Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
09/02/2023, 13:49
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
General
-
Target
file.exe
-
Size
526KB
-
MD5
f1d9bd1d8f4c2932a917233165c8bde9
-
SHA1
a6488817ce9a198155a83f8a0d0b3c699cbcae70
-
SHA256
680519f8a1fb07b0c5d9e7479b69814522c8018281db3782cdbc53c68730e4c0
-
SHA512
1819ae0df65e46d1ed561e6ed48507996201206ac4a38ef1b5bdfba1f8194833a4b26ddf74c351e8c5c176b16a8119a05115de7a7beab844fe65ea05cc267eb2
-
SSDEEP
12288:wMrcy90P0TAOg0Z6sLmxyLYbWmhHe7FVNFF7r9j+XT:8yDZ+syCYbWmH0FJOD
Malware Config
Extracted
amadey
3.66
62.204.41.4/Gol478Ns/index.php
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" aAxl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" aAxl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" aAxl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" nika.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection aAxl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" aAxl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" aAxl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection nika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" nika.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation xriv.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 6 IoCs
pid Process 4092 bAxg.exe 3996 aAxl.exe 3508 nika.exe 2160 xriv.exe 404 mnolyk.exe 2652 mnolyk.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features aAxl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" aAxl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" nika.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce bAxg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" bAxg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3640 3996 WerFault.exe 81 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3576 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3996 aAxl.exe 3996 aAxl.exe 3508 nika.exe 3508 nika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3996 aAxl.exe Token: SeDebugPrivilege 3508 nika.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4180 wrote to memory of 4092 4180 file.exe 80 PID 4180 wrote to memory of 4092 4180 file.exe 80 PID 4180 wrote to memory of 4092 4180 file.exe 80 PID 4092 wrote to memory of 3996 4092 bAxg.exe 81 PID 4092 wrote to memory of 3996 4092 bAxg.exe 81 PID 4092 wrote to memory of 3996 4092 bAxg.exe 81 PID 4092 wrote to memory of 3508 4092 bAxg.exe 87 PID 4092 wrote to memory of 3508 4092 bAxg.exe 87 PID 4180 wrote to memory of 2160 4180 file.exe 88 PID 4180 wrote to memory of 2160 4180 file.exe 88 PID 4180 wrote to memory of 2160 4180 file.exe 88 PID 2160 wrote to memory of 404 2160 xriv.exe 89 PID 2160 wrote to memory of 404 2160 xriv.exe 89 PID 2160 wrote to memory of 404 2160 xriv.exe 89 PID 404 wrote to memory of 3576 404 mnolyk.exe 90 PID 404 wrote to memory of 3576 404 mnolyk.exe 90 PID 404 wrote to memory of 3576 404 mnolyk.exe 90 PID 404 wrote to memory of 4472 404 mnolyk.exe 92 PID 404 wrote to memory of 4472 404 mnolyk.exe 92 PID 404 wrote to memory of 4472 404 mnolyk.exe 92 PID 4472 wrote to memory of 1156 4472 cmd.exe 94 PID 4472 wrote to memory of 1156 4472 cmd.exe 94 PID 4472 wrote to memory of 1156 4472 cmd.exe 94 PID 4472 wrote to memory of 3292 4472 cmd.exe 95 PID 4472 wrote to memory of 3292 4472 cmd.exe 95 PID 4472 wrote to memory of 3292 4472 cmd.exe 95 PID 4472 wrote to memory of 2268 4472 cmd.exe 96 PID 4472 wrote to memory of 2268 4472 cmd.exe 96 PID 4472 wrote to memory of 2268 4472 cmd.exe 96 PID 4472 wrote to memory of 4232 4472 cmd.exe 97 PID 4472 wrote to memory of 4232 4472 cmd.exe 97 PID 4472 wrote to memory of 4232 4472 cmd.exe 97 PID 4472 wrote to memory of 3380 4472 cmd.exe 98 PID 4472 wrote to memory of 3380 4472 cmd.exe 98 PID 4472 wrote to memory of 3380 4472 cmd.exe 98 PID 4472 wrote to memory of 3132 4472 cmd.exe 99 PID 4472 wrote to memory of 3132 4472 cmd.exe 99 PID 4472 wrote to memory of 3132 4472 cmd.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4180 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAxg.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAxg.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAxl.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAxl.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3996 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 10804⤵
- Program crash
PID:3640
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
PID:3576
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1156
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵PID:3292
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵PID:2268
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4232
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:N"5⤵PID:3380
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\4b9a106e76" /P "Admin:R" /E5⤵PID:3132
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3996 -ip 39961⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe1⤵
- Executes dropped EXE
PID:2652
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
339KB
MD565f177cff95dab6d02895eb2f0d2fc69
SHA174f99bc2c61de46084ab1956a940e00a71252529
SHA2567fd1535c5db6789902c632c15ffa2fbb24aa188bf99d88dab816fb41d8009a23
SHA512bdece4c32b61360e8b5a0e5faf45e98ac5076e2c71873472664eebacb99c673ad076257e022810727c79a632e67095df7ea828bd7a01d27c5172d43ea381239e
-
Filesize
339KB
MD565f177cff95dab6d02895eb2f0d2fc69
SHA174f99bc2c61de46084ab1956a940e00a71252529
SHA2567fd1535c5db6789902c632c15ffa2fbb24aa188bf99d88dab816fb41d8009a23
SHA512bdece4c32b61360e8b5a0e5faf45e98ac5076e2c71873472664eebacb99c673ad076257e022810727c79a632e67095df7ea828bd7a01d27c5172d43ea381239e
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
236KB
MD58bb923c4d81284daef7896e5682df6c6
SHA167e34a96b77e44b666c5479f540995bdeacf5de2
SHA2569b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
SHA5122daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
-
Filesize
261KB
MD593f60e9827c5e8f115d0c9696f49514f
SHA1445aa14face5e4e7a55eb828562e86fcbf7c66ad
SHA256f49c5ce742a6680dd2a996b945640e70fd85307cc3f884f66b4497db3cf23578
SHA51296d222cdadc156b1c0412cd4f1d7639e0c7db6609df9501080706fb885960982aeb12293c32c5d87f808934b50e09235c7a59222296accca58a70e9490c610aa
-
Filesize
261KB
MD593f60e9827c5e8f115d0c9696f49514f
SHA1445aa14face5e4e7a55eb828562e86fcbf7c66ad
SHA256f49c5ce742a6680dd2a996b945640e70fd85307cc3f884f66b4497db3cf23578
SHA51296d222cdadc156b1c0412cd4f1d7639e0c7db6609df9501080706fb885960982aeb12293c32c5d87f808934b50e09235c7a59222296accca58a70e9490c610aa
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91