amadey | d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

General

Target

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Size

424KB
MD5

13e5872e9b7c47090e035dc228c5589f
SHA1

c55a9708091f19b5fc5baf7c37beb99d8d3bf760
SHA256

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
SHA512

260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
SSDEEP

6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz

Score

10^/10

amadey xmrig evasion execution miner persistence trojan upx

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1764-45-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-44-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-50-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-51-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-48-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-49-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-47-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-52-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-55-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-56-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1764-57-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 6 IoCs

Processes:

Hkbsse.exeblob.exevxfagazdltye.exeHkbsse.exeHkbsse.exeHkbsse.exe

pid process

4840 Hkbsse.exe
4980 blob.exe
3992 vxfagazdltye.exe
3812 Hkbsse.exe
5076 Hkbsse.exe
4080 Hkbsse.exe

pid	process
4840	Hkbsse.exe
4980	blob.exe
3992	vxfagazdltye.exe
3812	Hkbsse.exe
5076	Hkbsse.exe
4080	Hkbsse.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1764-39-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-42-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-40-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-41-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-45-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-44-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-43-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-50-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-51-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-48-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-49-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-47-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-52-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-55-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-56-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1764-57-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hkbsse.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\blob.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\blob.exe"	Hkbsse.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vxfagazdltye.exe

description pid process target process

PID 3992 set thread context of 1764 3992 vxfagazdltye.exe conhost.exe
Drops file in Windows directory 1 IoCs

Processes:

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

652 sc.exe
3292 sc.exe
3100 sc.exe
428 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3992 set thread context of 1764	3992	vxfagazdltye.exe	conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe

pid	process
652	sc.exe
3292	sc.exe
3100	sc.exe
428	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

blob.exevxfagazdltye.exe

pid	process
4980	blob.exe
4980	blob.exe
4980	blob.exe
4980	blob.exe
4980	blob.exe
4980	blob.exe
4980	blob.exe
4980	blob.exe
3992	vxfagazdltye.exe
3992	vxfagazdltye.exe
3992	vxfagazdltye.exe
3992	vxfagazdltye.exe
3992	vxfagazdltye.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2664	powercfg.exe
Token: SeCreatePagefilePrivilege	2664	powercfg.exe
Token: SeShutdownPrivilege	2412	powercfg.exe
Token: SeCreatePagefilePrivilege	2412	powercfg.exe
Token: SeShutdownPrivilege	5092	powercfg.exe
Token: SeCreatePagefilePrivilege	5092	powercfg.exe
Token: SeShutdownPrivilege	1232	powercfg.exe
Token: SeCreatePagefilePrivilege	1232	powercfg.exe
Token: SeLockMemoryPrivilege	1764	conhost.exe
Token: SeShutdownPrivilege	1412	powercfg.exe
Token: SeCreatePagefilePrivilege	1412	powercfg.exe
Token: SeShutdownPrivilege	1780	powercfg.exe
Token: SeCreatePagefilePrivilege	1780	powercfg.exe
Token: SeShutdownPrivilege	4340	powercfg.exe
Token: SeCreatePagefilePrivilege	4340	powercfg.exe
Token: SeShutdownPrivilege	4068	powercfg.exe
Token: SeCreatePagefilePrivilege	4068	powercfg.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exeHkbsse.exevxfagazdltye.exe

description	pid	process	target process
PID 4864 wrote to memory of 4840	4864	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 4864 wrote to memory of 4840	4864	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 4864 wrote to memory of 4840	4864	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 4840 wrote to memory of 4980	4840	Hkbsse.exe	blob.exe
PID 4840 wrote to memory of 4980	4840	Hkbsse.exe	blob.exe
PID 3992 wrote to memory of 1764	3992	vxfagazdltye.exe	conhost.exe
PID 3992 wrote to memory of 1764	3992	vxfagazdltye.exe	conhost.exe
PID 3992 wrote to memory of 1764	3992	vxfagazdltye.exe	conhost.exe
PID 3992 wrote to memory of 1764	3992	vxfagazdltye.exe	conhost.exe
PID 3992 wrote to memory of 1764	3992	vxfagazdltye.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
"C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
  "C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe
    "C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2412
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2664
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1232
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5092
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "YCSDKNAW"
      4⤵
      Launches sc.exe
      PID:652
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "YCSDKNAW" binpath= "C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3292
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3100
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "YCSDKNAW"
      4⤵
      Launches sc.exe
      PID:428

C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe
C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1764

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe

Filesize
2.5MB

MD5
fbfbe4ee13baecac3e7d16bec24cf079

SHA1
360caf2bb458bee7e65c316099a868b929839d25

SHA256
3d65e5f78fa228a79d279fd903b45e584effe6b680d3a3adcb582985de62d01e

SHA512
8f5d849e739430cdc560f9dbda5f2f72a07ed0493054298b0d195cf50c972e9a24effdb71cadeea6ced14663fc1268f4a0f45234f37aac334638ffcd8057b28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\394516847340

Filesize
80KB

MD5
a8fdfdf26dcad60f886aec9595dcfd46

SHA1
2dbe7159488d60ae981dd7fec3aa28927bcca8ae

SHA256
f6d893ead163813295d7ad9f7dfedf20e2fcf9d6a6e9b63d598df857a8d13fcf

SHA512
887bd9c3b64bbec30b1fa1b13e117ca7d28da9e8673ef42c80fa8560fb7d0964975edc05229b9af85f23db22e3881b85a5e7cfe1009fd1b698faf48c4023f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe

Filesize
424KB

MD5
13e5872e9b7c47090e035dc228c5589f

SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760

SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e

Download Submit
memory/1764-43-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-51-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-40-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-41-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-45-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-46-0x000001F29F0D0000-0x000001F29F0F0000-memory.dmp

Filesize
128KB

Download
memory/1764-44-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-39-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-50-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-42-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-48-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-49-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-47-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-52-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-55-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-56-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1764-57-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads