Malware Analysis Report

2024-11-13 18:56

Sample ID 240215-3z3mcabh5z
Target 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a
SHA256 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a
Tags: amadey smokeloader pub3 backdoor spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a

Threat Level: Known bad

The file 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a was found to be: Known bad.

Malicious Activity Summary

Tags: amadey smokeloader pub3 backdoor spyware stealer trojan

Amadey
SmokeLoader
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-15 23:57

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-15 23:57
Reported: 2024-02-16 00:00
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C757.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe N/A

Deletes itself


Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\avctreh N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\avctreh N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\avctreh N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\avctreh N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\C757.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\C757.exe
PID 456 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\C757.exe C:\Users\Admin\AppData\Local\Temp\C757.exe
PID 2344 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\C757.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 3988 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 556 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 556 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 3496 wrote to memory of 1276 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 556 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2356 wrote to memory of 4636 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 792 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 556 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2176 wrote to memory of 1472 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 556 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 556 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 556 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 1136 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe

"C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe"

C:\Users\Admin\AppData\Local\Temp\C757.exe

C:\Users\Admin\AppData\Local\Temp\C757.exe

C:\Users\Admin\AppData\Local\Temp\C757.exe

C:\Users\Admin\AppData\Local\Temp\C757.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Roaming\avctreh

C:\Users\Admin\AppData\Roaming\avctreh

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
US 8.8.8.8:53 243.161.140.123.in-addr.arpa udp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
AR 190.195.60.212:80 emgvod.com tcp
US 8.8.8.8:53 212.60.195.190.in-addr.arpa udp
KR 123.140.161.243:80 sjyey.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 cbinr.com udp
US 8.8.8.8:53 rimakc.ru udp
KR 123.140.161.243:80 cbinr.com tcp
RU 91.189.114.4:80 rimakc.ru tcp
KR 123.140.161.243:80 cbinr.com tcp
KR 123.140.161.243:80 cbinr.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
KR 123.140.161.243:80 cbinr.com tcp
KR 123.140.161.243:80 cbinr.com tcp
KR 123.140.161.243:80 cbinr.com tcp
RU 91.189.114.4:80 rimakc.ru tcp
KR 123.140.161.243:80 cbinr.com tcp
US 8.8.8.8:53 4.114.189.91.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
KR 123.140.161.243:80 cbinr.com tcp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp

Files

memory/2300-2-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2300-1-0x0000000000690000-0x0000000000790000-memory.dmp

memory/2300-3-0x0000000002190000-0x000000000219B000-memory.dmp

memory/3536-4-0x0000000001280000-0x0000000001296000-memory.dmp

memory/2300-5-0x0000000000400000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C757.exe

MD5 57a16daebdf4113651b1d0a1af3ebf96
SHA1 bf2dec1b7cdbe8548020f6e9c3002151fe6a20ee
SHA256 54fe7416808922eb895d5a5b56aa62db6c404bf95d9d689e4e6d464b2f9e58b4
SHA512 a20f4c5e9e3f3656171201e509d80dfc61b962c141512cd05945dad0129b181cc3516b21c43a76d1a04c13208760362187e894db198ecfc81664b75f744d58b6

memory/456-16-0x0000000000780000-0x0000000000880000-memory.dmp

memory/456-17-0x00000000006D0000-0x000000000073F000-memory.dmp

memory/2344-18-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2344-20-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2344-21-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2344-22-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2344-34-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3988-37-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/556-40-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-41-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-42-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-43-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\497073144238

MD5 b567fea2f064c6b697be5ffc72d10ad9
SHA1 b5b22d1d3b68737fee3a0e22327da3f3b2e19380
SHA256 ebf0cd7b2b3a87f289964038b6a527a7fb220a17b48c2653aa0b763422639a71
SHA512 279bfbfb7b2c391167388b9aacc42f2bf570d278482a844a2086294297468957b016031576a5e39d6cdc868990eaacce5fcada107a25f385f8c9b951dc2020e0

memory/556-56-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

memory/556-69-0x0000000000400000-0x0000000000471000-memory.dmp

memory/792-74-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/4540-77-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4540-78-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4540-79-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-81-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-84-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

memory/556-103-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-105-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-106-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1136-112-0x00000000007C0000-0x00000000008C0000-memory.dmp

memory/4688-115-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4688-116-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4688-117-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\avctreh

MD5 32e42bd81cfc8ea5fc638a5f43a749f0
SHA1 37df03feda3f4da9ef7c5d2bdc308bda6d1a9b49
SHA256 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a
SHA512 8a531a29a39b663fb17ccd0c6a72d17635254d3e8061b1ee949f8f9b4cace6106e6d9363f5a8d7b4b42119233c7edfac3a9a3bb5be9c3846617c26e692944e15

memory/5024-122-0x00000000005F0000-0x00000000006F0000-memory.dmp

memory/5024-123-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3536-124-0x00000000030C0000-0x00000000030D6000-memory.dmp

memory/5024-127-0x0000000000400000-0x000000000044C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-15 23:57
Reported: 2024-02-16 00:00
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B1F.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\afrrbdj N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B1F.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\afrrbdj N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\afrrbdj N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\afrrbdj N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\afrrbdj N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 1396 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B1F.exe
PID 1396 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\1B1F.exe C:\Users\Admin\AppData\Local\Temp\1B1F.exe
PID 1712 wrote to memory of 2552 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\afrrbdj

Processes

C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe

"C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe"

C:\Users\Admin\AppData\Local\Temp\1B1F.exe

C:\Users\Admin\AppData\Local\Temp\1B1F.exe

C:\Users\Admin\AppData\Local\Temp\1B1F.exe

C:\Users\Admin\AppData\Local\Temp\1B1F.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {302ADBBB-324C-41DF-A6B5-B0F2CDEAD367} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\afrrbdj

C:\Users\Admin\AppData\Roaming\afrrbdj

Network

Country Destination Domain Proto
US 8.8.8.8:53 sjyey.com udp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
MX 187.156.75.116:80 emgvod.com tcp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp
KR 123.140.161.243:80 sjyey.com tcp

Files

memory/3000-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/3000-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/3000-3-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3000-5-0x0000000000400000-0x000000000044C000-memory.dmp

memory/1272-4-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

memory/3000-8-0x00000000001B0000-0x00000000001BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B1F.exe

MD5 57a16daebdf4113651b1d0a1af3ebf96
SHA1 bf2dec1b7cdbe8548020f6e9c3002151fe6a20ee
SHA256 54fe7416808922eb895d5a5b56aa62db6c404bf95d9d689e4e6d464b2f9e58b4
SHA512 a20f4c5e9e3f3656171201e509d80dfc61b962c141512cd05945dad0129b181cc3516b21c43a76d1a04c13208760362187e894db198ecfc81664b75f744d58b6

C:\Users\Admin\AppData\Local\Temp\1B1F.exe

MD5 cd509076d6e471194363cfecc06c46b6
SHA1 d50dfba7b2ce5037145bc545172c887431f26da1
SHA256 de874c7f06632d5bf1556fa21ee917915d00e7143d6fe3721128c575fe4ac82c
SHA512 390d0b7b6a6eb0b879a29194e228c86c16a91a408ca9149a2065487fc7bfa66ecc65d4cffe4b39eda18e4ea51f71afe49ffbd5220135da5f56b889142ab66076

\Users\Admin\AppData\Local\Temp\1B1F.exe

MD5 b4149b4a35e02013e81f173b6e1c2c35
SHA1 7cd2908d39d22d3615b18c848941c3a6b39cc58c
SHA256 119cd393ce755ceae61df6fed0e80c135cc988b972307db5e19e4ee1955c9886
SHA512 a7de6b5cd059b13894266a02f4b05328add5dc3d9da449ec57a37f94844b32639b06d46df229b456c52177c9cd14fff95a8062be9f31223aefa68c8c3f78f77d

memory/1396-23-0x00000000004E0000-0x000000000054F000-memory.dmp

memory/2612-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1396-21-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/1396-25-0x00000000002F0000-0x00000000003F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\afrrbdj

MD5 32e42bd81cfc8ea5fc638a5f43a749f0
SHA1 37df03feda3f4da9ef7c5d2bdc308bda6d1a9b49
SHA256 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a
SHA512 8a531a29a39b663fb17ccd0c6a72d17635254d3e8061b1ee949f8f9b4cace6106e6d9363f5a8d7b4b42119233c7edfac3a9a3bb5be9c3846617c26e692944e15

memory/2552-30-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2552-29-0x0000000000270000-0x0000000000370000-memory.dmp

memory/1272-31-0x0000000002CB0000-0x0000000002CC6000-memory.dmp

memory/2552-34-0x0000000000400000-0x000000000044C000-memory.dmp