Analysis
max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2023 13:24
General
Target: 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800.exe
Size: 227KB
MD5: 17a8f85f937d8106c020a366d7c6ccb4
SHA1: 43ef57b2adf9115c51041b5baba5a1565501b1a1
SHA256: 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
SHA512: ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
SSDEEP: 3072:up/r/XWcqLhrksdsUrPYdBqaTl723DSVhdu1SAA8YcG9lKVf1svV+NhcmEx:uNzGcU9LPGQaTASlu1STVJGMV+4
Malware Config
Extracted: amadey
  version: 3.66
  C2: 193.42.33.28/0bjdn2Z/index.php
Extracted: aurora
  C2: 212.87.204.93:8081
Two families were carved from a single run: Amadey (a loader) and Aurora (a stealer). The loader side is what the process tree below shows (self-copy to a random Temp subdirectory, a minute-interval scheduled task, a cacls lock on the copy, download and launch of a second PE). The Aurora config most plausibly belongs to bin.exe, the 3.0MB PE dropped to AppData\Roaming\1000005000 and executed as PID 2196; the report does not say which file each config was extracted from, so treat that mapping as an inference. Both C2 endpoints are network IoCs in their own right.
Signatures

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
  by 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800.exe
  by mnolyk.exe
Both the submitted sample and its dropped copy run the check, so the geofence gate is evaluated on every launch, not only on first execution.
Executes dropped EXE (5 IoCs)
  PID 1632 mnolyk.exe
  PID 2196 bin.exe
  PID 1724 mnolyk.exe
  PID 4524 mnolyk.exe
  PID 3192 mnolyk.exe
mnolyk.exe is a byte-identical copy of the submitted sample (same hashes, see Downloads). The three later instances (1724, 4524, 3192) appear at the top of the process tree with no parent, which is consistent with the scheduled task created below (/SC MINUTE /MO 1) re-launching the copy every minute during the roughly 149s run.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; in this run the extracted configs are a loader (Amadey) and a stealer (Aurora) and no encryption activity is reported, so the drive enumeration is better read as victim profiling alongside the WMIC queries below.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 IoCs are one privilege list enabled repeatedly by the two WMIC instances spawned for bin.exe's profiling queries, PID 4960 (wmic.exe, list recorded twice) and PID 3332 (WMIC.exe):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, plus four privileges the sandbox reports only by LUID (33, 34, 35, 36).
Caveat: enabling this blanket set is WMIC's own start-up behaviour, not an action of the payload, and AdjustTokenPrivileges can only enable privileges the token already holds. Treat the hit as a marker for the WMIC profiling chain rather than as privilege escalation; the third WMIC instance (PID 704) has no such hit recorded.
Suspicious use of WriteProcessMemory (45 IoCs)
Each process creation is recorded as three writes by the parent into its new child; collapsed here to one line per parent/child edge (15 edges, 45 IoCs):
  4616 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800.exe -> 1632 mnolyk.exe
  1632 mnolyk.exe -> 5004 schtasks.exe
  1632 mnolyk.exe -> 3680 cmd.exe
  3680 cmd.exe -> 4916 cmd.exe, 4036 cacls.exe, 3868 cacls.exe, 3876 cmd.exe, 4936 cacls.exe, 4944 cacls.exe
  1632 mnolyk.exe -> 2196 bin.exe
  2196 bin.exe -> 4960 wmic.exe
  2196 bin.exe -> 952 cmd.exe -> 3332 WMIC.exe
  2196 bin.exe -> 2476 cmd.exe -> 704 WMIC.exe
Every target is the writer's own newly created child, so these are the writes that accompany ordinary process creation, not injection into an already-running process.
Processes

C:\Users\Admin\AppData\Local\Temp\3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800.exe  (PID 4616)
  cmd: "C:\Users\Admin\AppData\Local\Temp\3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe  (PID 1632)
    cmd: "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe  (PID 5004)
      cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe  (PID 3680)
      cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 4916)
        cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      C:\Windows\SysWOW64\cacls.exe  (PID 4036)
        cmd: CACLS "mnolyk.exe" /P "Admin:N"
      C:\Windows\SysWOW64\cacls.exe  (PID 3868)
        cmd: CACLS "mnolyk.exe" /P "Admin:R" /E
      C:\Windows\SysWOW64\cmd.exe  (PID 3876)
        cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      C:\Windows\SysWOW64\cacls.exe  (PID 4936)
        cmd: CACLS "..\1eb2f325ea" /P "Admin:N"
      C:\Windows\SysWOW64\cacls.exe  (PID 4944)
        cmd: CACLS "..\1eb2f325ea" /P "Admin:R" /E
    C:\Users\Admin\AppData\Roaming\1000005000\bin.exe  (PID 2196)
      cmd: "C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Wbem\wmic.exe  (PID 4960)
        cmd: wmic os get Caption
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (PID 952)
        cmd: cmd /C "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 3332)
          cmd: wmic path win32_VideoController get name
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (PID 2476)
        cmd: cmd /C "wmic cpu get name"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Wbem\WMIC.exe  (PID 704)
          cmd: wmic cpu get name

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe  (PID 1724)
  cmd: C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe  (PID 4524)
  cmd: C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe  (PID 3192)
  cmd: C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
  - Executes dropped EXE

Notes on the tree:
- Indentation reproduces the sandbox's depth levels (1 to 5). The three mnolyk.exe instances at the end have no recorded parent, consistent with launches by the Task Scheduler rather than by another process in the tree.
- Image paths are under SysWOW64 while the command lines name System32: the loader is a 32-bit process and WoW64 file-system redirection maps its System32 references to SysWOW64.
- The cacls sequence locks the dropped copy and its directory against the user who runs it. "echo Y" answers cacls's confirmation prompt; /P "Admin:N" without /E replaces the whole ACL with a no-access entry for the user; /P "Admin:R" /E then edits that entry back to read. The page shows the copy still launching afterwards (PIDs 1724, 4524, 3192), while the user account can no longer modify or delete the file or directory without an administrator repairing the ACL first.
- bin.exe's three WMIC queries (OS caption, GPU name, CPU name) are victim profiling. Two of them are wrapped in cmd /C, which is why cmd.exe carries WriteProcessMemory hits of its own.
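Detection logic for the three behaviours the tree above exposes, as an added example (not code from the sandbox report or from the malware). It scores process-creation events of the shape Sysmon Event ID 1 or Security 4688 provide (pid, parent pid, image path, command line) and flags a schtasks minute-interval task pointing into AppData, a cacls /P <user>:N self-lock, and a WMIC profiling chain driven by a binary under AppData. The sample events are constructed from this report's PIDs, images and command lines; the parent PID 4616 for mnolyk.exe, the benign control events, and the thresholds (interval of 5 minutes or less, two or more distinct queries) are my assumptions.

```python
"""Score process-creation events for the loader behaviours in this report's tree.
Added example; not code from the sandbox report or from the malware."""
import re
from collections import namedtuple

# pid, parent pid, full image path, command line as a process-creation log records it
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")
Finding = namedtuple("Finding", "rule pid detail")
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
PROFILING_QUERIES = ("os get caption", "win32_videocontroller", "cpu get name")


def tokens(cmdline):
    # Split a Windows command line, keeping quoted arguments whole (quotes stripped).
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _arg(toks, flag):
    # Value after a case-insensitive switch such as /TR, or None if absent.
    low = [t.lower() for t in toks]
    return toks[low.index(flag) + 1] if flag in low and low.index(flag) + 1 < len(toks) else None


def check_schtasks(ev):
    """schtasks /Create /SC MINUTE [/MO n] /TR <path under AppData>: minute-interval re-launch."""
    if basename(ev.image) != "schtasks.exe":
        return None
    toks = tokens(ev.cmdline)
    if "/create" not in (t.lower() for t in toks) or (_arg(toks, "/sc") or "").lower() != "minute":
        return None
    mo = _arg(toks, "/mo")
    interval = int(mo) if mo and mo.isdigit() else 1  # schtasks defaults /MO to 1 for MINUTE
    target = _arg(toks, "/tr") or ""
    if interval <= 5 and USER_WRITABLE.search(target):
        return Finding("persistence.schtasks_minute_userdir", ev.pid, f"every {interval} min -> {target}")
    return None


def check_cacls_deny(ev):
    """cacls <target> /P <user>:N: the user's own rights are stripped from a dropped file/dir."""
    if basename(ev.image) != "cacls.exe":
        return None
    toks = tokens(ev.cmdline)
    perm = _arg(toks, "/p") or ""
    if perm.upper().endswith(":N"):
        return Finding("defense_evasion.cacls_self_deny", ev.pid, f"{toks[1] if len(toks) > 1 else '?'} -> {perm}")
    return None


def check_wmic_profiling(events):
    """Attribute each WMIC hardware query to the nearest non-cmd.exe ancestor and flag an
    origin under AppData that drives two or more distinct profiling queries."""
    by_pid = {e.pid: e for e in events}
    queries = {}
    for ev in events:
        matched = {q for q in PROFILING_QUERIES if q in ev.cmdline.lower()}
        if basename(ev.image) != "wmic.exe" or not matched:
            continue
        origin = by_pid.get(ev.ppid)
        while origin and basename(origin.image) == "cmd.exe":  # look through cmd /C wrappers
            origin = by_pid.get(origin.ppid)
        if origin:
            queries.setdefault(origin.pid, set()).update(matched)
    return [Finding("discovery.wmic_profiling_from_userdir", pid, f"{basename(by_pid[pid].image)} ran {sorted(qs)}")
            for pid, qs in queries.items() if len(qs) >= 2 and USER_WRITABLE.search(by_pid[pid].image)]


def analyze(events):
    findings = [f for ev in events for f in (check_schtasks(ev), check_cacls_deny(ev)) if f]
    return findings + check_wmic_profiling(events)


# Constructed from this report's tree (PIDs, images and command lines as listed above).
T = r"C:\Users\Admin\AppData\Local\Temp"
BIN = r"C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
CMD, CACLS = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cacls.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\WMIC.exe"
SAMPLE_EVENTS = [
    ProcEvent(1632, 4616, rf"{T}\1eb2f325ea\mnolyk.exe", rf'"{T}\1eb2f325ea\mnolyk.exe"'),
    ProcEvent(5004, 1632, r"C:\Windows\SysWOW64\schtasks.exe", rf'"C:\Windows\System32\schtasks.exe" '
              rf'/Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "{T}\1eb2f325ea\mnolyk.exe" /F'),
    ProcEvent(3680, 1632, CMD, r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS '
              r'"mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit'),
    ProcEvent(4036, 3680, CACLS, r'CACLS "mnolyk.exe" /P "Admin:N"'),
    ProcEvent(3868, 3680, CACLS, r'CACLS "mnolyk.exe" /P "Admin:R" /E'),
    ProcEvent(4936, 3680, CACLS, r'CACLS "..\1eb2f325ea" /P "Admin:N"'),
    ProcEvent(2196, 1632, BIN, rf'"{BIN}"'),
    ProcEvent(4960, 2196, WMIC, "wmic os get Caption"),
    ProcEvent(952, 2196, CMD, 'cmd /C "wmic path win32_VideoController get name"'),
    ProcEvent(3332, 952, WMIC, "wmic path win32_VideoController get name"),
    ProcEvent(2476, 2196, CMD, 'cmd /C "wmic cpu get name"'),
    ProcEvent(704, 2476, WMIC, "wmic cpu get name"),
]
# Constructed control (assumed, not from the report): an administrator's daily task and a
# single wmic query from a System32 shell must not fire.
BENIGN_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(300, 100, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
    ProcEvent(301, 100, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get Caption"),
]
```

`analyze(SAMPLE_EVENTS)` returns four findings: the schtasks task (PID 5004), the two cacls deny entries (PIDs 4036 and 4936), and one profiling finding attributed to bin.exe (PID 2196) because the cmd /C wrappers are walked through. The cmd.exe parent (PID 3680) is not flagged even though its command line contains the cacls text, and the benign control produces nothing. The WMIC rule deliberately keys on the originating image's location rather than on the token-privilege noise the sandbox reports.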
Downloads
(The original listing repeats entries; duplicates are collapsed here with the repeat count noted.)

C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe  (listed 6 times)
  Filesize: 227KB
  MD5: 17a8f85f937d8106c020a366d7c6ccb4
  SHA1: 43ef57b2adf9115c51041b5baba5a1565501b1a1
  SHA256: 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
  SHA512: ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
  Hashes identical to the submitted target: the loader copies itself unchanged into the random-looking Temp subdirectory 1eb2f325ea, so the same file hashes cover both the original and the persisted copy.

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: 77e31b1123e94ce5720ceb729a425798
  SHA1: 2b65c95f27d8dca23864a3ed4f78490039ae27bf
  SHA256: 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85
  SHA512: 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: 386c014d0948d4fc41afa98cfca9022e
  SHA1: 786cc52d9b962f55f92202c7d50c3707eb62607b
  SHA256: 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2
  SHA512: 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

C:\Users\Admin\AppData\Roaming\1000005000\bin.exe  (listed 3 times)
  Filesize: 3.0MB
  MD5: af4268c094f2a9c6e6a85f8626b9a5c7
  SHA1: 7d6b6083ec9081f52517cc7952dfb0c1c416e395
  SHA256: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
  SHA512: 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
  The second-stage PE the loader downloads and executes (PID 2196); see the "Downloads MZ/PE file" signature. The two random-named Temp files (2KB and 71KB) are not described further by the report.