5fc5f09e956b2bd837f82d7ac00c05373111f6f9f4c443da32f3a102f49099f2

Analysis

max time kernel
142s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b7c0afb76cc1303a8f1038603c720f2.exe
Size

208KB
MD5

0b7c0afb76cc1303a8f1038603c720f2
SHA1

9410966e8f2605a3da0ff4fc1918b710d593ea13
SHA256

5fc5f09e956b2bd837f82d7ac00c05373111f6f9f4c443da32f3a102f49099f2
SHA512

817ffa7de21221fe05f683b5ecb5dff6b52aceb74ddba616e49a81d4d7a7e32c5633689113367aaa556d59320ec52a347f1e60a05492def21b46206621ddf054
SSDEEP

6144:RlNgwyZYsR2ctyfw3l/9iG48C5BOVBZwKT:RhYYsR2ctyohU8C5wBZwKT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2456	u.dll
2224	mpress.exe
2360	u.dll
1644	mpress.exe

Loads dropped DLL 8 IoCs

pid	Process
1300	cmd.exe
1300	cmd.exe
2456	u.dll
2456	u.dll
1300	cmd.exe
1300	cmd.exe
2360	u.dll
2360	u.dll

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 1300	3020	0b7c0afb76cc1303a8f1038603c720f2.exe	29
PID 3020 wrote to memory of 1300	3020	0b7c0afb76cc1303a8f1038603c720f2.exe	29
PID 3020 wrote to memory of 1300	3020	0b7c0afb76cc1303a8f1038603c720f2.exe	29
PID 3020 wrote to memory of 1300	3020	0b7c0afb76cc1303a8f1038603c720f2.exe	29
PID 1300 wrote to memory of 2456	1300	cmd.exe	30
PID 1300 wrote to memory of 2456	1300	cmd.exe	30
PID 1300 wrote to memory of 2456	1300	cmd.exe	30
PID 1300 wrote to memory of 2456	1300	cmd.exe	30
PID 2456 wrote to memory of 2224	2456	u.dll	31
PID 2456 wrote to memory of 2224	2456	u.dll	31
PID 2456 wrote to memory of 2224	2456	u.dll	31
PID 2456 wrote to memory of 2224	2456	u.dll	31
PID 1300 wrote to memory of 2360	1300	cmd.exe	33
PID 1300 wrote to memory of 2360	1300	cmd.exe	33
PID 1300 wrote to memory of 2360	1300	cmd.exe	33
PID 1300 wrote to memory of 2360	1300	cmd.exe	33
PID 2360 wrote to memory of 1644	2360	u.dll	32
PID 2360 wrote to memory of 1644	2360	u.dll	32
PID 2360 wrote to memory of 1644	2360	u.dll	32
PID 2360 wrote to memory of 1644	2360	u.dll	32
PID 1300 wrote to memory of 1844	1300	cmd.exe	34
PID 1300 wrote to memory of 1844	1300	cmd.exe	34
PID 1300 wrote to memory of 1844	1300	cmd.exe	34
PID 1300 wrote to memory of 1844	1300	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\0b7c0afb76cc1303a8f1038603c720f2.exe
"C:\Users\Admin\AppData\Local\Temp\0b7c0afb76cc1303a8f1038603c720f2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\37D2.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 0b7c0afb76cc1303a8f1038603c720f2.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\389D.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\389D.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe389E.tmp"
      4⤵
      Executes dropped EXE
      PID:2224
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2360
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:1844

C:\Users\Admin\AppData\Local\Temp\3ACF.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\3ACF.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3AD0.tmp"
1⤵
- Executes dropped EXE
PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37D2.tmp\vir.bat

Filesize
1KB

MD5
a67f9730c1ada9e212dc4dfd7005ff34

SHA1
76226c3dfcae2f838271a5980cbc81b27b640f9a

SHA256
d8ba528a9ab55b7b9670dc0bed9a12573eb7e954ad2ecad7f94b05c9fbc31a22

SHA512
d85a992e4de65a2d3221688504bd6057e63c40558cc4c946818679d928696c270134e9c883221294572cd57a1c93aa7be9c7b4338c1684bed218281ed4869640

Download Submit
C:\Users\Admin\AppData\Local\Temp\389D.tmp\mpress.exe

Filesize
74KB

MD5
3b4a695b28e731eb0cdacbebca2e4dca

SHA1
b9a87e4c162459a6e2d1204aecb90dcf69fd2ef8

SHA256
d6d3337d71a21ecdcabc92fae04ea9d1c3db6920f4178c62371bd335b7a99fec

SHA512
3ef1479ba9ad9e3318714777d3c7ceb46484fc054be382d55deeccff642470b5c52b21231bee9f8d4eea97e454d2140994d4343bfd6797cb87fb46ba0b70d087

Download Submit
C:\Users\Admin\AppData\Local\Temp\389D.tmp\mpress.exe

Filesize
85KB

MD5
8d5e7a19d64b8996427a2b08f3389af2

SHA1
5d6e0e25209c87eba7ab6c42545e52269e97628f

SHA256
8bddf291681058ae495fce290391ab47519739fc3adca8f91ecac99d958244e1

SHA512
ae2ed98a4bcfd8e0e44390d100903ac5fef5088350516b9f471fded6f2aaf659cb37e4177a3db7d6621178d597d7680e2a0346f2038ca58d4ebf56e580a711b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ACF.tmp\mpress.exe

Filesize
59KB

MD5
f62bda5be087d88130d56386c85de8ca

SHA1
a8f513f2dbb3d7ceef4b6ef9160887846e1ba4fe

SHA256
83d3a891f1a5ff75c5465f420966c154421fffa89d99d915a32856785f3f8e16

SHA512
7286822186bfd03948ee17635c9a7c427daac93e1c33e4cf70085195079cd7fedf01ed07deb3ab0f949ee265fd4e0d048ea82baa49c34214603e5f9160bb6e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe389E.tmp

Filesize
41KB

MD5
cfb6c23b4ec82cb8a0c562d2b9f34c23

SHA1
c7b496195abf2cceb09d8536768d83ab4aed6687

SHA256
28feed5f31044cbc96b185cd8ac0b12cffbc848b895ffce7d4005e25f7a8faff

SHA512
55a2e71b87db5af46c90eab14f95534d0deed807e91c4a52fb762141972a051633decedaf41b19b857efe8fd24821b59e15b33c9e00073da094495ea316420ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe389E.tmp

Filesize
24KB

MD5
1c591a621b30fb31de8b83694bffdb57

SHA1
94b0acf10c424c4990f88d8d63ba0ef31231fde8

SHA256
71a4439b7c9ba5b21532c4e3c05f39fd19f2ad9e8f1e7da85244339f7fac0e3d

SHA512
4921aee10a3d419ebbfad7f9f877177fce6aad5a1084099046f97ee63d577d9f54d42b6de5ca256f5250264f929988fbd8e4e050996673c99d95dae8833abe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3AD0.tmp

Filesize
43KB

MD5
51d7f66dc62696660b707ec328da7fe3

SHA1
a5cbadc076d1741178a87b50649d3e6f855a7cc1

SHA256
e28715fb638928052e1157a2bb3d8f8b9165cd20f5043cb23c79192e4896a108

SHA512
0601119b184717dd2e472528332e346242fa2a097e94781e9d8e7d830e37e85fd3a78063650b17f0c19dee8c2f5649c3b7dd842bd0d3ad61c4d1b06cea30081d

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3AD0.tmp

Filesize
91KB

MD5
060e816dbf27fda98107f28d6963c7bf

SHA1
663ad2150a3dcae6f9bd9dca86390559580a7f86

SHA256
e9d99736e9c8f961380fa3e98604d7fafff62144ceaaf2b248641e7ca2b24f3b

SHA512
017ba13aa4da6347b358430200cd383b82d1a634bf65f48e280e680c710e2e59318273526a4513e64945a897978d1f7d9ea6a9541b20e7e7c7fd629ec005361e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3AD0.tmp

Filesize
83KB

MD5
7c775d43846898890cfc707682c39fd2

SHA1
491ccc82815de531fc05447537f93e552ad7caed

SHA256
f78d48b876f34a14319b29245666b3f3353ad211d09f795f3eb6a959f156945b

SHA512
750bd865a254cc8acd85a87b3b1ec3ea664cd57a6d42fa2caaf8e9b0cdb53d82983e9a113298bdf01c333646580c2cac9fc4679a2af74b2094d9b23dcd747b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3AD0.tmp

Filesize
58KB

MD5
2eb6865335c6537fa3af3cd9b52260e3

SHA1
452e9e91bf7ad359a4102c2a6e57078079e83569

SHA256
5cbaad79b8ca0c02c2d0840fae1f803135066ed11873250650bfc104710fb3f3

SHA512
de013b0817e3b062f3ddb09c9d29424764d79959b2d21f0f509751261ed87de507696cec5e557b2d484fe871d00d0b14249f7d04958ff1808a4c63be5db3bc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
185KB

MD5
a9ae9198185d87042e7751a6a5bb264e

SHA1
d3f2f82b9121391eca16e87f7b0b3416f04327c0

SHA256
ce3a303a05d05428f9c691ab0ae71b889a591e06db59d4e0cf67fabd81975026

SHA512
3cc01919e18afa16ac8970b79bb9cb404ebe8336acf5358ddeef38a6001c0d604b45f27380d692b37fb46fc2482e2dbdb95141d56e1e284b8205baa1af5458da

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
204KB

MD5
e181c7082e1e6e97fbc0af662eb6458d

SHA1
09124b9da871ab56e4a155f179d8e954a334002a

SHA256
13fa319d3b2ad26dc2e3ffe96e70b761538d153ca0036affc9012247816c4c3f

SHA512
b2904e08cb2744f289dbdacde60c432ec9b105658e798240697e95b2cb8acf0cb2247000052aac50ec68fa0a8ff35d1973ecf7b716414da15996fcfa24baf34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
168KB

MD5
3b2fd4bd60f970ec80c8340af355350b

SHA1
fe85693d5024fe5c76e9ed59362b6eb5f2e61b83

SHA256
9479a721518ca22f1670d546bd43d51c1d867c2908a14eb2ba6d8a9c310b3957

SHA512
b9bc8d2871d44674c1e6bd71de589a0f0db564e0784d28cc1794afff848b2cbb2200beeb90129ef80dad24dc1b1950237f5907741bca7406ad5cb6eb5ffcb8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
73KB

MD5
39ba5255a5e308f25252851090662444

SHA1
0fb5ed6ff8b5feb6fb09396d8b1d28ab112e51c8

SHA256
ca0066fbad62f5b38d38175def0a561fed8c840e180270cf79818eb425adf984

SHA512
8f4b7331651e207fe2ab6308ed543cd9ada67c86d77184484dc5e5e908cfd4837a7e19880629da9ad43abbb58afcca9ee186ca34330c2eea4bcacc2b5f1cfb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
639d0953d51cb70c24081d0857b9949c

SHA1
c9f99fb6fdfa42366dd804f70c79b1b0228e62d7

SHA256
d1e5ce2240b6401b63c0218d13186d45506ed9116cda18dcf8397bae5dfb6a72

SHA512
752de0a52b24240991f56175ecbd8d40bc05649c632bb224e2176141835b912a06564365776698d6060a44f31df7e31bfb4d62c770413dd0b103b5dd41076bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
7a2ce13bec5c688b20de52986e383467

SHA1
bc979b94490cfe93f1d2c42f68faa3479a8cb0a1

SHA256
b10eb14739a11a1ffe8aaed005db195ebfb1081fa59d09d7a62cf2db25508365

SHA512
af0b415cd57ed46cef7708e32555b0d2d252918360b5441fc98445cf2052a791b8830903852e3cb8e93b95057a86563d9476110d22465601cd1ce608a9c56fe7

Download Submit
\Users\Admin\AppData\Local\Temp\389D.tmp\mpress.exe

Filesize
95KB

MD5
9c3559d2c514e630a388be996f65fd3f

SHA1
4038c158a8ee40c7a78cad0021cdd367c766bafc

SHA256
a76900c7183a80426b305c6e16f14565a42077bbba3c4eb274ac3874ae278cac

SHA512
9a14325e55e048e85943d461999b9eb09c976056941c5f520101f27bc6b65ac702ab035e40deb4621c9882212725e5ec50e0041630d941894077a43f44e902c3

Download Submit
\Users\Admin\AppData\Local\Temp\389D.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\3ACF.tmp\mpress.exe

Filesize
98KB

MD5
4679dd6550e7fa192cd242bc256c159f

SHA1
774568d982bb0a07218a4bc341b58e2267391d86

SHA256
c9cfe2a0324578faae58ae7d5b8b7b5a7de42befc8061bb87cf04bf577b29c01

SHA512
c983424c7155a49b892db6686f380de4f12291724fc5255fe923d46bfd1fdab5066407acacb5d8ecf3217fd97368c31eeba8e738b0353f7448590418a24b94b9

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
233KB

MD5
86137ecb1f4cff121c7979f86eeded85

SHA1
581bac03441c97eee6c72238ed6cc0b357a25073

SHA256
18de17d27b6ba5b2d66980f956ed441e1f79f1fe1e95504137d8962133cb1b13

SHA512
d67df10843d16028e1413988f7ea89fe9cb974d5704600bb61c5051d212c3167084970672c1b4e22f75429aa1bac61df2979797b72f8c5aba873023ca30eeaf6

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
180KB

MD5
d303a2100809f3d8baa41be1b42fcbd0

SHA1
0350fe5641525d7074c7e2bd0e0ba46ab0b3a179

SHA256
2b4813537edc2d460ed22d2014abbb1a8c8dacc3cfdc61f23f0d554b9cfb8b0e

SHA512
22e2fa51d5bf0ca1c4f22816b485c6f55b308df12bffc8d86f2143c1472849ff20ddb270f082609c750bd8f0885eb88cad29332302a7c49f298bb7ab6f67eaaa

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
128KB

MD5
625dcdf0a5ae2537352fe6a6fbec5e45

SHA1
7dcd150a3d81220c2f184f92dd1c56ce63c6e70a

SHA256
b46037f97e9fc93e7cac3aad85d4f12836a4b1ecbbae7aecb8a7bc0a8e0c34cb

SHA512
072f532528ccbe4288fb31a48deff7a56a1d6f41d39087b9b927889c0ba97b052967320cc5086d2140cc7a8c6f31f80a658011302ff9fc8fd5879d79856c22f3

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
107KB

MD5
bb3824297d2095661cb6fceb1b83a059

SHA1
a8329ba6aec2e96c4b597e9beaef557a1d66d69c

SHA256
58ffca4d771359a26d50e9ff38362383f4c579a8d29b588cb71db72cddb7a125

SHA512
d6775732785d6fc1c2afc173bba7d463f0a2713880aad41745f4a41502f44ec7270e1743815914f9830b2b9e882f9cc135eb98dcc8bc37504ee4293f3a001e17

Download Submit
memory/1644-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-140-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2456-68-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2456-69-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/3020-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3020-158-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads