62f437e363dbfbe1d9e99907b0eca8f2b9083ceface26e177e38f098b0a4d5b7

General

Target

0cbaa61694803eea6300dbd5b250b507.exe
Size

209KB
MD5

0cbaa61694803eea6300dbd5b250b507
SHA1

b72126bc96f7488fcef65bda68268009e13fed34
SHA256

62f437e363dbfbe1d9e99907b0eca8f2b9083ceface26e177e38f098b0a4d5b7
SHA512

3f723ffa8129964aae9f717de3a8e7f0ed17bffcf045cfcbec385abd1abb2b38937677889c23a36ac9c38bad08fd0ca6e8f483d91892834f1961891d93af3b8a
SSDEEP

6144:jlVCYIpCSYIGo4EWiS0E/vkVi0W/2WjE:uYFo4tiS0yT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2820	u.dll
2780	u.dll
2568	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2332	cmd.exe
2332	cmd.exe
2332	cmd.exe
2332	cmd.exe
2780	u.dll
2780	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2332	2500	0cbaa61694803eea6300dbd5b250b507.exe	29
PID 2500 wrote to memory of 2332	2500	0cbaa61694803eea6300dbd5b250b507.exe	29
PID 2500 wrote to memory of 2332	2500	0cbaa61694803eea6300dbd5b250b507.exe	29
PID 2500 wrote to memory of 2332	2500	0cbaa61694803eea6300dbd5b250b507.exe	29
PID 2332 wrote to memory of 2820	2332	cmd.exe	30
PID 2332 wrote to memory of 2820	2332	cmd.exe	30
PID 2332 wrote to memory of 2820	2332	cmd.exe	30
PID 2332 wrote to memory of 2820	2332	cmd.exe	30
PID 2332 wrote to memory of 2780	2332	cmd.exe	31
PID 2332 wrote to memory of 2780	2332	cmd.exe	31
PID 2332 wrote to memory of 2780	2332	cmd.exe	31
PID 2332 wrote to memory of 2780	2332	cmd.exe	31
PID 2780 wrote to memory of 2568	2780	u.dll	32
PID 2780 wrote to memory of 2568	2780	u.dll	32
PID 2780 wrote to memory of 2568	2780	u.dll	32
PID 2780 wrote to memory of 2568	2780	u.dll	32
PID 2332 wrote to memory of 2140	2332	cmd.exe	33
PID 2332 wrote to memory of 2140	2332	cmd.exe	33
PID 2332 wrote to memory of 2140	2332	cmd.exe	33
PID 2332 wrote to memory of 2140	2332	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\0cbaa61694803eea6300dbd5b250b507.exe
"C:\Users\Admin\AppData\Local\Temp\0cbaa61694803eea6300dbd5b250b507.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5C91.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 0cbaa61694803eea6300dbd5b250b507.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\6E6C.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\6E6C.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe6E6D.tmp"
      4⤵
      Executes dropped EXE
      PID:2568
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5C91.tmp\vir.bat

Filesize
1KB

MD5
8c09f509707a2369d5c1e069ad1638da

SHA1
d5b008304582be22d45f88add6c511fbb087e894

SHA256
042e9ca1c2d7896c55cba5efed54855fbe886de908023e93e5279a7bf6ea6110

SHA512
52b6bef72c31ba1365b82b1ddd4be9a90f2e75c4b66a316dc62636001111baff1cc6377328684de72cb471adcb25fe4b7bdb18e2652087138665735d10dbdf91

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe6E6D.tmp

Filesize
41KB

MD5
0702e8031193a3474afa297d17cdc814

SHA1
46cd098f940f31e43b4a606603a0c153cdba950d

SHA256
9e596558228cdc87835f78d9072bdf2c25d3646e0541b3ac5e070dbb136cb116

SHA512
213f4d9187c0fcafaab34f0f91df5a2172a1f67e4750bc247552f430ec95a4c035f43be7421f2fd63da963a0044a6fcf343123dc34b5e26ece2cf9a54137ef94

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe6E6D.tmp

Filesize
24KB

MD5
222d71c8a0d0b8b4e0bb4dcb6babab22

SHA1
ecca4500434c4dad1e55ddb36b647fcff684c94a

SHA256
d8f39360e2d114cd3f5c28ec648b99d1b11cd8f67d4b540eefe3a7d19f6b31b0

SHA512
4e965798b96ec64836b5d37e1c3c2120cf8abcf66e1bd45cfe64b5b6b5777accf364f1b32c5aab1844f6f770a7dc5eb6c92284ea49f3cdba6476e5473e785963

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe6E6D.tmp

Filesize
41KB

MD5
ce261d2612fac50e690e87fe405a5bc9

SHA1
ab2375fb0a0a7ae13c638296390a9809c88d4fca

SHA256
b192ee4faa6b027ec1e17f25f57025951234709cecc1f4ec83911d0d3c87fb3b

SHA512
42e40cb2924d1aabbe751a8caaf03ab61d0a7843ad32537535b03ddac1d003fbbf813ad6aa7293928db41b304f8f20a3d6b0df9269b8942459730ba719c515b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
110ae9a995a0e99df2427f7b97b85eb2

SHA1
3655d0a5ce029e0bbc4d942e477e5be1745ee63b

SHA256
25d07cade85c1a9495bebf0a1f37447fda7401fe4e9d92869ababf83a46b240c

SHA512
4646debc7c8489219c4578bfeb568e178f33e2a589f649ae4ae6ed39a77ffd0a0fc0a401c5279758f975f99a9f777c18cc8e1aadb62c5ce16217e27fc644ded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
d05de6c336eed752d77ba3c7205b8873

SHA1
3e73b38438f0f5f5029181922e1a94a82ff95b21

SHA256
8a5370b908cb9eb9c422b5f3870d924d21da28d3be61e78c1b8ff81b3fc0a025

SHA512
afbaf6d7ff951bfd048d90952533f7111949b1b5cf94d24bbc89fc299c5649b2cb287767f9e811d4b5bf45c520395eb4eef808f22e4b1ee2b6fd080b55ac1d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
bdfdfe7937a40cf92eff833fc3bdd779

SHA1
e37b4310edc97cd28a3e014438c826c750541adf

SHA256
322d511f5867e3018afb1722d00bfe6692a7e469951991e8c2c872538e499fe2

SHA512
11f6a2dfa243f7b519675c0203cc7af8e5623dcc3b1d57af1754b874980df5dad795f9b8bddc3e186af79f86a9795e709bad137d6b21454bc6113a67117f5feb

Download Submit
\Users\Admin\AppData\Local\Temp\6E6C.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2500-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2500-113-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2568-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-95-0x0000000002190000-0x00000000021C4000-memory.dmp

Filesize
208KB

Download
memory/2780-89-0x0000000002190000-0x00000000021C4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads