File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/9aac489e-1beb-4fdc-a1c0-53051d675bd7
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 09, 2024, 12:22:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	miner amadey botnet stealer silentcryptominer upx xmrig
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5:	3D72CCCDA140B72E690D89E56EC63DAD
SHA1:	989E41A07021B5DD2F7350D3338513F31C83473F
SHA256:	3A435BADC9097D180656F2D32C117E144A2B22E55DA240416059795AA5241FE5
SSDEEP:	98304:aaGO1NyeRyfqtTzOIaiS8ECCILe7/ZIYhtgFd1pzWhCkcp9y6uKd2lLOkkcPfmK+:F9/xDlV8sYY5Q9NqmUVg3G

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:11:06 18:14:03+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	47104
InitializedDataSize:	5436416
UninitializedDataSize:	-
EntryPoint:	0x1729840
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(628) svchost.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:	write	Name:	C:\Users\admin\Desktop\Setup.exe
Value: 534143500100000000000000070000002800000000EE05010000000001000000000000000000000A7320000050BB64EDDDACD5010000000000000000
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeHigh
Value: A75D0DB407D9DA01
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeEstimated
Value: A7F54852FFD8DA01
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeLow
Value: A78D84F0F6D8DA01
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:	write	Name:	SecureTimeTickCount
Value: 6ECF080000000000
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:	write	Name:	SecureTimeConfidence
Value: 0
(PID) Process:	(2964) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider
Operation:	write	Name:	StartTime
Value: D001B31EA232DB01
(PID) Process:	(5488) MoUsoCoreWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
Operation:	write	Name:	NextRefreshTime
Value: 8910071693010000
(PID) Process:	(816) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:	write	Name:	RebootRequired
Value: 0
(PID) Process:	(1264) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{309BA321-F7C8-46A4-BA50-5FAC484229CB}
Operation:	write	Name:	DynamicInfo
Value: 03000000C8B7E523AAB7D80140B40117A232DB010000000000000000E9D9CA1EA232DB01

PID	Process	Filename		Type
2708	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ahzpjzw.ns3.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1688	svchost.exe	C:\Windows\Prefetch\SVCHOST.EXE-6C525542.pf		binary
		MD5:28C6A235D306AE023DE7F404CC8EEDF0	SHA256:5E6A37EACB522E4C2671DE963F033302C3D9B30495AE62B6B5056C90B33B94CD
1688	svchost.exe	C:\Windows\Prefetch\HOST.EXE-F5D74C61.pf		binary
		MD5:5E88736138F6E199A784F484A2F97A3C	SHA256:F554D3EDD5ABADDE31375FA253244F0B64305F870B5233CB733244D03A151013
1688	svchost.exe	C:\Windows\Prefetch\SETUP.EXE-21984F31.pf		binary
		MD5:445B5908DE75373FF7CE1BD4CFF015CD	SHA256:38FD415C7F6DEE288AE242694AB7976DB2A528C1E00684E0B33AE9076AB04BFD
2708	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_05md1c35.ine.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2708	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:1CA33BE50ED9B21DB8203B87589565E8	SHA256:CF6DD300DD15F82099D2E0AF569EAF6B56DD19A0A72422808F29052CC012C8EC
1688	svchost.exe	C:\Windows\Prefetch\POWERCFG.EXE-668FA411.pf		binary
		MD5:E0A3B753C50BEE546429D11077235FB1	SHA256:0E09B850704F3783BAE060A55B606ED78614FA5E0A20DB2379867C5A6036D047
1688	svchost.exe	C:\Windows\Prefetch\WAASMEDICAGENT.EXE-ED0D7511.pf		binary
		MD5:DB56D944FB4619453A0B1DCD77DA658D	SHA256:651510E50E11545AAD0BAD157DAF96DDA1B49DDDDEA9FE2EE1729B3F3143FD56
4032	Setup.exe	C:\Windows\System32\drivers\etc\hosts		text
		MD5:D720A734B2CBDE357E6361121AFAEFD0	SHA256:BF6F1889D0C694B623C2FC9C6B7A96E31239EB7FAD1E3E5ED09D046684320634
6152	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hxzyepr5.tab.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1744	RUXIMICS.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1744	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	404	31.31.196.17:80	http://panelslk.pro/api/endpoint.php	unknown	—	—	malicious
—	—	POST	404	31.31.196.17:80	http://panelslk.pro/api/endpoint.php	unknown	—	—	malicious
—	—	POST	404	31.31.196.17:80	http://panelslk.pro/api/endpoint.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	184.86.251.24:443	—	Akamai International B.V.	DE	unknown
6944	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1744	RUXIMICS.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1744	RUXIMICS.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6944	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
pool.hashvault.pro	45.76.89.70 95.179.241.203	whitelisted
panelslk.pro	31.31.196.17	malicious
self.events.data.microsoft.com	52.168.112.67	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Crypto Currency Mining Activity Detected	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
3864	dialer.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin
—	—	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
—	—	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3
—	—	Crypto Currency Mining Activity Detected	ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
—	—	Crypto Currency Mining Activity Detected	MINER [ANY.RUN] SilentCryptoMiner HTTP Request to UnamWebPanel
—	—	Crypto Currency Mining Activity Detected	ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
—	—	Crypto Currency Mining Activity Detected	MINER [ANY.RUN] SilentCryptoMiner HTTP Request to UnamWebPanel
3864	dialer.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin

General Info

Setup.exe

3D72CCCDA140B72E690D89E56EC63DAD

989E41A07021B5DD2F7350D3338513F31C83473F

3A435BADC9097D180656F2D32C117E144A2B22E55DA240416059795AA5241FE5

98304:aaGO1NyeRyfqtTzOIaiS8ECCILe7/ZIYhtgFd1pzWhCkcp9y6uKd2lLOkkcPfmK+:F9/xDlV8sYY5Q9NqmUVg3G

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds extension to the Windows Defender exclusion list

Application was injected by another process

Runs injected code in another process

MINER has been detected (SURICATA)

XMRIG has been detected (YARA)

Connects to the CnC server

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Starts process via Powershell

Manipulates environment variables

Script adds exclusion extension to Windows Defender

Script adds exclusion path to Windows Defender

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Process uninstalls Windows update

Uses powercfg.exe to modify the power settings

Executes as Windows Service

Executable content was dropped or overwritten

Drops a system driver (possible attempt to evade defenses)

Crypto Currency Mining Activity Detected

Potential Corporate Privacy Violation

INFO

Checks supported languages

Reads the software policy settings

Creates files in the program directory

The process uses the downloaded file

Script raised an exception (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats