6f888e9882a1439f435ddbd9a48fea8f476b68fa8ee1e3b8c13051e476518657

General

Target

146124e1b63933e70840d459c07fdb86.exe
Size

209KB
MD5

146124e1b63933e70840d459c07fdb86
SHA1

e6e6aa4e24c5ef5f8aac452791b5e66e2d188ed3
SHA256

6f888e9882a1439f435ddbd9a48fea8f476b68fa8ee1e3b8c13051e476518657
SHA512

b4c944532abc876762a132619feb7b85a2b4d358224d3797c856d7fe9f716d5cc99c0baabafff648ef0bbf1cf1f87f1b8886a364a3e0d49075b22740d940fbc8
SSDEEP

6144:ul2/rr8gVhVhhV8ZC3Q27Ki0Vost1/IQAR+DmFRI9JL:33VnhhVsejmLt1/VAgoI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3132	u.dll
3172	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2744	OpenWith.exe
4520	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 3008	1744	146124e1b63933e70840d459c07fdb86.exe	93
PID 1744 wrote to memory of 3008	1744	146124e1b63933e70840d459c07fdb86.exe	93
PID 1744 wrote to memory of 3008	1744	146124e1b63933e70840d459c07fdb86.exe	93
PID 3008 wrote to memory of 3132	3008	cmd.exe	95
PID 3008 wrote to memory of 3132	3008	cmd.exe	95
PID 3008 wrote to memory of 3132	3008	cmd.exe	95
PID 3132 wrote to memory of 3172	3132	u.dll	96
PID 3132 wrote to memory of 3172	3132	u.dll	96
PID 3132 wrote to memory of 3172	3132	u.dll	96
PID 3008 wrote to memory of 4720	3008	cmd.exe	97
PID 3008 wrote to memory of 4720	3008	cmd.exe	97
PID 3008 wrote to memory of 4720	3008	cmd.exe	97
PID 3008 wrote to memory of 3252	3008	cmd.exe	100
PID 3008 wrote to memory of 3252	3008	cmd.exe	100
PID 3008 wrote to memory of 3252	3008	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\146124e1b63933e70840d459c07fdb86.exe
"C:\Users\Admin\AppData\Local\Temp\146124e1b63933e70840d459c07fdb86.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F2EB.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 146124e1b63933e70840d459c07fdb86.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\FDD8.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\FDD8.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeFDD9.tmp"
      4⤵
      Executes dropped EXE
      PID:3172
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4720
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F2EB.tmp\vir.bat

Filesize
1KB

MD5
c24180dd450d220c1f5d085ffd85956d

SHA1
0beedf2d0b6735358dc2c39ee4b200c2cd984244

SHA256
f60f7dc52ce1dfe9f3667aff2f2f64d6b8a4eb4f8d0dd749db34a5d38a72df3f

SHA512
12c45c27c07ddd93eb605078acf93e89e2d8625738041af30d78c85826644cc29fcd4c0b56308b739d6df481117d084c80bce696a696590a8d7515659ee3ce89

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDD8.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeFDD9.tmp

Filesize
43KB

MD5
434011b22fde1076937169931882cd9a

SHA1
11c7d0dac400007440e5b602f5389f6ae31e3613

SHA256
fbaddd2e3f383439d03a9fd995a183fdfdc83ecdcb840da4ab63ecd2734be5ce

SHA512
4425270518550236a30470185f93cff83ef0a18435e064b8bc2015b3d83460a8f18ed9a7da5ddedeebda81be9e194728710ef6826499030f853a6376350c5b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprFFFB.tmp

Filesize
25KB

MD5
f794b3fce9bd19f7287f980e8acafbba

SHA1
4b204ac1581d2e1612aba938f635b3fd39ef1c98

SHA256
b11ebaf00ff2e3d259e92427533e7cb26f6d71e796001da520b38ebea23d9d23

SHA512
acdd84fb66003d4d51d22af0729e71c1cd0d18275c7f9ebbf834a3a95139f9c727db5e188c5ee972f4a7a9f2b6e61bc9413449116859a73dad9d25f0e5b747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
438KB

MD5
c460283294258ccd5266e8fb5ae1d7e2

SHA1
68f47650db36db4a8d19adf5be1b29d777fa8c9c

SHA256
4e9a21872419217cb83c60598ad62be4e7acfb166e5b2daf593c24127f45998a

SHA512
58acdc7249031fbd627c0003802e2db2ce4ce7b9c4d21c8eb62d241726500931c7964477756cee47f75236a4e37293f96ecbcf859b839621457294893531587f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
9ea19135c5f4066ec4b4d174e449a048

SHA1
e660123c8bdb78bd462f4409775cc001fcb48a82

SHA256
33480a20d4109e995a5b40b5185dbe50175489aa235675938bcd526b9a5491a8

SHA512
49983b1b29c84bf03f43f93d378f81da38ca3c07b5070ca0d9e0f0fdec3312fedca114a35443b1df4fde31c7396fa88a534da1280497b857fc32ef88ecd019c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
1220e73289d10a53b7feb7e690460a8e

SHA1
034f447f6931aad8eaae85f3e27f9b50dc8d8db8

SHA256
d72fbd553ddee374776185f159f8cca74a44a8d24692a3a90da6e72da6d3abed

SHA512
12ae83d3117822e21e50b99a033da13c7cbbe102a25cc608799b9f2a25aa5e8d2a150eef8bc628f872d48bd88dbd17eb71663341f6cd3e655e970edaa6f6a5f1

Download Submit
memory/1744-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1744-3-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1744-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1744-55-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1744-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3172-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3172-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads