Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
06/02/2023, 06:56
Static task
static1
Behavioral task
behavioral1
Sample
c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe
Resource
win10v2004-20220812-en
General
-
Target
c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe
-
Size
574KB
-
MD5
d8d1710826e8fc96e7f34f6f21a6250b
-
SHA1
8c1078208189e7b9b1c8bb35cb6e3e548daf7689
-
SHA256
c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda
-
SHA512
2ee910e22c0fc4703455b555f4fd7419ded5a670f1341c1a1faab7f0920e66353ca037790e4749d5861f7a44d5483a9784de2b8fdc7a63c719fe1bba4088608a
-
SSDEEP
12288:NMrNy90v9TFBdCS0T+qYq7nk21u2613T3deqNEsr:kyizCS0TdYUktZTj
Malware Config
Extracted
amadey
3.66
62.204.41.4/Gol478Ns/index.php
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" aGxf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" aGxf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" aGxf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" nika.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection aGxf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" aGxf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" aGxf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" nika.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation xriv.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 7 IoCs
pid Process 3068 zhiga.exe 1696 aGxf.exe 1708 nika.exe 3100 xriv.exe 2100 mnolyk.exe 4344 mnolyk.exe 1772 mnolyk.exe -
Loads dropped DLL 1 IoCs
pid Process 2892 rundll32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" nika.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features aGxf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" aGxf.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce zhiga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" zhiga.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1608 1696 WerFault.exe 82 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1936 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1696 aGxf.exe 1696 aGxf.exe 1708 nika.exe 1708 nika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1696 aGxf.exe Token: SeDebugPrivilege 1708 nika.exe -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 1572 wrote to memory of 3068 1572 c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe 81 PID 1572 wrote to memory of 3068 1572 c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe 81 PID 1572 wrote to memory of 3068 1572 c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe 81 PID 3068 wrote to memory of 1696 3068 zhiga.exe 82 PID 3068 wrote to memory of 1696 3068 zhiga.exe 82 PID 3068 wrote to memory of 1696 3068 zhiga.exe 82 PID 3068 wrote to memory of 1708 3068 zhiga.exe 86 PID 3068 wrote to memory of 1708 3068 zhiga.exe 86 PID 1572 wrote to memory of 3100 1572 c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe 87 PID 1572 wrote to memory of 3100 1572 c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe 87 PID 1572 wrote to memory of 3100 1572 c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe 87 PID 3100 wrote to memory of 2100 3100 xriv.exe 88 PID 3100 wrote to memory of 2100 3100 xriv.exe 88 PID 3100 wrote to memory of 2100 3100 xriv.exe 88 PID 2100 wrote to memory of 1936 2100 mnolyk.exe 89 PID 2100 wrote to memory of 1936 2100 mnolyk.exe 89 PID 2100 wrote to memory of 1936 2100 mnolyk.exe 89 PID 2100 wrote to memory of 4384 2100 mnolyk.exe 91 PID 2100 wrote to memory of 4384 2100 mnolyk.exe 91 PID 2100 wrote to memory of 4384 2100 mnolyk.exe 91 PID 4384 wrote to memory of 4312 4384 cmd.exe 93 PID 4384 wrote to memory of 4312 4384 cmd.exe 93 PID 4384 wrote to memory of 4312 4384 cmd.exe 93 PID 4384 wrote to memory of 536 4384 cmd.exe 94 PID 4384 wrote to memory of 536 4384 cmd.exe 94 PID 4384 wrote to memory of 536 4384 cmd.exe 94 PID 4384 wrote to memory of 1152 4384 cmd.exe 95 PID 4384 wrote to memory of 1152 4384 cmd.exe 95 PID 4384 wrote to memory of 1152 4384 cmd.exe 95 PID 4384 wrote to memory of 224 4384 cmd.exe 96 PID 4384 wrote to memory of 224 4384 cmd.exe 96 PID 4384 wrote to memory of 224 4384 cmd.exe 96 PID 4384 wrote to memory of 3944 4384 cmd.exe 97 PID 4384 wrote to memory of 3944 4384 cmd.exe 97 PID 4384 wrote to memory of 3944 4384 cmd.exe 97 PID 4384 wrote to memory of 960 4384 cmd.exe 98 PID 4384 wrote to memory of 960 4384 cmd.exe 98 PID 4384 wrote to memory of 960 4384 cmd.exe 98 PID 2100 wrote to memory of 2892 2100 mnolyk.exe 100 PID 2100 wrote to memory of 2892 2100 mnolyk.exe 100 PID 2100 wrote to memory of 2892 2100 mnolyk.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe"C:\Users\Admin\AppData\Local\Temp\c8a5e34b8845fcefcbedfe7136cfc130515cb1dfc46e7dc0d908006faeb4ebda.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zhiga.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zhiga.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aGxf.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aGxf.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 10804⤵
- Program crash
PID:1608
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
PID:1936
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4312
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵PID:536
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵PID:1152
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:224
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:N"5⤵PID:3944
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:R" /E5⤵PID:960
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main4⤵
- Loads dropped DLL
PID:2892
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1696 -ip 16961⤵PID:4976
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
PID:4344
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
PID:1772
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
387KB
MD5fe536efafb831e81c385d0a10ae73cdf
SHA18f456ac6163c2c3b9792844982e50410ea2fddbb
SHA256b16aa5d2d637aceda411ff0b0b9decf4de33e64b526773f34a56fe9afa7dc0a6
SHA5127aab8cd724ac63dbbdcd60ff91fa97d050c4201256170b6c295903ecb6ed8134493b90371301584506706c94f0c906b2745e9837050d29e1379765225f8104a0
-
Filesize
387KB
MD5fe536efafb831e81c385d0a10ae73cdf
SHA18f456ac6163c2c3b9792844982e50410ea2fddbb
SHA256b16aa5d2d637aceda411ff0b0b9decf4de33e64b526773f34a56fe9afa7dc0a6
SHA5127aab8cd724ac63dbbdcd60ff91fa97d050c4201256170b6c295903ecb6ed8134493b90371301584506706c94f0c906b2745e9837050d29e1379765225f8104a0
-
Filesize
347KB
MD566c5b39fa18f623718dece2985397f46
SHA1689242412e0c122f14d9b99c664e1c0dd87357eb
SHA256328f08a4ed6354539a8aee1b5904905239cd48d37f47037cb967770a89ee10fb
SHA512ab9f85c34c9879f17b55fd88c958759785be376edbe642c76b1909ce9510141a797ce692ac02b76ac30f04bdf1f90035ef0d6597ca971fdd993d083020d65dd8
-
Filesize
347KB
MD566c5b39fa18f623718dece2985397f46
SHA1689242412e0c122f14d9b99c664e1c0dd87357eb
SHA256328f08a4ed6354539a8aee1b5904905239cd48d37f47037cb967770a89ee10fb
SHA512ab9f85c34c9879f17b55fd88c958759785be376edbe642c76b1909ce9510141a797ce692ac02b76ac30f04bdf1f90035ef0d6597ca971fdd993d083020d65dd8
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
89KB
MD5c79b74d8fec5e7e2ba2f1789fd582a15
SHA178a1e5d99dbaccc5e07b125e1dfb280112cb3128
SHA256b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
SHA5120debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba
-
Filesize
89KB
MD5c79b74d8fec5e7e2ba2f1789fd582a15
SHA178a1e5d99dbaccc5e07b125e1dfb280112cb3128
SHA256b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
SHA5120debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba