Analysis
max time kernel: 145s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 24-02-2023 13:31
Behavioral task: behavioral1
Sample: 17a8f85f937d8106c020a366d7c6ccb4.exe
Resource: win7-20230220-en
General
Target: 17a8f85f937d8106c020a366d7c6ccb4.exe
Size: 227KB
MD5: 17a8f85f937d8106c020a366d7c6ccb4
SHA1: 43ef57b2adf9115c51041b5baba5a1565501b1a1
SHA256: 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
SHA512: ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
SSDEEP: 3072:up/r/XWcqLhrksdsUrPYdBqaTl723DSVhdu1SAA8YcG9lKVf1svV+NhcmEx:uNzGcU9LPGQaTASlu1STVJGMV+4
Malware Config
Extracted: amadey
  Version: 3.66
  C2: 193.42.33.28/0bjdn2Z/index.php
Extracted: aurora
  C2: 212.87.204.93:8081
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
  - 1204 mnolyk.exe
  - 1768 bin.exe
  - 1048 mnolyk.exe
  - 1172 mnolyk.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  - 1560 17a8f85f937d8106c020a366d7c6ccb4.exe
  - 1204 mnolyk.exe
  - 1204 mnolyk.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe (PID 1764), WMIC.exe (PID 928)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 17a8f85f937d8106c020a366d7c6ccb4.exe, mnolyk.exe, cmd.exe, bin.exe, cmd.exe, cmd.exe, taskeng.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe"
  PID: 1560
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
    PID: 1204
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
      PID: 560
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit
      PID: 652
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 672
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "mnolyk.exe" /P "Admin:N"
        PID: 1164
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
        PID: 1992
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 364
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\1eb2f325ea" /P "Admin:N"
        PID: 1752
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\1eb2f325ea" /P "Admin:R" /E
        PID: 752
    - C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
      Command line: "C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
      PID: 1768
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic os get Caption
        PID: 1764
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C "wmic path win32_VideoController get name"
        PID: 1624
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic path win32_VideoController get name
          PID: 928
          - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C "wmic cpu get name"
        PID: 1716
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic cpu get name
          PID: 1276
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2AFFDB63-3439-4465-846A-44CEDCB0AEC4} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
  PID: 1660
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
    PID: 1048
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
    PID: 1172
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
  Filesize: 227KB
  MD5: 17a8f85f937d8106c020a366d7c6ccb4
  SHA1: 43ef57b2adf9115c51041b5baba5a1565501b1a1
  SHA256: 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
  SHA512: ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
- C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
  Filesize: 71KB
  MD5: 6a3c2fe239e67cd5804a699b9aa54b07
  SHA1: 018091f0c903173dec18cd10e0e00889f0717d67
  SHA256: 160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168
  SHA512: aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37
- C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
  Filesize: 3.0MB
  MD5: af4268c094f2a9c6e6a85f8626b9a5c7
  SHA1: 7d6b6083ec9081f52517cc7952dfb0c1c416e395
  SHA256: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
  SHA512: 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68
- \Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
  Filesize: 227KB
  MD5: 17a8f85f937d8106c020a366d7c6ccb4
  SHA1: 43ef57b2adf9115c51041b5baba5a1565501b1a1
  SHA256: 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
  SHA512: ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
- \Users\Admin\AppData\Roaming\1000005000\bin.exe
  Filesize: 3.0MB
  MD5: af4268c094f2a9c6e6a85f8626b9a5c7
  SHA1: 7d6b6083ec9081f52517cc7952dfb0c1c416e395
  SHA256: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
  SHA512: 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68