amadey | d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

General

Target

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Size

424KB
MD5

13e5872e9b7c47090e035dc228c5589f
SHA1

c55a9708091f19b5fc5baf7c37beb99d8d3bf760
SHA256

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc
SHA512

260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e
SSDEEP

6144:9O1rkNbOFsBuztTfSoRgxX+j14TGYoij7aR1XPQg9TU5YGmvST3h68BoKupOdCHP:3xBuBTExX+AoLzTUKdvST/BoKupOjUz

Score

10^/10

amadey xmrig evasion execution miner persistence trojan upx

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4496-38-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-45-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-44-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-43-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-42-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-41-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-39-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-48-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-50-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-52-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4496-51-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 8 IoCs

Processes:

Hkbsse.exeblob.exevxfagazdltye.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exeHkbsse.exe

pid process

1180 Hkbsse.exe
4620 blob.exe
4604 vxfagazdltye.exe
3668 Hkbsse.exe
932 Hkbsse.exe
1208 Hkbsse.exe
4396 Hkbsse.exe
4368 Hkbsse.exe

pid	process
1180	Hkbsse.exe
4620	blob.exe
4604	vxfagazdltye.exe
3668	Hkbsse.exe
932	Hkbsse.exe
1208	Hkbsse.exe
4396	Hkbsse.exe
4368	Hkbsse.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4496-33-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-36-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-34-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-38-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-45-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-44-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-43-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-42-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-41-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-39-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-37-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-35-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-48-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-50-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-52-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4496-51-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hkbsse.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\blob.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001001\\blob.exe"	Hkbsse.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vxfagazdltye.exe

description pid process target process

PID 4604 set thread context of 4496 4604 vxfagazdltye.exe conhost.exe
Drops file in Windows directory 1 IoCs

Processes:

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe

description ioc process

File created C:\Windows\Tasks\Hkbsse.job d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

512 sc.exe
4420 sc.exe
4544 sc.exe
4124 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4604 set thread context of 4496	4604	vxfagazdltye.exe	conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe

pid	process
512	sc.exe
4420	sc.exe
4544	sc.exe
4124	sc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

blob.exevxfagazdltye.exe

pid	process
4620	blob.exe
4620	blob.exe
4620	blob.exe
4620	blob.exe
4620	blob.exe
4620	blob.exe
4620	blob.exe
4620	blob.exe
4604	vxfagazdltye.exe
4604	vxfagazdltye.exe
4604	vxfagazdltye.exe
4604	vxfagazdltye.exe
4604	vxfagazdltye.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	4588	powercfg.exe
Token: SeCreatePagefilePrivilege	4588	powercfg.exe
Token: SeShutdownPrivilege	4752	powercfg.exe
Token: SeCreatePagefilePrivilege	4752	powercfg.exe
Token: SeShutdownPrivilege	864	powercfg.exe
Token: SeCreatePagefilePrivilege	864	powercfg.exe
Token: SeShutdownPrivilege	4220	powercfg.exe
Token: SeCreatePagefilePrivilege	4220	powercfg.exe
Token: SeShutdownPrivilege	1440	powercfg.exe
Token: SeCreatePagefilePrivilege	1440	powercfg.exe
Token: SeLockMemoryPrivilege	4496	conhost.exe
Token: SeShutdownPrivilege	2896	powercfg.exe
Token: SeCreatePagefilePrivilege	2896	powercfg.exe
Token: SeShutdownPrivilege	2848	powercfg.exe
Token: SeCreatePagefilePrivilege	2848	powercfg.exe
Token: SeShutdownPrivilege	4308	powercfg.exe
Token: SeCreatePagefilePrivilege	4308	powercfg.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exeHkbsse.exevxfagazdltye.exe

description	pid	process	target process
PID 2752 wrote to memory of 1180	2752	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 2752 wrote to memory of 1180	2752	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 2752 wrote to memory of 1180	2752	d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe	Hkbsse.exe
PID 1180 wrote to memory of 4620	1180	Hkbsse.exe	blob.exe
PID 1180 wrote to memory of 4620	1180	Hkbsse.exe	blob.exe
PID 4604 wrote to memory of 4496	4604	vxfagazdltye.exe	conhost.exe
PID 4604 wrote to memory of 4496	4604	vxfagazdltye.exe	conhost.exe
PID 4604 wrote to memory of 4496	4604	vxfagazdltye.exe	conhost.exe
PID 4604 wrote to memory of 4496	4604	vxfagazdltye.exe	conhost.exe
PID 4604 wrote to memory of 4496	4604	vxfagazdltye.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe
"C:\Users\Admin\AppData\Local\Temp\d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
"C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "YCSDKNAW"
4⤵
- Launches sc.exe
PID:512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "YCSDKNAW" binpath= "C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe" start= "auto"
4⤵
- Launches sc.exe
PID:4420

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4544

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "YCSDKNAW"
4⤵
- Launches sc.exe
PID:4124

C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe
C:\ProgramData\anoomxjjawjf\vxfagazdltye.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:932

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001001\blob.exe

Filesize
2.5MB

MD5
fbfbe4ee13baecac3e7d16bec24cf079

SHA1
360caf2bb458bee7e65c316099a868b929839d25

SHA256
3d65e5f78fa228a79d279fd903b45e584effe6b680d3a3adcb582985de62d01e

SHA512
8f5d849e739430cdc560f9dbda5f2f72a07ed0493054298b0d195cf50c972e9a24effdb71cadeea6ced14663fc1268f4a0f45234f37aac334638ffcd8057b28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5641a448ac\Hkbsse.exe

Filesize
424KB

MD5
13e5872e9b7c47090e035dc228c5589f

SHA1
c55a9708091f19b5fc5baf7c37beb99d8d3bf760

SHA256
d6cfb9d6c862be5a244eb5e4c6339312f74b7eb57cad8d08f56e3de0024b2bbc

SHA512
260671baa8f30e2364b21ab0a9cd3d8a104f76032ebfd3684150d8c318b9cb759b246ae8df25274e864053a6d55bdb77e028452b1d91999b37efc291f8ee815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\699363923187

Filesize
66KB

MD5
06c6553ad85d6a071483b0ec74f86e65

SHA1
c59416e40c7e98cf7b4478514cf01b4b7774cfbd

SHA256
7b0d36f377d53a4275f36f0019ac92517e8f57cf2cf61cfb4c2bcc4fccd95a76

SHA512
4eb21dae26829d70a7a9f02a9bfd23575cc75c524d40db58e4866fc0e8464ab8a61ea2de286dd115882c474b015e311bd9263d6ecfd3c7ff6b89ad3770e49edf

Download Submit
memory/4496-43-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-41-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-34-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-38-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-40-0x00000217674C0000-0x00000217674E0000-memory.dmp

Filesize
128KB

Download
memory/4496-45-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-44-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-33-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-42-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-36-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-39-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-37-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-35-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-48-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-50-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-52-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4496-51-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads