Analysis
max time kernel: 116s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/02/2023, 19:12
Static task: static1
Behavioral task: behavioral1
Sample: 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe
Resource: win10v2004-20220812-en
General
Target: 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe
Size: 524KB
MD5: 35097f5a7e8b691be78488834a9631d9
SHA1: bb01038b8ac5c1e84cbfb25eccece96e75384628
SHA256: 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41
SHA512: 7cea68d082669311dd6efab23c2c7454830b5a1c52617ba062fb0a24c700a3a95cbc63902a39ee4bf1acf2c41d69d76881e60bebb16a5664322c7a74f1b1b005
SSDEEP: 12288:AMrfy90pIx/GNdpjteZGjFIbRYOVtRszZ9VKSZ3:PyMXLpglbRftRsd9zZ3
Malware Config
Extracted
Family: amadey
Version: 3.66
C2: 62.204.41.5/Bu58Ngs/index.php
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | abDx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | abDx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | abDx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mika.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | abDx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | abDx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | abDx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mika.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | vona.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | mnolyk.exe
Executes dropped EXE 7 IoCs
pid | Process
4116 | cbDn.exe
1168 | abDx.exe
1512 | mika.exe
4424 | vona.exe
2392 | mnolyk.exe
2116 | mnolyk.exe
2012 | mnolyk.exe
Loads dropped DLL 1 IoCs
pid | Process
2612 | rundll32.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | abDx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | abDx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | mika.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | cbDn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | cbDn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3716 | 1168 | WerFault.exe | 81
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3532 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1168 | abDx.exe
1168 | abDx.exe
1512 | mika.exe
1512 | mika.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1168 | abDx.exe
Token: SeDebugPrivilege | 1512 | mika.exe
Suspicious use of WriteProcessMemory 41 IoCs
description | pid | Process | procid_target
PID 4660 wrote to memory of 4116 | 4660 | 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe | 80
PID 4660 wrote to memory of 4116 | 4660 | 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe | 80
PID 4660 wrote to memory of 4116 | 4660 | 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe | 80
PID 4116 wrote to memory of 1168 | 4116 | cbDn.exe | 81
PID 4116 wrote to memory of 1168 | 4116 | cbDn.exe | 81
PID 4116 wrote to memory of 1168 | 4116 | cbDn.exe | 81
PID 4116 wrote to memory of 1512 | 4116 | cbDn.exe | 88
PID 4116 wrote to memory of 1512 | 4116 | cbDn.exe | 88
PID 4660 wrote to memory of 4424 | 4660 | 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe | 92
PID 4660 wrote to memory of 4424 | 4660 | 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe | 92
PID 4660 wrote to memory of 4424 | 4660 | 3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe | 92
PID 4424 wrote to memory of 2392 | 4424 | vona.exe | 93
PID 4424 wrote to memory of 2392 | 4424 | vona.exe | 93
PID 4424 wrote to memory of 2392 | 4424 | vona.exe | 93
PID 2392 wrote to memory of 3532 | 2392 | mnolyk.exe | 94
PID 2392 wrote to memory of 3532 | 2392 | mnolyk.exe | 94
PID 2392 wrote to memory of 3532 | 2392 | mnolyk.exe | 94
PID 2392 wrote to memory of 1236 | 2392 | mnolyk.exe | 96
PID 2392 wrote to memory of 1236 | 2392 | mnolyk.exe | 96
PID 2392 wrote to memory of 1236 | 2392 | mnolyk.exe | 96
PID 1236 wrote to memory of 1988 | 1236 | cmd.exe | 98
PID 1236 wrote to memory of 1988 | 1236 | cmd.exe | 98
PID 1236 wrote to memory of 1988 | 1236 | cmd.exe | 98
PID 1236 wrote to memory of 3668 | 1236 | cmd.exe | 99
PID 1236 wrote to memory of 3668 | 1236 | cmd.exe | 99
PID 1236 wrote to memory of 3668 | 1236 | cmd.exe | 99
PID 1236 wrote to memory of 2504 | 1236 | cmd.exe | 100
PID 1236 wrote to memory of 2504 | 1236 | cmd.exe | 100
PID 1236 wrote to memory of 2504 | 1236 | cmd.exe | 100
PID 1236 wrote to memory of 5016 | 1236 | cmd.exe | 101
PID 1236 wrote to memory of 5016 | 1236 | cmd.exe | 101
PID 1236 wrote to memory of 5016 | 1236 | cmd.exe | 101
PID 1236 wrote to memory of 4984 | 1236 | cmd.exe | 102
PID 1236 wrote to memory of 4984 | 1236 | cmd.exe | 102
PID 1236 wrote to memory of 4984 | 1236 | cmd.exe | 102
PID 1236 wrote to memory of 4944 | 1236 | cmd.exe | 103
PID 1236 wrote to memory of 4944 | 1236 | cmd.exe | 103
PID 1236 wrote to memory of 4944 | 1236 | cmd.exe | 103
PID 2392 wrote to memory of 2612 | 2392 | mnolyk.exe | 106
PID 2392 wrote to memory of 2612 | 2392 | mnolyk.exe | 106
PID 2392 wrote to memory of 2612 | 2392 | mnolyk.exe | 106
Processes
(depth in parentheses; child processes are indented under their parent)

(1) C:\Users\Admin\AppData\Local\Temp\3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3ba5afa8c35407b95d4273e16cdf492233c888d37a295e00877f59c077829b41.exe"
    PID: 4660
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    (2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cbDn.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cbDn.exe
        PID: 4116
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        (3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\abDx.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\abDx.exe
            PID: 1168
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            (4) C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1088
                PID: 3716
                - Program crash

        (3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
            PID: 1512
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    (2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
        PID: 4424
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        (3) C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
            PID: 2392
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            (4) C:\Windows\SysWOW64\schtasks.exe
                Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
                PID: 3532
                - Creates scheduled task(s)

            (4) C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
                PID: 1236
                - Suspicious use of WriteProcessMemory

                (5) C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    PID: 1988

                (5) C:\Windows\SysWOW64\cacls.exe
                    Command line: CACLS "mnolyk.exe" /P "Admin:N"
                    PID: 3668

                (5) C:\Windows\SysWOW64\cacls.exe
                    Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
                    PID: 2504

                (5) C:\Windows\SysWOW64\cmd.exe
                    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    PID: 5016

                (5) C:\Windows\SysWOW64\cacls.exe
                    Command line: CACLS "..\5eb6b96734" /P "Admin:N"
                    PID: 4984

                (5) C:\Windows\SysWOW64\cacls.exe
                    Command line: CACLS "..\5eb6b96734" /P "Admin:R" /E
                    PID: 4944

            (4) C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                PID: 2612
                - Loads dropped DLL

(1) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1168 -ip 1168
    PID: 3764

(1) C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    PID: 2116
    - Executes dropped EXE

(1) C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    PID: 2012
    - Executes dropped EXE
Downloads

Filesize: 236KB
MD5: fde8915d251fada3a37530421eb29dcf
SHA1: 44386a8947ddfab993409945dae05a772a13e047
SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512: ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Filesize: 236KB
MD5: fde8915d251fada3a37530421eb29dcf
SHA1: 44386a8947ddfab993409945dae05a772a13e047
SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512: ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Filesize: 236KB
MD5: fde8915d251fada3a37530421eb29dcf
SHA1: 44386a8947ddfab993409945dae05a772a13e047
SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512: ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Filesize: 236KB
MD5: fde8915d251fada3a37530421eb29dcf
SHA1: 44386a8947ddfab993409945dae05a772a13e047
SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512: ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Filesize: 338KB
MD5: 1acdb395303c81ce23bdff978d5e91ff
SHA1: fea452dfae885cc4703201d582ad820b5e01a755
SHA256: 76c74c45c26f8a4a7d76e40d84608d6927d790f5b04499f327550674e93243bd
SHA512: 31cc7cb0e746b2e20a1049eccd633b1ad2a80353b88c02df5a1063d6130eac7a6fb446cc1fecb2be396e0a77c9939f8b917e4d6d95401c267e03802f058fca6e

Filesize: 338KB
MD5: 1acdb395303c81ce23bdff978d5e91ff
SHA1: fea452dfae885cc4703201d582ad820b5e01a755
SHA256: 76c74c45c26f8a4a7d76e40d84608d6927d790f5b04499f327550674e93243bd
SHA512: 31cc7cb0e746b2e20a1049eccd633b1ad2a80353b88c02df5a1063d6130eac7a6fb446cc1fecb2be396e0a77c9939f8b917e4d6d95401c267e03802f058fca6e

Filesize: 236KB
MD5: fde8915d251fada3a37530421eb29dcf
SHA1: 44386a8947ddfab993409945dae05a772a13e047
SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512: ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Filesize: 236KB
MD5: fde8915d251fada3a37530421eb29dcf
SHA1: 44386a8947ddfab993409945dae05a772a13e047
SHA256: 6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512: ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

Filesize: 245KB
MD5: 6e870598039cce621c7bb265ac99bb3f
SHA1: 708eacdfec2ded675d36c1eb3ea628797a366e10
SHA256: 70c16c54b87bf8d2f57b36c26064e8e03d6f80ceb82254e556be847a15caea95
SHA512: 6200818c2ca60b10f14dad31a55d4a89f51e0682f7459764608fd96e57663247f0daacf8c773501077ad47d5badd12e6829e5cfd65593366011bd1b4326117a4

Filesize: 245KB
MD5: 6e870598039cce621c7bb265ac99bb3f
SHA1: 708eacdfec2ded675d36c1eb3ea628797a366e10
SHA256: 70c16c54b87bf8d2f57b36c26064e8e03d6f80ceb82254e556be847a15caea95
SHA512: 6200818c2ca60b10f14dad31a55d4a89f51e0682f7459764608fd96e57663247f0daacf8c773501077ad47d5badd12e6829e5cfd65593366011bd1b4326117a4

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 89KB
MD5: 9221a421a3e777eb7d4ce55e474bcc4a
SHA1: c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA256: 10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA512: 63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3

Filesize: 89KB
MD5: 9221a421a3e777eb7d4ce55e474bcc4a
SHA1: c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA256: 10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA512: 63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3