Analysis
-
max time kernel
300s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
04/02/2024, 03:39
General
-
Target
496c9e3dca599f72f707270424f07ccd3037e419d7fed441e699db0c14140de1.exe
-
Size
294KB
-
MD5
99ea8a333d23ec742ec8a7263b1eae56
-
SHA1
6ee2160e4f2959b10e841a5257bf84d639cea728
-
SHA256
496c9e3dca599f72f707270424f07ccd3037e419d7fed441e699db0c14140de1
-
SHA512
4325985432a557b19e80a5b3e8ad9043208496adbb5e7f76924d81720f3abcb6190b9c687fd1927403fd61b78a7bc93f07f8f83063d6104c993c2f58a2198b4b
-
SSDEEP
6144:Y1uHh8eVTJQ4JRs43u9TmxhXDqJjBPfaP:iCVTJQ4PshmWtBnaP
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://humydrole.com/tmp/index.php
http://trunk-co.ru/tmp/index.php
http://weareelight.com/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
amadey
4.14
http://anfesq.com
http://cbinr.com
http://rimakc.ru
-
install_dir
68fd3d7ade
-
install_file
Utsysc.exe
-
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
-
url_paths
/forum/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\496c9e3dca599f72f707270424f07ccd3037e419d7fed441e699db0c14140de1.exe"C:\Users\Admin\AppData\Local\Temp\496c9e3dca599f72f707270424f07ccd3037e419d7fed441e699db0c14140de1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\925.exeC:\Users\Admin\AppData\Local\Temp\925.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 2481⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\taskeng.exetaskeng.exe {82EFD351-1557-4753-9EFC-170AA1EA9D90} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD50e4478c3fc345883f65dbd7158fe4e33
SHA1168d947195c1a35845813270f1c57786a6511792
SHA256157a5b6c177e500ee7716fded9ac4901b72082338f11c7679d0435d6f412cc30
SHA512b061036c3158500fd44440c9323903298634e826e479672e5a313fb5ba3f31de03717b8400959a8191bea5e91ad9618abbb14d5b1ff5864c14ea3be397ec3552
-
Filesize
469KB
MD5555b5949f8a9f335d16e1749746c1b27
SHA1ded7c6a6024506869475e4a9c3ce2570e921e61a
SHA2566410bc60052f38e9f58873a2241a3cdab6cc178c8f7ab05912991f6112e0c862
SHA512b86f1a0f73862403cc158fa16b013145e12ea86bfd2ef42d97f81051209c46711fdc503162c7e201eb8ddc62e948320de9d3ab20ff1ccc0e5c2ce5aee997ce02
-
Filesize
427KB
MD5c97e14573e40a432360f23865bfc530f
SHA1f41c03f5ec3530ab0581fa6cff58cac76172bb90
SHA2561ae25a140f71966641cd59b08adeb4fb093daf3f8249b59c7bba2dc9b9954609
SHA5127c4b9c846ade08d00cbef5852353345693b9a67424f1f8248b6f6d72da568489ff86c7d5af47abf837d72ccff5fe68c8a17af739aa7e2f9d47026fc1f1d23a8a
-
Filesize
121KB
MD53eab8fa8214dfa9a3edcb4940ab85039
SHA154b7cecf6789676b40aaad13ad486e4fd4694584
SHA2565b417dd7a992d40616bd7891fbd37e3ca803cce2e0daaa23e5b194728f54a4d2
SHA512355da234175adc004e38ec1398a6e9b8dcea6821909934e7f60dfae85cef66d0fe918922b79b06e963a4b21abd05ce1469bfde243fda77b1a97f3f8d783fa981
-
Filesize
50KB
MD5825154cf12f85d39bb641debad83c2dd
SHA1d2e0dcc64fa45d19b31978b3277319c30466a6c4
SHA256eb28c0a01076973fe1ac339f97d310f97eeb130dc14d401e977b8000fc886e25
SHA512a121ad388eb70b059235aa8548fb6a6824589b98a956b690d70de4cdf3808fa219c516e35029186b19467a1904a10a978e581fb7b36b21f8e852a993365e5cb7
-
Filesize
29KB
MD5e96135086c9310ac1cefc67d9e33d49e
SHA11b2f692e364b721397a3bb2b8ee1a2260bbc4fea
SHA2569fb4231e35b45315c895976fbd967adf75e816fb4c6b20995122384eeb2a4357
SHA512b507f4f42a85f6f6c845b1efbe2bf18a6d2393ec8d791666bb4aaa14f1f77ab15965624b53de34b7d0faccbd1b4cddcab20bb2e9fa13a2412c121ba743eb9474
-
Filesize
53KB
MD5f37d7661a711fb0f47860fcb39ad69f9
SHA1e4040ece30a073d7b1a85c87cd14b0df0eb17c54
SHA2563c2bfacbea581209087602932831d23c51f1f7933e2ec1ad1e94864b7b07466e
SHA512793709ac1c091811469e8b56812ad604ecfbd480f8984a5a97e7c423b5b23ecd50203462479ad58c743dd7b68fbac72d2449ac9602c9dd718cca89990e879968
-
Filesize
133KB
MD5e0e85a5cf5ac5232ef92e7fd103999be
SHA146c1491f896e4c1ebac152544e72bb16c44e93f8
SHA2563fb1a6c37d5ef68326c618e69a32d19a5b60cfbfb2b0c1a9542a7c09446ebd10
SHA512569ca424f7bfb471db864fcd1bb97de1854acf0c8c846fef6bbea036e329fcb70b79338e657a38961f0ff63b368694579ab1e686d10f04705652436f9002f0f6
-
Filesize
47KB
MD56de02ee87e1ae4438c94b3c14e2cc025
SHA12659d899ad5832db8902924406f1d782f780f061
SHA25694f2a0a9614aa872a4993a485e01b3dcf048f3353c35478b11270a24c909e25b
SHA512b5e6d6b8ad8b2010e2ca0de887c2eff8c411eedce54a95c16594a3a4d30a135e277779b97beb5044f383a686cdf09a139131fa597eda7761f6d590fee3db885d
-
Filesize
10KB
MD564b45efed60e6f8412b84d0961b2c00f
SHA1eb5a6862b79beb5560143c8a5a8a24636c5ac7f0
SHA2569e83272b88a418a39a0db8232d6064c081351024b0af36937732e3bd76caa175
SHA5122ee93e1a422c1f797aef1271becb50225cd84abc09e1926933cd833951063928b268c25553b7a82623443ffbf8094b923a9a778ecee9171ccef726a38f8b80f2
-
Filesize
8KB
MD5c5ad7ac92949511cf4afccef67fd21aa
SHA1683d1443a887114df520ab9e2b5cedd94cedb82d
SHA2563e3125c88020292ff7ccc4feeaa97ce0039837c8a2cfc80d527f12190ca9bc0c
SHA51277bb4b4a676666afcbe61a0150605d897ff067c821c21814ee26ec7fd806185606222bea5276209f1830b2ebd3d5882a9e1187ce21a8a18dac35f02ada1a4067
-
Filesize
1KB
MD5d9f9a6ffe3ec74093a3d0123bf843233
SHA1281e5f062ef74923978c73dcdefdac85be051490
SHA256557f5c8ce6f543153b5acd06c40d0ae87fd2493be551d94145fe48d8f4c630ff
SHA5128e0d8ca4bdd93715bbc9fb831bde9484f5b5acc772f444fc191b9c61231527d7a2b813e7c9be0c336763621369bf3fcb6c5229205571ca01f59872a61d451cef
-
Filesize
24KB
MD5c4502da7ce3fcc9357257ee0c4806d86
SHA1e6e685978f744642232e21d4e4c5820c340837a0
SHA2568304c565da21aad570f46a28d3af4687fec5e9f637e2eb1ccf2f9d132a28dac5
SHA512064c24ff63424badd51b64cacac751a8f7e91048f2f8e931ca5cb8497b8119c6d38967d5231d42a80f57a7cda3da1aad403b287daa3d4bd6381ec0a370a55450
-
Filesize
28KB
MD5ed8d1dd75cdc9060b7229bba35c726ac
SHA193a54baad3f8c7785aa70c3855aeb713b9802c9e
SHA256f96e917c90476482197efdc809f60c08c10ea1e1e2ef98471558054510767130
SHA5121235fac2656e24bc333cd600098ad672f2fd400932ec7b2ebe25bc8b0c707cc79e4373936d81245c3178e1280796bbc162ddb21969803d38b5c3b20a65557eac
-
Filesize
51KB
MD5b0002537e428ccab72e2e2209a3f78b9
SHA1480b2cb6d867a09f0e415c491547a2ebee152ddf
SHA256f2cd5af4f6aeaa0967e299d429e66fb97b4d9f6db1acfdc3276349575ed8568c
SHA51202057a31983836694e46746441ec66c6c571548cf68315373d1dd89b7b362fd883f6303fb2f871741bd7d2d3b3f0ed6a702d42151ab6c69cf47656085a55b459
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
88KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
1024KB
-
Filesize
3.8MB
-
Filesize
44KB
-
Filesize
3.8MB
-
Filesize
512KB
-
Filesize
444KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
444KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
1024KB
-
Filesize
512KB
-
Filesize
232KB
-
Filesize
512KB