Resubmissions

16-02-2024 05:11

240216-fvbxhaac5s 10

16-02-2024 04:50

240216-ff8ypaae66 10

Analysis

  • max time kernel
    300s
  • max time network
    294s
  • platform
    windows10-1703_x64
  • resource
    win10-20240214-en
  • resource tags

    arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16-02-2024 04:50

General

  • Target

    c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe

  • Size

    236KB

  • MD5

    12feeee4bc19579083e686cf16dea6e3

  • SHA1

    156fef6e87be45f48055315cf134421655a3a727

  • SHA256

    c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9

  • SHA512

    b942d5c619c6fa490edd96e9aeabb008c630f12343de4b0f0b6924bea0d50770dadf3072c2c20b2012e75bf59d9a8c7025174793177df16b405605059b921346

  • SSDEEP

    3072:9nznk9/Gm+lK+SQCylz9uD4BfKVSHudaCzg25lXp0:Rg+lK+SR69uD4BfnHgn

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32
rc4.i32

Extracted

Family

amadey

Version

4.14

C2

http://anfesq.com

http://cbinr.com

http://rimakc.ru

Attributes
  • install_dir

    68fd3d7ade

  • install_file

    Utsysc.exe

  • strings_key

    27ec7fd6f50f63b8af0c1d3deefcc8fe

  • url_paths

    /forum/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    "C:\Users\Admin\AppData\Local\Temp\c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2528
  • C:\Users\Admin\AppData\Local\Temp\EB0C.exe
    C:\Users\Admin\AppData\Local\Temp\EB0C.exe
    1⤵
    • Executes dropped EXE
    PID:3084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 564
      2⤵
      • Program crash
      PID:3492
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 640
      2⤵
      • Program crash
      PID:2184
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 732
      2⤵
      • Program crash
      PID:4616
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 780
      2⤵
      • Program crash
      PID:4228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 808
      2⤵
      • Program crash
      PID:676
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 852
      2⤵
      • Program crash
      PID:644
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1044
      2⤵
      • Program crash
      PID:1492
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1072
      2⤵
      • Program crash
      PID:4244
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1104
      2⤵
      • Program crash
      PID:808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EB0C.exe

    Filesize

    384KB

    MD5

    e1dc6f36bc9f047f33b58c8c0fc2da89

    SHA1

    cf6dfe8eaa32971eb53f02d0dc7c8ac299968880

    SHA256

    6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767

    SHA512

    6387d154ca10f44aa3abb8ef9b653c99b7fa583d152ef51b5091fccce085c6459ecc799f0491e8e3fe197f8bcd30af2d6c8fae3973311b05930fd444be962f92

  • memory/2528-1-0x0000000000490000-0x0000000000590000-memory.dmp

    Filesize

    1024KB

  • memory/2528-2-0x00000000005B0000-0x00000000005BB000-memory.dmp

    Filesize

    44KB

  • memory/2528-3-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2528-5-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/3084-16-0x0000000000700000-0x0000000000800000-memory.dmp

    Filesize

    1024KB

  • memory/3084-17-0x00000000020A0000-0x000000000210F000-memory.dmp

    Filesize

    444KB

  • memory/3084-18-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/3084-21-0x00000000020A0000-0x000000000210F000-memory.dmp

    Filesize

    444KB

  • memory/3084-23-0x0000000000700000-0x0000000000800000-memory.dmp

    Filesize

    1024KB

  • memory/3328-4-0x0000000001480000-0x0000000001496000-memory.dmp

    Filesize

    88KB