10a81d4021a016076414c9dbe83ed2
-
SHA512
fe2017b25bf7c1faa9dfcb9cab1c3e6d79efe74cd132a0395e0907b8b9595283fc8cabbe7d1c5b426622cef40dc19433fa73b1b65cf9cafb6ea7dd415a6ac0ea
-
SSDEEP
49152:OGV+PKmx+2JnKBb9EIoyLUKYgMfjWUaPR:7V+PoiK1W7yL8rra
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 4 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 10 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aaa4b955227b94eca939dbc0afaa558fce10a81d4021a016076414c9dbe83ed2.exe"C:\Users\Admin\AppData\Local\Temp\aaa4b955227b94eca939dbc0afaa558fce10a81d4021a016076414c9dbe83ed2.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\At1FG96.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\At1FG96.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UA8ci07.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UA8ci07.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lx4ig89.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lx4ig89.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ey2LY57.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ey2LY57.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\tP9oS68.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\tP9oS68.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1eo91NJ9.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1eo91NJ9.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 5968⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 5968⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2EH4758.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2EH4758.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 5609⤵
- Program crash
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 6128⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3hC55qI.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3hC55qI.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4lQ486Xs.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4lQ486Xs.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 5846⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ge6UQ0.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ge6UQ0.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 948 -ip 9481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1084 -ip 10841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 768 -ip 7681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2104 -ip 21041⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1.4MB
MD58e2d8dfa03de6c15532bfaacec420f81
SHA1101fb2741ffd483e3a011d5b4a45a396f1283cdc
SHA256f69f176f2f7d0f61cb0cc2cc2290a0395a83b2cfc87b03e4ef67d2a9d82a25a7
SHA5120e9c9c91561f38cb51acc7dafd14f3f9d4d1da9c00c28a4964cf0627d4c85748192fd373770c1be2adcb74cd53030cefc8338832b0c87d9427b0774c0240b916
-
Filesize
1.4MB
MD58e2d8dfa03de6c15532bfaacec420f81
SHA1101fb2741ffd483e3a011d5b4a45a396f1283cdc
SHA256f69f176f2f7d0f61cb0cc2cc2290a0395a83b2cfc87b03e4ef67d2a9d82a25a7
SHA5120e9c9c91561f38cb51acc7dafd14f3f9d4d1da9c00c28a4964cf0627d4c85748192fd373770c1be2adcb74cd53030cefc8338832b0c87d9427b0774c0240b916
-
Filesize
1.2MB
MD55bf7a7ec740f4a33001915c2b07485ce
SHA16edee108d86bd7d1f2cc92a513e11a7748d3ac41
SHA256269b4486d82e60999c5e7eae527d80b5c941db368d72443e8c7b674cbcbb9990
SHA512e5cea63fb5f2c85509ca0fca641fd79c245d8cc042edcdbbdc6ebdeb5cc9399f88ae1ae2e5dfe61b943a2d0281ad72b9fd8a3a20750c6eec91e83ccc72254547
-
Filesize
1.2MB
MD55bf7a7ec740f4a33001915c2b07485ce
SHA16edee108d86bd7d1f2cc92a513e11a7748d3ac41
SHA256269b4486d82e60999c5e7eae527d80b5c941db368d72443e8c7b674cbcbb9990
SHA512e5cea63fb5f2c85509ca0fca641fd79c245d8cc042edcdbbdc6ebdeb5cc9399f88ae1ae2e5dfe61b943a2d0281ad72b9fd8a3a20750c6eec91e83ccc72254547
-
Filesize
220KB
MD55403a3b8ea0569f5f6986142aa71fcd3
SHA120804d0d7fa0a86f330cd1a87bb0e53570aa2959
SHA25699337baac4ec3a4528a3c703b921990f1ad0db3aef7a1d19bdec4b86a3c931a0
SHA512f230a243d2e9399659fa83cebc893815c6894bd9de4f69e5a15b3ac8a875ff68830872d8c95b6117924615c8527d478bac979560be4c5bb7ad2568f696cdecb5
-
Filesize
220KB
MD55403a3b8ea0569f5f6986142aa71fcd3
SHA120804d0d7fa0a86f330cd1a87bb0e53570aa2959
SHA25699337baac4ec3a4528a3c703b921990f1ad0db3aef7a1d19bdec4b86a3c931a0
SHA512f230a243d2e9399659fa83cebc893815c6894bd9de4f69e5a15b3ac8a875ff68830872d8c95b6117924615c8527d478bac979560be4c5bb7ad2568f696cdecb5
-
Filesize
1.0MB
MD59b8a72174c6d6c1740d713a296713419
SHA1f83dbca8390f6639e38cc14b3fdd2bdeeb03860c
SHA256b1319dce360ce568b30c5ff733f26136194f4a15259ca866df794caf631a2cd5
SHA512eefab9c479778019a299c77b9313e60a0006d3e518fb643deb0ad471d655b6fcd31882dffc9a2010c15630cee0ef1e8d5c94b8a72b8b317e83db106096407bf4
-
Filesize
1.0MB
MD59b8a72174c6d6c1740d713a296713419
SHA1f83dbca8390f6639e38cc14b3fdd2bdeeb03860c
SHA256b1319dce360ce568b30c5ff733f26136194f4a15259ca866df794caf631a2cd5
SHA512eefab9c479778019a299c77b9313e60a0006d3e518fb643deb0ad471d655b6fcd31882dffc9a2010c15630cee0ef1e8d5c94b8a72b8b317e83db106096407bf4
-
Filesize
1.1MB
MD5c474cb24af058ec68f12ecedb0bd6087
SHA1ba1cdb7706fc2085052d82a3ed402aa443a164d7
SHA2568cbcd459d3ec3e02afb56c45998ee13d21a8cd608872d3a4b34a4e50271691e6
SHA512cd55dee64cdebd241f7c2346eb1a623c039efbcc2d692c779d7fbe7a6b398ac2650f3ce9a7b19d9f0e7ae1c297703161872fbef045c089b052ec97c09a6cccaa
-
Filesize
1.1MB
MD5c474cb24af058ec68f12ecedb0bd6087
SHA1ba1cdb7706fc2085052d82a3ed402aa443a164d7
SHA2568cbcd459d3ec3e02afb56c45998ee13d21a8cd608872d3a4b34a4e50271691e6
SHA512cd55dee64cdebd241f7c2346eb1a623c039efbcc2d692c779d7fbe7a6b398ac2650f3ce9a7b19d9f0e7ae1c297703161872fbef045c089b052ec97c09a6cccaa
-
Filesize
650KB
MD50d2e8b4cc91449798dae7881676471a6
SHA1a705fb3fc05731ebc75f2c2e6957a1877e402226
SHA2560f6d6bf2af20f9651df6f17925a9df22c13c8d24bf7b53679f4e716ef659532d
SHA512e36e749c04f9d2750d730906133dcddd55128fa608142b65a6c232ce30fa462b22f026f9c55a85e46a21793d4bf9546940613140400002ec86be272757dfb3e8
-
Filesize
650KB
MD50d2e8b4cc91449798dae7881676471a6
SHA1a705fb3fc05731ebc75f2c2e6957a1877e402226
SHA2560f6d6bf2af20f9651df6f17925a9df22c13c8d24bf7b53679f4e716ef659532d
SHA512e36e749c04f9d2750d730906133dcddd55128fa608142b65a6c232ce30fa462b22f026f9c55a85e46a21793d4bf9546940613140400002ec86be272757dfb3e8
-
Filesize
30KB
MD558ce829f506526dcb4ec4fc3df96d013
SHA13789722432e84ae7f4db840cb855d704abc7df90
SHA2565eab54a985d161e4f851a716f3d5ee2e02802c49e24fa8325cd42f309b6791d1
SHA512a8a227925a7e3d47f7a247e878a24a4c64ef3ae451b8a61a83bc4c8b44e25236eab74fcc0e51851988c6f9e21a5dde0d27a39b36a0b1d3b2a8e2e190d1f9b8bc
-
Filesize
30KB
MD558ce829f506526dcb4ec4fc3df96d013
SHA13789722432e84ae7f4db840cb855d704abc7df90
SHA2565eab54a985d161e4f851a716f3d5ee2e02802c49e24fa8325cd42f309b6791d1
SHA512a8a227925a7e3d47f7a247e878a24a4c64ef3ae451b8a61a83bc4c8b44e25236eab74fcc0e51851988c6f9e21a5dde0d27a39b36a0b1d3b2a8e2e190d1f9b8bc
-
Filesize
525KB
MD528174f6760ee5c5e8ac8acbf27d41861
SHA11189d4f74f91b8f62ce845e9763f2fe667c6d99f
SHA2567555a24ade99fcbe9b7b0df34c69d363f04154abb5e24b470171720ed182123c
SHA512e26335cc1daca7dfe83076ce421ddef76e40490241e3ad119434058991ff3a783ba68e679785dd2c2e516ff192aa1c5d6b645d12f6454ebf82f060cd9c5c6a04
-
Filesize
525KB
MD528174f6760ee5c5e8ac8acbf27d41861
SHA11189d4f74f91b8f62ce845e9763f2fe667c6d99f
SHA2567555a24ade99fcbe9b7b0df34c69d363f04154abb5e24b470171720ed182123c
SHA512e26335cc1daca7dfe83076ce421ddef76e40490241e3ad119434058991ff3a783ba68e679785dd2c2e516ff192aa1c5d6b645d12f6454ebf82f060cd9c5c6a04
-
Filesize
890KB
MD5e978c7e1a5be84e958419fdcecd0e1f0
SHA116990d1c40986a496472fe3221d9ceb981e25f4a
SHA256e72e37b2e1966aa59d99102486d99e0cded9faded978cdb8e7b1e59e49c4cb14
SHA5129fb36bc7791fa24cd8e87ab2fbe02079361f299a84866882b945fab775e44408d112543aced0735cb4aa6267fe8c325925a20ca643cd47b2bb3e07a2ba49484a
-
Filesize
890KB
MD5e978c7e1a5be84e958419fdcecd0e1f0
SHA116990d1c40986a496472fe3221d9ceb981e25f4a
SHA256e72e37b2e1966aa59d99102486d99e0cded9faded978cdb8e7b1e59e49c4cb14
SHA5129fb36bc7791fa24cd8e87ab2fbe02079361f299a84866882b945fab775e44408d112543aced0735cb4aa6267fe8c325925a20ca643cd47b2bb3e07a2ba49484a
-
Filesize
1.1MB
MD58a4f92e7bae66ff53f4af5d0b94d7f0b
SHA14a3e2802afd48fddcad3b3badc28261aac260ea7
SHA256791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5
SHA5121d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027
-
Filesize
1.1MB
MD58a4f92e7bae66ff53f4af5d0b94d7f0b
SHA14a3e2802afd48fddcad3b3badc28261aac260ea7
SHA256791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5
SHA5121d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027
-
Filesize
220KB
MD55403a3b8ea0569f5f6986142aa71fcd3
SHA120804d0d7fa0a86f330cd1a87bb0e53570aa2959
SHA25699337baac4ec3a4528a3c703b921990f1ad0db3aef7a1d19bdec4b86a3c931a0
SHA512f230a243d2e9399659fa83cebc893815c6894bd9de4f69e5a15b3ac8a875ff68830872d8c95b6117924615c8527d478bac979560be4c5bb7ad2568f696cdecb5
-
Filesize
220KB
MD55403a3b8ea0569f5f6986142aa71fcd3
SHA120804d0d7fa0a86f330cd1a87bb0e53570aa2959
SHA25699337baac4ec3a4528a3c703b921990f1ad0db3aef7a1d19bdec4b86a3c931a0
SHA512f230a243d2e9399659fa83cebc893815c6894bd9de4f69e5a15b3ac8a875ff68830872d8c95b6117924615c8527d478bac979560be4c5bb7ad2568f696cdecb5
-
Filesize
220KB
MD55403a3b8ea0569f5f6986142aa71fcd3
SHA120804d0d7fa0a86f330cd1a87bb0e53570aa2959
SHA25699337baac4ec3a4528a3c703b921990f1ad0db3aef7a1d19bdec4b86a3c931a0
SHA512f230a243d2e9399659fa83cebc893815c6894bd9de4f69e5a15b3ac8a875ff68830872d8c95b6117924615c8527d478bac979560be4c5bb7ad2568f696cdecb5
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
40KB