Analysis
max time kernel: 141s
max time network: 146s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 16-12-2024 14:15

Static task: static1
Behavioral task: behavioral1
Sample: c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Resource: win7-20241010-en
General
Target: c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
Size: 2.8MB
MD5: 62cfbf48cbec19b909d15fc91d70cb47
SHA1: 1c900301e2fa4b10cc69fb53c160f27254c607c6
SHA256: c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b
SHA512: 952f885a05b2474d76cf53607323c06646908470bf30770f2c639c5440421b1ad8c8a130807b0ad38ca88267dff2d52cbdc790aaff827b8e422d04b2148e878c
SSDEEP: 49152:2r4wwAxziwgFtvyMcy4MmjQfcMIQVzhzsSWSbnDBQkk:2r7wOefvyMc1MmUflFWSbnDBQkk
Malware Config
Extracted: amadey
4.41
fed3aa
http://185.215.113.16
install_dir: 44111dbc49
install_file: axplong.exe
strings_key: 8d0ad6945b1a30a186ec2d30be6db0b5
url_paths: /Jo89Ku7d/index.php

Extracted: smokeloader
pub3
Signatures

- Amadey family

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Smokeloader family

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | axplong.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |

- Downloads MZ/PE file

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | axplong.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | axplong.exe |

- Executes dropped EXE (2 IoCs)

| pid | Process |
| --- | --- |
| 1476 | axplong.exe |
| 2092 | 5e03eb45da.exe |

- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine | axplong.exe |

- Loads dropped DLL (7 IoCs)

| pid | Process |
| --- | --- |
| 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |
| 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |
| 1476 | axplong.exe |
| 1476 | axplong.exe |
| 3056 | WerFault.exe |
| 3056 | WerFault.exe |
| 3056 | WerFault.exe |

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)

| pid | Process |
| --- | --- |
| 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |
| 1476 | axplong.exe |

- Drops file in Windows directory (1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\Tasks\axplong.job | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoCs)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 3056 | 2092 | WerFault.exe | 32 |

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | axplong.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5e03eb45da.exe |

- Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
| --- | --- |
| 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |
| 1476 | axplong.exe |

- Suspicious use of FindShellTrayWindow (1 IoCs)

| pid | Process |
| --- | --- |
| 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe |

- Suspicious use of WriteProcessMemory (12 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2244 wrote to memory of 1476 | 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe | 30 |
| PID 2244 wrote to memory of 1476 | 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe | 30 |
| PID 2244 wrote to memory of 1476 | 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe | 30 |
| PID 2244 wrote to memory of 1476 | 2244 | c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe | 30 |
| PID 1476 wrote to memory of 2092 | 1476 | axplong.exe | 32 |
| PID 1476 wrote to memory of 2092 | 1476 | axplong.exe | 32 |
| PID 1476 wrote to memory of 2092 | 1476 | axplong.exe | 32 |
| PID 1476 wrote to memory of 2092 | 1476 | axplong.exe | 32 |
| PID 2092 wrote to memory of 3056 | 2092 | 5e03eb45da.exe | 33 |
| PID 2092 wrote to memory of 3056 | 2092 | 5e03eb45da.exe | 33 |
| PID 2092 wrote to memory of 3056 | 2092 | 5e03eb45da.exe | 33 |
| PID 2092 wrote to memory of 3056 | 2092 | 5e03eb45da.exe | 33 |
Processes

1. C:\Users\Admin\AppData\Local\Temp\c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b.exe"
   PID: 2244
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      PID: 1476
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\1006786001\5e03eb45da.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\1006786001\5e03eb45da.exe"
         PID: 2092
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 136
            PID: 3056
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 418KB
MD5: 78550f31347263e7e577f6996e33bffa
SHA1: 28b31ae0eeb6d6e7386cd01b11a3881614ce23c3
SHA256: 60fbe8cb9c1985f16403d83b1874a7b01a1341b1d835225ec0d66d3ef769e134
SHA512: 1dad1e4df168d05e6ea478f333edac08ad8a7a6d5d386c8c0eefef5b107bb432f3d87801a20ee98ec6849ee680ba0296bf9bb45628c4af989a7d478907a7b471

Filesize: 2.8MB
MD5: 62cfbf48cbec19b909d15fc91d70cb47
SHA1: 1c900301e2fa4b10cc69fb53c160f27254c607c6
SHA256: c507f450ad1b6173f54279f63f93d878545560bd234a19acb442a22a40d9e28b
SHA512: 952f885a05b2474d76cf53607323c06646908470bf30770f2c639c5440421b1ad8c8a130807b0ad38ca88267dff2d52cbdc790aaff827b8e422d04b2148e878c