amadey | 5e226d8262fc6a306a8623ff2317e80de04307b5a5893f24200377dfacb41830

Analysis

max time kernel
134s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe
Size

319KB
MD5

9ffe17af29c1d6b4a7c753348624c0a7
SHA1

e252ed955d1edfbc89afc53a0453b9af16b6fd4a
SHA256

8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed
SHA512

9dc8415111c176ba626eef704c4e3a4f3e2acceb46f529b359d811a6f0da154d1dd650493f0da812c38758ee5cb954ad3a88441e1bec0a5c987a5d3ebd9095ea
SSDEEP

6144:K8y+bnr+yp0yN90QEFrKEP3ve7yRfsK6KRFjEXtaBv7yZez3x81WO6:UMrGy90LKU/e7RK6KRdEXYp7YezB8kl

Score

10^/10

amadey mystic 59b440 persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral7/files/0x00070000000233f7-17.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	l7763482.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 5 IoCs

pid	Process
964	l7763482.exe
4708	saves.exe
1236	m5246380.exe
1072	saves.exe
456	saves.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 964	1980	8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe	83
PID 1980 wrote to memory of 964	1980	8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe	83
PID 1980 wrote to memory of 964	1980	8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe	83
PID 964 wrote to memory of 4708	964	l7763482.exe	84
PID 964 wrote to memory of 4708	964	l7763482.exe	84
PID 964 wrote to memory of 4708	964	l7763482.exe	84
PID 1980 wrote to memory of 1236	1980	8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe	85
PID 1980 wrote to memory of 1236	1980	8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe	85
PID 1980 wrote to memory of 1236	1980	8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe	85
PID 4708 wrote to memory of 2592	4708	saves.exe	86
PID 4708 wrote to memory of 2592	4708	saves.exe	86
PID 4708 wrote to memory of 2592	4708	saves.exe	86
PID 4708 wrote to memory of 2316	4708	saves.exe	88
PID 4708 wrote to memory of 2316	4708	saves.exe	88
PID 4708 wrote to memory of 2316	4708	saves.exe	88
PID 2316 wrote to memory of 748	2316	cmd.exe	90
PID 2316 wrote to memory of 748	2316	cmd.exe	90
PID 2316 wrote to memory of 748	2316	cmd.exe	90
PID 2316 wrote to memory of 2824	2316	cmd.exe	91
PID 2316 wrote to memory of 2824	2316	cmd.exe	91
PID 2316 wrote to memory of 2824	2316	cmd.exe	91
PID 2316 wrote to memory of 3572	2316	cmd.exe	92
PID 2316 wrote to memory of 3572	2316	cmd.exe	92
PID 2316 wrote to memory of 3572	2316	cmd.exe	92
PID 2316 wrote to memory of 5092	2316	cmd.exe	93
PID 2316 wrote to memory of 5092	2316	cmd.exe	93
PID 2316 wrote to memory of 5092	2316	cmd.exe	93
PID 2316 wrote to memory of 3752	2316	cmd.exe	94
PID 2316 wrote to memory of 3752	2316	cmd.exe	94
PID 2316 wrote to memory of 3752	2316	cmd.exe	94
PID 2316 wrote to memory of 2236	2316	cmd.exe	95
PID 2316 wrote to memory of 2236	2316	cmd.exe	95
PID 2316 wrote to memory of 2236	2316	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe
"C:\Users\Admin\AppData\Local\Temp\8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7763482.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7763482.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:748
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        5⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        5⤵
        
        PID:3572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        5⤵
        
        PID:3752
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        5⤵
        
        PID:2236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5246380.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5246380.exe
  2⤵
  - Executes dropped EXE
  PID:1236

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7763482.exe

Filesize
330KB

MD5
5cf59da88e05784c437700249a089c70

SHA1
fad30fd30e7522b056309bb277cc4f6aad2d5d06

SHA256
c781d55006ac4c90fc0e62e9034a5fd56d80205cb41efa8cd98dbf9437798e06

SHA512
f97b6202ae7556a90937ad5db20ce1fd96a47bb4690ec296c0f9fc137e632fd6c5c59d0aa321a3c68ae2ced3ead17712cdab523c1ca8f2ae934f0bdc6016f649

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5246380.exe

Filesize
140KB

MD5
8db6d938db922f00902a4a932e24d1c8

SHA1
0e863bf8577408eb4aa38d875df6f63a4c67d487

SHA256
1c11cbe430612147d0a4d27037950317eba64b3c2e669ce1cb17ac3dc0346590

SHA512
60312c62365d31c89b1eedb9ec4b0adb015b1baa837e202f08c4bdaa543b0f34b04c61631b9cb842497a86dcb58a2c7b770871e6b061af5986e7412b4db1585f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads