Analysis
max time kernel: 148s
max time network: 143s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08/02/2023, 14:50
Static task: static1
Behavioral task: behavioral1
Sample: a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
Resource: win10-20220812-en
General
Target: a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
Size: 567KB
MD5: acb7186c421bf69e5bea05489020bd80
SHA1: 3b967e911a1c8a22440843d0e09c9b4882029c06
SHA256: a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90
SHA512: 44174868966271bef1f36fbbde672026e95d4873776c6aec80f0a9a4a2c7332a303634697c1c579e05854a819ef2b3e2f224e7ee90d5bf8c6b0a964f5c57f966
SSDEEP: 12288:6Mrwy907uAkg7AOVbagUHC0qo36ZZmCRBFzyd:Sy6k0AORagEqo36yu+d
Malware Config
Extracted
Family: amadey
Version: 3.66
C2: 62.204.41.4/Gol478Ns/index.php
Signatures

Modifies Windows Defender Real-time Protection settings 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | alBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | alBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | nika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | alBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | alBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | alBf.exe

Executes dropped EXE 7 IoCs
pid | Process
3380 | blBg.exe
5088 | alBf.exe
3608 | nika.exe
5072 | xriv.exe
5008 | mnolyk.exe
2264 | mnolyk.exe
4956 | mnolyk.exe

Loads dropped DLL 1 IoCs
pid | Process
4748 | rundll32.exe

Windows security modification 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | alBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | alBf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | nika.exe

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | blBg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | blBg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4448 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
5088 | alBf.exe
5088 | alBf.exe
3608 | nika.exe
3608 | nika.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5088 | alBf.exe
Token: SeDebugPrivilege | 3608 | nika.exe

Suspicious use of WriteProcessMemory 41 IoCs
description | pid | Process | procid_target
PID 2620 wrote to memory of 3380 | 2620 | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe | 67
PID 2620 wrote to memory of 3380 | 2620 | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe | 67
PID 2620 wrote to memory of 3380 | 2620 | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe | 67
PID 3380 wrote to memory of 5088 | 3380 | blBg.exe | 66
PID 3380 wrote to memory of 5088 | 3380 | blBg.exe | 66
PID 3380 wrote to memory of 5088 | 3380 | blBg.exe | 66
PID 3380 wrote to memory of 3608 | 3380 | blBg.exe | 68
PID 3380 wrote to memory of 3608 | 3380 | blBg.exe | 68
PID 2620 wrote to memory of 5072 | 2620 | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe | 69
PID 2620 wrote to memory of 5072 | 2620 | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe | 69
PID 2620 wrote to memory of 5072 | 2620 | a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe | 69
PID 5072 wrote to memory of 5008 | 5072 | xriv.exe | 70
PID 5072 wrote to memory of 5008 | 5072 | xriv.exe | 70
PID 5072 wrote to memory of 5008 | 5072 | xriv.exe | 70
PID 5008 wrote to memory of 4448 | 5008 | mnolyk.exe | 71
PID 5008 wrote to memory of 4448 | 5008 | mnolyk.exe | 71
PID 5008 wrote to memory of 4448 | 5008 | mnolyk.exe | 71
PID 5008 wrote to memory of 648 | 5008 | mnolyk.exe | 72
PID 5008 wrote to memory of 648 | 5008 | mnolyk.exe | 72
PID 5008 wrote to memory of 648 | 5008 | mnolyk.exe | 72
PID 648 wrote to memory of 224 | 648 | cmd.exe | 75
PID 648 wrote to memory of 224 | 648 | cmd.exe | 75
PID 648 wrote to memory of 224 | 648 | cmd.exe | 75
PID 648 wrote to memory of 3300 | 648 | cmd.exe | 76
PID 648 wrote to memory of 3300 | 648 | cmd.exe | 76
PID 648 wrote to memory of 3300 | 648 | cmd.exe | 76
PID 648 wrote to memory of 2660 | 648 | cmd.exe | 77
PID 648 wrote to memory of 2660 | 648 | cmd.exe | 77
PID 648 wrote to memory of 2660 | 648 | cmd.exe | 77
PID 648 wrote to memory of 1400 | 648 | cmd.exe | 78
PID 648 wrote to memory of 1400 | 648 | cmd.exe | 78
PID 648 wrote to memory of 1400 | 648 | cmd.exe | 78
PID 648 wrote to memory of 3316 | 648 | cmd.exe | 79
PID 648 wrote to memory of 3316 | 648 | cmd.exe | 79
PID 648 wrote to memory of 3316 | 648 | cmd.exe | 79
PID 648 wrote to memory of 4504 | 648 | cmd.exe | 80
PID 648 wrote to memory of 4504 | 648 | cmd.exe | 80
PID 648 wrote to memory of 4504 | 648 | cmd.exe | 80
PID 5008 wrote to memory of 4748 | 5008 | mnolyk.exe | 81
PID 5008 wrote to memory of 4748 | 5008 | mnolyk.exe | 81
PID 5008 wrote to memory of 4748 | 5008 | mnolyk.exe | 81
Processes
(each process is listed as image path, command line and PID; indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a41109209031442397e78b8a5b9fd72b4fc9a8a3112e4248a3037dd23da08e90.exe"
  PID: 2620
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\blBg.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\blBg.exe
      PID: 3380
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
          PID: 3608
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
      PID: 5072
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
          PID: 5008
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
              PID: 4448
              - Creates scheduled task(s)

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
              PID: 648
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 224

                C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "mnolyk.exe" /P "Admin:N"
                  PID: 3300

                C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
                  PID: 2660

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 1400

                C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\4b9a106e76" /P "Admin:N"
                  PID: 3316

                C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\4b9a106e76" /P "Admin:R" /E
                  PID: 4504

            C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
              PID: 4748
              - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\alBf.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\alBf.exe
  PID: 5088
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  PID: 2264
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  PID: 4956
  - Executes dropped EXE