Overview

overview

10

Static

static

3

e2f322ac4a...16.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2024 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe

  • Size

    279KB

  • MD5

    020c54cab2f3ef59732b60d2faef5051

  • SHA1

    7c0a3a19dbc658b841068684e5442d7894ae7eda

  • SHA256

    e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16

  • SHA512

    6820aaf46f29589deafccc38a37366fa2e187128c2503e6bbbce845474136f705aa72db35803599a7291f20a039b6542d71daef96dab185aeea52455b6ddccef

  • SSDEEP

    6144:KMy+bnr+Qp0yN90QE/Ml7Vo2dT6c0C752jb4ueelteAYW9D:EMrMy90BMb7dJdl2jb4C8W9D

Score
10/10
amadeymysticpersistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe
    "C:\Users\Admin\AppData\Local\Temp\e2f322ac4a8a79027c4badbf6b534ebe7c6b56b234d3d8fb38ff17d2acdbfd16.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4100
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:2808
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:2616
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "explonde.exe" /P "Admin:N"
              5⤵
                PID:872
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "explonde.exe" /P "Admin:R" /E
                5⤵
                  PID:1924
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:2124
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\fefffe8cea" /P "Admin:N"
                    5⤵
                      PID:4908
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\fefffe8cea" /P "Admin:R" /E
                      5⤵
                        PID:4936
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe
                  2⤵
                  • Executes dropped EXE
                  PID:2320
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:3592
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:5040

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0360849.exe
                Filesize

                219KB

                MD5

                13eee1f46859b85907d82b14ddf0caa7

                SHA1

                d4c157df5ab479f3c2f43cb5ebdadcb504689693

                SHA256

                489999b8af918ee1d16e19519ebdc80c65b9950ce1411e1dce0f884434683f60

                SHA512

                d1b6a7cfa485e33be97f903e7eb2473f1dd1bb25cff45792589d4b416b01c4634ed5791e227eb28627c82ccc17322df7f951466d4a31652a58299f5d423b23d3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8875008.exe
                Filesize

                141KB

                MD5

                a1fc6f1ac5d2b8e23b357116062fbc2f

                SHA1

                61e971e0e06954dad2fcaac014a302c0cdbf6985

                SHA256

                383126e4814f381d663aa1a90bc686edbb5e93cff42a3c38b61d9e45a2cf8ad5

                SHA512

                e894c0c27743e513f43e21d57eaacf5ad7255c2370101d289dee80e41cab6dfcf7dba601f4d35344f89bddfb7533678155b437bc2db2d7227c42c07ed4b9a78d

                Download Submit