Analysis
- Max time kernel: 679s
- Max time network: 682s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 22-07-2021 23:25
- Static task: static1
- Behavioral task: behavioral1
  - Sample: setup_x86_x64_install.exe
  - Resource: win7v20210410
General
- Target: setup_x86_x64_install.exe
- Size: 1.7MB
- MD5: a0c815817a5d6cd64ad038e72dedaee8
- SHA1: 5f9d3eab51421cd8997d4f5715052ce89e23e940
- SHA256: c017bcbebdb59082e79f2409c23e991948262e7645f191ee1c70c5d9ce3aa9c0
- SHA512: 237a6b85ff1d64b641c761e8280ca199c30592ff589a13279c835cfca016f5006fb44c7fea3b483f505479eafee56963776fee5ea9ae01b640dc88ab31456b78
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 1728  Melagrani.exe.com
    PID 1384  Melagrani.exe.com
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 1748  cmd.exe
    PID 1728  Melagrani.exe.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Melagrani.exe.com
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Melagrani.exe.com
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (each parent/target pair is recorded four times in the report):
    PID 1116  setup_x86_x64_install.exe  wrote to memory of  PID 1912  cmd.exe
    PID 1912  cmd.exe                    wrote to memory of  PID 1748  cmd.exe
    PID 1748  cmd.exe                    wrote to memory of  PID 1808  findstr.exe
    PID 1748  cmd.exe                    wrote to memory of  PID 1728  Melagrani.exe.com
    PID 1748  cmd.exe                    wrote to memory of  PID 1784  PING.EXE
    PID 1728  Melagrani.exe.com          wrote to memory of  PID 1384  Melagrani.exe.com
Processes (process tree; PIDs taken from the WriteProcessMemory IoCs above)
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe (PID 1116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1912)
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Acre.aif
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1748)
      Command line: cmd
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (PID 1808)
        Command line: findstr /V /R "^iYipZByhMrTrdVmiJmndvRgOTQTYMcgcdqPsDGYnRXoZnMWbADbAYDzdJadpIuBsPbNdyoErAZnnIffuTcnoYNvNGmHlfPQKvRlqZGssZxZZtUHxrldjIzawqZJGBxNKpNeQyguj$" Miro.aif
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com (PID 1728)
        Command line: Melagrani.exe.com M
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com (PID 1384)
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com M
          Signatures: Executes dropped EXE; Checks processor information in registry
      - C:\Windows\SysWOW64\PING.EXE (PID 1784)
        Command line: ping 127.0.0.1 -n 30
        Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.aif
  MD5: 937474effdd599262b2f398fac08f388
  SHA1: 1ff41cb556bb689f460b2c8c186233afd8ed424c
  SHA256: 2f76ddea8f492b4a87a086d19142cc49125991441fd9547c9a105ce38d65af95
  SHA512: f38a8a5fc9fdc44961d22177952b8332da463675a9f81d99f79f717cd5115764255f608fb2a17aea626c9eb300a040f066497406f735ec5d3b121cbb2df955df
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avvelenate.aif
  MD5: 74c29d62e84f3fe998327dc5dee5384c
  SHA1: cd982d331130fcd5841c50cf2f0c8c1fba6cbd22
  SHA256: 7439f310fc85bd7cc26aec4d74020bbeb6a8c2d64d8860bcd0cbd7dc0e797adc
  SHA512: c966b7b935e200a1f06684cb733d59a28f586ba0e97d1235fd48be40a7bda07e7876c82b4d9cf5e5e76076c948c3f6efb87f31c47cb46176af1a808a445404f9
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\M
  MD5: bc07edebaf76de0033db62ea82d4bef4
  SHA1: 9392c0edf15f99272fb4fded79973cc12f04c5ee
  SHA256: fe9ebe6389b025640ed408606468a0dda75aeaeef2a87fad4d8707a5e9cf8162
  SHA512: 2d7eff401e54cf1cd2a9fe2bffc6c378835dffaa873238fba8dbaad1a0b4d4b14d9b639f0d88e132ee216a8114c90e47175853cebeb3e22c2416e2b0486126da
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Miro.aif
  MD5: 6354bce948cc1f901609ea23a363055a
  SHA1: 66dd1f0006f27a9cb9f66ef64a207fb5dab815fa
  SHA256: 42548ebb670a736f0071b0839cd5edbd123123e4141d35cb453311be9fef163a
  SHA512: 04b8df20ba743501b2a7dcd128ae9f84a75ab054e8f65ff762d8a2f5643b59237d849a775e3945d8dab43ce93ce3205f15acebca8498c9500f276374343b2be4
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riscalda.aif
  MD5: bc07edebaf76de0033db62ea82d4bef4
  SHA1: 9392c0edf15f99272fb4fded79973cc12f04c5ee
  SHA256: fe9ebe6389b025640ed408606468a0dda75aeaeef2a87fad4d8707a5e9cf8162
  SHA512: 2d7eff401e54cf1cd2a9fe2bffc6c378835dffaa873238fba8dbaad1a0b4d4b14d9b639f0d88e132ee216a8114c90e47175853cebeb3e22c2416e2b0486126da
- memory/1116-60-0x00000000767B1000-0x00000000767B3000-memory.dmp (Filesize: 8KB)
- memory/1384-75-0x0000000000000000-mapping.dmp
- memory/1384-79-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
- memory/1728-68-0x0000000000000000-mapping.dmp
- memory/1748-63-0x0000000000000000-mapping.dmp
- memory/1784-70-0x0000000000000000-mapping.dmp
- memory/1808-64-0x0000000000000000-mapping.dmp
- memory/1912-61-0x0000000000000000-mapping.dmp