Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
07/02/2023, 23:15
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
524KB
-
MD5
56261e0eec9cf06f0cec7be6dd273f76
-
SHA1
66cad4bbe85128af0d1c4dedad50861a523f4329
-
SHA256
b7120f670580add5d656f32ae0180c8dfd138ca9989403e649d5d642987cec6d
-
SHA512
7c98a2326b0766be552eb90a1a745571afefc5abcb1158c4ce25db8ebb0b0f8eb95a5a029e70d76eba5874119ea0ccb076276c2037f20cf65ae03162f69844bb
-
SSDEEP
12288:nMrOy90zV1m1TW3aOZK5CDlzo0yxz87Mv5ikj:ByIgTOZoCu0yxz87MxB
Malware Config
Extracted
amadey
3.66
62.204.41.4/Gol478Ns/index.php
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" aROf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" aROf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" nika.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection aROf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" aROf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" aROf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" aROf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection nika.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation xriv.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 7 IoCs
pid Process 3928 bkyg.exe 3408 aROf.exe 1876 nika.exe 1120 xriv.exe 3416 mnolyk.exe 552 mnolyk.exe 4180 mnolyk.exe -
Loads dropped DLL 1 IoCs
pid Process 3472 rundll32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" aROf.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" nika.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features aROf.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce bkyg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" bkyg.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5036 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4136 3408 WerFault.exe 81 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 832 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3408 aROf.exe 3408 aROf.exe 1876 nika.exe 1876 nika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3408 aROf.exe Token: SeDebugPrivilege 1876 nika.exe -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 4800 wrote to memory of 3928 4800 file.exe 80 PID 4800 wrote to memory of 3928 4800 file.exe 80 PID 4800 wrote to memory of 3928 4800 file.exe 80 PID 3928 wrote to memory of 3408 3928 bkyg.exe 81 PID 3928 wrote to memory of 3408 3928 bkyg.exe 81 PID 3928 wrote to memory of 3408 3928 bkyg.exe 81 PID 3928 wrote to memory of 1876 3928 bkyg.exe 87 PID 3928 wrote to memory of 1876 3928 bkyg.exe 87 PID 4800 wrote to memory of 1120 4800 file.exe 88 PID 4800 wrote to memory of 1120 4800 file.exe 88 PID 4800 wrote to memory of 1120 4800 file.exe 88 PID 1120 wrote to memory of 3416 1120 xriv.exe 89 PID 1120 wrote to memory of 3416 1120 xriv.exe 89 PID 1120 wrote to memory of 3416 1120 xriv.exe 89 PID 3416 wrote to memory of 832 3416 mnolyk.exe 90 PID 3416 wrote to memory of 832 3416 mnolyk.exe 90 PID 3416 wrote to memory of 832 3416 mnolyk.exe 90 PID 3416 wrote to memory of 3876 3416 mnolyk.exe 92 PID 3416 wrote to memory of 3876 3416 mnolyk.exe 92 PID 3416 wrote to memory of 3876 3416 mnolyk.exe 92 PID 3876 wrote to memory of 1312 3876 cmd.exe 94 PID 3876 wrote to memory of 1312 3876 cmd.exe 94 PID 3876 wrote to memory of 1312 3876 cmd.exe 94 PID 3876 wrote to memory of 896 3876 cmd.exe 95 PID 3876 wrote to memory of 896 3876 cmd.exe 95 PID 3876 wrote to memory of 896 3876 cmd.exe 95 PID 3876 wrote to memory of 3724 3876 cmd.exe 96 PID 3876 wrote to memory of 3724 3876 cmd.exe 96 PID 3876 wrote to memory of 3724 3876 cmd.exe 96 PID 3876 wrote to memory of 3232 3876 cmd.exe 97 PID 3876 wrote to memory of 3232 3876 cmd.exe 97 PID 3876 wrote to memory of 3232 3876 cmd.exe 97 PID 3876 wrote to memory of 3056 3876 cmd.exe 98 PID 3876 wrote to memory of 3056 3876 cmd.exe 98 PID 3876 wrote to memory of 3056 3876 cmd.exe 98 PID 3876 wrote to memory of 1584 3876 cmd.exe 99 PID 3876 wrote to memory of 1584 3876 cmd.exe 99 PID 3876 wrote to memory of 1584 3876 cmd.exe 99 PID 3416 wrote to memory of 3472 3416 mnolyk.exe 106 PID 3416 wrote to memory of 3472 3416 mnolyk.exe 106 PID 3416 wrote to memory of 3472 3416 mnolyk.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bkyg.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bkyg.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aROf.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aROf.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 10724⤵
- Program crash
PID:4136
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
PID:832
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1312
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵PID:896
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵PID:3724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:3232
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:N"5⤵PID:3056
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:R" /E5⤵PID:1584
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main4⤵
- Loads dropped DLL
PID:3472
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3408 -ip 34081⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
PID:552
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
PID:4180
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:5036
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
338KB
MD5c7bda00bc1c76bf74c91eaa1170da84b
SHA1c8bd38031da22e7ecbe98aad1c2b86b0b15a9c7f
SHA2560d70445e9ef5aa1be4187bde8b373a70c8cc3b9c3079a4d9fe5d748b6ba2e387
SHA512ab03d295f666e7fade9c0cecd0dc3c31a132462611faf8ff5b0d43c7832122e10e6f78b99869290c2359cfcc762e92c9ad3279510f843395dc43aef57b5cff49
-
Filesize
338KB
MD5c7bda00bc1c76bf74c91eaa1170da84b
SHA1c8bd38031da22e7ecbe98aad1c2b86b0b15a9c7f
SHA2560d70445e9ef5aa1be4187bde8b373a70c8cc3b9c3079a4d9fe5d748b6ba2e387
SHA512ab03d295f666e7fade9c0cecd0dc3c31a132462611faf8ff5b0d43c7832122e10e6f78b99869290c2359cfcc762e92c9ad3279510f843395dc43aef57b5cff49
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
245KB
MD58f5badcff5388fa6ec775cb03bdfcac7
SHA18362c0609300df2fc67ae3c83a77f4e91ef57889
SHA25670b145fc517c040de5ba500f288869c2bbf5778122283286de4dd8c5e51ee473
SHA51200612a21f131460669f7f1714fcebd4f911ab19bf5f8162e239cc5cb79c396bda30fe960dc3967be33afb951ae17582490a36d096b251e9149a54669512224ee
-
Filesize
245KB
MD58f5badcff5388fa6ec775cb03bdfcac7
SHA18362c0609300df2fc67ae3c83a77f4e91ef57889
SHA25670b145fc517c040de5ba500f288869c2bbf5778122283286de4dd8c5e51ee473
SHA51200612a21f131460669f7f1714fcebd4f911ab19bf5f8162e239cc5cb79c396bda30fe960dc3967be33afb951ae17582490a36d096b251e9149a54669512224ee
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
89KB
MD5c79b74d8fec5e7e2ba2f1789fd582a15
SHA178a1e5d99dbaccc5e07b125e1dfb280112cb3128
SHA256b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
SHA5120debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba
-
Filesize
89KB
MD5c79b74d8fec5e7e2ba2f1789fd582a15
SHA178a1e5d99dbaccc5e07b125e1dfb280112cb3128
SHA256b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
SHA5120debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba