Analysis
- max time kernel: 175s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 16:08
Static task: static1
Behavioral task: behavioral1
- Sample: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
- Resource: win7-20221111-en
General
- Target: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
- Size: 120KB
- MD5: d550edee505e87d20bb5dcabc50812e4
- SHA1: ea302cf5482451c2e6f77e89f96032dc39203ca6
- SHA256: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25
- SHA512: cec2198e4d4d47c503f9670047dd207e76ee6b48b9046230c569457dd04d92183b93cc7d0e710590faa38b9824e7f9ef9c2007abd4745d22b34326e24764a168
- SSDEEP: 3072:ImjvpwkOIm1m1m1m1m1m1mP4p4YROPCM4msWHGm0H9p8yqa9uIe5AV5L1m1m1m1V:BAzkzm0YnRPI55
Malware Config
(empty: no configuration was extracted for this sample)
Signatures
-
UAC bypass 2 IoCs
(heading recovered from the per-process labels in the Processes tree below)
Processes: svchost.exe, 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
Note: EnableLUA = 0 turns UAC off system-wide, but only after the next reboot. Writing under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System requires administrative rights, so the write succeeding implies the sandbox's Admin account ran the sample with them.
-
Windows security bypass 2 IoCs
(heading recovered from the Processes tree below)
Processes: svchost.exe, 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
Note: the key appears under Wow6432Node because the sample is a 32-bit binary (resource tag arch:x86; its cmd.exe child runs from SysWOW64): WOW64 redirected its write to HKLM\SOFTWARE\Microsoft\Security Center into the 32-bit view, which the 64-bit Security Center service does not necessarily read. The EnableLUA write above is not redirected because Policies\System is on the WOW64 shared-key list. Detection logic that compares registry paths should strip the Wow6432Node component before matching.
-
Executes dropped EXE 2 IoCs
Processes: svchost.exe, svchost.exe
pid | process
268 | svchost.exe
1304 | svchost.exe
-
Drops startup file 2 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe | svchost.exe
Note: the per-user Startup folder is writable without elevation, so this persistence works even where the EnableLUA write would have failed. The name WordPad.exe imitates the Windows accessory; the file does not appear among the dropped files listed under Downloads and is never executed in the process tree.
-
Loads dropped DLL 2 IoCs
Processes: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
pid | process
460 | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
460 | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
-
Windows security modification 2 IoCs
(heading recovered from the Processes tree below)
Processes: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | svchost.exe
-
Checks whether UAC is enabled 2 IoCs
(heading recovered from the Processes tree below)
Processes: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: that sentence is the sandbox's generic description for this signature. Nothing else in the report corroborates ransomware: no mass file modification is recorded, and the only files written are the svchost.exe self-copy, WordPad.exe in the Startup folder and Melt.bat.
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe, 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe, svchost.exe, svchost.exe
pid | process
1132 | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
460 | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
268 | svchost.exe
1304 | svchost.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe, 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe, svchost.exe
The 38 records are all of the form "PID <source> wrote to memory of <target>" and collapse to four parent/child pairs:
source pid | source process | target pid | target process | writes
1132 | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe | 460 | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe | 15
460 | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe | 268 | svchost.exe | 4
268 | svchost.exe | 1304 | svchost.exe | 15
460 | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe | 1696 | cmd.exe | 4
Note: each stage that launches a second copy of its own image writes into that child 15 times, while launches of a different image (svchost.exe from the sample, cmd.exe for Melt.bat) receive only 4 writes. The memory dumps under Downloads cover the 0x400000-0x416000 image region of PIDs 460 and 1304, the two same-image write targets, and no image region of 1132 or 268. That pattern is consistent with the parent filling in the child's image before it runs (self-injection), but the report does not show the written bytes, so this remains an inference.
-
System policy modification 1 TTPs 4 IoCs
Processes: svchost.exe, 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | svchost.exe
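An added example, not part of the sandbox report: the registry IoCs above turned into a small detection routine in Python, run over constructed Sysmon-style Event ID 13 (RegistryEvent, value set) records. The field names (Image, TargetObject, Details) follow Sysmon's schema; the events themselves are built here to mirror the report's two writes plus two benign controls and are not telemetry from the run. It makes two points a rule writer needs: strip Wow6432Node before comparing paths, and allowlist by full directory rather than by basename, because the dropped copy is also called svchost.exe.

```python
import re

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
WSCSVC_HOST = r"C:\Windows\System32\svchost.exe"   # the real Security Center service host

# Constructed Sysmon-style Event ID 13 records mirroring the report's IoCs,
# plus two benign controls. Not real telemetry from the sandbox run.
EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": DROPPED,   # 32-bit writer, so the key shows up redirected
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": WSCSVC_HOST,   # benign: the service touching its own key
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Security Center\UACDisableNotify",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": WSCSVC_HOST,   # benign: UAC being re-enabled
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
]

SECURITY_CENTER_NOTIFY = re.compile(r"\\microsoft\\security center\\[a-z]*disablenotify$")


def normalize_key(path):
    """Lower-case the path, map the kernel-style prefix the sandbox reports
    (\\REGISTRY\\MACHINE) to HKLM, and drop the WOW64 redirection node so a
    32-bit writer's Wow6432Node view compares equal to the 64-bit view."""
    p = path.lower().replace("\\registry\\machine\\", "hklm\\")
    return p.replace("\\wow6432node\\", "\\")


def dword_value(details):
    """Parse the DWORD Sysmon renders as 'DWORD (0x00000000)'; None for other types."""
    m = re.search(r"dword \(0x([0-9a-f]{8})\)", details.lower())
    return int(m.group(1), 16) if m else None


def image_in_windows_dir(image):
    """Allowlist on the full directory, never the basename: the dropped copy is
    also named svchost.exe but lives in AppData\\Roaming."""
    return image.lower().startswith(WINDOWS_DIRS)


def evaluate(event):
    """Return (rule, image, normalized_key) findings for one event."""
    if event.get("EventID") != 13:
        return []
    key = normalize_key(event["TargetObject"])
    value = dword_value(event.get("Details", ""))
    image = event["Image"]
    findings = []
    # UAC switched off: flag whoever writes it; legitimate tooling almost never does.
    if key.endswith("\\policies\\system\\enablelua") and value == 0:
        findings.append(("uac_disabled", image, key))
    # Security Center *DisableNotify written from outside C:\Windows: the path is
    # the signal regardless of the value (the report records "0").
    if SECURITY_CENTER_NOTIFY.search(key) and not image_in_windows_dir(image):
        findings.append(("security_center_tamper", image, key))
    return findings


def scan(events):
    return [f for e in events for f in evaluate(e)]


if __name__ == "__main__":
    for rule, image, key in scan(EVENTS):
        print(f"{rule:<24} {image}  ->  {key}")
```

Only the two writes from the report fire; the service host's own write and the EnableLUA = 1 write do not. The rule names and the two benign events are assumptions made for the example.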
Processes
(PIDs are taken from the signature tables above; the tree itself only records nesting level)
-
Level 1: C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe (PID 1132)
  command line: "C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  Level 2: C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe (PID 460, same image re-launched by PID 1132)
    command line: "C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe"
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    -
    Level 3: C:\Users\Admin\AppData\Roaming\svchost.exe (PID 268)
      command line: C:\Users\Admin\AppData\Roaming\svchost.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      -
      Level 4: C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1304, same image re-launched by PID 268)
        command line: C:\Users\Admin\AppData\Roaming\svchost.exe
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Drops startup file
        - Windows security modification
        - Checks whether UAC is enabled
        - Suspicious use of SetWindowsHookEx
        - System policy modification
    -
    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 1696)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Melt.bat
Note: the chain is launcher, re-launched copy of the same image, dropped svchost.exe, re-launched copy of that, with the real work (registry changes, Startup drop) done only in the second instance at each stage. cmd.exe is started by PID 460 from the original's Temp directory, and the WriteProcessMemory records place it after the svchost.exe launch; the report does not show Melt.bat's contents (179 bytes, hashes under Downloads), but its name, size and timing fit a script that deletes the original file once the copy in AppData\Roaming is running.
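An added example, not from the report: the process tree above expressed as rules over constructed Sysmon-style Event ID 1 (process create) and Event ID 11 (file create) records, with a lineage walk so a hit is reported together with its ancestors. PIDs, images and command lines are copied from the report; the benign services.exe/svchost.exe control (PIDs 500 and 900), the rule names and the list of system binary names are assumptions made for the example.

```python
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names that belong only under the Windows directory; the report's dropper calls
# its copy svchost.exe but runs it from AppData\Roaming. Assumed list, extend as needed.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"

# Constructed Sysmon-style records (Event ID 1 = process create, 11 = file create)
# modelled on the report's process tree, plus one benign control (PID 900).
EVENTS = [
    {"EventID": 1, "ProcessId": 460, "Image": SAMPLE, "ParentProcessId": 1132,
     "ParentImage": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 268, "Image": DROPPED, "ParentProcessId": 460,
     "ParentImage": SAMPLE, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 1304, "Image": DROPPED, "ParentProcessId": 268,
     "ParentImage": DROPPED, "CommandLine": DROPPED},
    {"EventID": 1, "ProcessId": 1696, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentProcessId": 460, "ParentImage": SAMPLE,
     "CommandLine": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Melt.bat"},
    {"EventID": 11, "ProcessId": 1304, "Image": DROPPED,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WordPad.exe"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 500, "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def user_writable(path):
    p = path.lower()
    return "\\users\\" in p or "\\programdata\\" in p


def check_process(ev):
    """Rules for an Event ID 1 record; returns the names of the rules that fire."""
    hits = []
    image, parent = ev["Image"], ev["ParentImage"]
    name = ntpath.basename(image).lower()
    if name in SYSTEM_NAMES and not in_system_dir(image):
        hits.append("masquerade")      # system binary name outside the Windows directory
    if image.lower() == parent.lower() and user_writable(image):
        hits.append("self_respawn")    # a user-land binary re-launching its own image
    cmd = ev.get("CommandLine", "").lower()
    if name == "cmd.exe" and "/c" in cmd and ".bat" in cmd and user_writable(parent):
        hits.append("temp_batch")      # cmd /c <script> spawned by a user-land parent
    return hits


def check_file(ev):
    """Rules for an Event ID 11 record."""
    return ["startup_drop"] if STARTUP_DIR in ev["TargetFilename"].lower() else []


def scan(events):
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            rules = check_process(ev)
        elif ev["EventID"] == 11:
            rules = check_file(ev)
        else:
            rules = []
        findings.extend((rule, ev["ProcessId"]) for rule in rules)
    return findings


def lineage(events, pid):
    """Follow ParentProcessId links back to the root so a hit carries its ancestry."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


if __name__ == "__main__":
    for rule, pid in scan(EVENTS):
        print(f"{rule:<14} pid {pid:<5} lineage {' -> '.join(map(str, lineage(EVENTS, pid)))}")
```

Every process in the report's chain fires at least one rule and the service host control fires none. Two caveats: self_respawn also fires on legitimate installers that re-launch themselves elevated, so it is a scoring signal rather than an alert on its own; and the 15 WriteProcessMemory calls into each same-image child are not a Sysmon event, so in production the equivalent signal is an Event ID 10 (ProcessAccess) from parent to child whose GrantedAccess includes PROCESS_VM_WRITE, correlated with the self_respawn hit.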
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Melt.bat
Filesize: 179B
MD5: 5a784d526aabdcc2b9a6638deb81712b
SHA1: d2aecaf1489f519b779bc65a46e7ab6e9423b221
SHA256: 52385805cb3e5c65dbc388ef15a6facc59f23ed36cb25806c4c615b7511c8873
SHA512: 8112ab517f00f7d8bfc597ca23829f11163ab6b53c3b443a17401a3048d17fbc0f74e291886013ec37cce02235d9d8d83ea6f00c1920fadc031aef54e82b0a7e
-
C:\Users\Admin\AppData\Roaming\svchost.exe (the report lists this file five times, three times with this path and twice as \Users\Admin\AppData\Roaming\svchost.exe, all with identical size and hashes; the entries are collapsed here)
Filesize: 120KB
MD5: d550edee505e87d20bb5dcabc50812e4
SHA1: ea302cf5482451c2e6f77e89f96032dc39203ca6
SHA256: 83f71770cfba923d1e8de4dc54ccb5429321467e26085788fce7b34162668e25
SHA512: cec2198e4d4d47c503f9670047dd207e76ee6b48b9046230c569457dd04d92183b93cc7d0e710590faa38b9824e7f9ef9c2007abd4745d22b34326e24764a168
Note: these hashes match the submitted sample exactly, so the dropped svchost.exe is a byte-for-byte copy of the original and any hash-based indicator for the sample already covers it. Melt.bat is the only new file with a hash; if, as its name and the cmd /c launch suggest, it is a self-delete script, its contents embed the path of the file it removes and its hash will differ from host to host, so it is a poor indicator to pivot on.
-
Memory dumps (name format: memory/<pid>-<sequence>-<range>-<type>.dmp)
PID 1132 (first instance of the sample)
  memory/1132-56-0x00000000761E1000-0x00000000761E3000-memory.dmp, 8KB
  memory/1132-58-0x0000000000260000-0x0000000000266000-memory.dmp, 24KB
PID 460 (second instance of the sample)
  memory/460-57-0x0000000000000000-mapping.dmp
  memory/460-60-0x0000000000400000-0x0000000000416000-memory.dmp, 88KB
  memory/460-62-0x0000000000400000-0x0000000000416000-memory.dmp, 88KB
  memory/460-65-0x0000000000400000-0x0000000000416000-memory.dmp, 88KB
  memory/460-84-0x0000000000400000-0x0000000000416000-memory.dmp, 88KB
PID 268 (first instance of svchost.exe)
  memory/268-69-0x0000000000000000-mapping.dmp
PID 1304 (second instance of svchost.exe)
  memory/1304-75-0x0000000000000000-mapping.dmp
  memory/1304-86-0x0000000000400000-0x0000000000416000-memory.dmp, 88KB
PID 1696 (cmd.exe)
  memory/1696-81-0x0000000000000000-mapping.dmp
Note: 0x400000 is the default image base of a 32-bit PE, and 0x16000 (88KB) is the mapped image size; the report dumps that region only for PIDs 460 and 1304, the two processes that received 15 WriteProcessMemory calls from a parent running the same image. Those dumps are the place to look for code that differs from the 120KB file on disk.