c017bcbebdb59082e79f2409c23e991948262e7645f191ee1c70c5d9ce3aa9c0

Analysis

max time kernel
679s
max time network
682s
platform
windows7_x64
resource
win7v20210410
submitted
22-07-2021 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

1.7MB
MD5

a0c815817a5d6cd64ad038e72dedaee8
SHA1

5f9d3eab51421cd8997d4f5715052ce89e23e940
SHA256

c017bcbebdb59082e79f2409c23e991948262e7645f191ee1c70c5d9ce3aa9c0
SHA512

237a6b85ff1d64b641c761e8280ca199c30592ff589a13279c835cfca016f5006fb44c7fea3b483f505479eafee56963776fee5ea9ae01b640dc88ab31456b78

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Melagrani.exe.comMelagrani.exe.com

pid process

1728 Melagrani.exe.com
1384 Melagrani.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeMelagrani.exe.com

pid process

1748 cmd.exe
1728 Melagrani.exe.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1728	Melagrani.exe.com
1384	Melagrani.exe.com

pid	process
1748	cmd.exe
1728	Melagrani.exe.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Melagrani.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Melagrani.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Melagrani.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1784 PING.EXE

pid	process
1784	PING.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

setup_x86_x64_install.execmd.execmd.exeMelagrani.exe.com

description	pid	process	target process
PID 1116 wrote to memory of 1912	1116	setup_x86_x64_install.exe	cmd.exe
PID 1116 wrote to memory of 1912	1116	setup_x86_x64_install.exe	cmd.exe
PID 1116 wrote to memory of 1912	1116	setup_x86_x64_install.exe	cmd.exe
PID 1116 wrote to memory of 1912	1116	setup_x86_x64_install.exe	cmd.exe
PID 1912 wrote to memory of 1748	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 1748	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 1748	1912	cmd.exe	cmd.exe
PID 1912 wrote to memory of 1748	1912	cmd.exe	cmd.exe
PID 1748 wrote to memory of 1808	1748	cmd.exe	findstr.exe
PID 1748 wrote to memory of 1808	1748	cmd.exe	findstr.exe
PID 1748 wrote to memory of 1808	1748	cmd.exe	findstr.exe
PID 1748 wrote to memory of 1808	1748	cmd.exe	findstr.exe
PID 1748 wrote to memory of 1728	1748	cmd.exe	Melagrani.exe.com
PID 1748 wrote to memory of 1728	1748	cmd.exe	Melagrani.exe.com
PID 1748 wrote to memory of 1728	1748	cmd.exe	Melagrani.exe.com
PID 1748 wrote to memory of 1728	1748	cmd.exe	Melagrani.exe.com
PID 1748 wrote to memory of 1784	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 1784	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 1784	1748	cmd.exe	PING.EXE
PID 1748 wrote to memory of 1784	1748	cmd.exe	PING.EXE
PID 1728 wrote to memory of 1384	1728	Melagrani.exe.com	Melagrani.exe.com
PID 1728 wrote to memory of 1384	1728	Melagrani.exe.com	Melagrani.exe.com
PID 1728 wrote to memory of 1384	1728	Melagrani.exe.com	Melagrani.exe.com
PID 1728 wrote to memory of 1384	1728	Melagrani.exe.com	Melagrani.exe.com

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Acre.aif
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^iYipZByhMrTrdVmiJmndvRgOTQTYMcgcdqPsDGYnRXoZnMWbADbAYDzdJadpIuBsPbNdyoErAZnnIffuTcnoYNvNGmHlfPQKvRlqZGssZxZZtUHxrldjIzawqZJGBxNKpNeQyguj$" Miro.aif
4⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com
Melagrani.exe.com M
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com M
5⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1384

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.aif
MD5
937474effdd599262b2f398fac08f388

SHA1
1ff41cb556bb689f460b2c8c186233afd8ed424c

SHA256
2f76ddea8f492b4a87a086d19142cc49125991441fd9547c9a105ce38d65af95

SHA512
f38a8a5fc9fdc44961d22177952b8332da463675a9f81d99f79f717cd5115764255f608fb2a17aea626c9eb300a040f066497406f735ec5d3b121cbb2df955df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Avvelenate.aif
MD5
74c29d62e84f3fe998327dc5dee5384c

SHA1
cd982d331130fcd5841c50cf2f0c8c1fba6cbd22

SHA256
7439f310fc85bd7cc26aec4d74020bbeb6a8c2d64d8860bcd0cbd7dc0e797adc

SHA512
c966b7b935e200a1f06684cb733d59a28f586ba0e97d1235fd48be40a7bda07e7876c82b4d9cf5e5e76076c948c3f6efb87f31c47cb46176af1a808a445404f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\M
MD5
bc07edebaf76de0033db62ea82d4bef4

SHA1
9392c0edf15f99272fb4fded79973cc12f04c5ee

SHA256
fe9ebe6389b025640ed408606468a0dda75aeaeef2a87fad4d8707a5e9cf8162

SHA512
2d7eff401e54cf1cd2a9fe2bffc6c378835dffaa873238fba8dbaad1a0b4d4b14d9b639f0d88e132ee216a8114c90e47175853cebeb3e22c2416e2b0486126da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Miro.aif
MD5
6354bce948cc1f901609ea23a363055a

SHA1
66dd1f0006f27a9cb9f66ef64a207fb5dab815fa

SHA256
42548ebb670a736f0071b0839cd5edbd123123e4141d35cb453311be9fef163a

SHA512
04b8df20ba743501b2a7dcd128ae9f84a75ab054e8f65ff762d8a2f5643b59237d849a775e3945d8dab43ce93ce3205f15acebca8498c9500f276374343b2be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Riscalda.aif
MD5
bc07edebaf76de0033db62ea82d4bef4

SHA1
9392c0edf15f99272fb4fded79973cc12f04c5ee

SHA256
fe9ebe6389b025640ed408606468a0dda75aeaeef2a87fad4d8707a5e9cf8162

SHA512
2d7eff401e54cf1cd2a9fe2bffc6c378835dffaa873238fba8dbaad1a0b4d4b14d9b639f0d88e132ee216a8114c90e47175853cebeb3e22c2416e2b0486126da

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Melagrani.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1116-60-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1384-75-0x0000000000000000-mapping.dmp

Download
memory/1384-79-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1728-68-0x0000000000000000-mapping.dmp

Download
memory/1748-63-0x0000000000000000-mapping.dmp

Download
memory/1784-70-0x0000000000000000-mapping.dmp

Download
memory/1808-64-0x0000000000000000-mapping.dmp

Download
memory/1912-61-0x0000000000000000-mapping.dmp

Download