Analysis

max time kernel: 103s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/02/2023, 01:42
Static task: static1

Behavioral task: behavioral1
Sample: 00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe
Resource: win10v2004-20220901-en
General

Target: 00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe
Size: 523KB
MD5: ab579f97eb8b15e47d0989e7d039eb19
SHA1: e26f4af24520b7c2acc2dbe75bc5acfbe9fc0439
SHA256: 00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840
SHA512: e40aa44669dbbc009b7e962b6e379aa7a09bc3246fcb07f73f253fba7bdf6500c2429843aef227fa00834bedcf68aa3a98e4ebc2a604550cab112b7ee2cfb243
SSDEEP: 12288:JMrPy90jhF4kq+8LVjantUDbCBIl6bF+Viz6DnYpEvWbvs/EzlqermwLW:qyUh5zuVj+WHCihiUnYtYEtBLW
Malware Config

Extracted
Family: amadey
Version: 3.66
C2: 62.204.41.4/Gol478Ns/index.php
Signatures

Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | aGC10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | aGC10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | aGC10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | aGC10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | aGC10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | aGC10.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | nMC20.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | nMC20.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | nMC20.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | nMC20.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | nMC20.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | nMC20.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | vMJ21.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | mnolyk.exe
Executes dropped EXE 7 IoCs
pid | Process
3064 | bQP32.exe
4852 | aGC10.exe
3924 | nMC20.exe
2348 | vMJ21.exe
1700 | mnolyk.exe
2788 | mnolyk.exe
5076 | mnolyk.exe

Loads dropped DLL 1 IoCs
pid | Process
1084 | rundll32.exe
Windows security modification 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | aGC10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | aGC10.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | nMC20.exe
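The two Defender tables above show one pattern written twice: aGC10.exe (32-bit, so its writes land under WOW6432Node) and nMC20.exe (native view) each set the same five Real-Time Protection policy values to 1 and TamperProtection to 0. The Python below is an added example, not tria.ge code: it classifies registry-write events against exactly that pattern, folds the two registry views together, and counts how many distinct protections each process tried to switch off. The RegEvent shape and the sample events are constructed from the report's tables; the benign svchost.exe and MsMpEng.exe events and the value name ExampleUnrelatedValue are invented.

```python
"""Flag registry writes that switch Microsoft Defender off.

Added example for this report, not tria.ge code.  The event shape
(process, path, value) and the sample events are constructed here to
mirror the report's two Defender IoC tables; nothing below is a tria.ge
or Sysmon schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Real-Time Protection policy values that disable a component when set to 1.
DISABLE_FLAGS = {
    "disablerealtimemonitoring",
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablescanonrealtimeenable",
}

# Accept both the native and the WOW6432Node (32-bit redirected) views,
# since the report shows one 32-bit and one native dropper writing each.
RTP_POLICY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(WOW6432Node\\)?Policies\\Microsoft\\"
    r"Windows Defender\\Real-Time Protection\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
TAMPER = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\"
    r"Windows Defender\\Features\\TamperProtection$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RegEvent:
    process: str
    path: str
    value: int


@dataclass(frozen=True)
class Finding:
    process: str
    setting: str
    wow64: bool


def classify(ev):
    """Return a Finding if this write weakens Defender, else None."""
    m = RTP_POLICY.match(ev.path)
    if m and m.group("name").lower() in DISABLE_FLAGS and ev.value == 1:
        return Finding(ev.process, m.group("name"), bool(m.group(1)))
    m = TAMPER.match(ev.path)
    if m and ev.value == 0:
        return Finding(ev.process, "TamperProtection", bool(m.group(1)))
    return None


def scan(events):
    return [f for f in map(classify, events) if f is not None]


def per_process(events):
    """Number of distinct Defender settings each process tried to turn off."""
    seen = defaultdict(set)
    for f in scan(events):
        seen[f.process].add(f.setting)
    return {p: len(s) for p, s in seen.items()}


# --- constructed sample events, copied from the report's IoC tables --------
_RTP = r"\REGISTRY\MACHINE\SOFTWARE\{hive}Policies\Microsoft\Windows Defender\Real-Time Protection\{name}"
_FEAT = r"\REGISTRY\MACHINE\SOFTWARE\{hive}Microsoft\Windows Defender\Features\TamperProtection"


def _dropper_writes(process, hive):
    names = ("DisableOnAccessProtection", "DisableRealtimeMonitoring",
             "DisableBehaviorMonitoring", "DisableIOAVProtection",
             "DisableScanOnRealtimeEnable")
    evs = [RegEvent(process, _RTP.format(hive=hive, name=n), 1) for n in names]
    evs.append(RegEvent(process, _FEAT.format(hive=hive), 0))
    return evs


SAMPLE_EVENTS = (
    _dropper_writes("aGC10.exe", "WOW6432Node\\")   # 32-bit view, as in the report
    + _dropper_writes("nMC20.exe", "")              # native view, as in the report
    + [   # constructed benign noise: re-enabling RTP, and an invented unrelated value
        RegEvent("svchost.exe", _RTP.format(hive="", name="DisableRealtimeMonitoring"), 0),
        RegEvent("MsMpEng.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\ExampleUnrelatedValue", 1),
    ]
)

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process:<10} {f.setting:<28} wow64={f.wow64}")
    print(per_process(SAMPLE_EVENTS))   # {'aGC10.exe': 6, 'nMC20.exe': 6}
```

The sandbox records the attempted write, not its effect. Tamper Protection exists to stop precisely these registry changes from taking hold, so on a managed host the attempt by an unsigned binary running out of %TEMP% is the signal to alert on, regardless of whether Defender actually ended up disabled; a threshold on per_process (two or more settings from one process) keeps a single legitimate policy write from firing the rule.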
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | bQP32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | bQP32.exe
Note: wextract_cleanupN RunOnce values pointing at advpack.dll,DelNodeRunDLL32 are what a WEXTRACT/IExpress self-extracting package writes so that its IXPnnn.TMP directory is deleted at the next logon. Here they indicate two nested self-extractors (the outer sample and bQP32.exe), not persistence of the payload; the payload's persistence is the scheduled task below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: that description is the signature's generic text. The extracted config identifies the sample as an Amadey loader, so the ransomware attribution should not be taken from this signature alone.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2180 | 4852 | WerFault.exe | 40
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3556 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4852 | aGC10.exe
4852 | aGC10.exe
3924 | nMC20.exe
3924 | nMC20.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4852 | aGC10.exe
Token: SeDebugPrivilege | 3924 | nMC20.exe

Suspicious use of WriteProcessMemory 41 IoCs
(each "PID X wrote to memory of Y" entry is repeated in the log; the entries column gives the repeat count)
pid | Process | wrote to memory of | procid_target | entries
4884 | 00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe | 3064 | 39 | 3
4884 | 00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe | 2348 | 93 | 3
3064 | bQP32.exe | 4852 | 40 | 3
3064 | bQP32.exe | 3924 | 91 | 2
2348 | vMJ21.exe | 1700 | 94 | 3
1700 | mnolyk.exe | 3556 | 95 | 3
1700 | mnolyk.exe | 4100 | 97 | 3
1700 | mnolyk.exe | 1084 | 106 | 3
4100 | cmd.exe | 1948 | 99 | 3
4100 | cmd.exe | 3108 | 100 | 3
4100 | cmd.exe | 788 | 101 | 3
4100 | cmd.exe | 4992 | 102 | 3
4100 | cmd.exe | 3196 | 103 | 3
4100 | cmd.exe | 4300 | 104 | 3
Processes

- C:\Users\Admin\AppData\Local\Temp\00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe (PID 4884)
  command line: "C:\Users\Admin\AppData\Local\Temp\00fb3bed3fd8fd8ea2b0963d6216575ffd85ef471b20b3242f21bd8c4f43b840.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bQP32.exe (PID 3064)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bQP32.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aGC10.exe (PID 4852)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aGC10.exe
      signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (PID 2180)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1040
        signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nMC20.exe (PID 3924)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nMC20.exe
      signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMJ21.exe (PID 2348)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vMJ21.exe
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe (PID 1700)
      command line: "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 3556)
        command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
        signatures: Creates scheduled task(s)
      - C:\Windows\SysWOW64\cmd.exe (PID 4100)
        command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 1948)
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        - C:\Windows\SysWOW64\cacls.exe (PID 3108)
          command line: CACLS "mnolyk.exe" /P "Admin:N"
        - C:\Windows\SysWOW64\cacls.exe (PID 788)
          command line: CACLS "mnolyk.exe" /P "Admin:R" /E
        - C:\Windows\SysWOW64\cmd.exe (PID 4992)
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        - C:\Windows\SysWOW64\cacls.exe (PID 3196)
          command line: CACLS "..\4b9a106e76" /P "Admin:N"
        - C:\Windows\SysWOW64\cacls.exe (PID 4300)
          command line: CACLS "..\4b9a106e76" /P "Admin:R" /E
      - C:\Windows\SysWOW64\rundll32.exe (PID 1084)
        command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        signatures: Loads dropped DLL
- C:\Windows\SysWOW64\WerFault.exe (PID 4152)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4852 -ip 4852
- C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe (PID 2788)
  command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe (PID 5076)
  command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
  signatures: Executes dropped EXE
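mnolyk.exe (PID 1700) performs the three steps that make up the persistence stage. schtasks creates a task named mnolyk.exe that reruns the copy in %TEMP%\4b9a106e76 every minute (/SC MINUTE /MO 1 /F); the two mnolyk.exe instances at the root of the tree (PIDs 2788 and 5076) are that task firing during the run. cmd.exe then runs cacls twice per object: `echo Y|CACLS mnolyk.exe /P Admin:N` replaces the file's whole ACL (no /E, hence the confirmation prompt that echo Y answers) with a no-access entry for the Admin user, and `CACLS mnolyk.exe /P Admin:R /E` edits that back to read-only; the same is done to the directory, so the user that dropped the payload can still read and run it but not overwrite or delete it. Finally rundll32 loads clip64.dll from %APPDATA%\c1ec479e5342a2 via its Main export. The Python below is an added example, not tria.ge output: it applies one rule to each process-creation event and attributes hits to the nearest ancestor that is not cmd.exe, so the cacls children launched through cmd collapse onto PID 1700 together with schtasks and rundll32. ProcEvent and the sample events are constructed from the tree above; the explorer.exe parent, the NightlyBackup task, the shell32 rundll32 call and the rule names are invented.

```python
"""Score a process tree for the persistence chain mnolyk.exe runs in the
report: a per-minute scheduled task, a cacls lockdown of its own files,
and rundll32 loading a DLL out of %APPDATA%.

Added example, not tria.ge output.  ProcEvent (pid, ppid, image, cmdline)
and the sample events are constructed from the report's process tree; the
explorer.exe parent, the benign events and the rule names are invented.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.IGNORECASE)
TASK_TARGET = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
NO_ACCESS = re.compile(r'/P\s+"?[^"\s]+:N"?', re.IGNORECASE)   # cacls "<user>:N" = no access
DLL_ARG = re.compile(r'"[^"]+\.dll"|\S+\.dll', re.IGNORECASE)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def rule_for(ev):
    """Name of the rule this single process hits, or None."""
    name, cmd = basename(ev.image), ev.cmdline
    if (name == "schtasks.exe"
            and re.search(r"/create\b", cmd, re.I)
            and re.search(r"/sc\s+minute\b", cmd, re.I)):
        m = TASK_TARGET.search(cmd)
        target = (m.group(1) or m.group(2)) if m else ""
        if USER_WRITABLE.search(target):
            return "schtasks_minute_task_from_user_dir"
    if name == "cacls.exe" and NO_ACCESS.search(cmd):
        return "cacls_no_access_on_payload"
    if name == "rundll32.exe":
        m = DLL_ARG.search(cmd)
        if m and USER_WRITABLE.search(m.group(0)):
            return "rundll32_dll_from_user_dir"
    return None


def issuer(ev, by_pid):
    """PID of the nearest ancestor that is not a cmd.exe wrapper."""
    cur = by_pid.get(ev.ppid)
    while cur is not None and basename(cur.image) == "cmd.exe":
        cur = by_pid.get(cur.ppid)
    return cur.pid if cur is not None else ev.ppid


def score_tree(events):
    """Map each issuing PID to the sorted list of rules its children triggered."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(set)
    for ev in events:
        rule = rule_for(ev)
        if rule:
            hits[issuer(ev, by_pid)].add(rule)
    return {pid: sorted(rules) for pid, rules in hits.items()}


def suspects(events, min_rules=2):
    """PIDs whose children hit at least min_rules distinct rules."""
    return sorted(pid for pid, r in score_tree(events).items() if len(r) >= min_rules)


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # constructed from the report's process tree
    ProcEvent(2348, 4884, T + r"\IXP000.TMP\vMJ21.exe", T + r"\IXP000.TMP\vMJ21.exe"),
    ProcEvent(1700, 2348, T + r"\4b9a106e76\mnolyk.exe", f'"{T}\\4b9a106e76\\mnolyk.exe"'),
    ProcEvent(3556, 1700, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "{T}\\4b9a106e76\\mnolyk.exe" /F'),
    ProcEvent(4100, 1700, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit'),
    ProcEvent(1948, 4100, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"'),
    ProcEvent(3108, 4100, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:N"'),
    ProcEvent(788, 4100, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:R" /E'),
    ProcEvent(1084, 1700, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main'),
    # invented benign activity under an invented explorer.exe parent
    ProcEvent(4999, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5000, 4999, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /TN NightlyBackup /TR "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(5001, 4999, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    print(score_tree(SAMPLE_EVENTS))   # {1700: [three rule names]}
    print(suspects(SAMPLE_EVENTS))     # [1700]
```

Each rule on its own is noisy (installers create tasks, admins run cacls), which is why the score is kept per issuing process and only a process that trips two or more rules is returned. The first cacls call without /E deserves a rule of its own in an EDR: replacing an ACL outright also drops the inherited SYSTEM and Administrators entries, which is what makes the dropped file awkward to clean up by hand.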
Network
MITRE ATT&CK Enterprise v6
Downloads

- 236KB (6 entries)
  MD5: 8bb923c4d81284daef7896e5682df6c6
  SHA1: 67e34a96b77e44b666c5479f540995bdeacf5de2
  SHA256: 9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
  SHA512: 2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7
- 337KB (2 entries)
  MD5: 513d34f87edaf800bf6a476470dfc1fd
  SHA1: ba7b1a186df2220a2d62263de2702ac4e110496e
  SHA256: c111edad887d32b3139211b214cad2bfada9a12465b99c2c63bbbd6e8801c9e0
  SHA512: f998775022c54b633b5cf87eaa3de2ba7a9db3f755330255789e87c903e69aabbad9fff6f35a9f4ab782c183e8d29e048d9b05ee0ee5c393d064243b3ad0bc05
- 245KB (2 entries)
  MD5: 2577882734e8f450e222e38640d3873e
  SHA1: a219964a39be8bc274ac0ff4dc28156a4c0a2cb7
  SHA256: cc38e728b60b151122ceaf44498f2b7a249e38ca15da8526df76764e52fd0514
  SHA512: 53578d87afaef446c87bb0e876c865aba247516f5a95cd72b4dd00e06e75aba2b5ac56000865a4aa966fde844862bb4f8097ee444c5ee70aad0f15c831ab96e6
- 11KB (2 entries)
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
- 89KB (2 entries)
  MD5: c79b74d8fec5e7e2ba2f1789fd582a15
  SHA1: 78a1e5d99dbaccc5e07b125e1dfb280112cb3128
  SHA256: b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
  SHA512: 0debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba