amadey | 3456b77611c137ccede6291ae88dca2b535ae5593c8842db3cee8c9742f3660b

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	a4326138.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4326138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4326138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4326138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4326138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4326138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4326138.exe

Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4326138.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

defense_evasion trojan

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	a4326138.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	a4326138.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Smokeloader family
smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	b2142649.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	pdates.exe

Executes dropped EXE 7 IoCs

pid	Process
2168	v7144898.exe
3584	a4326138.exe
4420	b2142649.exe
372	pdates.exe
3836	c3938692.exe
968	pdates.exe
4220	pdates.exe

Windows security modification 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4326138.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	v6240371.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7144898.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6240371.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v7144898.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2142649.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c3938692.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c3938692.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c3938692.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c3938692.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3584	a4326138.exe
3584	a4326138.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	a4326138.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4420	b2142649.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 2168	4744	v6240371.exe	85
PID 4744 wrote to memory of 2168	4744	v6240371.exe	85
PID 4744 wrote to memory of 2168	4744	v6240371.exe	85
PID 2168 wrote to memory of 3584	2168	v7144898.exe	86
PID 2168 wrote to memory of 3584	2168	v7144898.exe	86
PID 2168 wrote to memory of 4420	2168	v7144898.exe	87
PID 2168 wrote to memory of 4420	2168	v7144898.exe	87
PID 2168 wrote to memory of 4420	2168	v7144898.exe	87
PID 4420 wrote to memory of 372	4420	b2142649.exe	88
PID 4420 wrote to memory of 372	4420	b2142649.exe	88
PID 4420 wrote to memory of 372	4420	b2142649.exe	88
PID 4744 wrote to memory of 3836	4744	v6240371.exe	89
PID 4744 wrote to memory of 3836	4744	v6240371.exe	89
PID 4744 wrote to memory of 3836	4744	v6240371.exe	89
PID 372 wrote to memory of 4568	372	pdates.exe	90
PID 372 wrote to memory of 4568	372	pdates.exe	90
PID 372 wrote to memory of 4568	372	pdates.exe	90
PID 372 wrote to memory of 3960	372	pdates.exe	92
PID 372 wrote to memory of 3960	372	pdates.exe	92
PID 372 wrote to memory of 3960	372	pdates.exe	92
PID 3960 wrote to memory of 4600	3960	cmd.exe	94
PID 3960 wrote to memory of 4600	3960	cmd.exe	94
PID 3960 wrote to memory of 4600	3960	cmd.exe	94
PID 3960 wrote to memory of 3636	3960	cmd.exe	95
PID 3960 wrote to memory of 3636	3960	cmd.exe	95
PID 3960 wrote to memory of 3636	3960	cmd.exe	95
PID 3960 wrote to memory of 3832	3960	cmd.exe	96
PID 3960 wrote to memory of 3832	3960	cmd.exe	96
PID 3960 wrote to memory of 3832	3960	cmd.exe	96
PID 3960 wrote to memory of 380	3960	cmd.exe	97
PID 3960 wrote to memory of 380	3960	cmd.exe	97
PID 3960 wrote to memory of 380	3960	cmd.exe	97
PID 3960 wrote to memory of 4052	3960	cmd.exe	98
PID 3960 wrote to memory of 4052	3960	cmd.exe	98
PID 3960 wrote to memory of 4052	3960	cmd.exe	98
PID 3960 wrote to memory of 4436	3960	cmd.exe	99
PID 3960 wrote to memory of 4436	3960	cmd.exe	99
PID 3960 wrote to memory of 4436	3960	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\v6240371.exe
"C:\Users\Admin\AppData\Local\Temp\v6240371.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7144898.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7144898.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4326138.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4326138.exe
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - Modifies Windows Defender TamperProtection settings
    - Modifies Windows Defender notification settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2142649.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2142649.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
      "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:380
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3938692.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3938692.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:3836

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:968

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry