390beeedcf9b2148b52846fb34ea2d755c5aa9c4af25b2c93c7455d8123b2a0c

General

Target

1f622f00bb482dcb1a0e681da8eb0027.exe
Size

209KB
MD5

1f622f00bb482dcb1a0e681da8eb0027
SHA1

5a1df21916c48aff69b15341cf65d18f55b3e664
SHA256

390beeedcf9b2148b52846fb34ea2d755c5aa9c4af25b2c93c7455d8123b2a0c
SHA512

8156866c6d58d2bac1259c697deed4be42f276b7ebb698702c749787783a0d82f59b3d46ba3e4208917ab3417c6143c3763b1df4c1a8d1b4a95dfa9f1ac01b85
SSDEEP

6144:nl0n6auy6sw1KP4MYhiWqraNvMfi1Xc1ehENZRTHRkK:Wn6auyznP41aYvwGXcoaTL2K

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3740	u.dll
4036	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2400	OpenWith.exe
3668	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 1668	984	1f622f00bb482dcb1a0e681da8eb0027.exe	93
PID 984 wrote to memory of 1668	984	1f622f00bb482dcb1a0e681da8eb0027.exe	93
PID 984 wrote to memory of 1668	984	1f622f00bb482dcb1a0e681da8eb0027.exe	93
PID 1668 wrote to memory of 3740	1668	cmd.exe	94
PID 1668 wrote to memory of 3740	1668	cmd.exe	94
PID 1668 wrote to memory of 3740	1668	cmd.exe	94
PID 3740 wrote to memory of 4036	3740	u.dll	95
PID 3740 wrote to memory of 4036	3740	u.dll	95
PID 3740 wrote to memory of 4036	3740	u.dll	95
PID 1668 wrote to memory of 3664	1668	cmd.exe	96
PID 1668 wrote to memory of 3664	1668	cmd.exe	96
PID 1668 wrote to memory of 3664	1668	cmd.exe	96
PID 1668 wrote to memory of 436	1668	cmd.exe	98
PID 1668 wrote to memory of 436	1668	cmd.exe	98
PID 1668 wrote to memory of 436	1668	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\1f622f00bb482dcb1a0e681da8eb0027.exe
"C:\Users\Admin\AppData\Local\Temp\1f622f00bb482dcb1a0e681da8eb0027.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\852E.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 1f622f00bb482dcb1a0e681da8eb0027.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\8628.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\8628.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe8629.tmp"
      4⤵
      Executes dropped EXE
      PID:4036
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3664
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\852E.tmp\vir.bat

Filesize
1KB

MD5
39fe4e28fd148b84ac3a3c3c354332a9

SHA1
1ed992a7f8eb4dfb163dcc8d149041891787a502

SHA256
14df53390bd00eddfa6a8982408be59f9962550d25ce17edb60977dded9a0051

SHA512
01e0e9b706a26092be98f9c29c107cc7c697923366ad73f58b7e7338dbfdad1f22c496e59548e333ac48ac33de31d466457e16379470133e33b57a9c1652a9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\8628.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8629.tmp

Filesize
42KB

MD5
96f818b40d3b4622036db584f6aa6942

SHA1
d76b7a85ac142936288eb6c6070719b21a100dec

SHA256
5fa1227648cbda9e75916fa27e60641d2d784fc89c54022661d14239f9f96111

SHA512
9258c3dea2d6c7d960718aaa37750411aee7d2462a80fe7741ce9f08c4c2fa665f7a545d67e709554115a40bc7be41a4da490797990616e361f883def53dd4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8629.tmp

Filesize
43KB

MD5
6197b66c3d82f0c50b4a8ea41eecee4e

SHA1
b5d73d1ffcd3260e4288cad70841895283a9c3e3

SHA256
6663956e44fd56ef09dcc4d250e5178f5d7e6a71af9d6e6aaaf7202329ea0ab6

SHA512
91475d919420bbda66620faeee5a7a282041761438e5f8d92465a2b5513b985b6a0756becfdeeb22660312a8b9a1be4bb5a6d7d8bd5da7b92e32b69706e3301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr87ED.tmp

Filesize
26KB

MD5
275978bec25d5e6f05e24f60793f10ea

SHA1
bedaa64db010daa8b898f18be9305b5b847af363

SHA256
ea8d34611fe4abb39cae8cf77a86d3f0a9e1819432b2c3720171c4c0d0045a20

SHA512
5271853370953f610082bd71c41a1d05408b1d7d907f7590ee0116e820ef68d4dde12b69a4b8d522152b7c484979879ed22b9e3877735970c00695469c7c052e

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
1e3532a6e6115470718ff8173104fb8c

SHA1
6ea9f5880a3f7a45752adb288ba017bd2de4ad1f

SHA256
7305ffba0f990fb34e035af37d6421757674e03ae0bdb57cf98909e8f6bf01b5

SHA512
e567c2cac8b78541043f237ed8c97d5532d4b301dfdf96d691b02a334ad05005d4f8f46c3357fdbcdfb859bba057d75d265fa9d3afb4bf136cfcf88540392f4e

Download Submit
memory/984-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/984-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/984-67-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4036-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads