Analysis
max time kernel: 142s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 04:17
Static task
static1
Behavioral task
behavioral1
Sample
04c874fe020aa6a4b23bbb8d5cdb2cc2.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
04c874fe020aa6a4b23bbb8d5cdb2cc2.exe
Resource
win10v2004-20231215-en
General
Target: 04c874fe020aa6a4b23bbb8d5cdb2cc2.exe
Size: 208KB
MD5: 04c874fe020aa6a4b23bbb8d5cdb2cc2
SHA1: d914a0e2e687f47efecec1a00dc8f3f44f81a89f
SHA256: bb78d652d9dcc275e0c57003feb2e59aa88cde6dd485838cbb26c94196005613
SHA512: 96ec45011b4657f4078d1c3be51d2f37e3c6ebb03f5f79ee1990450d14bf5b47b12337d7ea1d734d738cf6f48f0df6e642c3da9fc4cffe4068e92c255cd524aa
SSDEEP: 6144:5lkXIuyMYQaXov/5jMfqJGFQrtaa6n3jnL2OsLb:YXIfl/XSjYPX7LJC
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)

  pid   Process
  2100  u.dll
  2792  mpress.exe
  2560  u.dll

- Loads dropped DLL (6 IoCs)

  pid   Process
  1700  cmd.exe
  1700  cmd.exe
  2100  u.dll
  2100  u.dll
  1700  cmd.exe
  1700  cmd.exe

- Suspicious use of WriteProcessMemory (20 IoCs)

  description                       pid   Process                               procid_target
  PID 2052 wrote to memory of 1700  2052  04c874fe020aa6a4b23bbb8d5cdb2cc2.exe  29
  PID 2052 wrote to memory of 1700  2052  04c874fe020aa6a4b23bbb8d5cdb2cc2.exe  29
  PID 2052 wrote to memory of 1700  2052  04c874fe020aa6a4b23bbb8d5cdb2cc2.exe  29
  PID 2052 wrote to memory of 1700  2052  04c874fe020aa6a4b23bbb8d5cdb2cc2.exe  29
  PID 1700 wrote to memory of 2100  1700  cmd.exe                               30
  PID 1700 wrote to memory of 2100  1700  cmd.exe                               30
  PID 1700 wrote to memory of 2100  1700  cmd.exe                               30
  PID 1700 wrote to memory of 2100  1700  cmd.exe                               30
  PID 2100 wrote to memory of 2792  2100  u.dll                                 31
  PID 2100 wrote to memory of 2792  2100  u.dll                                 31
  PID 2100 wrote to memory of 2792  2100  u.dll                                 31
  PID 2100 wrote to memory of 2792  2100  u.dll                                 31
  PID 1700 wrote to memory of 2560  1700  cmd.exe                               32
  PID 1700 wrote to memory of 2560  1700  cmd.exe                               32
  PID 1700 wrote to memory of 2560  1700  cmd.exe                               32
  PID 1700 wrote to memory of 2560  1700  cmd.exe                               32
  PID 1700 wrote to memory of 1036  1700  cmd.exe                               33
  PID 1700 wrote to memory of 1036  1700  cmd.exe                               33
  PID 1700 wrote to memory of 1036  1700  cmd.exe                               33
  PID 1700 wrote to memory of 1036  1700  cmd.exe                               33
Processes (process tree; nesting level shown by indentation)

C:\Users\Admin\AppData\Local\Temp\04c874fe020aa6a4b23bbb8d5cdb2cc2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04c874fe020aa6a4b23bbb8d5cdb2cc2.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2052

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9972.tmp\vir.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1700

    C:\Users\Admin\AppData\Local\Temp\u.dll
      Command line: u.dll -bat vir.bat -save 04c874fe020aa6a4b23bbb8d5cdb2cc2.exe.com -include s.dll -overwrite -nodelete
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2100

      C:\Users\Admin\AppData\Local\Temp\9BB3.tmp\mpress.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9BB3.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe9BB4.tmp"
        - Executes dropped EXE
        PID: 2792

    C:\Users\Admin\AppData\Local\Temp\u.dll
      Command line: u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
      - Executes dropped EXE
      PID: 2560

    C:\Windows\SysWOW64\calc.exe
      Command line: CALC.EXE
      PID: 1036
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: 085d1a0bd7ac3a07a52efce6f60b1667
  SHA1: 2802b4be7df6b882c5aa508074946f78a9c022a2
  SHA256: 76ecbd5d64212d1081d0eb4b4ae9efa97ff500aa1cb0b7b843a9cad4ef11245f
  SHA512: 78f4c3b26e4c534ae45d43a91d1cd7006cf9b0b622a5192dd4e217983e0c35e3903eedf5ec4ade1b32f29b31b37bc96eb15614f2e021a3fe170a03cda08a04b9

- Filesize: 41KB
  MD5: 863c72510f3c30b4e2cd208090af8b92
  SHA1: 3c5a6732c904ba8c3004e257d5008beb5311b7af
  SHA256: 87454715574db5716ae855a6dd5a09f80a0ce0adba4699b485dc3152dc3ce544
  SHA512: d7356b3561c3a8e84cc004d3852e3f8562023e4819e9e07e52b3fbdbb5645c64f9a436bcaea55b24e0fdd231b16d0941ad027db9870230db38a0ca81985d452b

- Filesize: 41KB
  MD5: 0277cd7069c4c1240145acdece553204
  SHA1: a052ea50eefbf28012eaf0185d2ab0d4300ee05b
  SHA256: 3e04b97d881e41e03f3dea65d045869deb21a552b02f4500810df69ae848e0da
  SHA512: 782532f418a2b46532e5bfec4fdded923a6a7cafff7356b9898b17d3edb02567585b4fae78cbaadf2f14c8deafdfc4a4b779cf273bd1dc14d9f2327cf244588c

- Filesize: 25KB
  MD5: 7ff19a32a8549b7585f7c8a7a1d3af14
  SHA1: 18e657af5ed623c264d5d82fd3b7872b42ab50ab
  SHA256: f01a68893988b9c711e4dd51964586ce8661d40d8803a8d75e2597847e38786e
  SHA512: 4c049553e4635d95e2af999e5153498cfcb94ea3deef7f480cc0f644591e9fbc7287a71ac456963a215f7cd271c855f392bece810194e21c4104a5c4895d4ad6

- Filesize: 700KB
  MD5: e4127ceb5db948172fd241be25b36358
  SHA1: 5a01fa3772c6d27630d50c73fadac9508780c51a
  SHA256: f3e8cd29180b07115d0d33a3ecf0c542da05680aee99971aa7e9bd2423597f70
  SHA512: 13dd5db60d2faeaee632b62a3c92b323215931250ed8a1513a0af9b92c335dbf4b6c458e266bc08431eccff36256203dc81488e6f83185bdee737eed1a82883d

- Filesize: 192KB
  MD5: f41d53d2c18047a6f671f555c695382e
  SHA1: 2ec570ad2ae38ccfa6bd6bc8276af3411dabf102
  SHA256: 557df516e26bf2e6e9eb6cd72849d7969ba6c476bca74a94d16f233595d52b05
  SHA512: 09c91210aba54d2ac0369368f83500b4bdf99d89fb282fc911f42c5d021dcdf441d2605651fc9bbe8e8f4ae354265ac2fb6244e53b5e0827fbff1983abc68ec7

- Filesize: 1KB
  MD5: 4868162f3b5a8d50d3b626419f6c2c5b
  SHA1: 9647c0fced47739b5bf1e5a832de936590694105
  SHA256: 9bb9e9400feaaf7eb9f0cd53889158756290442e304a79a91b846e38446927ec
  SHA512: e1c6d88dede2c29f6122dbb15ce8ecbdc57e213c53c4dc1cc045ae0be2c9a83767e7df664d469c4dd237333acb986f64941c981f75d8be8e182fb7da21409638

- Filesize: 1KB
  MD5: d13aa0d77436fec7a34e6657084311ff
  SHA1: fe91c47cf7686745262839336d7f9c7b38e79020
  SHA256: 63fe5973b61600106b7c3ae7b782746e75cfe2fdb5581ee9bc25a596b25bbbc8
  SHA512: 40affdbb4e27de19ab7c6bbfad176d8b8dec622fe263750ff0e40d0992d8c2f173dfda733a3311ca8872eb2bf94fd68a9e0215eb51b54eaac5b859305c291376

- Filesize: 100KB
  MD5: e42b81b9636152c78ba480c1c47d3c7f
  SHA1: 66a2fca3925428ee91ad9df5b76b90b34d28e0f8
  SHA256: 7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
  SHA512: 4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

- Filesize: 517KB
  MD5: cfd1f9755053d0e4b4931ac4631d1edd
  SHA1: c2941efdaf81f78c599c824d13eeab7fcaab573b
  SHA256: f4a0ca621ce9a4ef1358cb5b928f8c12d6738d3fc4e64859690f58592c5c94f0
  SHA512: 53cc47637942da8fde39b6950bba51628c582dccf4b2348f602f3092799e6cbafa3cb3e844ccb63cbb3559f3014e572afaea51f2e47b84e7c1b4e86c5af7b69d