Analysis
max time kernel: 139s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07/02/2023, 02:03
Static task: static1
Behavioral task: behavioral1
Sample: aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe
Resource: win10-20220901-en
General
Target: aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe
Size: 558KB
MD5: fc53f8da6891d6b39f7168dfcdc8ede9
SHA1: f63863d1e2f8a1921a9d24200640ea0e34b0460d
SHA256: aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e
SHA512: fc7de4b8fb9f8bae3e3557640a3f385c13f5fbe8f76e8755f9c5e3c16a10e156bb39dec47c4ca5f30cb8944e870378869838b5c26d6ce9b25fa31149e6ff3873
SSDEEP: 12288:hMrvy90tleIv44bKZfTxCeRsOUIdO8TPXD7sS:Kya4xCeRsOtOWES
Malware Config
Extracted
Family: amadey
Version: 3.66
C2: 62.204.41.4/Gol478Ns/index.php
Signatures
Modifies Windows Defender Real-time Protection settings 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | aVKf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | aVKf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | aVKf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | aVKf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | aVKf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | nika.exe
Executes dropped EXE 7 IoCs
pid | Process
3732 | bVKg.exe
4204 | aVKf.exe
4768 | nika.exe
4156 | xriv.exe
3932 | mnolyk.exe
5116 | mnolyk.exe
4780 | mnolyk.exe
Loads dropped DLL 1 IoCs
pid | Process
4188 | rundll32.exe
Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | aVKf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | nika.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | aVKf.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | bVKg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | bVKg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4648 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4204 | aVKf.exe
4204 | aVKf.exe
4768 | nika.exe
4768 | nika.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4204 | aVKf.exe
Token: SeDebugPrivilege | 4768 | nika.exe
Suspicious use of WriteProcessMemory 41 IoCs
description | pid | Process | procid_target
PID 2704 wrote to memory of 3732 | 2704 | aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe | 66
PID 2704 wrote to memory of 3732 | 2704 | aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe | 66
PID 2704 wrote to memory of 3732 | 2704 | aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe | 66
PID 3732 wrote to memory of 4204 | 3732 | bVKg.exe | 67
PID 3732 wrote to memory of 4204 | 3732 | bVKg.exe | 67
PID 3732 wrote to memory of 4204 | 3732 | bVKg.exe | 67
PID 3732 wrote to memory of 4768 | 3732 | bVKg.exe | 68
PID 3732 wrote to memory of 4768 | 3732 | bVKg.exe | 68
PID 2704 wrote to memory of 4156 | 2704 | aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe | 69
PID 2704 wrote to memory of 4156 | 2704 | aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe | 69
PID 2704 wrote to memory of 4156 | 2704 | aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe | 69
PID 4156 wrote to memory of 3932 | 4156 | xriv.exe | 70
PID 4156 wrote to memory of 3932 | 4156 | xriv.exe | 70
PID 4156 wrote to memory of 3932 | 4156 | xriv.exe | 70
PID 3932 wrote to memory of 4648 | 3932 | mnolyk.exe | 71
PID 3932 wrote to memory of 4648 | 3932 | mnolyk.exe | 71
PID 3932 wrote to memory of 4648 | 3932 | mnolyk.exe | 71
PID 3932 wrote to memory of 4308 | 3932 | mnolyk.exe | 72
PID 3932 wrote to memory of 4308 | 3932 | mnolyk.exe | 72
PID 3932 wrote to memory of 4308 | 3932 | mnolyk.exe | 72
PID 4308 wrote to memory of 1740 | 4308 | cmd.exe | 75
PID 4308 wrote to memory of 1740 | 4308 | cmd.exe | 75
PID 4308 wrote to memory of 1740 | 4308 | cmd.exe | 75
PID 4308 wrote to memory of 2152 | 4308 | cmd.exe | 76
PID 4308 wrote to memory of 2152 | 4308 | cmd.exe | 76
PID 4308 wrote to memory of 2152 | 4308 | cmd.exe | 76
PID 4308 wrote to memory of 3760 | 4308 | cmd.exe | 77
PID 4308 wrote to memory of 3760 | 4308 | cmd.exe | 77
PID 4308 wrote to memory of 3760 | 4308 | cmd.exe | 77
PID 4308 wrote to memory of 2072 | 4308 | cmd.exe | 78
PID 4308 wrote to memory of 2072 | 4308 | cmd.exe | 78
PID 4308 wrote to memory of 2072 | 4308 | cmd.exe | 78
PID 4308 wrote to memory of 3276 | 4308 | cmd.exe | 79
PID 4308 wrote to memory of 3276 | 4308 | cmd.exe | 79
PID 4308 wrote to memory of 3276 | 4308 | cmd.exe | 79
PID 4308 wrote to memory of 5092 | 4308 | cmd.exe | 80
PID 4308 wrote to memory of 5092 | 4308 | cmd.exe | 80
PID 4308 wrote to memory of 5092 | 4308 | cmd.exe | 80
PID 3932 wrote to memory of 4188 | 3932 | mnolyk.exe | 82
PID 3932 wrote to memory of 4188 | 3932 | mnolyk.exe | 82
PID 3932 wrote to memory of 4188 | 3932 | mnolyk.exe | 82
Processes

[1] C:\Users\Admin\AppData\Local\Temp\aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa50127fb98706509eaddec3ee18cea93b0b60ad5656c94ab1d436d9437e785e.exe"
    PID: 2704
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bVKg.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bVKg.exe
        PID: 3732
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aVKf.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aVKf.exe
            PID: 4204
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
            PID: 4768
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
        PID: 4156
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
            PID: 3932
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
                PID: 4648
                - Creates scheduled task(s)

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
                PID: 4308
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    PID: 1740

                [5] C:\Windows\SysWOW64\cacls.exe
                    Command line: CACLS "mnolyk.exe" /P "Admin:N"
                    PID: 2152

                [5] C:\Windows\SysWOW64\cacls.exe
                    Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
                    PID: 3760

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    PID: 2072

                [5] C:\Windows\SysWOW64\cacls.exe
                    Command line: CACLS "..\4b9a106e76" /P "Admin:N"
                    PID: 3276

                [5] C:\Windows\SysWOW64\cacls.exe
                    Command line: CACLS "..\4b9a106e76" /P "Admin:R" /E
                    PID: 5092

            [4] C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
                PID: 4188
                - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    PID: 5116
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    PID: 4780
    - Executes dropped EXE