Overview

overview

10

Static

static

3

1b7cbee30e...8d.exe

windows10-2004-x64

10

1cb2277eea...2a.exe

windows10-2004-x64

10

26dae86d00...a2.exe

windows10-2004-x64

10

35cd974b16...ec.exe

windows10-2004-x64

10

45e7028a78...91.exe

windows10-2004-x64

10

4cd2f124df...48.exe

windows10-2004-x64

10

5fdef2b38d...0a.exe

windows10-2004-x64

10

7284e9e031...c7.exe

windows10-2004-x64

10

781c022afd...54.exe

windows10-2004-x64

10

84163f9b0d...a5.exe

windows10-2004-x64

10

90251e43cd...e4.exe

windows10-2004-x64

10

9a3023ff33...37.exe

windows10-2004-x64

10

b4b999d8f3...50.exe

windows7-x64

10

b4b999d8f3...50.exe

windows10-2004-x64

10

bdd93956fe...8b.exe

windows10-2004-x64

10

cf840721c0...70.exe

windows10-2004-x64

10

e52fb58b8a...f1.exe

windows10-2004-x64

10

ecfbac56ff...9e.exe

windows10-2004-x64

10

f0f492b9b0...9a.exe

windows10-2004-x64

10

f921df4c23...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a.exe

  • Size

    320KB

  • MD5

    49302c87b30d9bcb659e9a43e23d1a35

  • SHA1

    158af98db3289bffa6b03298388b58c60767c686

  • SHA256

    1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a

  • SHA512

    be18bcdcb8bbf1b2cae94571e87a1487d1eda7f269204a93cb782532114cff7872df250cd3cfaa0a1a8dea3b35a8a8de9b3026409019c0a28a2d854a8de9bbb6

  • SSDEEP

    6144:KCy+bnr+Hp0yN90QEIrKEP3ve7yRfsK6KRFjEXtaBv7uNC3QdGYHeZDSRA:KMrTy90SKU/e7RK6KRdEXYp7PQj0b

Score
10/10
amadeymystic59b440persistencestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a.exe
    "C:\Users\Admin\AppData\Local\Temp\1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0162996.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0162996.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:2884
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4972
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:5064
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "saves.exe" /P "Admin:N"
              5⤵
                PID:4072
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:R" /E
                5⤵
                  PID:5020
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:2448
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\b40d11255d" /P "Admin:N"
                    5⤵
                      PID:4040
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\b40d11255d" /P "Admin:R" /E
                      5⤵
                        PID:4764
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0401484.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0401484.exe
                  2⤵
                  • Executes dropped EXE
                  PID:3420
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4220
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:892
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:228

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l0162996.exe
                Filesize

                336KB

                MD5

                203d31724da362ad17ad5508a220ff41

                SHA1

                aa9b35b8baf97bbceaa15abab56a885cdf378f84

                SHA256

                631c64e2e865e763c704d3a3a0b9c58c428f1cc93ba022eabfeb846869bd8e6d

                SHA512

                5bc62fcd95096851f38c1c4e56b70a1347512e893466e2dba00e6c6f7f4ad2531d28eaf7711bc3907642c5d1ea6fcd9eb7feda2018635f50ebb56f92994671ca

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m0401484.exe
                Filesize

                141KB

                MD5

                a551f4027ec2c2a9e6444bb50f011d94

                SHA1

                56e5cc596e006ffa885463c91fb45fd33dd0385d

                SHA256

                4020fdfde2faff7ded9fe4bcbde17eac766bf54fb7764b251e5fe9147f4b91c0

                SHA512

                fad89eac2f771ccc3c35504d82da589f3ec9bbdab50a080e210581596ca876b1ff2aaf034b47e10869802ac5aa3f399c471707d15cb454633db6806a35bf6db8

                Download Submit