Analysis

max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/02/2023, 05:51

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
General

Target: file.exe
Size: 352KB
MD5: b1146ec9318c55479bd80be9ae6410ad
SHA1: 3b73d97d82c088c9b9e4343b1eb231b3097b146d
SHA256: fcaa3b47fc9a61baf5e8317fb8bd62028bb6c5190702d21c3645c346a4b66d53
SHA512: 9bd3c136c40c2858fda2eeab233f07271d975b539efb35d88c3a6a609c0a0e8a0396b0b315e9f97365b9261a8edab01d2debf1f35424a02c8325d158a5af018c
SSDEEP: 6144:T/LomuF9DSbA2q8tL9mrDhvW6UvSCXK/o9/CJTk637eQfnd5SCyHCB:jGFI28ahvPUXXko9CJb7d5S
Malware Config
Extracted
amadey
3.66
193.233.20.2/Bn89hku/index.php
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  4376  mnolyk.exe
  4040  mnolyk.exe
  3020  mnolyk.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  file.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  mnolyk.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (26 IoCs)
  pid   pid_target  Process       procid_target
  1036  4604        WerFault.exe  82
  1100  4604        WerFault.exe  82
  1356  4604        WerFault.exe  82
  1744  4604        WerFault.exe  82
  2736  4604        WerFault.exe  82
  4244  4604        WerFault.exe  82
  1532  4604        WerFault.exe  82
  3844  4376        WerFault.exe  95
  1652  4376        WerFault.exe  95
  204   4376        WerFault.exe  95
  8     4376        WerFault.exe  95
  3480  4376        WerFault.exe  95
  1376  4376        WerFault.exe  95
  3636  4376        WerFault.exe  95
  4600  4376        WerFault.exe  95
  720   4376        WerFault.exe  95
  3648  4376        WerFault.exe  95
  3940  4376        WerFault.exe  95
  3176  4376        WerFault.exe  95
  2028  4376        WerFault.exe  95
  2676  4376        WerFault.exe  95
  1744  4376        WerFault.exe  95
  1280  4040        WerFault.exe  145
  1496  4376        WerFault.exe  95
  2580  3020        WerFault.exe  150
  116   4376        WerFault.exe  95

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1900  schtasks.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  description                       pid   Process     procid_target
  PID 4604 wrote to memory of 4376  4604  file.exe    95
  PID 4604 wrote to memory of 4376  4604  file.exe    95
  PID 4604 wrote to memory of 4376  4604  file.exe    95
  PID 4376 wrote to memory of 1900  4376  mnolyk.exe  112
  PID 4376 wrote to memory of 1900  4376  mnolyk.exe  112
  PID 4376 wrote to memory of 1900  4376  mnolyk.exe  112
  PID 4376 wrote to memory of 3692  4376  mnolyk.exe  118
  PID 4376 wrote to memory of 3692  4376  mnolyk.exe  118
  PID 4376 wrote to memory of 3692  4376  mnolyk.exe  118
  PID 3692 wrote to memory of 3784  3692  cmd.exe     123
  PID 3692 wrote to memory of 3784  3692  cmd.exe     123
  PID 3692 wrote to memory of 3784  3692  cmd.exe     123
  PID 3692 wrote to memory of 4676  3692  cmd.exe     122
  PID 3692 wrote to memory of 4676  3692  cmd.exe     122
  PID 3692 wrote to memory of 4676  3692  cmd.exe     122
  PID 3692 wrote to memory of 3876  3692  cmd.exe     124
  PID 3692 wrote to memory of 3876  3692  cmd.exe     124
  PID 3692 wrote to memory of 3876  3692  cmd.exe     124
  PID 3692 wrote to memory of 1796  3692  cmd.exe     125
  PID 3692 wrote to memory of 1796  3692  cmd.exe     125
  PID 3692 wrote to memory of 1796  3692  cmd.exe     125
  PID 3692 wrote to memory of 2424  3692  cmd.exe     126
  PID 3692 wrote to memory of 2424  3692  cmd.exe     126
  PID 3692 wrote to memory of 2424  3692  cmd.exe     126
  PID 3692 wrote to memory of 2812  3692  cmd.exe     127
  PID 3692 wrote to memory of 2812  3692  cmd.exe     127
  PID 3692 wrote to memory of 2812  3692  cmd.exe     127
Processes

(Process tree: each entry shows the image path, PID and matched signatures; the command line follows on the next line; children are indented under their parent.)

C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 4604)  [Checks computer location settings; Suspicious use of WriteProcessMemory]
  command: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    C:\Windows\SysWOW64\WerFault.exe  (PID 1036)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 896
    C:\Windows\SysWOW64\WerFault.exe  (PID 1100)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 972
    C:\Windows\SysWOW64\WerFault.exe  (PID 1356)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 980
    C:\Windows\SysWOW64\WerFault.exe  (PID 1744)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1104
    C:\Windows\SysWOW64\WerFault.exe  (PID 2736)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1076
    C:\Windows\SysWOW64\WerFault.exe  (PID 4244)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1092
    C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe  (PID 4376)  [Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory]
      command: "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
        C:\Windows\SysWOW64\WerFault.exe  (PID 3844)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 588
        C:\Windows\SysWOW64\WerFault.exe  (PID 1652)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 776
        C:\Windows\SysWOW64\WerFault.exe  (PID 204)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 768
        C:\Windows\SysWOW64\WerFault.exe  (PID 8)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 948
        C:\Windows\SysWOW64\WerFault.exe  (PID 3480)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 948
        C:\Windows\SysWOW64\WerFault.exe  (PID 1376)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 948
        C:\Windows\SysWOW64\WerFault.exe  (PID 3636)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1012
        C:\Windows\SysWOW64\schtasks.exe  (PID 1900)  [Creates scheduled task(s)]
          command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
        C:\Windows\SysWOW64\WerFault.exe  (PID 4600)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 892
        C:\Windows\SysWOW64\WerFault.exe  (PID 720)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 620
        C:\Windows\SysWOW64\cmd.exe  (PID 3692)  [Suspicious use of WriteProcessMemory]
          command: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
            C:\Windows\SysWOW64\cacls.exe  (PID 4676)
              command: CACLS "mnolyk.exe" /P "Admin:N"
            C:\Windows\SysWOW64\cmd.exe  (PID 3784)
              command: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe  (PID 3876)
              command: CACLS "mnolyk.exe" /P "Admin:R" /E
            C:\Windows\SysWOW64\cmd.exe  (PID 1796)
              command: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe  (PID 2424)
              command: CACLS "..\4b9a106e76" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe  (PID 2812)
              command: CACLS "..\4b9a106e76" /P "Admin:R" /E
        C:\Windows\SysWOW64\WerFault.exe  (PID 3648)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 776
        C:\Windows\SysWOW64\WerFault.exe  (PID 3940)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 588
        C:\Windows\SysWOW64\WerFault.exe  (PID 3176)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1188
        C:\Windows\SysWOW64\WerFault.exe  (PID 2028)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 816
        C:\Windows\SysWOW64\WerFault.exe  (PID 2676)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1388
        C:\Windows\SysWOW64\WerFault.exe  (PID 1744)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 996
        C:\Windows\SysWOW64\WerFault.exe  (PID 1496)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 988
        C:\Windows\SysWOW64\WerFault.exe  (PID 116)  [Program crash]
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1288
    C:\Windows\SysWOW64\WerFault.exe  (PID 1532)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 924

C:\Windows\SysWOW64\WerFault.exe  (PID 4732)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe  (PID 1736)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe  (PID 4088)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe  (PID 1064)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe  (PID 4084)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe  (PID 4368)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe  (PID 4928)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe  (PID 3988)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 2968)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 116)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 1008)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 1852)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 3108)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 3568)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 3460)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 4348)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 1596)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 2888)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 1400)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 1536)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 4576)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe  (PID 4336)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4376 -ip 4376

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe  (PID 4040)  [Executes dropped EXE]
  command: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    C:\Windows\SysWOW64\WerFault.exe  (PID 1280)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 328

C:\Windows\SysWOW64\WerFault.exe  (PID 1344)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4040 -ip 4040
C:\Windows\SysWOW64\WerFault.exe  (PID 2448)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4376 -ip 4376

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe  (PID 3020)  [Executes dropped EXE]
  command: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    C:\Windows\SysWOW64\WerFault.exe  (PID 2580)  [Program crash]
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 316

C:\Windows\SysWOW64\WerFault.exe  (PID 968)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3020 -ip 3020
C:\Windows\SysWOW64\WerFault.exe  (PID 2172)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4376 -ip 4376
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 352KB
MD5: b1146ec9318c55479bd80be9ae6410ad
SHA1: 3b73d97d82c088c9b9e4343b1eb231b3097b146d
SHA256: fcaa3b47fc9a61baf5e8317fb8bd62028bb6c5190702d21c3645c346a4b66d53
SHA512: 9bd3c136c40c2858fda2eeab233f07271d975b539efb35d88c3a6a609c0a0e8a0396b0b315e9f97365b9261a8edab01d2debf1f35424a02c8325d158a5af018c