General
-
Target
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
-
Size
416KB
-
Sample
240826-fnpj1sxgrp
-
MD5
f5d7b79ee6b6da6b50e536030bcc3b59
-
SHA1
751b555a8eede96d55395290f60adc43b28ba5e2
-
SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
-
SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
SSDEEP
12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
Behavioral task
behavioral1
Sample
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459.exe
Resource
win7-20240704-en
Malware Config
Extracted
amadey
4.41
ec08f7
http://185.215.113.26
-
install_dir
054fdc5f70
-
install_file
Hkbsse.exe
-
strings_key
783c46f70668d3eed42e83c9f00fc0f5
-
url_paths
/Dem7kTu/index.php
Targets
-
-
Target
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
-
Size
416KB
-
MD5
f5d7b79ee6b6da6b50e536030bcc3b59
-
SHA1
751b555a8eede96d55395290f60adc43b28ba5e2
-
SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459
-
SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46
-
SSDEEP
12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-