Analysis Overview
SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
Threat Level: Known bad
The file 17a8f85f937d8106c020a366d7c6ccb4.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Amadey family
Aurora
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 13:31
Signatures
Amadey family
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 13:31
Reported
2023-02-24 13:33
Platform
win7-20230220-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Amadey
Aurora
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000005000\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe
"C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe"
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:R" /E
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
"C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\system32\taskeng.exe
taskeng.exe {2AFFDB63-3439-4465-846A-44CEDCB0AEC4} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Network
| Country | Destination | Domain | Proto |
| NL | 193.42.33.28:80 | 193.42.33.28 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| NL | 212.87.204.93:8081 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
\Users\Admin\AppData\Roaming\1000005000\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
\Users\Admin\AppData\Roaming\1000005000\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
| MD5 | 6a3c2fe239e67cd5804a699b9aa54b07 |
| SHA1 | 018091f0c903173dec18cd10e0e00889f0717d67 |
| SHA256 | 160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168 |
| SHA512 | aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37 |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-24 13:31
Reported
2023-02-24 13:33
Platform
win10v2004-20230220-en
Max time kernel
113s
Max time network
136s
Command Line
Signatures
Amadey
Aurora
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000005000\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe
"C:\Users\Admin\AppData\Local\Temp\17a8f85f937d8106c020a366d7c6ccb4.exe"
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:R" /E
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
"C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 193.42.33.28:80 | 193.42.33.28 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 28.33.42.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| NL | 212.87.204.93:8081 | | tcp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | dc2b0f48d8f547d5ff7d67b371d850f0 |
| SHA1 | 84d02ddbf478bf7cfe9ccb466362860ee18b3839 |
| SHA256 | 0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890 |
| SHA512 | 3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7 |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | dd7a4110e2dc0760efdd47ee918c0deb |
| SHA1 | 5ed5efe128e521023e0caf4fff9af747522c8166 |
| SHA256 | 550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084 |
| SHA512 | c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |