Malware Analysis Report

2024-11-13 18:57

Sample ID 240216-a8mchach7s
Target 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f
SHA256 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f
Tags
amadey smokeloader pub3 backdoor spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
  Enterprise Matrix V15

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f

Threat Level: Known bad

The file 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f was found to be: Known bad.

Malicious Activity Summary

amadey smokeloader pub3 backdoor spyware stealer trojan

Amadey

SmokeLoader

Downloads MZ/PE file

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-16 00:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 00:53

Reported

2024-02-16 00:55

Platform

win7-20231215-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\B413.exe N/A 2
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 4
N/A N/A C:\Windows\system32\rundll32.exe N/A 4
N/A N/A C:\Windows\system32\WerFault.exe N/A 2
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 4
N/A N/A C:\Windows\system32\rundll32.exe N/A 4
N/A N/A C:\Windows\system32\WerFault.exe N/A 2
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 4
N/A N/A C:\Windows\system32\rundll32.exe N/A 4
N/A N/A C:\Windows\system32\WerFault.exe N/A 2
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A 12

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A 2
N/A N/A N/A N/A 62

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeShutdownPrivilege N/A N/A N/A 3

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A N/A N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\B413.exe N/A 1

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A N/A N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1244 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\Temp\B413.exe 4
PID 2708 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\B413.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe 4
PID 2432 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2432 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 1180 wrote to memory of 568 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe 4
PID 568 wrote to memory of 1324 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe 3
PID 1592 wrote to memory of 2812 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe 4
PID 2432 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 2452 wrote to memory of 2300 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe 4
PID 2300 wrote to memory of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe 3
PID 2432 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 7
PID 2412 wrote to memory of 1984 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe 4
PID 1984 wrote to memory of 1144 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe 3
PID 2432 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 6

Processes

C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe

"C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe"

C:\Users\Admin\AppData\Local\Temp\B413.exe

C:\Users\Admin\AppData\Local\Temp\B413.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 568 -s 312

C:\Windows\system32\taskeng.exe

taskeng.exe {771EE358-D2D3-4BBD-8120-82D206D41C88} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2300 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1984 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\B413.exe

MD5 4bb6852748ac936523f68322f1bae54a
SHA1 846ee2c620e655903aaa8e3f4ee0f9f27aec18f7
SHA256 f77d971f56a9101640c5fffc0121ba5f2f3c33e6f074e9d2b91c9af10da9c43d
SHA512 c13fe3c437d26caf9d4504f624d8e3ff7f5e370c476a047040d2f57a6e7905bbbd5c8023d304b2165fea2bb5ac24c5261c050a7dce39d4e79c8c2d360ddef74e

C:\Users\Admin\AppData\Local\Temp\603059206200

MD5 f51d96c6c0a3e6b986d671c03407cfd2
SHA1 e0b0c6779108c6e818264c8589af38bf96df99f2
SHA256 b4324e22222736f62dfe8b7e5ed1ccebbccfb8eb2c358309884600f0aeefe042
SHA512 2ae59232fabbdc2231fc479589bd5eb353aba3c8c856355fca939defb81cab86c78e1926896b1267dbd2310988ff47c30f4ac20af18841f6089ad05f00602b3c

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 00:53

Reported

2024-02-16 00:55

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D0CD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Program crash

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D0CD.exe 10
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe 24

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A 2
N/A N/A N/A N/A 62

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeShutdownPrivilege N/A N/A N/A 32
Token: SeCreatePagefilePrivilege N/A N/A N/A 32

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D0CD.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2976 wrote to memory of 1108 N/A N/A C:\Users\Admin\AppData\Local\Temp\D0CD.exe 3
PID 1108 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\D0CD.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe 3
PID 2524 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 2524 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 1396 wrote to memory of 4080 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe 2
PID 2524 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 2184 wrote to memory of 4508 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe 2
PID 2524 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 4928 wrote to memory of 1624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe 2
PID 2524 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 2524 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 3
PID 2524 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe 1
PID 2524 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 2524 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe

"C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe"

C:\Users\Admin\AppData\Local\Temp\D0CD.exe

C:\Users\Admin\AppData\Local\Temp\D0CD.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1216

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1108 -ip 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1020

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1664

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1744

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1872 -ip 1872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 428

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2524 -ip 2524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1320
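Two command lines in the process list above carry the behaviour worth a detection rule: the schtasks.exe call that creates a task named Utsysc.exe re-running C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe every minute (the "Creates scheduled task(s)" signature), and the rundll32.exe calls that load cred64.dll and clip64.dll from C:\Users\Admin\AppData\Roaming\2eed656dd58e95 through an export named Main. The WerFault.exe entries (-p 1108, -p 2524, -p 2912, -p 1872 name the crashing PID) are the "Program crash" signature and need no rule of their own. The script below is an added example, not part of the sandbox report: it tokenises Windows command lines, parses schtasks switches, and flags a MINUTE trigger with a small /MO value or a task action / rundll32 payload under a user-writable directory. The first four sample lines are copied from the Processes list above; the last two are constructed benign controls. The 5-minute threshold and the user-writable-path pattern are assumptions chosen for this example.

```python
import re

# Sample input. Lines 1-4 are copied from the Processes list in this report;
# lines 5-6 are constructed benign controls and do not appear in the report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1320',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
]

# Assumption: a task action or DLL under these per-user directories is suspicious.
USER_WRITABLE = re.compile(r'\\AppData\\(Local\\Temp|Roaming)\\', re.IGNORECASE)
# Assumption: a MINUTE trigger with /MO at or below this is a re-launch loop.
MAX_BENIGN_MINUTES = 5


def split_cmdline(cmdline):
    """Minimal Windows-style split: whitespace separates, double quotes group."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_switches(args):
    """Turn ['/SC', 'MINUTE', '/F'] into {'/SC': 'MINUTE', '/F': True}."""
    opts, i = {}, 0
    while i < len(args):
        key = args[i].upper()
        if key.startswith("/") and i + 1 < len(args) and not args[i + 1].startswith("/"):
            opts[key] = args[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def schtasks_findings(args):
    opts = parse_switches(args)
    if "/CREATE" not in opts:
        return []
    out = []
    mo = opts.get("/MO")
    if (str(opts.get("/SC", "")).upper() == "MINUTE" and isinstance(mo, str)
            and mo.isdigit() and int(mo) <= MAX_BENIGN_MINUTES):
        out.append(f"schtasks: task {opts.get('/TN')} re-runs every {mo} minute(s)")
    action = opts.get("/TR")
    if isinstance(action, str) and USER_WRITABLE.search(action):
        out.append(f"schtasks: task action runs from user-writable path {action}")
    return out


def rundll32_findings(args):
    if not args:
        return []
    # rundll32 syntax is "<dll>,<export> [args]"; the comma may be glued to the path.
    dll, _, export = " ".join(args).partition(",")
    dll, export = dll.strip(), export.strip()
    if USER_WRITABLE.search(dll):
        return [f"rundll32: loads {dll} (export {export or '?'}) from user-writable path"]
    return []


def analyse(cmdline):
    """Return the findings for one command line (empty list if nothing matched)."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return []
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe == "schtasks.exe":
        return schtasks_findings(tokens[1:])
    if exe == "rundll32.exe":
        return rundll32_findings(tokens[1:])
    return []


def scan(cmdlines):
    """Map each flagged command line to its findings; clean lines are omitted."""
    return {c: analyse(c) for c in cmdlines if analyse(c)}


if __name__ == "__main__":
    for cmd, findings in scan(SAMPLE_CMDLINES).items():
        print(cmd)
        for f in findings:
            print("   ", f)
```

Running the script flags the three report lines (the schtasks line twice, once for the one-minute trigger and once for the Temp path) and leaves the WerFault line and both constructed controls alone. Note that the report records the process image as C:\Windows\SysWOW64\schtasks.exe while the command line says System32: that is WoW64 file-system redirection for a 32-bit parent, so match on the image name, not the directory.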

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
KR 58.151.148.90:80 sjyey.com tcp
KR 58.151.148.90:80 sjyey.com tcp
US 8.8.8.8:53 90.148.151.58.in-addr.arpa udp
KR 58.151.148.90:80 sjyey.com tcp
KR 58.151.148.90:80 sjyey.com tcp
KR 58.151.148.90:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
KR 211.40.39.251:80 emgvod.com tcp
US 8.8.8.8:53 251.39.40.211.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
KR 58.151.148.90:80 emgvod.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 58.151.148.90:80 emgvod.com tcp
KR 58.151.148.90:80 emgvod.com tcp
KR 58.151.148.90:80 emgvod.com tcp
US 8.8.8.8:53 rimakc.ru udp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 cbinr.com udp
RU 91.189.114.4:80 rimakc.ru tcp
AR 190.195.60.212:80 cbinr.com tcp
AR 190.195.60.212:80 cbinr.com tcp
US 8.8.8.8:53 212.60.195.190.in-addr.arpa udp
AR 190.195.60.212:80 cbinr.com tcp
RU 91.189.114.4:80 rimakc.ru tcp
NL 52.142.223.178:80 tcp
AR 190.195.60.212:80 cbinr.com tcp
US 8.8.8.8:53 4.114.189.91.in-addr.arpa udp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
AR 190.195.60.212:80 cbinr.com tcp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
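The Network table mixes three kinds of row: forward lookups sent to the sandbox resolver at 8.8.8.8:53, reverse (in-addr.arpa) lookups to the same resolver, and TCP connections labelled with a domain (blank for 52.142.223.178). Two things matter when turning it into indicators. Several names (anfesq.com, tceducn.com, arrunda.ru, soetegem.com) are queried but never followed by a connection, so they are resolution attempts rather than contacted infrastructure; and 58.151.148.90 carries both the sjyey.com and emgvod.com labels while emgvod.com also appears with 211.40.39.251, so the IP and the name should be tracked as separate indicators. Decoding the in-addr.arpa names also separates reverse lookups of addresses the sample connected to (four in the full table) from the rest. The script below is an added example, not part of the report; its input is a subset of the rows above, copied as-is, and it treats 8.8.8.8:53 as the resolver rather than as an indicator.

```python
import ipaddress

# Sample input: a subset of the Network table rows from this report, copied as-is.
NETWORK_ROWS = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
KR 58.151.148.90:80 sjyey.com tcp
US 8.8.8.8:53 90.148.151.58.in-addr.arpa udp
US 8.8.8.8:53 emgvod.com udp
KR 211.40.39.251:80 emgvod.com tcp
KR 58.151.148.90:80 emgvod.com tcp
US 8.8.8.8:53 rimakc.ru udp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 cbinr.com udp
RU 91.189.114.4:80 rimakc.ru tcp
AR 190.195.60.212:80 cbinr.com tcp
US 8.8.8.8:53 212.60.195.190.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
"""

# The sandbox's DNS forwarder (assumed from the table); never an indicator itself.
SANDBOX_RESOLVER = "8.8.8.8:53"


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'90.148.151.58.in-addr.arpa' -> '58.151.148.90'; None if not a valid PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def triage(text):
    contacted = {}   # IP -> names the report attached to TCP connections to it
    queried = set()  # forward lookups sent to the resolver
    ptr = {}         # decoded IP -> reverse-lookup name
    for r in parse_rows(text):
        ip = r["dest"].rsplit(":", 1)[0]
        if r["dest"] == SANDBOX_RESOLVER and r["proto"] == "udp":
            decoded = ptr_to_ip(r["domain"])
            if decoded:
                ptr[decoded] = r["domain"]
            elif r["domain"]:
                queried.add(r["domain"])
        elif r["proto"] == "tcp":
            contacted.setdefault(ip, set())
            if r["domain"]:
                contacted[ip].add(r["domain"])
    named = {n for names in contacted.values() for n in names}
    return {
        "contacted": contacted,                 # IP indicators, with their labels
        "resolved_only": queried - named,       # names queried but never connected to
        "ptr": ptr,
        "ptr_of_contacted": set(ptr) & set(contacted),
        "shared_ips": {ip for ip, names in contacted.items() if len(names) > 1},
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for key in ("contacted", "resolved_only", "shared_ips", "ptr_of_contacted"):
        print(key, result[key])
```

On the subset above this yields five contacted IPs (one with no name), four resolved-only names, 58.151.148.90 as the IP that carries two labels, and two reverse lookups that concern contacted addresses. Resolved-only names still belong on a watchlist: a loader that could not reach them in the sandbox may reach them elsewhere.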

Files

memory/4656-1-0x00000000004E0000-0x00000000005E0000-memory.dmp

memory/4656-2-0x0000000002050000-0x000000000205B000-memory.dmp

memory/4656-3-0x0000000000400000-0x000000000044B000-memory.dmp

memory/2976-4-0x00000000026B0000-0x00000000026C6000-memory.dmp

memory/4656-5-0x0000000000400000-0x000000000044B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0CD.exe

MD5 4bb6852748ac936523f68322f1bae54a
SHA1 846ee2c620e655903aaa8e3f4ee0f9f27aec18f7
SHA256 f77d971f56a9101640c5fffc0121ba5f2f3c33e6f074e9d2b91c9af10da9c43d
SHA512 c13fe3c437d26caf9d4504f624d8e3ff7f5e370c476a047040d2f57a6e7905bbbd5c8023d304b2165fea2bb5ac24c5261c050a7dce39d4e79c8c2d360ddef74e

memory/1108-16-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1108-17-0x00000000020F0000-0x000000000215F000-memory.dmp

memory/1108-18-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2524-31-0x0000000000800000-0x0000000000900000-memory.dmp

memory/2524-33-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2524-32-0x0000000000750000-0x00000000007BF000-memory.dmp

memory/1108-34-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\791175113106

MD5 b017bc8192850a0787966507a08d7424
SHA1 4adb2e91f8dee87fcfa96778e7ae4428fe8330ff
SHA256 a1bfb6e77615fd1a4aeaa6936cd8de122871f51f4c840cb593bb4e1a9552f1ea
SHA512 bbfb792c5123f1c8df886fa9330657ce1555b32ea794676e33e96788fec8a55c891e8dea1644609a407c566c6acdd9d54c2db751760a8625fff0726e61b25efc

memory/2524-43-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2524-46-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2912-47-0x0000000000520000-0x0000000000620000-memory.dmp

memory/2912-48-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2524-50-0x0000000000800000-0x0000000000900000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

memory/2524-64-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2524-74-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2524-77-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

memory/2524-89-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1872-93-0x0000000000520000-0x0000000000620000-memory.dmp

memory/1872-94-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2524-96-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2524-98-0x0000000000400000-0x0000000000471000-memory.dmp