8fd6105b256bf0d6c1d20aa35c562159d0aeb9ce43e2b95a397bd5cfc98ce26b

Analysis

max time kernel
144s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e818857bfd6f24b9ce05abfb478aacb.exe
Size

208KB
MD5

0e818857bfd6f24b9ce05abfb478aacb
SHA1

c4e2c8c3c8f98e4823615494e4b5d0e26ce10b18
SHA256

8fd6105b256bf0d6c1d20aa35c562159d0aeb9ce43e2b95a397bd5cfc98ce26b
SHA512

7c2b75aac0a73408acf4421b77be566ccca7300aea53fa91e389ec8cc8c248e0978f12475ebbd141510ecf4128c8e622f87dc0b77f9b33e2a257ca012a31a133
SSDEEP

6144:Rl0n6auQiDFP1Ov82iOQMCJ4VKnij0BAYmxRAH:In6auQc2iOQMzQizxRAH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2792	u.dll
2636	mpress.exe
2032	u.dll
484	mpress.exe

Loads dropped DLL 8 IoCs

pid	Process
2344	cmd.exe
2344	cmd.exe
2792	u.dll
2792	u.dll
2344	cmd.exe
2344	cmd.exe
2032	u.dll
2032	u.dll

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2344	2092	0e818857bfd6f24b9ce05abfb478aacb.exe	29
PID 2092 wrote to memory of 2344	2092	0e818857bfd6f24b9ce05abfb478aacb.exe	29
PID 2092 wrote to memory of 2344	2092	0e818857bfd6f24b9ce05abfb478aacb.exe	29
PID 2092 wrote to memory of 2344	2092	0e818857bfd6f24b9ce05abfb478aacb.exe	29
PID 2344 wrote to memory of 2792	2344	cmd.exe	30
PID 2344 wrote to memory of 2792	2344	cmd.exe	30
PID 2344 wrote to memory of 2792	2344	cmd.exe	30
PID 2344 wrote to memory of 2792	2344	cmd.exe	30
PID 2792 wrote to memory of 2636	2792	u.dll	53
PID 2792 wrote to memory of 2636	2792	u.dll	53
PID 2792 wrote to memory of 2636	2792	u.dll	53
PID 2792 wrote to memory of 2636	2792	u.dll	53
PID 2344 wrote to memory of 2032	2344	cmd.exe	52
PID 2344 wrote to memory of 2032	2344	cmd.exe	52
PID 2344 wrote to memory of 2032	2344	cmd.exe	52
PID 2344 wrote to memory of 2032	2344	cmd.exe	52
PID 2032 wrote to memory of 484	2032	u.dll	51
PID 2032 wrote to memory of 484	2032	u.dll	51
PID 2032 wrote to memory of 484	2032	u.dll	51
PID 2032 wrote to memory of 484	2032	u.dll	51
PID 2344 wrote to memory of 2876	2344	cmd.exe	31
PID 2344 wrote to memory of 2876	2344	cmd.exe	31
PID 2344 wrote to memory of 2876	2344	cmd.exe	31
PID 2344 wrote to memory of 2876	2344	cmd.exe	31
PID 2344 wrote to memory of 2892	2344	cmd.exe	50
PID 2344 wrote to memory of 2892	2344	cmd.exe	50
PID 2344 wrote to memory of 2892	2344	cmd.exe	50
PID 2344 wrote to memory of 2892	2344	cmd.exe	50
PID 2344 wrote to memory of 2828	2344	cmd.exe	32
PID 2344 wrote to memory of 2828	2344	cmd.exe	32
PID 2344 wrote to memory of 2828	2344	cmd.exe	32
PID 2344 wrote to memory of 2828	2344	cmd.exe	32
PID 2344 wrote to memory of 1796	2344	cmd.exe	49
PID 2344 wrote to memory of 1796	2344	cmd.exe	49
PID 2344 wrote to memory of 1796	2344	cmd.exe	49
PID 2344 wrote to memory of 1796	2344	cmd.exe	49
PID 2344 wrote to memory of 892	2344	cmd.exe	33
PID 2344 wrote to memory of 892	2344	cmd.exe	33
PID 2344 wrote to memory of 892	2344	cmd.exe	33
PID 2344 wrote to memory of 892	2344	cmd.exe	33
PID 2344 wrote to memory of 1344	2344	cmd.exe	48
PID 2344 wrote to memory of 1344	2344	cmd.exe	48
PID 2344 wrote to memory of 1344	2344	cmd.exe	48
PID 2344 wrote to memory of 1344	2344	cmd.exe	48
PID 2344 wrote to memory of 1404	2344	cmd.exe	47
PID 2344 wrote to memory of 1404	2344	cmd.exe	47
PID 2344 wrote to memory of 1404	2344	cmd.exe	47
PID 2344 wrote to memory of 1404	2344	cmd.exe	47
PID 2344 wrote to memory of 320	2344	cmd.exe	46
PID 2344 wrote to memory of 320	2344	cmd.exe	46
PID 2344 wrote to memory of 320	2344	cmd.exe	46
PID 2344 wrote to memory of 320	2344	cmd.exe	46
PID 2344 wrote to memory of 1628	2344	cmd.exe	45
PID 2344 wrote to memory of 1628	2344	cmd.exe	45
PID 2344 wrote to memory of 1628	2344	cmd.exe	45
PID 2344 wrote to memory of 1628	2344	cmd.exe	45
PID 2344 wrote to memory of 2056	2344	cmd.exe	34
PID 2344 wrote to memory of 2056	2344	cmd.exe	34
PID 2344 wrote to memory of 2056	2344	cmd.exe	34
PID 2344 wrote to memory of 2056	2344	cmd.exe	34
PID 2344 wrote to memory of 472	2344	cmd.exe	44
PID 2344 wrote to memory of 472	2344	cmd.exe	44
PID 2344 wrote to memory of 472	2344	cmd.exe	44
PID 2344 wrote to memory of 472	2344	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\0e818857bfd6f24b9ce05abfb478aacb.exe
"C:\Users\Admin\AppData\Local\Temp\0e818857bfd6f24b9ce05abfb478aacb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6632.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 0e818857bfd6f24b9ce05abfb478aacb.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\675B.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\675B.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe675C.tmp"
      4⤵
      Executes dropped EXE
      PID:2636
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2876
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2828
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2056
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1132
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1312
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:916
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2364
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:472
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1404
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1344
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2892
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2032

C:\Users\Admin\AppData\Local\Temp\699C.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\699C.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe699D.tmp"
1⤵
- Executes dropped EXE
PID:484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6632.tmp\vir.bat

Filesize
1KB

MD5
8bc91a8d451a11b1c746f6548cc27e5d

SHA1
57e7b009ee2fd5fd09fe296382a041b1c7ebdadc

SHA256
dafd5ebad1b9c9cbd981fceb1826c1e74b0316afde5ce48508a836cd353321f0

SHA512
20f2fe3a525a9d647a90a782f30da177758e6824efb36aebb244d42b0ce7428cbf0f8f845c3005f5150bd50d8f22038bd1d63bd09b851adae9bc2a7ccde6cb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe675C.tmp

Filesize
25KB

MD5
a7fb3de892773a55d1cb355013d339b4

SHA1
587065ba85e85685686d183d753142239570b537

SHA256
46768a61c8485cceff0b1ce8b9a4230fd7acda615c112b970592aa436f96f7f2

SHA512
8e7b3271a38e914d98138f258cae731d92cf01ff47abf15494998d5e87f761bf9fe09a0681ecb4878942f6b589f202d10d223f831c333e70e6a6be9d1c4d681a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe675C.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
462aa26ca44e60a58ff01ab6a11a3b1c

SHA1
10704cb6da9e4761f5c3f9760d0efdb5a125873c

SHA256
f7fd733f3e4443bd0fac0ce3ab1fbc59ab8b92f426d036074131ec9861222bfd

SHA512
bc6c56ac96ae4337edc53198bb1b2d143d04b639ea3087fd453c7d09d5d23edfa684c129372d74acc7f67189a1cb82ec4456ecdeac6d79024f8a0bb0272a28e8

Download Submit
\Users\Admin\AppData\Local\Temp\675B.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
92KB

MD5
ace4bef1eaa126302be21c4105cc6ea3

SHA1
227744c90647355a13c84178f9fedac3f75fdb97

SHA256
8a675772564f80e1e7c4e51cbb64e1ba19990a010b112abc5f050100a6765c66

SHA512
b4909dc9aabd8f478717a08e14648bc131b6176ac794991bd174f61dff9c3d15b0635352cce622e8088515fafbc447dd15717b3c2001ba34f86a19ba2abc4029

Download Submit
memory/484-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/484-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-139-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2032-143-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2092-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2092-157-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2636-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-67-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2792-69-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads