Malware Analysis Report

2024-11-13 18:57

Sample ID 240217-dt4vsaac9t
Target 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c
SHA256 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c
Tags: amadey smokeloader pub3 backdoor spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c
Threat level: Known bad

Malicious Activity Summary

Tags: amadey smokeloader pub3 backdoor spyware stealer trojan

Amadey

SmokeLoader

Downloads MZ/PE file

Deletes itself

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-02-17 03:18

Signatures

Unsigned PE (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-17 03:18
Reported: 2024-02-17 03:21
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself (no description, indicator, process or target recorded)

Loads dropped DLL

Process | Load events
C:\Users\Admin\AppData\Local\Temp\EC90.exe | 3
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 2
C:\Windows\SysWOW64\rundll32.exe | 4
C:\Windows\system32\rundll32.exe | 4
C:\Windows\system32\WerFault.exe | 2
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 1
C:\Windows\SysWOW64\rundll32.exe | 4
C:\Windows\system32\rundll32.exe | 4
C:\Windows\system32\WerFault.exe | 2
C:\Windows\SysWOW64\rundll32.exe | 4
C:\Windows\system32\rundll32.exe | 4
C:\Windows\system32\WerFault.exe | 2
C:\Windows\SysWOW64\rundll32.exe | 4
(40 events in trace order; description, indicator and target were not recorded)

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks SCSI registry key(s)

Operation | Key | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\brviahd
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\brviahd
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\brviahd
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
(no target recorded for any row)

Creates scheduled task(s)

persistence
Process: C:\Windows\SysWOW64\schtasks.exe (no description, indicator or target recorded)

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe (2 events)
62 further events with no description, indicator, process or target recorded

Suspicious behavior: MapViewOfSection

Process: C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Process: C:\Users\Admin\AppData\Roaming\brviahd

Suspicious use of AdjustPrivilegeToken

Token: SeShutdownPrivilege (3 events; process not recorded)

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\EC90.exe

Suspicious use of WriteProcessMemory

Source PID | Source process | Target PID | Target process | Events
1260 | N/A | 2572 | C:\Users\Admin\AppData\Local\Temp\EC90.exe | 4
2572 | C:\Users\Admin\AppData\Local\Temp\EC90.exe | 2696 | C:\Users\Admin\AppData\Local\Temp\EC90.exe | 11
2696 | C:\Users\Admin\AppData\Local\Temp\EC90.exe | 2960 | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 4
2960 | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 1584 | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 11
1584 | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 1988 | C:\Windows\SysWOW64\schtasks.exe | 4
1640 | C:\Windows\system32\taskeng.exe | 1528 | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 4
1640 | C:\Windows\system32\taskeng.exe | 1776 | C:\Users\Admin\AppData\Roaming\brviahd | 4
1528 | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 1104 | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 11
1584 | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe | 2284 | C:\Windows\SysWOW64\rundll32.exe | 7
2284 | C:\Windows\SysWOW64\rundll32.exe | 1636 | C:\Windows\system32\rundll32.exe | 4
(64 events in trace order; no indicator recorded for any row)

Processes

C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe

"C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe"

C:\Users\Admin\AppData\Local\Temp\EC90.exe

C:\Users\Admin\AppData\Local\Temp\EC90.exe

C:\Users\Admin\AppData\Local\Temp\EC90.exe

C:\Users\Admin\AppData\Local\Temp\EC90.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\system32\taskeng.exe

taskeng.exe {668818FA-664B-4766-B17C-E0366DEFEAD2} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Roaming\brviahd

C:\Users\Admin\AppData\Roaming\brviahd

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1636 -s 312

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1888 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2024 -s 312

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
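
The process list above carries the three shapes that make this chain detectable on an endpoint without any hash: a process that re-launches itself from Temp (EC90.exe and Utsysc.exe, matching the WriteProcessMemory and SetThreadContext signatures), a schtasks.exe call that registers a one-minute task pointing back into Temp, and rundll32.exe loading cred64.dll / clip64.dll with export Main from AppData\Roaming, plus taskeng.exe starting the extensionless file brviahd. The following is an added example, not code from the sandbox or this report: it runs those checks over process-creation events constructed from the PIDs and paths in this report. The field names (pid, ppid, image, parent_image, cmdline) are an assumed Sysmon-like schema, the parent image of PID 1260 is not attributed in the report and is left empty, and the benign rundll32 control event and the 5-minute threshold are the example's own choices.

```python
"""Process-creation checks for the patterns in this trace (added example)."""
import re

# Locations a standard user can write to; every dropped file in this trace
# lives under Temp (EC90.exe, Utsysc.exe) or Roaming (brviahd, cred64.dll, clip64.dll).
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
SCHTASKS_MINUTE = re.compile(r"/SC\s+MINUTE\s+/MO\s+(\d+)", re.IGNORECASE)
SCHTASKS_TR = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# rundll32 <dll>, <export>: capture the DLL path and the export name
RUNDLL32_ARG = re.compile(r'rundll32\.exe"?\s+"?([^",]+?)"?\s*,\s*([A-Za-z_]\w*)', re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events; PIDs and paths follow the report, schema is assumed.
EVENTS = [
    {"pid": 2696, "ppid": 2572, "image": TEMP + r"\EC90.exe",
     "parent_image": TEMP + r"\EC90.exe", "cmdline": TEMP + r"\EC90.exe"},
    {"pid": 1584, "ppid": 2960, "image": TEMP + r"\68fd3d7ade\Utsysc.exe",
     "parent_image": TEMP + r"\68fd3d7ade\Utsysc.exe",
     "cmdline": '"' + TEMP + r'\68fd3d7ade\Utsysc.exe"'},
    {"pid": 1988, "ppid": 1584, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": TEMP + r"\68fd3d7ade\Utsysc.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F'},
    {"pid": 1776, "ppid": 1640, "image": r"C:\Users\Admin\AppData\Roaming\brviahd",
     "parent_image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\brviahd"},
    {"pid": 2284, "ppid": 1584, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": TEMP + r"\68fd3d7ade\Utsysc.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main'},
    # constructed benign control: rundll32 loading a DLL from System32 must not fire
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
]


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path or ""))


def check_event(ev: dict) -> list[str]:
    """Return the findings for one process-creation event (empty list if clean)."""
    findings = []
    image, cmd = ev["image"], ev["cmdline"]
    parent = ev.get("parent_image") or ""
    base = image.rsplit("\\", 1)[-1].lower()
    if base == "schtasks.exe":
        interval = SCHTASKS_MINUTE.search(cmd)
        tr = SCHTASKS_TR.search(cmd)
        target = (tr.group(1) or tr.group(2)) if tr else ""
        # a task re-running every few minutes out of Temp/Roaming is the persistence shape seen here
        if interval and int(interval.group(1)) <= 5 and user_writable(target):
            findings.append(f"scheduled task every {interval.group(1)} min runs {target}")
    elif base == "rundll32.exe":
        arg = RUNDLL32_ARG.search(cmd)
        if arg and user_writable(arg.group(1)):
            findings.append(f"rundll32 loads {arg.group(1)}!{arg.group(2)} from a user-writable path")
    if user_writable(image):
        if parent.lower() == image.lower():
            findings.append("re-launched itself from a user-writable path (injection/hollowing shape)")
        if "." not in base:
            findings.append("extensionless executable launched from a user-writable path")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map PID -> findings for every event that triggered at least one check."""
    return {ev["pid"]: f for ev in events if (f := check_event(ev))}


if __name__ == "__main__":
    for pid, found in scan(EVENTS).items():
        print(pid, "|", "; ".join(found))
```

The self-launch check deliberately keys on the image path being equal to the parent's image path and user-writable, not on the process name, so that Utsysc.exe spawned by taskeng.exe (the scheduled-task run) is not confused with Utsysc.exe spawned by Utsysc.exe (the injection step).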

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | sjyey.com | udp | 1
BA | 109.175.29.39:80 | sjyey.com | tcp | 4
US | 8.8.8.8:53 | emgvod.com | udp | 1
PE | 190.187.52.42:80 | emgvod.com | tcp | 1
BA | 109.175.29.39:80 | sjyey.com | tcp | 5
US | 8.8.8.8:53 | anfesq.com | udp | 1
US | 8.8.8.8:53 | cbinr.com | udp | 1
US | 8.8.8.8:53 | rimakc.ru | udp | 1
RU | 91.189.114.4:80 | rimakc.ru | tcp | 1
UY | 179.26.248.248:80 | cbinr.com | tcp | 3
US | 8.8.8.8:53 | anfesq.com | udp | 2
UY | 179.26.248.248:80 | cbinr.com | tcp | 2
(23 rows in trace order, consecutive identical rows collapsed into the Count column)
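
Raw sandbox network rows are not yet indicators: 8.8.8.8:53 is the sandbox resolver, the same C2 shows up once per connection, and a domain that was looked up but never connected to (anfesq.com here, resolved three times with no TCP follow-up) is still part of the loader's configuration and worth blocking. The following added example, not code from the sandbox or this report, turns the table above into a deduplicated summary; NETWORK_ROWS is the report's own rows pasted in as text and the column order is taken from the report's header line.

```python
"""Summarise the behavioral1 Network table into usable indicators (added example)."""
from collections import Counter

RESOLVER = "8.8.8.8"  # the sandbox's DNS server, not an indicator of the sample

# The 23 rows of the report's Network table, copied verbatim.
NETWORK_ROWS = """
US 8.8.8.8:53 sjyey.com udp
BA 109.175.29.39:80 sjyey.com tcp
BA 109.175.29.39:80 sjyey.com tcp
BA 109.175.29.39:80 sjyey.com tcp
BA 109.175.29.39:80 sjyey.com tcp
US 8.8.8.8:53 emgvod.com udp
PE 190.187.52.42:80 emgvod.com tcp
BA 109.175.29.39:80 sjyey.com tcp
BA 109.175.29.39:80 sjyey.com tcp
BA 109.175.29.39:80 sjyey.com tcp
BA 109.175.29.39:80 sjyey.com tcp
BA 109.175.29.39:80 sjyey.com tcp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 cbinr.com udp
US 8.8.8.8:53 rimakc.ru udp
RU 91.189.114.4:80 rimakc.ru tcp
UY 179.26.248.248:80 cbinr.com tcp
UY 179.26.248.248:80 cbinr.com tcp
UY 179.26.248.248:80 cbinr.com tcp
US 8.8.8.8:53 anfesq.com udp
US 8.8.8.8:53 anfesq.com udp
UY 179.26.248.248:80 cbinr.com tcp
UY 179.26.248.248:80 cbinr.com tcp
"""


def parse_rows(text: str) -> list[dict]:
    """Parse 'country ip:port domain proto' lines; skip anything that is not a 4-column row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header, blank or truncated line
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows: list[dict]) -> dict:
    """Split DNS lookups from TCP connections and spot domains that never got a connection."""
    lookups = Counter(r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53)
    connections = Counter((r["domain"], r["ip"], r["port"], r["country"])
                          for r in rows if r["proto"] == "tcp")
    contacted = {domain for (domain, _ip, _port, _cc) in connections}
    # resolved but never connected: configured C2 that was down or blocked during the run
    resolved_only = sorted(set(lookups) - contacted)
    return {"lookups": lookups, "connections": connections, "resolved_only": resolved_only}


def indicators(rows: list[dict]) -> dict[str, list[str]]:
    """Flat IOC lists, with the sandbox resolver excluded from the socket set."""
    domains = sorted({r["domain"] for r in rows})
    sockets = sorted({f'{r["ip"]}:{r["port"]}' for r in rows if r["ip"] != RESOLVER})
    return {"domains": domains, "ip_ports": sockets}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    summary = summarize(rows)
    for key, count in summary["connections"].items():
        print("connect", key, "x", count)
    print("resolved only:", summary["resolved_only"])
    print("iocs:", indicators(rows))
```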

Files

memory/2452-1-0x0000000000950000-0x0000000000A50000-memory.dmp

memory/2452-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2452-3-0x0000000000400000-0x000000000082A000-memory.dmp

memory/2452-5-0x0000000000400000-0x000000000082A000-memory.dmp

memory/1260-4-0x0000000002B80000-0x0000000002B96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC90.exe

MD5 bfb5ddcb6390a75513f57e8e6741683d
SHA1 32616bc90620c42d831a5561997d4c357823e561
SHA256 a4b90e49aed58d08aebd377c832aafd35faa77cbec6c5c50bc998a2408eecb3a
SHA512 5a603c56a9ba1457df3636e42bb5c5c45d7b5087541ddff7bf422942daa6f8267420e527cfd8a2204efe2e66af0c4ef64a45a6851d8bc6aca3ef150927a8dca6

memory/2572-21-0x0000000000900000-0x0000000000A00000-memory.dmp

memory/2696-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2572-23-0x00000000002D0000-0x000000000033F000-memory.dmp

memory/2696-24-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2696-27-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2696-28-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2696-29-0x0000000001F70000-0x0000000001F71000-memory.dmp

memory/2696-41-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2960-47-0x0000000000960000-0x0000000000A60000-memory.dmp

memory/1584-52-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1584-53-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1584-54-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\523118073713

MD5 14aa3ccb9e2e31ffad36609cf0fb763a
SHA1 0fbb6b359ab20686138ca931169e828154521587
SHA256 ee7310972e1b398dafbf8e98f6a3cf4d20918668e07b85ccea7fceaa71d18e92
SHA512 da91601646702dfe6aa24e3d98395dadbf52003a3f690da8651085e97699181cbef00ab6a630e8db27fb02740a3ff5722f59548e78f1d606b461036e28041115

memory/1584-71-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\brviahd

MD5 1bbb36353f9be7af566534cd0b0dcba5
SHA1 00dcdcc08f6dbad9b00b35f64e238afbfd2ee746
SHA256 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c
SHA512 6902911d8440f1462baa083261ddb497d60d553f89de3c06eb1a16ec344f56762d3cc9d75b09dca764b2dab0a4edea8d3b9b4f5e7eac7eb5e39d211c7f95110a

memory/1528-81-0x0000000000940000-0x0000000000A40000-memory.dmp

memory/1776-82-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/1776-83-0x0000000000400000-0x000000000082A000-memory.dmp

memory/1104-90-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1260-92-0x0000000003960000-0x0000000003976000-memory.dmp

memory/1776-93-0x0000000000400000-0x000000000082A000-memory.dmp

memory/1584-96-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 add94ea6485ea5080fcd9563cae51db2
SHA1 c1bb7ff7b0e239b584bd17cdad6901795f08e703
SHA256 a7821448e98c35df534ade07d5a53f20c3b3049a13bdd31a54b3916aaff74e27
SHA512 c7ba6cc1966aa71ea88b399d12aa4cd879353a15d0bf734fafc7c3c85ce223fcd51e193cd6d2d1ed5702b1a7bb77acb4d586d5fa783f48e90b142a33eff26faf

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 1137bb03ae308656ce5a7d6dc3e44a62
SHA1 8495e66bb8ab43225bedc2b016de16b970f04ddf
SHA256 e904a49bc1530bb7395e69f8c713b3276e91b2cca10e7ff30003f87b82d9e559
SHA512 c5ec27e9a1e6abd820e49c135409698a8007cde19bc49e613c8a86294a6a2749c37d027f7b60523d073ed1efc39024be96140c25adf9cbe7b1420ce66cb94345

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 ff9aa175b4b77b10d43c77e7ce8d5b37
SHA1 dfd3d756923dc850cad6427cf230cec80e1a1647
SHA256 791a2f15f10894ab1db23574ef7549e7d403206164e8d5c657dc590e045e404d
SHA512 fffc1892db180bbae4c7df6cf56bdeb9c53b398cb6e335c37fc58c0083f06ddd54b020dc18b0ac8c00b04d2cb6f426435c29003033f651cdeea5f80451398bd6

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 642e888509ee8f1b6649a9e253bc01e5
SHA1 86d25b84c6eb2f085c6710f31156a8599b1c86f5
SHA256 6b535d72da5d408105380666c610b5c18aefd5c88f160580068a9e9435d4c53c
SHA512 65f3c555918208452a98643bab177b84b6e3b91bf64dc25978d61ad830ac5655bcf46cb929dce909b17159f8f214f61e74ac4903c48890e9ada2edc15366c637

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 16df68cd6173e5d055ba7297f1bcdee6
SHA1 bfc8878803a38db72870a890fe0898a7bcb15c34
SHA256 a1e631d3d2b6d0bfcdca37cf560bd00c2a364bd8a14fafcc0cac04fa1eb6cc67
SHA512 c3801a570c6fc2150210cc85df8fadabd80b2cfee7bc24a7f8207ca07103be785956750da521a67c0493ca468ac6b1af80b9680570f5bd6bc21fc0eda9e7de3f

memory/1584-124-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2156-127-0x0000000000270000-0x0000000000370000-memory.dmp

memory/1892-134-0x0000000000400000-0x0000000000471000-memory.dmp

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 15d9b810b01a0a4cbe660ff3b667f9b0
SHA1 4300edafb30fd52f76134956338f5d943119b386
SHA256 25d0923b76df4795f9057e29a9e076ef314d5e46ef7b000df4931c23cdd92b2e
SHA512 dca44f8460c51358449144a9c52742c6cc752b064ad22769a390b25db11dccb13caa50358c3509db01c1ae7be5646d07de7f5a777f7adca716d34d0ac8d700e5

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 fab84bd3014cc7fc627d1db4b34e1b9d
SHA1 b11c4598da8bd734656e89933c99a56bba17e01b
SHA256 bea964e9c0e30ec3870520dcc2d7abae12dafcb73ee9fa588d6d94e581251a41
SHA512 c87ba7c7c928b942ae85d31f5215b35f4f01f0a3c92b23aa63a9d3ceb7356bef61f165cb7825352c847aea83407b54b24f5d7f0c22bb130ec2615f5a2ad0a51b

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 c502c6201c4f93f3954978e850bc300e
SHA1 568fae8484e92a3c7df771a1368359890ecdeadf
SHA256 3fab7b1af00cf5e4b8d6dbaad33377fa706d69f377bc5ad8c18f492051c65d51
SHA512 64b275a34db90b84dd14d6b56e3a8d361b335658c09ac22bb58865da9d555f31094142ffd7838246a6f78f1879f0ab2d8d785933deb483238c874de9c0f09841

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f7d5570210040d50bc30fa58f5aa2fe4
SHA1 400b7462f2acfba2ae9d50818b4119d698cd91ae
SHA256 069fcd9de9967b349ea4898b7977ebfff9b857c28f3f299a398a8489b6d0b6cf
SHA512 5479eb5b4e2e072393645bf2f89d7c682fa0d6698ed891c025f0cf8fc7bdab5970ad628de2ddfaa8431e3a09b4f34218a3c6ab6240250ae15269a2c9c65983c0

memory/1584-146-0x0000000000400000-0x0000000000471000-memory.dmp

\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 a464bd7c7530c9830024c9e86d9a5a29
SHA1 5125f134a83e7c80c2403724eb05309c026d6a86
SHA256 79373bf2fef857cddea968317471354a9520e2f39b28ecabb8a6c4048c00e822
SHA512 504b5c7e6177c5676ac7c1f102a12fdcc779db8ff7ce0c5b13f6741d40c04e0191ee6b8529b5386c2eb49f46110a16bf0c8371560c2509cabd3b4a83d7c5560c

memory/1584-157-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7
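
Two things in the Files list above are easy to miss when reading hashes by eye: C:\Users\Admin\AppData\Roaming\brviahd has exactly the SHA256 of the submitted sample (it is a self-copy, and the WriteProcessMemory table shows taskeng.exe, PID 1640, starting it as PID 1776), and cred64.dll is written eleven times with eleven different hashes, some of the entries recorded as C:\Users\... and some as \Users\... . The following is an added example, not code from the sandbox or this report: it parses a constructed excerpt of the Files section (the path and SHA256 line of each dropped file, with the MD5/SHA1/SHA512 lines and memory dumps left out for brevity, though the parser accepts them) and reports both findings, normalising the drive letter so the two spellings of the cred64.dll path group together.

```python
"""Cross-check dropped-file hashes from the Files section (added example)."""
import re
from collections import defaultdict

SAMPLE_SHA256 = "9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c"

# Constructed excerpt of the report's Files list: path plus SHA256 line per entry.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\EC90.exe
SHA256 a4b90e49aed58d08aebd377c832aafd35faa77cbec6c5c50bc998a2408eecb3a
C:\Users\Admin\AppData\Local\Temp\523118073713
SHA256 ee7310972e1b398dafbf8e98f6a3cf4d20918668e07b85ccea7fceaa71d18e92
C:\Users\Admin\AppData\Roaming\brviahd
SHA256 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 a7821448e98c35df534ade07d5a53f20c3b3049a13bdd31a54b3916aaff74e27
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 e904a49bc1530bb7395e69f8c713b3276e91b2cca10e7ff30003f87b82d9e559
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 791a2f15f10894ab1db23574ef7549e7d403206164e8d5c657dc590e045e404d
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 6b535d72da5d408105380666c610b5c18aefd5c88f160580068a9e9435d4c53c
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 a1e631d3d2b6d0bfcdca37cf560bd00c2a364bd8a14fafcc0cac04fa1eb6cc67
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 25d0923b76df4795f9057e29a9e076ef314d5e46ef7b000df4931c23cdd92b2e
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 bea964e9c0e30ec3870520dcc2d7abae12dafcb73ee9fa588d6d94e581251a41
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 3fab7b1af00cf5e4b8d6dbaad33377fa706d69f377bc5ad8c18f492051c65d51
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 069fcd9de9967b349ea4898b7977ebfff9b857c28f3f299a398a8489b6d0b6cf
\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
SHA256 79373bf2fef857cddea968317471354a9520e2f39b28ecabb8a6c4048c00e822
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S.*$")  # 'C:\...' or the drive-less '\Users\...'
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def normalize(path: str) -> str:
    """Drop the drive letter and case so both spellings of one path compare equal."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def parse_files(text: str) -> list[dict]:
    """Group each path line with the hash lines that follow it."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue  # memory region dumps are not files on disk
        h = HASH_RE.match(line)
        if h and current is not None:
            current["hashes"][h.group(1)] = h.group(2).lower()
        elif PATH_RE.match(line):
            current = {"path": line, "key": normalize(line), "hashes": {}}
            entries.append(current)
    return entries


def triage(entries: list[dict], sample_sha256: str) -> dict:
    """Find byte-identical copies of the sample and paths rewritten with different content."""
    sha_by_path = defaultdict(set)
    self_copies = []
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if not sha:
            continue
        sha_by_path[e["key"]].add(sha)
        if sha == sample_sha256.lower():
            self_copies.append(e["path"])  # the sample copied itself here for persistence
    # one path seen with several contents: a payload that was re-downloaded repeatedly
    rewritten = {k: len(v) for k, v in sha_by_path.items() if len(v) > 1}
    unique = sorted({s for v in sha_by_path.values() for s in v})
    return {"self_copies": self_copies, "rewritten_paths": rewritten, "unique_sha256": unique}


if __name__ == "__main__":
    report = triage(parse_files(FILES_SECTION), SAMPLE_SHA256)
    print("self copies:", report["self_copies"])
    print("rewritten paths:", report["rewritten_paths"])
    print(len(report["unique_sha256"]), "distinct SHA256 values to block")
```

A blocklist built from this report therefore needs all fifteen distinct SHA256 values, not just the one on the cover; the repeated cred64.dll writes are why a path-plus-export detection (rundll32 loading a DLL from AppData\Roaming with export Main) ages better than the hashes.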

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-17 03:18
Reported: 2024-02-17 03:21
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Operation | Key | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\460D.exe
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
(no target recorded for either row)

Deletes itself (no description, indicator, process or target recorded)

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Checks SCSI registry key(s)

Operation | Key | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wrrjccb
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wrrjccb
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\wrrjccb
(no target recorded for any row)

Creates scheduled task(s)

persistence
Process: C:\Windows\SysWOW64\schtasks.exe (no description, indicator or target recorded)

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe (2 events)
62 further events with no description, indicator, process or target recorded

Suspicious behavior: MapViewOfSection

Process: C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Process: C:\Users\Admin\AppData\Roaming\wrrjccb

Suspicious use of AdjustPrivilegeToken

Token: SeShutdownPrivilege followed by Token: SeCreatePagefilePrivilege, the pair repeated 17 times (34 events; process not recorded)

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\460D.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3528 wrote to memory of 1420 N/A N/A C:\Users\Admin\AppData\Local\Temp\460D.exe
PID 1420 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\460D.exe C:\Users\Admin\AppData\Local\Temp\460D.exe
PID 4744 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\460D.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 3516 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 4436 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\schtasks.exe
PID 4436 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4352 wrote to memory of 4408 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4436 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4940 wrote to memory of 4624 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4436 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 848 wrote to memory of 4736 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4436 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 876 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
PID 4436 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe
PID 4436 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe C:\Windows\SysWOW64\rundll32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe

"C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe"

C:\Users\Admin\AppData\Local\Temp\460D.exe

C:\Users\Admin\AppData\Local\Temp\460D.exe

C:\Users\Admin\AppData\Local\Temp\460D.exe

C:\Users\Admin\AppData\Local\Temp\460D.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Users\Admin\AppData\Roaming\wrrjccb

C:\Users\Admin\AppData\Roaming\wrrjccb

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
BA 109.175.29.39:80 sjyey.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 39.29.175.109.in-addr.arpa udp
US 8.8.8.8:53 emgvod.com udp
KR 211.171.233.126:80 emgvod.com tcp
US 8.8.8.8:53 126.233.171.211.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 cbinr.com udp
US 8.8.8.8:53 rimakc.ru udp
US 8.8.8.8:53 anfesq.com udp
RU 91.189.114.4:80 rimakc.ru tcp
BA 109.175.29.39:80 cbinr.com tcp
US 8.8.8.8:53 4.114.189.91.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tceducn.com udp
US 8.8.8.8:53 arrunda.ru udp
US 8.8.8.8:53 soetegem.com udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

memory/3012-1-0x0000000000970000-0x0000000000A70000-memory.dmp

memory/3012-2-0x0000000000900000-0x000000000090B000-memory.dmp

memory/3012-3-0x0000000000400000-0x000000000082A000-memory.dmp

memory/3528-4-0x0000000002A10000-0x0000000002A26000-memory.dmp

memory/3012-5-0x0000000000400000-0x000000000082A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\460D.exe

MD5 bfb5ddcb6390a75513f57e8e6741683d
SHA1 32616bc90620c42d831a5561997d4c357823e561
SHA256 a4b90e49aed58d08aebd377c832aafd35faa77cbec6c5c50bc998a2408eecb3a
SHA512 5a603c56a9ba1457df3636e42bb5c5c45d7b5087541ddff7bf422942daa6f8267420e527cfd8a2204efe2e66af0c4ef64a45a6851d8bc6aca3ef150927a8dca6

memory/1420-16-0x0000000000AB0000-0x0000000000BB0000-memory.dmp

memory/1420-17-0x00000000009E0000-0x0000000000A4F000-memory.dmp

memory/4744-18-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4744-20-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4744-21-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4744-22-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4744-37-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\wrrjccb

MD5 1bbb36353f9be7af566534cd0b0dcba5
SHA1 00dcdcc08f6dbad9b00b35f64e238afbfd2ee746
SHA256 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c
SHA512 6902911d8440f1462baa083261ddb497d60d553f89de3c06eb1a16ec344f56762d3cc9d75b09dca764b2dab0a4edea8d3b9b4f5e7eac7eb5e39d211c7f95110a

memory/3516-43-0x0000000000890000-0x0000000000990000-memory.dmp

memory/4436-45-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4436-46-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4436-47-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4436-48-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4488-58-0x0000000000A00000-0x0000000000B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\969412972279

MD5 94a2e7bb1774f72c59677fe503102cac
SHA1 7bb79ef18f89229e114b359bf3034614f911e8f3
SHA256 101ec5f41b1704c1adb7d78f933b5f0eb2c0baed357cdc03adecdcb4ea372499
SHA512 37ab5e4925000cafe8677d566cc030cbc2fda0d8e8713c1e3a83c80048e7c08d79bede3823e5cb15b7f3c99b352f42318f97ac7ab17b1a99329305db4b7032ab

memory/4488-59-0x0000000000400000-0x000000000082A000-memory.dmp

memory/3528-71-0x0000000004840000-0x0000000004856000-memory.dmp

memory/4488-74-0x0000000000400000-0x000000000082A000-memory.dmp

memory/4436-75-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 f01f5bc76b9596e0cfeab8a272cba3a5
SHA1 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512 ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

memory/4436-90-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4436-93-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4436-96-0x0000000000400000-0x0000000000471000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

MD5 4194e9b8b694b1e9b672c36f0d868e32
SHA1 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512 f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

memory/4436-110-0x0000000000400000-0x0000000000471000-memory.dmp

memory/876-111-0x0000000000A90000-0x0000000000B90000-memory.dmp

memory/556-114-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-115-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-117-0x0000000000400000-0x0000000000471000-memory.dmp

memory/556-116-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4436-120-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4436-121-0x0000000000400000-0x0000000000471000-memory.dmp