Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
12-03-2024 02:03
General
-
Target
067950a7b80f52fc946a13bf4fd389ea8cbbc043658d33aaff9e3680e1dadd46.exe
-
Size
283KB
-
MD5
f44d23b0b845ca4388424f9d5be32890
-
SHA1
d46eac4684455e34a396eba79ddb01441359ebb6
-
SHA256
067950a7b80f52fc946a13bf4fd389ea8cbbc043658d33aaff9e3680e1dadd46
-
SHA512
a8943cc756b9c3339efb3fe8e24e0c24f4e285012a731b4e8e2f5e940a37d246879d469e1ee9825805670fd63f905cec91b1dcde6d01ee0aea72fe7abe711ede
-
SSDEEP
3072:c+tpp4K1PAppyBA1Q8EkKXU1iKL4i2Dva2ICXIIKcKU1KpVT/wV9tmX3m:cud14pEWC5/Hi2KCY5mUpVTEy
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
UPX dump on OEP (original entry point) 11 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\067950a7b80f52fc946a13bf4fd389ea8cbbc043658d33aaff9e3680e1dadd46.exe"C:\Users\Admin\AppData\Local\Temp\067950a7b80f52fc946a13bf4fd389ea8cbbc043658d33aaff9e3680e1dadd46.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\EA20.exeC:\Users\Admin\AppData\Local\Temp\EA20.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\979F.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\979F.dll2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\F643.exeC:\Users\Admin\AppData\Local\Temp\F643.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\F643.exeC:\Users\Admin\AppData\Local\Temp\F643.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD58ad5c815ea30b4bb9f76a25873350c69
SHA18731bcf8a7b8bd9c1688e1347cb0629cd672eb3c
SHA2560e8b3fd97fa9544dae27c14c28e887457033a785cc892b734cdc049113c38295
SHA51241c4ba676452d2a1447a34798c1c87fd4506707cf68082878cb1f95f0882ded7e075c2b574faf85c3976d7bf94bb4dcb3463442c5ec7f4cf8af4b26d56c165a1
-
Filesize
2.8MB
MD5b0fb18cfcac1983582e7fd67b2843ce8
SHA1ca29cf7cee80be38c5d667d5e8c00e6ea11b3294
SHA2564132c2587cfe85b944d95835d8d0bf92a08a0f831ea26a45c826146048347f45
SHA5124d9e1b14ef1a8adc15d38846c0a4e1d762e76fd944c76621ef6ac3a8482d14e40cfd4d7a14853d7a99cca2a99aa438eba996e842f1172f5f9a8f34ba1d97daf9
-
Filesize
1.8MB
MD560396068f6e960003173c9c3c8457dea
SHA1e03ccbfc85695e45657a17d67fdc07b724138013
SHA256decdd13661e2cfdc00ce9f3cdc1e5602960ed620022aa1fb7894cdf1bb15b677
SHA5125fc959c6f931b7ea05b08d53fbbba4e659d1f035201fceb2dabdeb7321942e1290b80e4338348ea8c5d7ef0d53f75ae7534e3c181e458d85a1c691ebaaebcebc
-
Filesize
1.8MB
MD5996c2b1fb60f980ea6618aeefbe4cebf
SHA1a8553f7f723132a1d35f7a57cae1a2e267cbc2ac
SHA256f91c0a4753cdb98cce0ade020917fdefe7a8daf88d23b4c07595de741402ca50
SHA5124af8fb921a332c5ac3d43b85bc23c859e431702e00852537bf1831c7af8b990d880808d044a1317873c77fbdecb1af7c97bed9edd9e2185bcbfa390c463f9056
-
Filesize
681KB
MD582129878fbdaae18f2dd7cdf8b273a37
SHA160f115ee74403cc2fcf550911f7a547a3dcb2482
SHA256dd7190f80688f898019834ddc8d685c48d93d0d71e39d309c05f6f38971928c4
SHA5129925f40f41d86824c3f630a197fa850c475a815f89aa1ffeec7906d9aa2a807f31448cc487460a9058db64e786c61509b1e87609b530b32f049f7e5101fc1735
-
Filesize
310KB
MD5dec92e7bf943946141b2a999fb0257a2
SHA11a1a53eb69b98ad5a03b84a805102ed8506c38d4
SHA25624c4de03b80b1b8d69c946a6d4182a308322e6f8a812272c1f6eff742216d95a
SHA5121eb56e10298e02ab14632637e9bb50f46fa7a357c3dccebe49935308a8e07e6fc88882a1ef32b57205abe0514dc1c9cdb96a79f3de462abe4aa37a68c4f63fbc
-
Filesize
1.2MB
MD547699f8651c2f50120170810e2d5b3dd
SHA13d6427904204359df583d71f8eeb063d5f362cb8
SHA25683af37a1bd314be2b029ca77bd12b071509c9906be9200c390fc0a780575bdbc
SHA5121025890eb85091b6879d0f7837a3e5943c184dee7781ab41c6ec466b8da0b35353618cbc2109e40a586f689aee224c82ae17d566755a0833a4b0d7d0946ed799
-
Filesize
452KB
MD5bffa42eff5a23fe379d394d0a73376f8
SHA143d179f9e6e2974c3d68f067bbaebec167586ac3
SHA256bbb9d3a013602777241db4cce0e8fdbf71c0b0d5eba2b77b61a6fd5062dd9c8a
SHA512b8d2579e2d0641f863cddf3ff753a10b5fcb7761b4218b05c5900c3f072cb103bea10c53415fd11dba8c35698c93973fabb26c3c918ebfc9382aae3c209199aa
-
Filesize
367KB
MD5dc8362e6644665f1c8796f7338f1e7f9
SHA18a27958a727caae8a8c81ff54d6e2b54186ba59a
SHA256a60edd35df7cb08d66844c06f385299e488290a961b4163bef12f8dd668b869a
SHA51288bcc8db5b1f983991028f051d491dba3856468d193cf93037bd355a2a3a9f48727de51cda92b41b03419e1511c554efd5d6ccb98613c861653ac0a3a64fd091
-
Filesize
88KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4KB
-
Filesize
4.3MB
-
Filesize
1.1MB
-
Filesize
4.3MB
-
Filesize
24KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
22.2MB
-
Filesize
22.2MB
-
Filesize
44KB
-
Filesize
1.1MB
-
Filesize
2.8MB
-
Filesize
24KB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
1.1MB