Analysis
-
max time kernel
115s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
02-04-2024 10:10
General
-
Target
3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe
-
Size
1.5MB
-
MD5
ce40fcc1f95b0c6d4f7a21c08d49a17c
-
SHA1
703099eee297196e642eba4781f9542ba8fbfed8
-
SHA256
3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a
-
SHA512
968632c5d9f97024d2ae63bd9794d351ad1d5a43ba5da392c01e6c7a7a035a2e4e9d1ceb084baf108b2bb39bd1d2d410fd0dbcc5ed5c26afe3bc847b3042c9be
-
SSDEEP
49152:ncNhZC2U+qtQFaQmk+YP4RHugqtrW+P2Zf:AC2URaas+YP4RHdqtrv2Z
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 1 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe"C:\Users\Admin\AppData\Local\Temp\3dddb80ed9de80b4d7c31ecd952500294af3f235a6a0c52a5adfcb35a07a8a7a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MN8Pv64.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MN8Pv64.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX2ON51.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BX2ON51.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YA0cB39.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YA0cB39.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cj7aK37.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cj7aK37.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE97zh4.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AE97zh4.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hF6730.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2hF6730.exe6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3SO24vn.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3SO24vn.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4gY147xN.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4gY147xN.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qE0fa6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5qE0fa6.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fw0zU1.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fw0zU1.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DFB8.tmp\DFB9.tmp\DFBA.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Fw0zU1.exe"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3944 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4760 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=3536 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4480 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6004 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:11⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD5d47666e1f07f52778be724e662338044
SHA1b2f5093c41f44323f0e8550d00969fe97b76847d
SHA25666f72bf041a3911680050b9ff6cf8cdaaff3349362d1cd7ebf7602f33699c574
SHA512ead36e28c25a02d4a6d17ac6dec8175ed4b35253258228388a8cc6dc3188da3bb1b9cb2999c9ac25937fb3ec157d885ba79ccb1c0b8a69ce9456966215f2db16
-
Filesize
1.4MB
MD5e6a959a8b4e1460212bb7847bbc4e7aa
SHA1a554e55ccacdd3da181ef8a2c5764e8a6a2faefc
SHA25664ef4bf30e14fc9fa71c10bd085d39654dc5f7903b911f4e90a9b351c2c41882
SHA512e3ad98d9c24e5aacc05273ad80a4efddfcd3be836ea2156bcbac6eacb0fe53ea4096ce667f69517bfc823810ddc4a9bfcddb571aaff8c05c29d56f668bfdde18
-
Filesize
219KB
MD5f33a619c22fe75839239ff060d6880fa
SHA162f648780a48a3e4d9b274bf0109b4527d006e53
SHA256af2e1cfc88e8ef97dc862794ce3f6a3b8e44efb6bbf2e46c7fd968102fdc5255
SHA5129e88cb5079a5555bcc8f3c7d35131e2acf20784bec7e295191bd9869d078ef5b2d02ec63e981e31b5069078415f261d9825b9355893afde07df9a097179e05ad
-
Filesize
1.2MB
MD5d50b0507b058a106ac6f96fd9d765f2d
SHA160ec65bdc063c63218da2458133772a7822346af
SHA2562b885fc30cc3c30ae20e89c7aa71d0828af4eefbb7e270af4b57c22e8222da4b
SHA51234771d8635ab739417aaf1db1cfbe109d78150337ab06f9cc6c52981f9f96f6fcac5ec6c81b91d607a16d5ad33f05972afc67341b259e5bb0c2e57898e57335c
-
Filesize
1.9MB
MD5926dada2729ee3a9e410b6f0cf1ca34c
SHA13602347ae5c2349d9749d81c678b59a352394ffd
SHA2569cc90bd83223d97d6f337f68499a749cb894c5bf83a5292fe874112ce0c31d91
SHA51231d64261a36ef38b517f7e9d43b623bfe8407e7d1822f9e4719ab6e1cae36c2dc50e4c92e3aef8147083c8a7315cf9613a2db4b315abd80fd0774304625adbcd
-
Filesize
697KB
MD55a15f93d379eea5239d227eab848e488
SHA1bab931de798a3aa783762e6cc9241549d5915de9
SHA2566c60966b2c933b87eadc968cdd6a9d78b16f1cc32ef11538402df6c898cb29b2
SHA5127cad21630a4bb709de194305ff56eb30c14bf1fd0df2cc0e7aa991bcb090fe05515d8d48530cb528012271ac597b715af9f33dcf625bce8cf6b6ffd01d389d2f
-
Filesize
30KB
MD5b0cfa65bbeb6129a5355ba5fd9f1ac11
SHA187f37aee9fb0bb45a79f0c8e9677ac6f5203951f
SHA2561989dcd6e167bbb15aa5cd8107d7e9d9eee7e165da35fdbae1ccf21458ac8b88
SHA512fc06f52c36dbc302c2f6b58861b620844069e67170929800b7746da5f6fb6c9e9e7ff13bcefceb6a2fb76c26ae292c0cad96fdfd00e5fd5580a5e8838dae01d1
-
Filesize
572KB
MD5b8d477f33ea17a69c51403aef076e358
SHA1e52bd3eaf40652073fbdeba394daf257534663c0
SHA25609aadb08c937d8c1f1e3606b483a1d4f88b57c29b829157e462f1393a97fa109
SHA51278dbd3ca775547f87d670f8f3edf2ff43b73b9cab2c486a62d6e589de4538a9604332d1b538c46214b107c72864caf9a5b216fc90787977b54eb613a1fbd3285
-
Filesize
1.6MB
MD51a426cb8f9ac97c1bea72cab4f1c2546
SHA132e7fa3372dc121c27e1f66c3ef1122af1ceb3d6
SHA2562852e1a8a77e92bf2f3f79c01f4b61c75e5b62f9d9a2da9d76011b9727092b6d
SHA512059cf67e3e5f2dd1fcd0b6c9b0cb36421febc8364c107ae2bbbb0d3539ebb0ab042a2ba8f206aeede561c1eab387ae467a49dfeb2ce22854e38a090b9df7bf0b
-
Filesize
180KB
MD5ddf6b527f049362343494f4de88d6343
SHA12f78fcedcfd8bec5865f9415cb06b2a208a15c56
SHA256ee8a7c06a995129e7052b677acfd62142746430eaad70b4c62639c86396de09a
SHA512a74a7c5acddc16b82e79db12978412d33a1cc330cf9df3a876685c3c01f6c63c999ec11fb8e42a55e0e9165587a8eabcb5fa14841e4cc585aca378948e8a9361
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
36KB