Analysis
max time kernel: 151s
max time network: 75s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 20:47
Static task: static1
Behavioral task: behavioral1
  Sample: c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
  Resource: win10v2004-20220812-en
General
Target: c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
Size: 224KB
MD5: 0e97f4018017fa79735900f77b584e11
SHA1: 0dd7660095af458baabf7735fab93c2045eed0c0
SHA256: c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8
SHA512: 632e2bec00cea958010a5947df48ce0447b7df7d64730b1bfbb90853837bebfd12f43c9181a7becee51579fed74361ab9d3f537923cbfa2aaf407442074ffd44
SSDEEP: 3072:iXyqNsMoBuVZVpl2mclbj4Uvx+8ysNOu+2eRcKksU61JkkX39RLrw4ySKUbax2+l:9qN5Rp4LnbmlrZW
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | merad.exe

Executes dropped EXE (1 IoC)
pid | Process
- 2040 | merad.exe

Loads dropped DLL (2 IoCs)
pid | Process
- 1660 | c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
- 1660 | c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
Adds Run key to start application (2 TTPs, 29 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /d" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /y" | merad.exe
- Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /h" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /i" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /t" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /l" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /f" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /v" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /x" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /r" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /u" | c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /w" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /q" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /n" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /c" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /o" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /p" | merad.exe
- Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /m" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /s" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /e" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /a" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /u" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /z" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /g" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /j" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /k" | merad.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\merad = "C:\\Users\\Admin\\merad.exe /b" | merad.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 1660 | c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe (1 entry)
- 2040 | merad.exe (63 entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
- 1660 | c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
- 2040 | merad.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
- PID 1660 wrote to memory of 2040 | 1660 | c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe | 27 (recorded 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c64528f10864d31235edaa0f0d00703011f758841e0f2a70ec86f0b2e50f30b8.exe"
   PID: 1660
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\merad.exe (child of PID 1660)
      Command line: "C:\Users\Admin\merad.exe"
      PID: 2040
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 224KB
MD5: 25323dc81196427bf196ea808d96a72b
SHA1: 2d60ac9f9ec13d0fbb50810b9c84995bbcc8e4ed
SHA256: d663421d61ebb9d7c9e9ad333c78111786b55c3bb4fa7cbb710e6bae2079606c
SHA512: 27ff48e1462ec3281099819ad7f3aa248c62bef2e47f0f1be00fdbe831fb2233b3f89818cbf11b9cc83382df88f2b899818e215c84026b2689cbdbd0cb3f7710