bb78d652d9dcc275e0c57003feb2e59aa88cde6dd485838cbb26c94196005613

General

Target

04c874fe020aa6a4b23bbb8d5cdb2cc2.exe
Size

208KB
MD5

04c874fe020aa6a4b23bbb8d5cdb2cc2
SHA1

d914a0e2e687f47efecec1a00dc8f3f44f81a89f
SHA256

bb78d652d9dcc275e0c57003feb2e59aa88cde6dd485838cbb26c94196005613
SHA512

96ec45011b4657f4078d1c3be51d2f37e3c6ebb03f5f79ee1990450d14bf5b47b12337d7ea1d734d738cf6f48f0df6e642c3da9fc4cffe4068e92c255cd524aa
SSDEEP

6144:5lkXIuyMYQaXov/5jMfqJGFQrtaa6n3jnL2OsLb:YXIfl/XSjYPX7LJC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
208	u.dll
4900	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3320	OpenWith.exe
2764	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4540	4928	04c874fe020aa6a4b23bbb8d5cdb2cc2.exe	89
PID 4928 wrote to memory of 4540	4928	04c874fe020aa6a4b23bbb8d5cdb2cc2.exe	89
PID 4928 wrote to memory of 4540	4928	04c874fe020aa6a4b23bbb8d5cdb2cc2.exe	89
PID 4540 wrote to memory of 208	4540	cmd.exe	90
PID 4540 wrote to memory of 208	4540	cmd.exe	90
PID 4540 wrote to memory of 208	4540	cmd.exe	90
PID 208 wrote to memory of 4900	208	u.dll	95
PID 208 wrote to memory of 4900	208	u.dll	95
PID 208 wrote to memory of 4900	208	u.dll	95
PID 4540 wrote to memory of 4000	4540	cmd.exe	94
PID 4540 wrote to memory of 4000	4540	cmd.exe	94
PID 4540 wrote to memory of 4000	4540	cmd.exe	94
PID 4540 wrote to memory of 5100	4540	cmd.exe	97
PID 4540 wrote to memory of 5100	4540	cmd.exe	97
PID 4540 wrote to memory of 5100	4540	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\04c874fe020aa6a4b23bbb8d5cdb2cc2.exe
"C:\Users\Admin\AppData\Local\Temp\04c874fe020aa6a4b23bbb8d5cdb2cc2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3CF9.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 04c874fe020aa6a4b23bbb8d5cdb2cc2.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\3D95.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\3D95.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3D96.tmp"
      4⤵
      Executes dropped EXE
      PID:4900
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4000
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:5100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3CF9.tmp\vir.bat

Filesize
1KB

MD5
085d1a0bd7ac3a07a52efce6f60b1667

SHA1
2802b4be7df6b882c5aa508074946f78a9c022a2

SHA256
76ecbd5d64212d1081d0eb4b4ae9efa97ff500aa1cb0b7b843a9cad4ef11245f

SHA512
78f4c3b26e4c534ae45d43a91d1cd7006cf9b0b622a5192dd4e217983e0c35e3903eedf5ec4ade1b32f29b31b37bc96eb15614f2e021a3fe170a03cda08a04b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3D95.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3D96.tmp

Filesize
41KB

MD5
57e7d2dcbc1686d2d2efb77c1198ce9c

SHA1
48c2849994f0f6bdbfb30e612ca01694232a15ae

SHA256
b4a2baaf1b1d49dee4c1f0d647f211b44b7f06c18d665bd9226ba69ab4340573

SHA512
98616ac6349379ae1b3ed0d9d8b38e9d088b598ff38367efb5dd9ae0b8d3f88c6fd63bc6ebb195e76f8052abd59221bdf317b9017917b5d3f723e68312694ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3D96.tmp

Filesize
24KB

MD5
371c4910c08109d87f99f9774eb24709

SHA1
e943f3ed9a80459593e7f48fa6ffcc17d4b30799

SHA256
9523a038732d4e1fffeb9d8df39c32a8b87f33cbf1e51994108c16e0ab1b552d

SHA512
48a03c5c75f463aaf85fd99c093f0151a3c2b3033d34d49b9107363831773625bde92bc7a0a20ca24572a1d834a8409097418a0829344440370295cd0b1a865d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
e4127ceb5db948172fd241be25b36358

SHA1
5a01fa3772c6d27630d50c73fadac9508780c51a

SHA256
f3e8cd29180b07115d0d33a3ecf0c542da05680aee99971aa7e9bd2423597f70

SHA512
13dd5db60d2faeaee632b62a3c92b323215931250ed8a1513a0af9b92c335dbf4b6c458e266bc08431eccff36256203dc81488e6f83185bdee737eed1a82883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
4868162f3b5a8d50d3b626419f6c2c5b

SHA1
9647c0fced47739b5bf1e5a832de936590694105

SHA256
9bb9e9400feaaf7eb9f0cd53889158756290442e304a79a91b846e38446927ec

SHA512
e1c6d88dede2c29f6122dbb15ce8ecbdc57e213c53c4dc1cc045ae0be2c9a83767e7df664d469c4dd237333acb986f64941c981f75d8be8e182fb7da21409638

Download Submit
memory/4900-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4928-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4928-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads