fdd6f27c9cb4dae48f6ca4290543780ccf7dd9a7999545c1086e933c240b622e

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

merrinati.exe
Size

1.3MB
MD5

45704959e2d309ca096e3104e770313d
SHA1

00bad92e5857b6fe5b0ee3abe90da5e47407bcd2
SHA256

fdd6f27c9cb4dae48f6ca4290543780ccf7dd9a7999545c1086e933c240b622e
SHA512

8e362fa23703714cc5a450434fc9dfdc36a24bc3da56708053e911e5e4de3f73c250b4ddcec833af88a083bd87c05d697c15309cb2851106fd25b98e57424d83
SSDEEP

24576:MZhoiQ9lUi6S4mdU8dyQnX82ZT8M9ETQh/7aHMnKIg06u:Tv9lUi6dmd9nLYM1h/7aqKxu

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	1a557.exe

Executes dropped EXE 3 IoCs

pid	Process
1432	1a557.exe
1268	WindowsInput.exe
640	AudioDriver64.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	1a557.exe
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe
640	AudioDriver64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	AudioDriver64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
640	AudioDriver64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1432	2532	merrinati.exe	82
PID 2532 wrote to memory of 1432	2532	merrinati.exe	82
PID 2532 wrote to memory of 1432	2532	merrinati.exe	82
PID 1432 wrote to memory of 1268	1432	1a557.exe	86
PID 1432 wrote to memory of 1268	1432	1a557.exe	86
PID 1432 wrote to memory of 640	1432	1a557.exe	91
PID 1432 wrote to memory of 640	1432	1a557.exe	91
PID 1432 wrote to memory of 640	1432	1a557.exe	91

C:\Users\Admin\AppData\Local\Temp\merrinati.exe
"C:\Users\Admin\AppData\Local\Temp\merrinati.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\1a557.exe
  C:\Users\Admin\AppData\Local\Temp\1a557.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1268
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1a557.exe

Filesize
842KB

MD5
ba349b4bf0dc890f8d96b53b54c2942a

SHA1
a934352c046ec81d0a7d8673b751955cf9c7958a

SHA256
76330537394ecbe2feb0b85b11975454d03735d6737960a1a810315a8afe0c49

SHA512
0a65412a43509339b112c2db699f82d4e1de82b48aa1ac2669227877e453c1541f9dd82816ef07b329f2132a6029af54341d8755db8a83cb1d55442e12d10b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a557.exe

Filesize
842KB

MD5
ba349b4bf0dc890f8d96b53b54c2942a

SHA1
a934352c046ec81d0a7d8673b751955cf9c7958a

SHA256
76330537394ecbe2feb0b85b11975454d03735d6737960a1a810315a8afe0c49

SHA512
0a65412a43509339b112c2db699f82d4e1de82b48aa1ac2669227877e453c1541f9dd82816ef07b329f2132a6029af54341d8755db8a83cb1d55442e12d10b94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver64.exe

Filesize
842KB

MD5
ba349b4bf0dc890f8d96b53b54c2942a

SHA1
a934352c046ec81d0a7d8673b751955cf9c7958a

SHA256
76330537394ecbe2feb0b85b11975454d03735d6737960a1a810315a8afe0c49

SHA512
0a65412a43509339b112c2db699f82d4e1de82b48aa1ac2669227877e453c1541f9dd82816ef07b329f2132a6029af54341d8755db8a83cb1d55442e12d10b94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver64.exe

Filesize
842KB

MD5
ba349b4bf0dc890f8d96b53b54c2942a

SHA1
a934352c046ec81d0a7d8673b751955cf9c7958a

SHA256
76330537394ecbe2feb0b85b11975454d03735d6737960a1a810315a8afe0c49

SHA512
0a65412a43509339b112c2db699f82d4e1de82b48aa1ac2669227877e453c1541f9dd82816ef07b329f2132a6029af54341d8755db8a83cb1d55442e12d10b94

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver64.exe

Filesize
842KB

MD5
ba349b4bf0dc890f8d96b53b54c2942a

SHA1
a934352c046ec81d0a7d8673b751955cf9c7958a

SHA256
76330537394ecbe2feb0b85b11975454d03735d6737960a1a810315a8afe0c49

SHA512
0a65412a43509339b112c2db699f82d4e1de82b48aa1ac2669227877e453c1541f9dd82816ef07b329f2132a6029af54341d8755db8a83cb1d55442e12d10b94

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
597B

MD5
c2291863df7c2d3038ce3c22fa276506

SHA1
7b7d2bc07a6c35523807342c747c9b6a19f3184e

SHA256
14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

SHA512
00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
memory/640-82-0x0000000005E10000-0x0000000005FD2000-memory.dmp

Filesize
1.8MB

Download
memory/640-79-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/640-77-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/640-81-0x0000000005A60000-0x0000000005A78000-memory.dmp

Filesize
96KB

Download
memory/640-86-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/640-85-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/640-83-0x0000000005D80000-0x0000000005D90000-memory.dmp

Filesize
64KB

Download
memory/640-84-0x0000000006270000-0x000000000627A000-memory.dmp

Filesize
40KB

Download
memory/1268-28-0x000000001B1E0000-0x000000001B200000-memory.dmp

Filesize
128KB

Download
memory/1268-27-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

Filesize
96KB

Download
memory/1268-29-0x00007FFBF5D90000-0x00007FFBF6731000-memory.dmp

Filesize
9.6MB

Download
memory/1268-45-0x000000001C3C0000-0x000000001C45C000-memory.dmp

Filesize
624KB

Download
memory/1268-31-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/1268-32-0x00007FFBF5D90000-0x00007FFBF6731000-memory.dmp

Filesize
9.6MB

Download
memory/1268-62-0x00007FFBF5D90000-0x00007FFBF6731000-memory.dmp

Filesize
9.6MB

Download
memory/1268-36-0x000000001B4F0000-0x000000001B514000-memory.dmp

Filesize
144KB

Download
memory/1268-44-0x000000001BE50000-0x000000001C31E000-memory.dmp

Filesize
4.8MB

Download
memory/1432-30-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1432-33-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1432-15-0x0000000005A10000-0x0000000005A1C000-memory.dmp

Filesize
48KB

Download
memory/1432-65-0x00000000060B0000-0x00000000060FE000-memory.dmp

Filesize
312KB

Download
memory/1432-66-0x0000000006120000-0x0000000006138000-memory.dmp

Filesize
96KB

Download
memory/1432-14-0x0000000005A60000-0x0000000005A82000-memory.dmp

Filesize
136KB

Download
memory/1432-13-0x00000000059F0000-0x00000000059F8000-memory.dmp

Filesize
32KB

Download
memory/1432-12-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/1432-11-0x0000000005010000-0x000000000505C000-memory.dmp

Filesize
304KB

Download
memory/1432-10-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/1432-80-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/1432-9-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/1432-8-0x0000000004B80000-0x0000000004B8A000-memory.dmp

Filesize
40KB

Download
memory/1432-7-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1432-6-0x0000000000150000-0x0000000000228000-memory.dmp

Filesize
864KB

Download
memory/1432-5-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2532-3-0x00007FF73C4D0000-0x00007FF73C53C000-memory.dmp

Filesize
432KB

Download