Analysis
-
max time kernel
111s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2023 16:08
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
General
-
Target
file.exe
-
Size
574KB
-
MD5
e806c1d0e9ff7faab3b856beae8e07e6
-
SHA1
0443f8724eca91059443b4b9e7a1e6e40d39de87
-
SHA256
12bdc7c780c21d245ef142f764c9ed71605cdefe8c35f91253d5ac4adff59a38
-
SHA512
2abc31945040d2bf4d50a6cb88964d345ef2635a0f66c9fe2520b57cf94348558ac07848481b36f28caa31855953c0974742e514a4ab1c4192c49852f0cb8921
-
SSDEEP
12288:1Mr5y90uT5UP9ryzUJyJWKyeAUOH7MkfW3i1NH:Myk9rKUVUA3H9fe8
Malware Config
Extracted
amadey
3.66
62.204.41.4/Gol478Ns/index.php
Signatures
-
Processes:
aFff.exenika.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" aFff.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" aFff.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" aFff.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" aFff.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" aFff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" nika.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection aFff.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
xriv.exemnolyk.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation xriv.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 7 IoCs
Processes:
bFfg.exeaFff.exenika.exexriv.exemnolyk.exemnolyk.exemnolyk.exepid process 4872 bFfg.exe 4884 aFff.exe 2820 nika.exe 2752 xriv.exe 4012 mnolyk.exe 3524 mnolyk.exe 1996 mnolyk.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3992 rundll32.exe -
Processes:
aFff.exenika.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features aFff.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" aFff.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" nika.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
file.exebFfg.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce bFfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" bFfg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4888 4884 WerFault.exe aFff.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
aFff.exenika.exepid process 4884 aFff.exe 4884 aFff.exe 2820 nika.exe 2820 nika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
aFff.exenika.exedescription pid process Token: SeDebugPrivilege 4884 aFff.exe Token: SeDebugPrivilege 2820 nika.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
file.exebFfg.exexriv.exemnolyk.execmd.exedescription pid process target process PID 4908 wrote to memory of 4872 4908 file.exe bFfg.exe PID 4908 wrote to memory of 4872 4908 file.exe bFfg.exe PID 4908 wrote to memory of 4872 4908 file.exe bFfg.exe PID 4872 wrote to memory of 4884 4872 bFfg.exe aFff.exe PID 4872 wrote to memory of 4884 4872 bFfg.exe aFff.exe PID 4872 wrote to memory of 4884 4872 bFfg.exe aFff.exe PID 4872 wrote to memory of 2820 4872 bFfg.exe nika.exe PID 4872 wrote to memory of 2820 4872 bFfg.exe nika.exe PID 4908 wrote to memory of 2752 4908 file.exe xriv.exe PID 4908 wrote to memory of 2752 4908 file.exe xriv.exe PID 4908 wrote to memory of 2752 4908 file.exe xriv.exe PID 2752 wrote to memory of 4012 2752 xriv.exe mnolyk.exe PID 2752 wrote to memory of 4012 2752 xriv.exe mnolyk.exe PID 2752 wrote to memory of 4012 2752 xriv.exe mnolyk.exe PID 4012 wrote to memory of 2856 4012 mnolyk.exe schtasks.exe PID 4012 wrote to memory of 2856 4012 mnolyk.exe schtasks.exe PID 4012 wrote to memory of 2856 4012 mnolyk.exe schtasks.exe PID 4012 wrote to memory of 2196 4012 mnolyk.exe cmd.exe PID 4012 wrote to memory of 2196 4012 mnolyk.exe cmd.exe PID 4012 wrote to memory of 2196 4012 mnolyk.exe cmd.exe PID 2196 wrote to memory of 1104 2196 cmd.exe cmd.exe PID 2196 wrote to memory of 1104 2196 cmd.exe cmd.exe PID 2196 wrote to memory of 1104 2196 cmd.exe cmd.exe PID 2196 wrote to memory of 2636 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 2636 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 2636 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 1756 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 1756 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 1756 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 4220 2196 cmd.exe cmd.exe PID 2196 wrote to memory of 4220 2196 cmd.exe cmd.exe PID 2196 wrote to memory of 4220 2196 cmd.exe cmd.exe PID 2196 wrote to memory of 4060 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 4060 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 4060 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 212 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 212 2196 cmd.exe cacls.exe PID 2196 wrote to memory of 212 2196 cmd.exe cacls.exe PID 4012 wrote to memory of 3992 4012 mnolyk.exe rundll32.exe PID 4012 wrote to memory of 3992 4012 mnolyk.exe rundll32.exe PID 4012 wrote to memory of 3992 4012 mnolyk.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bFfg.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bFfg.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aFff.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aFff.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 10804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4884 -ip 48841⤵
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeFilesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeFilesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeFilesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeFilesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bFfg.exeFilesize
387KB
MD5df2660410033792739d6daafafa93c99
SHA1afb8ff968ee383596916836da2f2e6e026d6a88d
SHA256b006c911bd5df416544f2518c67bc0da9198e7dd9f076ff02b722f94ea1cce65
SHA51261edbd5af6658adef540025f7162f26da82409e885746318a61ab5a51446e07168f3ffcfaa025c635c520231034e78d27c2b9f35b9e518816f8096ac4d5594a9
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bFfg.exeFilesize
387KB
MD5df2660410033792739d6daafafa93c99
SHA1afb8ff968ee383596916836da2f2e6e026d6a88d
SHA256b006c911bd5df416544f2518c67bc0da9198e7dd9f076ff02b722f94ea1cce65
SHA51261edbd5af6658adef540025f7162f26da82409e885746318a61ab5a51446e07168f3ffcfaa025c635c520231034e78d27c2b9f35b9e518816f8096ac4d5594a9
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exeFilesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exeFilesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aFff.exeFilesize
362KB
MD506cd36b877f459b5baa0861208528840
SHA15c795caabd2048789a396726983278fd62fdc5d1
SHA25694d4519180435f776f80cdfe95a41c174ed5d13f1689c555d5cb924f332dcf15
SHA512f6586b7224c0ec94bc38bdada26004030febababe51e8262418c0483abeda8df85acbfdeae6dff4ea983da258cbf37c943f3674d793efe28f1fe030b3c5a1225
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aFff.exeFilesize
362KB
MD506cd36b877f459b5baa0861208528840
SHA15c795caabd2048789a396726983278fd62fdc5d1
SHA25694d4519180435f776f80cdfe95a41c174ed5d13f1689c555d5cb924f332dcf15
SHA512f6586b7224c0ec94bc38bdada26004030febababe51e8262418c0483abeda8df85acbfdeae6dff4ea983da258cbf37c943f3674d793efe28f1fe030b3c5a1225
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
89KB
MD5c79b74d8fec5e7e2ba2f1789fd582a15
SHA178a1e5d99dbaccc5e07b125e1dfb280112cb3128
SHA256b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
SHA5120debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
89KB
MD5c79b74d8fec5e7e2ba2f1789fd582a15
SHA178a1e5d99dbaccc5e07b125e1dfb280112cb3128
SHA256b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
SHA5120debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba
-
memory/212-164-0x0000000000000000-mapping.dmp
-
memory/1104-159-0x0000000000000000-mapping.dmp
-
memory/1756-161-0x0000000000000000-mapping.dmp
-
memory/2196-158-0x0000000000000000-mapping.dmp
-
memory/2636-160-0x0000000000000000-mapping.dmp
-
memory/2752-151-0x0000000000000000-mapping.dmp
-
memory/2820-150-0x00007FF80F1C0000-0x00007FF80FC81000-memory.dmpFilesize
10.8MB
-
memory/2820-149-0x00007FF80F1C0000-0x00007FF80FC81000-memory.dmpFilesize
10.8MB
-
memory/2820-148-0x0000000000710000-0x000000000071A000-memory.dmpFilesize
40KB
-
memory/2820-145-0x0000000000000000-mapping.dmp
-
memory/2856-157-0x0000000000000000-mapping.dmp
-
memory/3992-166-0x0000000000000000-mapping.dmp
-
memory/4012-154-0x0000000000000000-mapping.dmp
-
memory/4060-163-0x0000000000000000-mapping.dmp
-
memory/4220-162-0x0000000000000000-mapping.dmp
-
memory/4872-132-0x0000000000000000-mapping.dmp
-
memory/4884-142-0x00000000007B4000-0x00000000007D4000-memory.dmpFilesize
128KB
-
memory/4884-143-0x00000000007B4000-0x00000000007D4000-memory.dmpFilesize
128KB
-
memory/4884-141-0x0000000004D20000-0x00000000052C4000-memory.dmpFilesize
5.6MB
-
memory/4884-140-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/4884-144-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/4884-139-0x0000000000590000-0x00000000005BD000-memory.dmpFilesize
180KB
-
memory/4884-138-0x00000000007B4000-0x00000000007D4000-memory.dmpFilesize
128KB
-
memory/4884-135-0x0000000000000000-mapping.dmp