457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565

Analysis

max time kernel
163s
max time network
113s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe
Size

372KB
MD5

0669e20bc2b7413d6922703062e062c3
SHA1

91d27f75ddfd7b245b6c09f2ecaab8c5ab7e4a11
SHA256

457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565
SHA512

a1c46657e77cd489f9c90672cbb33394066ec54735cb3ca203d4b1e1e1a4aba2177e5d886d1031b8367c674a2f03b0243038ef6f5c607d24f38a94094bda7b38
SSDEEP

6144:pl+Cd34MXtksceFm9aqFKT6Gb8iz/DCaiCJPoel9WenNaH+VJ91sXgpEVGP:K/qksceSYjv+alPoel9/04eAP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
660	server.exe
1796	server.exe

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe
1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 660 set thread context of 1796	660	server.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe
660	server.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1560 wrote to memory of 1696	1560	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	28
PID 1696 wrote to memory of 660	1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	29
PID 1696 wrote to memory of 660	1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	29
PID 1696 wrote to memory of 660	1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	29
PID 1696 wrote to memory of 660	1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	29
PID 1696 wrote to memory of 1632	1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	30
PID 1696 wrote to memory of 1632	1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	30
PID 1696 wrote to memory of 1632	1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	30
PID 1696 wrote to memory of 1632	1696	457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe	30
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32
PID 660 wrote to memory of 1796	660	server.exe	32

C:\Users\Admin\AppData\Local\Temp\457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe
"C:\Users\Admin\AppData\Local\Temp\457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe
  C:\Users\Admin\AppData\Local\Temp\457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\server.exe
    "C:\Users\Admin\AppData\Local\server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Users\Admin\AppData\Local\server.exe
      C:\Users\Admin\AppData\Local\server.exe
      4⤵
      Executes dropped EXE
      PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\melt.bat" "
    3⤵
    - Deletes itself
    PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\melt.bat

Filesize
155B

MD5
e8ece8d98498b8d7e86875c52d09269a

SHA1
599961219a289c602c03e057975c02df3b85eb1b

SHA256
63f2fa7a7f4734fbb87050690f9bf26f3a5e0577f9c4eef965431d61e3ca95e4

SHA512
8e42b469a0d910231d630977830a3900c7929d03e4a658ba050089afaea8b8356afd0cd142617bafe403597a25a03d155ff50c9e84064ee9a4768571bf09c6de

Download Submit
C:\Users\Admin\AppData\Local\server.exe

Filesize
372KB

MD5
0669e20bc2b7413d6922703062e062c3

SHA1
91d27f75ddfd7b245b6c09f2ecaab8c5ab7e4a11

SHA256
457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565

SHA512
a1c46657e77cd489f9c90672cbb33394066ec54735cb3ca203d4b1e1e1a4aba2177e5d886d1031b8367c674a2f03b0243038ef6f5c607d24f38a94094bda7b38

Download Submit
C:\Users\Admin\AppData\Local\server.exe

Filesize
372KB

MD5
0669e20bc2b7413d6922703062e062c3

SHA1
91d27f75ddfd7b245b6c09f2ecaab8c5ab7e4a11

SHA256
457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565

SHA512
a1c46657e77cd489f9c90672cbb33394066ec54735cb3ca203d4b1e1e1a4aba2177e5d886d1031b8367c674a2f03b0243038ef6f5c607d24f38a94094bda7b38

Download Submit
C:\Users\Admin\AppData\Local\server.exe

Filesize
372KB

MD5
0669e20bc2b7413d6922703062e062c3

SHA1
91d27f75ddfd7b245b6c09f2ecaab8c5ab7e4a11

SHA256
457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565

SHA512
a1c46657e77cd489f9c90672cbb33394066ec54735cb3ca203d4b1e1e1a4aba2177e5d886d1031b8367c674a2f03b0243038ef6f5c607d24f38a94094bda7b38

Download Submit
\Users\Admin\AppData\Local\server.exe

Filesize
372KB

MD5
0669e20bc2b7413d6922703062e062c3

SHA1
91d27f75ddfd7b245b6c09f2ecaab8c5ab7e4a11

SHA256
457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565

SHA512
a1c46657e77cd489f9c90672cbb33394066ec54735cb3ca203d4b1e1e1a4aba2177e5d886d1031b8367c674a2f03b0243038ef6f5c607d24f38a94094bda7b38

Download Submit
\Users\Admin\AppData\Local\server.exe

Filesize
372KB

MD5
0669e20bc2b7413d6922703062e062c3

SHA1
91d27f75ddfd7b245b6c09f2ecaab8c5ab7e4a11

SHA256
457e574c618ce574e4da279a4b6532cebed956ee0a430f6f48b60e9aef971565

SHA512
a1c46657e77cd489f9c90672cbb33394066ec54735cb3ca203d4b1e1e1a4aba2177e5d886d1031b8367c674a2f03b0243038ef6f5c607d24f38a94094bda7b38

Download Submit
memory/660-98-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/660-83-0x0000000000000000-mapping.dmp

Download
memory/660-112-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/660-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/660-100-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1560-57-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1560-54-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1560-56-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1560-55-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/1560-78-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1560-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1560-61-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1632-88-0x0000000000000000-mapping.dmp

Download
memory/1696-67-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-70-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-77-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1696-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-76-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-75-0x000000000043E834-mapping.dmp

Download
memory/1696-74-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-90-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-72-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-63-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1696-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-109-0x000000000043E834-mapping.dmp

Download
memory/1796-114-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-115-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1796-116-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download