Analysis
- max time kernel: 113s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-02-2023 13:31
Behavioral task: behavioral1
- Sample: 17a8f85f937d8106c020a366d7c6ccb4.exe
- Resource: win7-20230220-en
General
- Target: 17a8f85f937d8106c020a366d7c6ccb4.exe
- Size: 227KB
- MD5: 17a8f85f937d8106c020a366d7c6ccb4
- SHA1: 43ef57b2adf9115c51041b5baba5a1565501b1a1
- SHA256: 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
- SHA512: ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
- SSDEEP: 3072:up/r/XWcqLhrksdsUrPYdBqaTl723DSVhdu1SAA8YcG9lKVf1svV+NhcmEx:uNzGcU9LPGQaTASlu1STVJGMV+4
Malware Config
- Extracted: amadey, version 3.66, C2 193.42.33.28/0bjdn2Z/index.php
- Extracted: aurora, C2 212.87.204.93:8081
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - mnolyk.exe: key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
  - 17a8f85f937d8106c020a366d7c6ccb4.exe: key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (4 IoCs)
  Processes:
  - PID 1456 mnolyk.exe
  - PID 2328 bin.exe
  - PID 4224 mnolyk.exe
  - PID 2880 mnolyk.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wmic.exe, WMIC.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes: 17a8f85f937d8106c020a366d7c6ccb4.exe, mnolyk.exe, cmd.exe, bin.exe, cmd.exe, cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe (PID 5056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe (PID 1456)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1748)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 4668)
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 3772)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 3420)
        Command line: CACLS "mnolyk.exe" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe (PID 4032)
        Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
      - C:\Windows\SysWOW64\cmd.exe (PID 4268)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 4700)
        Command line: CACLS "..\1eb2f325ea" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe (PID 2360)
        Command line: CACLS "..\1eb2f325ea" /P "Admin:R" /E
    - C:\Users\Admin\AppData\Roaming\1000005000\bin.exe (PID 2328)
      Command line: "C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 3924)
        Command line: wmic os get Caption
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe (PID 5096)
        Command line: cmd /C "wmic path win32_VideoController get name"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4132)
          Command line: wmic path win32_VideoController get name
          Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe (PID 3588)
        Command line: cmd /C "wmic cpu get name"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 616)
          Command line: wmic cpu get name
- C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe (PID 4224)
  Command line: C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe (PID 2880)
  Command line: C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
  Filesize: 227KB
  MD5: 17a8f85f937d8106c020a366d7c6ccb4
  SHA1: 43ef57b2adf9115c51041b5baba5a1565501b1a1
  SHA256: 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
  SHA512: ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193
- C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: dd7a4110e2dc0760efdd47ee918c0deb
  SHA1: 5ed5efe128e521023e0caf4fff9af747522c8166
  SHA256: 550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084
  SHA512: c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc
- C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: dc2b0f48d8f547d5ff7d67b371d850f0
  SHA1: 84d02ddbf478bf7cfe9ccb466362860ee18b3839
  SHA256: 0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890
  SHA512: 3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7
- C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
  Filesize: 3.0MB
  MD5: af4268c094f2a9c6e6a85f8626b9a5c7
  SHA1: 7d6b6083ec9081f52517cc7952dfb0c1c416e395
  SHA256: 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165
  SHA512: 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68