File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/9aac489e-1beb-4fdc-a1c0-53051d675bd7
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	November 09, 2024, 12:22:43
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	miner amadey botnet stealer silentcryptominer upx xmrig
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 10 sections
MD5:	3D72CCCDA140B72E690D89E56EC63DAD
SHA1:	989E41A07021B5DD2F7350D3338513F31C83473F
SHA256:	3A435BADC9097D180656F2D32C117E144A2B22E55DA240416059795AA5241FE5
SSDEEP:	98304:aaGO1NyeRyfqtTzOIaiS8ECCILe7/ZIYhtgFd1pzWhCkcp9y6uKd2lLOkkcPfmK+:F9/xDlV8sYY5Q9NqmUVg3G

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2024:11:06 18:14:03+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14
CodeSize:	47104
InitializedDataSize:	5436416
UninitializedDataSize:	-
EntryPoint:	0x1729840
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI


(PID) Process:	(628) svchost.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
Operation:	write	Name:	C:\Users\admin\Desktop\Setup.exe
Value: 534143500100000000000000070000002800000000EE05010000000001000000000000000000000A7320000050BB64EDDDACD5010000000000000000
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeHigh
Value: A75D0DB407D9DA01
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeEstimated
Value: A7F54852FFD8DA01
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeLow
Value: A78D84F0F6D8DA01
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:	write	Name:	SecureTimeTickCount
Value: 6ECF080000000000
(PID) Process:	(748) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:	write	Name:	SecureTimeConfidence
Value: 0
(PID) Process:	(2964) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider
Operation:	write	Name:	StartTime
Value: D001B31EA232DB01
(PID) Process:	(5488) MoUsoCoreWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator
Operation:	write	Name:	NextRefreshTime
Value: 8910071693010000
(PID) Process:	(816) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\StateVariables
Operation:	write	Name:	RebootRequired
Value: 0
(PID) Process:	(1264) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{309BA321-F7C8-46A4-BA50-5FAC484229CB}
Operation:	write	Name:	DynamicInfo
Value: 03000000C8B7E523AAB7D80140B40117A232DB010000000000000000E9D9CA1EA232DB01

PID	Process	Filename		Type
2708	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ahzpjzw.ns3.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1688	svchost.exe	C:\Windows\Prefetch\SVCHOST.EXE-6C525542.pf		binary
		MD5:28C6A235D306AE023DE7F404CC8EEDF0	SHA256:5E6A37EACB522E4C2671DE963F033302C3D9B30495AE62B6B5056C90B33B94CD
1264	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work		xml
		MD5:C6086D02F8CE044F5FA07A98303DC7EB	SHA256:8901D9C9AEA465DA4EA7AA874610A90B8CF0A71EBA0E321CF9675FCEEE0B54A0
1264	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work		xml
		MD5:5FADF13CCFBDCC5DD728380F7A615B28	SHA256:FF1F73395F6B5B22D5FDA367521FE0DCC31FF252849B7FA85FA346B953A40451
1688	svchost.exe	C:\Windows\Prefetch\SC.EXE-945D79AE.pf		binary
		MD5:37698BB6013E066480FD48E6A743DCC5	SHA256:C0FCA97B7453C5F4EA16221AF0B5EF40007EEBC26F0B2067DF72BA35D9CB5562
2708	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:1CA33BE50ED9B21DB8203B87589565E8	SHA256:CF6DD300DD15F82099D2E0AF569EAF6B56DD19A0A72422808F29052CC012C8EC
1264	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work		xml
		MD5:4838EE953DAB2C7A1BF57E0C6620A79D	SHA256:22C798E00C4793749EAC39CFB6EA3DD75112FD4453A3706E839038A64504D45D
2708	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_05md1c35.ine.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1264	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan		xml
		MD5:11954764DE4745B35A42219A7C5E2DCA	SHA256:997FCF971A38394C30D9E5CA0C6B36E782630E83B52D2664C56F1DEFBA54CB6C
4032	Setup.exe	C:\Windows\System32\drivers\etc\hosts		text
		MD5:D720A734B2CBDE357E6361121AFAEFD0	SHA256:BF6F1889D0C694B623C2FC9C6B7A96E31239EB7FAD1E3E5ED09D046684320634

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1744	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	404	31.31.196.17:80	http://panelslk.pro/api/endpoint.php	unknown	—	—	malicious
5488	MoUsoCoreWorker.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1744	RUXIMICS.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	404	31.31.196.17:80	http://panelslk.pro/api/endpoint.php	unknown	—	—	malicious
—	—	POST	404	31.31.196.17:80	http://panelslk.pro/api/endpoint.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	184.86.251.24:443	—	Akamai International B.V.	DE	unknown
6944	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1744	RUXIMICS.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6944	svchost.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5488	MoUsoCoreWorker.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1744	RUXIMICS.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6944	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
pool.hashvault.pro	45.76.89.70 95.179.241.203	whitelisted
panelslk.pro	31.31.196.17	malicious
self.events.data.microsoft.com	52.168.112.67	whitelisted

PID	Process	Class	Message
2172	svchost.exe	Crypto Currency Mining Activity Detected	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)
3864	dialer.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin
—	—	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
—	—	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3
—	—	Crypto Currency Mining Activity Detected	ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
—	—	Crypto Currency Mining Activity Detected	MINER [ANY.RUN] SilentCryptoMiner HTTP Request to UnamWebPanel
—	—	Crypto Currency Mining Activity Detected	ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request
—	—	Crypto Currency Mining Activity Detected	MINER [ANY.RUN] SilentCryptoMiner HTTP Request to UnamWebPanel
3864	dialer.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin

General Info

Setup.exe

3D72CCCDA140B72E690D89E56EC63DAD

989E41A07021B5DD2F7350D3338513F31C83473F

3A435BADC9097D180656F2D32C117E144A2B22E55DA240416059795AA5241FE5

98304:aaGO1NyeRyfqtTzOIaiS8ECCILe7/ZIYhtgFd1pzWhCkcp9y6uKd2lLOkkcPfmK+:F9/xDlV8sYY5Q9NqmUVg3G

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was injected by another process

Adds extension to the Windows Defender exclusion list

Runs injected code in another process

XMRIG has been detected (YARA)

MINER has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Manipulates environment variables

Starts process via Powershell

Starts SC.EXE for service management

Script adds exclusion extension to Windows Defender

Process uninstalls Windows update

Uses powercfg.exe to modify the power settings

Starts CMD.EXE for commands execution

Script adds exclusion path to Windows Defender

Executable content was dropped or overwritten

Executes as Windows Service

Drops a system driver (possible attempt to evade defenses)

Crypto Currency Mining Activity Detected

Potential Corporate Privacy Violation

INFO

Creates files in the program directory

Reads the software policy settings

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Checks supported languages

The process uses the downloaded file

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats