Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:47

General

  • Target

    7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe

  • Size

    319KB

  • MD5

    6d8e57ec9fb40242960e48d22f43a496

  • SHA1

    bae3e231233d07ab1aa2262999e1934666a1a79a

  • SHA256

    7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761

  • SHA512

    7f411509e2a98d9fbd24805093b3cdecfaa0c2d16b7dc579b1fa1ec5b32786a796c1ccec4cd04078592954680dc9ce6638eccb2b51decf5ce46b6277f87458b6

  • SSDEEP

    6144:KLy+bnr+vp0yN90QEzrKEP3ve7yRfsK6KRFjEXtaBv7FlbeVeR4No5/Z:pMrvy90BKU/e7RK6KRdEXYp7f6VG4N2Z

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe
    "C:\Users\Admin\AppData\Local\Temp\7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2203497.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2203497.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:804
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3364
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:2500
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "saves.exe" /P "Admin:N"
              5⤵
                PID:2884
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:R" /E
                5⤵
                  PID:4624
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:3160
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\b40d11255d" /P "Admin:N"
                    5⤵
                      PID:116
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\b40d11255d" /P "Admin:R" /E
                      5⤵
                        PID:4988
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5295777.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5295777.exe
                  2⤵
                  • Executes dropped EXE
                  PID:1564
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4500
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4536

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2203497.exe

                Filesize

                337KB

                MD5

                3985448e035bbcd9303faacb4d2e1b79

                SHA1

                03bc49eec6f06d15fd325a34a9418d4611bea5fc

                SHA256

                5f15c1690c75307d9c4562700810191c8dc58f5e75b55ad8fead67ed5d5122fd

                SHA512

                a7f996e8a128dd423839ffc464329acd20fa28f278f54f4a0fdc43a063086da8a62c3cdc2390e259ef10881d3abb0049355b6f83d354441cbe82e17827fad129

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5295777.exe

                Filesize

                142KB

                MD5

                d0a76c920e396c48fbdb875731a212fb

                SHA1

                bb8ff71247df58f4a334f8d3f87b5bd6cd8b9843

                SHA256

                555172ac9ed0a7f740a129155e79992f4b57200d86ddce1d22da210ec296e12f

                SHA512

                a53d18d56a17c666426d1cc47e89331948ef86648ea50726af9137bb08c2e1e00a003366f2f69b4b8123a5436d6322ef1a97ab3df2df80dae7483c0e8fb1c8c4