amadey | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe
Size

319KB
MD5

6d8e57ec9fb40242960e48d22f43a496
SHA1

bae3e231233d07ab1aa2262999e1934666a1a79a
SHA256

7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761
SHA512

7f411509e2a98d9fbd24805093b3cdecfaa0c2d16b7dc579b1fa1ec5b32786a796c1ccec4cd04078592954680dc9ce6638eccb2b51decf5ce46b6277f87458b6
SSDEEP

6144:KLy+bnr+vp0yN90QEzrKEP3ve7yRfsK6KRFjEXtaBv7FlbeVeR4No5/Z:pMrvy90BKU/e7RK6KRdEXYp7f6VG4N2Z

Score

10^/10

amadey mystic 59b440 persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5295777.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

saves.exeb2203497.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	saves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	b2203497.exe

Executes dropped EXE 5 IoCs

Processes:

b2203497.exesaves.exec5295777.exesaves.exesaves.exe

pid process

1844 b2203497.exe
1768 saves.exe
1564 c5295777.exe
4500 saves.exe
4536 saves.exe

pid	process
1844	b2203497.exe
1768	saves.exe
1564	c5295777.exe
4500	saves.exe
4536	saves.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

804 schtasks.exe

pid	process
804	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exeb2203497.exesaves.execmd.exe

description	pid	process	target process
PID 3212 wrote to memory of 1844	3212	7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe	b2203497.exe
PID 3212 wrote to memory of 1844	3212	7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe	b2203497.exe
PID 3212 wrote to memory of 1844	3212	7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe	b2203497.exe
PID 1844 wrote to memory of 1768	1844	b2203497.exe	saves.exe
PID 1844 wrote to memory of 1768	1844	b2203497.exe	saves.exe
PID 1844 wrote to memory of 1768	1844	b2203497.exe	saves.exe
PID 3212 wrote to memory of 1564	3212	7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe	c5295777.exe
PID 3212 wrote to memory of 1564	3212	7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe	c5295777.exe
PID 3212 wrote to memory of 1564	3212	7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe	c5295777.exe
PID 1768 wrote to memory of 804	1768	saves.exe	schtasks.exe
PID 1768 wrote to memory of 804	1768	saves.exe	schtasks.exe
PID 1768 wrote to memory of 804	1768	saves.exe	schtasks.exe
PID 1768 wrote to memory of 3364	1768	saves.exe	cmd.exe
PID 1768 wrote to memory of 3364	1768	saves.exe	cmd.exe
PID 1768 wrote to memory of 3364	1768	saves.exe	cmd.exe
PID 3364 wrote to memory of 2500	3364	cmd.exe	cmd.exe
PID 3364 wrote to memory of 2500	3364	cmd.exe	cmd.exe
PID 3364 wrote to memory of 2500	3364	cmd.exe	cmd.exe
PID 3364 wrote to memory of 2884	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 2884	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 2884	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 4624	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 4624	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 4624	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 3160	3364	cmd.exe	cmd.exe
PID 3364 wrote to memory of 3160	3364	cmd.exe	cmd.exe
PID 3364 wrote to memory of 3160	3364	cmd.exe	cmd.exe
PID 3364 wrote to memory of 116	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 116	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 116	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 4988	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 4988	3364	cmd.exe	cacls.exe
PID 3364 wrote to memory of 4988	3364	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe
"C:\Users\Admin\AppData\Local\Temp\7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2203497.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2203497.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
4⤵
- Creates scheduled task(s)
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2500

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:N"
5⤵
PID:2884

C:\Windows\SysWOW64\cacls.exe
CACLS "saves.exe" /P "Admin:R" /E
5⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3160

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:N"
5⤵
PID:116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\b40d11255d" /P "Admin:R" /E
5⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5295777.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5295777.exe
2⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2203497.exe
Filesize
337KB

MD5
3985448e035bbcd9303faacb4d2e1b79

SHA1
03bc49eec6f06d15fd325a34a9418d4611bea5fc

SHA256
5f15c1690c75307d9c4562700810191c8dc58f5e75b55ad8fead67ed5d5122fd

SHA512
a7f996e8a128dd423839ffc464329acd20fa28f278f54f4a0fdc43a063086da8a62c3cdc2390e259ef10881d3abb0049355b6f83d354441cbe82e17827fad129

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5295777.exe
Filesize
142KB

MD5
d0a76c920e396c48fbdb875731a212fb

SHA1
bb8ff71247df58f4a334f8d3f87b5bd6cd8b9843

SHA256
555172ac9ed0a7f740a129155e79992f4b57200d86ddce1d22da210ec296e12f

SHA512
a53d18d56a17c666426d1cc47e89331948ef86648ea50726af9137bb08c2e1e00a003366f2f69b4b8123a5436d6322ef1a97ab3df2df80dae7483c0e8fb1c8c4

Download Submit