Overview

overview

10

Static

static

1

64e6358c28...76.exe

windows7-x64

5

64e6358c28...76.exe

windows10-2004-x64

Analysis

  • max time kernel
    84s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 19:01

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    64e6358c281b0cc66b257f99d511388f36597a06d5cbd782e6b5978509885d76.exe

  • Size

    1.4MB

  • MD5

    d177aa72f010360d299b1f855727ab0d

  • SHA1

    60792231c1383d8d915d148fa736c57dd56d66b9

  • SHA256

    64e6358c281b0cc66b257f99d511388f36597a06d5cbd782e6b5978509885d76

  • SHA512

    76094ed76227c9f9ffece4571cbaad90b14cb799ed00a83754151261e2c8135e89c65efd41d3112aba7ef1dd1332f403294169a2c1efea1951bb7de9a00f9b89

  • SSDEEP

    24576:x09QRSFJChNA2nlO7my2I24GJ/Y1HEDGdDpa1dDDSRMGC/1lwrsOjc0SpIaalAmj:x09QRSFnv2rpY1HeGu1lLBnyviQA2OkP

Score
10/10
amadeyhealermysticsmokeloaderbackdoordropperevasionpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52/mac/index.php

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 4 IoCs
  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64e6358c281b0cc66b257f99d511388f36597a06d5cbd782e6b5978509885d76.exe
    "C:\Users\Admin\AppData\Local\Temp\64e6358c281b0cc66b257f99d511388f36597a06d5cbd782e6b5978509885d76.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:5112
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9009849.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9009849.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3568
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3499559.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3499559.exe
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3356
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1889536.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1889536.exe
              5⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of WriteProcessMemory
              PID:2248
              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6443132.exe
                C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6443132.exe
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of WriteProcessMemory
                PID:4136
                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6637908.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6637908.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:1276
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    8⤵
                    • Modifies Windows Defender Real-time Protection settings
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2304
                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0160908.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0160908.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:2604
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    8⤵
                      PID:988
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 540
                        9⤵
                        • Program crash
                        PID:2980
                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7161988.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7161988.exe
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:752
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    7⤵
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1052
              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0297043.exe
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0297043.exe
                5⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4156
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
                  6⤵
                    PID:3964
                    • C:\Windows\SysWOW64\shutdown.exe
                      shutdown -s -t 0
                      7⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 988 -ip 988
          1⤵
            PID:4692
          • C:\Windows\system32\LogonUI.exe
            "LogonUI.exe" /flags:0x4 /state0:0xa39f7055 /state1:0x41c64e6d
            1⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of SetWindowsHookEx
            PID:1756

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9009849.exe
                  Filesize

                  1.0MB

                  MD5

                  dd13cf02f58da6e98b4667dd0e0bf043

                  SHA1

                  97d32f60517b875679eae6b89e685706e3bc749b

                  SHA256

                  49c77d6abb0c8137d1803c795fc672246cad5e15eda5faf68ba04b8f5e65bc49

                  SHA512

                  d572f7d73bfc299d2005ebbbc6644703a30d5243055e3d2f25b88a0e005fef8298031e924ac1c9199dbee97e4388994c3d64d5ffc1f72d7b164b08085e3cebdf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9009849.exe
                  Filesize

                  1.0MB

                  MD5

                  dd13cf02f58da6e98b4667dd0e0bf043

                  SHA1

                  97d32f60517b875679eae6b89e685706e3bc749b

                  SHA256

                  49c77d6abb0c8137d1803c795fc672246cad5e15eda5faf68ba04b8f5e65bc49

                  SHA512

                  d572f7d73bfc299d2005ebbbc6644703a30d5243055e3d2f25b88a0e005fef8298031e924ac1c9199dbee97e4388994c3d64d5ffc1f72d7b164b08085e3cebdf

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3499559.exe
                  Filesize

                  777KB

                  MD5

                  2689d08e7ba6bed1b56492a751ae7972

                  SHA1

                  8c8d5b7de48a1636f8cf3d060a94927e461ddead

                  SHA256

                  5bafb30e377c714e7d0672e8bb60f2e02e8182938b2265bda2aaf02702df8d4b

                  SHA512

                  1711e7e640e5ece5f94386d3c66cb4f71f2feee60f2aeff03290384533abe35140555198d4b5d3fb05c84ff08b82530fb3f7580dc8f6b930f133a7fd8290eeba

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3499559.exe
                  Filesize

                  777KB

                  MD5

                  2689d08e7ba6bed1b56492a751ae7972

                  SHA1

                  8c8d5b7de48a1636f8cf3d060a94927e461ddead

                  SHA256

                  5bafb30e377c714e7d0672e8bb60f2e02e8182938b2265bda2aaf02702df8d4b

                  SHA512

                  1711e7e640e5ece5f94386d3c66cb4f71f2feee60f2aeff03290384533abe35140555198d4b5d3fb05c84ff08b82530fb3f7580dc8f6b930f133a7fd8290eeba

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0297043.exe
                  Filesize

                  219KB

                  MD5

                  c256a814d3f9d02d73029580dfe882b3

                  SHA1

                  e11e9ea937183139753f3b0d5e71c8301d000896

                  SHA256

                  53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

                  SHA512

                  1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0297043.exe
                  Filesize

                  219KB

                  MD5

                  c256a814d3f9d02d73029580dfe882b3

                  SHA1

                  e11e9ea937183139753f3b0d5e71c8301d000896

                  SHA256

                  53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

                  SHA512

                  1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1889536.exe
                  Filesize

                  594KB

                  MD5

                  9e51572399d2a74a0c92de00968a1756

                  SHA1

                  580401d1f831e78b3df1b5e128ddcf8745c8d8af

                  SHA256

                  02eedaf8248e2bf166391b0734b0704ab4e380b3191234bbb502f21d854443a2

                  SHA512

                  2a572331b5dca24c03c23671fc304214dbd6b9491c336483bdd67a58f7949cb62cf07bc5ddcf4c9acc786141aef2bd3f25658068d302f50f73c8cba073078b2d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1889536.exe
                  Filesize

                  594KB

                  MD5

                  9e51572399d2a74a0c92de00968a1756

                  SHA1

                  580401d1f831e78b3df1b5e128ddcf8745c8d8af

                  SHA256

                  02eedaf8248e2bf166391b0734b0704ab4e380b3191234bbb502f21d854443a2

                  SHA512

                  2a572331b5dca24c03c23671fc304214dbd6b9491c336483bdd67a58f7949cb62cf07bc5ddcf4c9acc786141aef2bd3f25658068d302f50f73c8cba073078b2d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7161988.exe
                  Filesize

                  261KB

                  MD5

                  2fc4ad367b2e5c44e9fc68b2f3bc85cd

                  SHA1

                  7aafb964af102c879a0ac65dbbd7304968e6efca

                  SHA256

                  530f636c206607ad161df103d6a43037c23ddb4f0f154aaeb9e7a15944751b11

                  SHA512

                  7554f36823cfbc8bd007d1a6eac41180448878b17514aee1e48977206a2edace1a071f405416f823dcbfb20559f9d254a7557bc5f0f55098b87d347f0ced8948

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7161988.exe
                  Filesize

                  261KB

                  MD5

                  2fc4ad367b2e5c44e9fc68b2f3bc85cd

                  SHA1

                  7aafb964af102c879a0ac65dbbd7304968e6efca

                  SHA256

                  530f636c206607ad161df103d6a43037c23ddb4f0f154aaeb9e7a15944751b11

                  SHA512

                  7554f36823cfbc8bd007d1a6eac41180448878b17514aee1e48977206a2edace1a071f405416f823dcbfb20559f9d254a7557bc5f0f55098b87d347f0ced8948

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6443132.exe
                  Filesize

                  351KB

                  MD5

                  a1d613d0670a31642408a4d4e98ff222

                  SHA1

                  b81044c185e68dce93b1630f4f2d6600c02c9cc6

                  SHA256

                  70d108921f9c400d8067865665a6840c848c1ce6153c3d6777de1a44a9b628b2

                  SHA512

                  e61d01da1f97053a9a61c93324d38c92758baff225103bf47dd1ceab0ec930f6ec95f2f38c16556e90ceb2f6e4788629e313642f1fbd8806693e63bc36c9af20

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6443132.exe
                  Filesize

                  351KB

                  MD5

                  a1d613d0670a31642408a4d4e98ff222

                  SHA1

                  b81044c185e68dce93b1630f4f2d6600c02c9cc6

                  SHA256

                  70d108921f9c400d8067865665a6840c848c1ce6153c3d6777de1a44a9b628b2

                  SHA512

                  e61d01da1f97053a9a61c93324d38c92758baff225103bf47dd1ceab0ec930f6ec95f2f38c16556e90ceb2f6e4788629e313642f1fbd8806693e63bc36c9af20

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6637908.exe
                  Filesize

                  242KB

                  MD5

                  0745c1707dee1d86f1c02f4060602a36

                  SHA1

                  8df84e85b97205d07fcf42a6f090a88d05d26201

                  SHA256

                  1ea82558e3598f88b842d3e05adf68842033f12c7e7aac0aacbc232a0773b3c5

                  SHA512

                  9adaef7f570722f11e8a3ecdc9669d6ea984111dae4ec1d2b2a22ca9926fde5e9830e9a661a37b75ca4b65aa837890f54dc986701b1b1ea09ec1f03aa5313c65

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6637908.exe
                  Filesize

                  242KB

                  MD5

                  0745c1707dee1d86f1c02f4060602a36

                  SHA1

                  8df84e85b97205d07fcf42a6f090a88d05d26201

                  SHA256

                  1ea82558e3598f88b842d3e05adf68842033f12c7e7aac0aacbc232a0773b3c5

                  SHA512

                  9adaef7f570722f11e8a3ecdc9669d6ea984111dae4ec1d2b2a22ca9926fde5e9830e9a661a37b75ca4b65aa837890f54dc986701b1b1ea09ec1f03aa5313c65

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0160908.exe
                  Filesize

                  371KB

                  MD5

                  10e5614eaf9eb385cb6b977da681cf68

                  SHA1

                  c117459cec6ac08bc0f79a7d76bd50d02d582111

                  SHA256

                  d4ea78236836d63caababc87dcce544721954c49a69cc3f65cca5b35ce5fa9e4

                  SHA512

                  c737e10d329f499321e3c5fffbdd15beb62fae990ad97f8e430fa0bc9134eb694a7b763cbcfc7dabdd7132a80b98d6978edc2b1167329da682bd883af3e5d216

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0160908.exe
                  Filesize

                  371KB

                  MD5

                  10e5614eaf9eb385cb6b977da681cf68

                  SHA1

                  c117459cec6ac08bc0f79a7d76bd50d02d582111

                  SHA256

                  d4ea78236836d63caababc87dcce544721954c49a69cc3f65cca5b35ce5fa9e4

                  SHA512

                  c737e10d329f499321e3c5fffbdd15beb62fae990ad97f8e430fa0bc9134eb694a7b763cbcfc7dabdd7132a80b98d6978edc2b1167329da682bd883af3e5d216

                  Download Submit

                • memory/988-48-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/988-44-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/988-46-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/988-45-0x0000000000400000-0x0000000000428000-memory.dmp

                  Filesize

                  160KB

                  Download

                • memory/1052-52-0x0000000000400000-0x0000000000409000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/1052-54-0x0000000000400000-0x0000000000409000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/1700-3-0x0000000000400000-0x000000000053A000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/1700-53-0x0000000000400000-0x000000000053A000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/1700-2-0x0000000000400000-0x000000000053A000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/1700-0-0x0000000000400000-0x000000000053A000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/1700-1-0x0000000000400000-0x000000000053A000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/2304-43-0x0000000074A70000-0x0000000075220000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2304-39-0x0000000000400000-0x000000000040A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/2304-58-0x0000000074A70000-0x0000000075220000-memory.dmp

                  Filesize

                  7.7MB

                  Download