Overview

overview

10

Static

static

3

072894a720...70.exe

windows10-2004-x64

10

075e0048e6...e5.exe

windows10-2004-x64

10

131b78a330...7b.exe

windows10-2004-x64

10

56b0ed98e3...54.exe

windows10-2004-x64

10

807255749f...62.exe

windows7-x64

10

807255749f...62.exe

windows10-2004-x64

10

8a8433aeba...ed.exe

windows10-2004-x64

10

8cae2c42df...9a.exe

windows7-x64

10

8cae2c42df...9a.exe

windows10-2004-x64

10

d730c48963...34.exe

windows10-2004-x64

10

e98954290c...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe

  • Size

    319KB

  • MD5

    9ffe17af29c1d6b4a7c753348624c0a7

  • SHA1

    e252ed955d1edfbc89afc53a0453b9af16b6fd4a

  • SHA256

    8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed

  • SHA512

    9dc8415111c176ba626eef704c4e3a4f3e2acceb46f529b359d811a6f0da154d1dd650493f0da812c38758ee5cb954ad3a88441e1bec0a5c987a5d3ebd9095ea

  • SSDEEP

    6144:K8y+bnr+yp0yN90QEFrKEP3ve7yRfsK6KRFjEXtaBv7yZez3x81WO6:UMrGy90LKU/e7RK6KRdEXYp7YezB8kl

Score
10/10
amadeymystic59b440persistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe
    "C:\Users\Admin\AppData\Local\Temp\8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7763482.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7763482.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4708
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:2592
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:748
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "saves.exe" /P "Admin:N"
              5⤵
                PID:2824
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:R" /E
                5⤵
                  PID:3572
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:5092
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\b40d11255d" /P "Admin:N"
                    5⤵
                      PID:3752
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\b40d11255d" /P "Admin:R" /E
                      5⤵
                        PID:2236
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5246380.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5246380.exe
                  2⤵
                  • Executes dropped EXE
                  PID:1236
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1072
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:456

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Scheduled Task/Job

              1
              T1053

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Scheduled Task/Job

              1
              T1053

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Scheduled Task/Job

              1
              T1053

              Defense Evasion

              Modify Registry

              1
              T1112

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l7763482.exe
                Filesize

                330KB

                MD5

                5cf59da88e05784c437700249a089c70

                SHA1

                fad30fd30e7522b056309bb277cc4f6aad2d5d06

                SHA256

                c781d55006ac4c90fc0e62e9034a5fd56d80205cb41efa8cd98dbf9437798e06

                SHA512

                f97b6202ae7556a90937ad5db20ce1fd96a47bb4690ec296c0f9fc137e632fd6c5c59d0aa321a3c68ae2ced3ead17712cdab523c1ca8f2ae934f0bdc6016f649

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5246380.exe
                Filesize

                140KB

                MD5

                8db6d938db922f00902a4a932e24d1c8

                SHA1

                0e863bf8577408eb4aa38d875df6f63a4c67d487

                SHA256

                1c11cbe430612147d0a4d27037950317eba64b3c2e669ce1cb17ac3dc0346590

                SHA512

                60312c62365d31c89b1eedb9ec4b0adb015b1baa837e202f08c4bdaa543b0f34b04c61631b9cb842497a86dcb58a2c7b770871e6b061af5986e7412b4db1585f

                Download Submit