25559a3f73bf2d86a333fb1f7d6c7b794576c276f5823d2a5f771a94259490d4

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e4b4b943b6bb80d59b83fb8f6b9470.exe
Size

209KB
MD5

09e4b4b943b6bb80d59b83fb8f6b9470
SHA1

a57e6d9adcaf9076b060d2b033ecef428fe2f6a1
SHA256

25559a3f73bf2d86a333fb1f7d6c7b794576c276f5823d2a5f771a94259490d4
SHA512

10c9663771b6f1368e8172a0ea2edbc2b6dd9edcf2fe068a1f0ddaa1d8cc99fe79fef0482485ea010fba1b39002ba23686a52b80243d126a97c8ee6c205661bf
SSDEEP

3072:AligYAyRYjGkHgzC9fOlnCLRH6kP9ni5KRh2OPMcb6rky8+ZsiCF8dvNce:Ali5zglHgz62lCLRHG5I2OBmrJ8StP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2296	u.dll
2928	mpress.exe
2100	u.dll

Loads dropped DLL 6 IoCs

pid	Process
1308	cmd.exe
1308	cmd.exe
2296	u.dll
2296	u.dll
1308	cmd.exe
1308	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1308	2636	09e4b4b943b6bb80d59b83fb8f6b9470.exe	18
PID 2636 wrote to memory of 1308	2636	09e4b4b943b6bb80d59b83fb8f6b9470.exe	18
PID 2636 wrote to memory of 1308	2636	09e4b4b943b6bb80d59b83fb8f6b9470.exe	18
PID 2636 wrote to memory of 1308	2636	09e4b4b943b6bb80d59b83fb8f6b9470.exe	18
PID 1308 wrote to memory of 2296	1308	cmd.exe	19
PID 1308 wrote to memory of 2296	1308	cmd.exe	19
PID 1308 wrote to memory of 2296	1308	cmd.exe	19
PID 1308 wrote to memory of 2296	1308	cmd.exe	19
PID 2296 wrote to memory of 2928	2296	u.dll	21
PID 2296 wrote to memory of 2928	2296	u.dll	21
PID 2296 wrote to memory of 2928	2296	u.dll	21
PID 2296 wrote to memory of 2928	2296	u.dll	21
PID 1308 wrote to memory of 2100	1308	cmd.exe	20
PID 1308 wrote to memory of 2100	1308	cmd.exe	20
PID 1308 wrote to memory of 2100	1308	cmd.exe	20
PID 1308 wrote to memory of 2100	1308	cmd.exe	20
PID 1308 wrote to memory of 2936	1308	cmd.exe	33
PID 1308 wrote to memory of 2936	1308	cmd.exe	33
PID 1308 wrote to memory of 2936	1308	cmd.exe	33
PID 1308 wrote to memory of 2936	1308	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\09e4b4b943b6bb80d59b83fb8f6b9470.exe
"C:\Users\Admin\AppData\Local\Temp\09e4b4b943b6bb80d59b83fb8f6b9470.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\4AE5.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 09e4b4b943b6bb80d59b83fb8f6b9470.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\4B72.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4B72.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4B73.tmp"
      4⤵
      Executes dropped EXE
      PID:2928
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2100
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4AE5.tmp\vir.bat

Filesize
2KB

MD5
f0bb502733d88b8d657a9522df60d24d

SHA1
0f9f73591aafa28300169df0dff51afda2f810fc

SHA256
ef6f9ac7c1d737f3e15fb76f77c624156eb6e0e53414fec00a897cef38180d9a

SHA512
98ceaf127856a0d44279204b38e613f84fb3d6f24b9d0e7981f9543b703dcee1655023629bde1ac436be5de6a939ddcdc4c7a3084786692e7e4e82d6cabc4f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B72.tmp\mpress.exe

Filesize
1KB

MD5
118ea5a89a8339f2b622717d48f9285b

SHA1
af38929dcc57a7148af3372008a294a80f3635b4

SHA256
5cb9cef7fa6145284b1593f53f788c5897c8e046fc90943ece566812ef453c62

SHA512
a97715b5b53f060ac8d00b170de05198d03871b95b1a8a0afd7b552e1814d271d74d2d52b22d20542e69c4aac2232a03ae8597958902bd05047031bb1009cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4B72.tmp\mpress.exe

Filesize
28KB

MD5
8ad9607c7de707342b921eb040efc5b0

SHA1
89a0e9f6593b8d6ed43670653ea4585d2b673fbb

SHA256
9c7f5250c87bad0fbdc856661002b1946e3757054105426caf085a09d486828b

SHA512
0372680c583264bfbb973d5254726f645e1b3d39c2b92b3c390b010c61d3d63fb1b2ccfcd40cfda202f1afe51f9911c1e6e0067bbd490bd15ef338b3a7857513

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4B73.tmp

Filesize
1KB

MD5
889fa0ac82f2ce37dc33898e7f3deb0f

SHA1
0e1be5b3f293476875be62bde27c2092f732a48d

SHA256
4837308b8b91ac94a3dc0fd3d28c0f3c01d715ed47a493a15ebd2da6ffa3cc3e

SHA512
b1ab2bf48be957aef082596c47f4f89153c4190a58f0f91e6e8894e9961bf1c31691e466a4f6e567a4d4402c6f3b46e9d84564a31104eaf8e011167a78e71130

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4B73.tmp

Filesize
5KB

MD5
e0441d11dada6d1628168933e86e276c

SHA1
86a6a9a2dac09fe0694810d5d40a152db4290cbc

SHA256
ae4b96f929d1704067de46b9c579682d2581d6624cfb33afb5c06419ee9de004

SHA512
005267cbaa1ce9b2489d87c403ef39385c48727d5d7f2c5e5fb8658dde36a328460d9481edff7b52cb04f9343b58082a245b9066942a5dd878b658ef35d307ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4B73.tmp

Filesize
24KB

MD5
226830d6347aab2ea58f4e58bee748ca

SHA1
f5219318e736237941877549319524f9f0f4dc97

SHA256
6107be941b96931f172edb47742526c04dbe32156e71045650a4c9fe7369c326

SHA512
1603938d9f5c030625dc9778e06d1fdf98d0818818ea3240efe1a3122e7c9743e7b6403949df02716531cb8ddb5a1358fb7ece9594f32c08f4e0f466b1832824

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4D37.tmp

Filesize
41KB

MD5
f6e37b5b08d4514d8347cb5ed4e670f2

SHA1
0c42b901ed5f2e9e76822ccdab3299b714a89cf0

SHA256
41ac25ee169e9baeccb3d8ccaa3be68b912286125520e56d0ed9854608966a02

SHA512
03cb6ed9236b0e5b679ba92f4e5ca07a1874717af3dcb7f24237c7431bdacfebcfecd46df500083f40f626f5ddef4b18c12feb5338924522dfd9f32751b6f301

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
168KB

MD5
0e5d655f50c87a747c6748ef14b1db08

SHA1
9b54d58d4773990b4ec64e895191012502754651

SHA256
118edc1ca3761cee30edc7d5a98820f557c513047a6d36818273ac2d3044bd11

SHA512
b2d19f7fdccad896676e2f3190412c89dd7801ce7502271733d563984f5189b8b836cd3cf7139daa89bf9bbed2ee3bec1f66f1849d12a3cfdbfa55f89b023236

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
19KB

MD5
8d3cafb1c49a57f6fff62531d478821b

SHA1
866b4b506604ac8887cc0ce5fc062cefaa8a68e6

SHA256
d6d4ec577b0600491d8519296db1d79058ec566177920393485c827e923073e4

SHA512
1690633a406c8b0afc42b2902b611effbc4eb5a20880758aa47249de60115aadbda2681e5dff1f11901cd6209edfd87c5cf23ddecfc47d85dc1a66c1e9bc211e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
57KB

MD5
525b08812a0b4a17ae8b3594c227a4c7

SHA1
3b6f9ca9a1d98ea4b25301447e465b1eedb903ca

SHA256
fd2e5e784f65e21abc1051dca4be4c5c10ec3c48a7c6277b88ed311eb3735a4f

SHA512
d1cd2af1fab25bbddc05079cec3722d9efc3e327075531ab9ac6a793441962b848034baea04dc5c6816cbac5a80d05ce1034f69ab6e2f79b0aafcb282f307e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
131KB

MD5
d1511ea8f72dfae0602eb33930f04a4c

SHA1
2fa699a3453c6b371a12dea5dbb5bb7f7bcf3178

SHA256
12050b8d3f69bdcadd01a26a842aaf52dc6ce316f07b213c46d53f5f3f96d659

SHA512
fe9976349381ce9a4be31b68f8f8a4910285fcd84220b575eb0226e8b5a216f93b6c2fab531df367107a883c48ea96a43114a70b606dd7f96ed613fb8e7c1160

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
8115a59ab7c900ddf7b3784d27d6819d

SHA1
075dfde636f77b0d28327deb9cbe9dd45c399641

SHA256
8d114250d3860a8f85861e8febac6756b70d8c18d91816d170ba38b6f390de3e

SHA512
29036ce03380bdfe5519040544fb43a718f1fd2dc7530a9d808976d5da8f09ca06645c0bd5056cd6120e572e7b3e31c24bd03d98219135261e777c4c3859d4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
31d40eb5c2fc499f5a3eeaa50d7f00a7

SHA1
e0a68f908fa95cea346a5304a3a64e633520f095

SHA256
384f3b8069c836bd0c2dc4fa512ddd4aa3c223e112dc635fec42af965b369ff9

SHA512
2132a9cbdbd747ba6a5efa9d8a0c7760abbca4bc7f162c0635592ddf4e04a0d32c4995f77eca4fb78ec83360f63acfa6d417abb3f4f1e352e928238caa9710b4

Download Submit
\Users\Admin\AppData\Local\Temp\4B72.tmp\mpress.exe

Filesize
92KB

MD5
c880f937f3dee3a3fa35d7d3640b54ac

SHA1
3345ed7e212eafee3c48d94b4ed5bd78c62de919

SHA256
3bec6888eb372e15c606fa1d3382d6f8c468d7237175a7f7bb667f9693bb9747

SHA512
8973de6a675e3768d20e8a95f9035ab448b2acd7823c14e2028afb570026859fcd14be4e39c377fb6048943db6545ef56e947d9f4956034fc85a29198a45a28d

Download Submit
\Users\Admin\AppData\Local\Temp\4B72.tmp\mpress.exe

Filesize
21KB

MD5
653908003d5236e355daf65649747345

SHA1
d923d9ee12ae16d3a2fa8231e8f7a0cb9d49a736

SHA256
3a7a6e86bf802832e424c816031dc297358b66f549d61cdc9e7162cf2d1357df

SHA512
f9eb978e0023b2e945285cd9ea159c8486041d5c542947bfcc6aaa930d28a9d4c5e7b01dc0a17e43d4b8ce43c209c15fd9dc434006ca2f09abf7a114464fc942

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
39KB

MD5
e16c40f7af58d3de4a382b65cd816453

SHA1
0c416e247b371d71b7dc9e51129240905fc05902

SHA256
698771a45e563e227e1e13facb3a444a9453fcebf3c6a83e0e66b55f8efe09cf

SHA512
254ebc4e9c466d53481cce8897615aea62fd6fb8b9842546f2b776689c9f72b08860e25c3790f32f431f98d7445918065562e2b3c7ff8ed8f379c7ecf561f9c6

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
64KB

MD5
d3f5de48e29a3966e2a6916654b511c6

SHA1
5c5c1d4c4672779c7b7f55c90f808e566c0f9a54

SHA256
200729364bbcb98929a724d5bb98df9bff2189aea37c761f4cc2356a55da4923

SHA512
6b955e8c3db58b998217d7b895888a9f2461bdc67b9bbc7fc7083ea0d1be810ca43ee4859c07093076b8065e5515fce8028d76b15a12222d23fb58760acc538e

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
123KB

MD5
3517617e6d5a9470be633dc519d96bc3

SHA1
bda7fca2c3727f2b8e9b42f4655b9937ef103e9d

SHA256
2600cf95469b1c78491a82cf8479b3a8c5577a574fd362e489a763b359cbcafb

SHA512
9519494a66be487f3c10a03b4910493d007bb8067cb8fd76a07dc851e63c7c47e9c8a10e282f5b963c367dd8fd3d9b3e2d900c1fa3dd0055db76d8b4abf593a0

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
46KB

MD5
30393f8f1261c05241f686e653a86404

SHA1
f35f2f9e546724b1473605ce042660dd605250cf

SHA256
1a3e2a0a00b7551ce12b77adce75e2d34ec01254a4fff6de40fecf1c0bfe9336

SHA512
8cdcde4578b1b3a53d02e05a9675dc21fc00f78db426cf8cc6b4770da9517191223b819dfb627721a8f9ed6f1e52cbcd4d79d6a815cb577e83a6e94e3ff3c827

Download Submit
memory/2296-65-0x0000000001D50000-0x0000000001D84000-memory.dmp

Filesize
208KB

Download
memory/2296-69-0x0000000001D50000-0x0000000001D84000-memory.dmp

Filesize
208KB

Download
memory/2636-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2636-108-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2928-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2928-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads