f0fda560a014654bc696c10ada4c92b66e24adbe883d638761e1181ce075cc49

General

Target

34fb32425a04d650d7a2ffac2921ace8.exe
Size

208KB
MD5

34fb32425a04d650d7a2ffac2921ace8
SHA1

9de9b7b330e18007489b292a7349ba9a1b8a3a38
SHA256

f0fda560a014654bc696c10ada4c92b66e24adbe883d638761e1181ce075cc49
SHA512

1f79df19d3121d8620d9c64a0b04339be75df54328f5df08c22cbf21ba4da21f721e13d58610a8d17cf459e66c548fe1e49f2edb6443aad94073b5731d759a16
SSDEEP

3072:4ld0RoRPsf/Vca1tznQWrxub4k6fhr3A1F183F+koThrpaNmV9qC++DjIOk:4ld0R9f5TUWrxubuTo9hrENK9jCO

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1668	u.dll
2692	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3992	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4072	2228	34fb32425a04d650d7a2ffac2921ace8.exe	94
PID 2228 wrote to memory of 4072	2228	34fb32425a04d650d7a2ffac2921ace8.exe	94
PID 2228 wrote to memory of 4072	2228	34fb32425a04d650d7a2ffac2921ace8.exe	94
PID 4072 wrote to memory of 1668	4072	cmd.exe	95
PID 4072 wrote to memory of 1668	4072	cmd.exe	95
PID 4072 wrote to memory of 1668	4072	cmd.exe	95
PID 1668 wrote to memory of 2692	1668	u.dll	96
PID 1668 wrote to memory of 2692	1668	u.dll	96
PID 1668 wrote to memory of 2692	1668	u.dll	96
PID 4072 wrote to memory of 1468	4072	cmd.exe	97
PID 4072 wrote to memory of 1468	4072	cmd.exe	97
PID 4072 wrote to memory of 1468	4072	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\34fb32425a04d650d7a2ffac2921ace8.exe
"C:\Users\Admin\AppData\Local\Temp\34fb32425a04d650d7a2ffac2921ace8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E79.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 34fb32425a04d650d7a2ffac2921ace8.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\AppData\Local\Temp\701F.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\701F.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe7020.tmp"
      4⤵
      Executes dropped EXE
      PID:2692
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\701F.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7020.tmp

Filesize
42KB

MD5
3c3d75c493539f0018145a47cd0f9e74

SHA1
a979af8da5ac0529d276235b7bcac656df312d35

SHA256
f9af4530b2f8f8dae7e7e71a3add2453e1985d91a965c6fd61850fd7d00c78da

SHA512
56953ed12b841c8ffd8f2af360b136baa474a925df0ffec9a44136c100e9a316ca759c3a22b090e2a954ae139cb9f39e6d22aa5fb0e1cae0a20fc4ab930b0c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7020.tmp

Filesize
25KB

MD5
7f4700761b02e36b8fb1165f453a104c

SHA1
a8d6c0cf6bc5bd4e77d38cf259f76ebd8d9ba7f7

SHA256
006fc97836ea3bb7767e0b0062105371708b94f17c3b7acddada905547f7cf5d

SHA512
5400d0187fd7ad67a840a2ed43e94460445ec00d56d98e44dd4366dd2279c56b861fc5a3426439f7e84a399b935614c1945e1e70698494287761661c96786b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7020.tmp

Filesize
41KB

MD5
2962dfcac22070e3da981e1115397938

SHA1
09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28

SHA256
d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951

SHA512
8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7020.tmp

Filesize
41KB

MD5
77a06c5c46840d106a0d18b6d840abba

SHA1
3649530ef070f8cdd754cc989d920a839da003c2

SHA256
08d65f74d742d02e9396ef5f7c4e95cf10edbfbf93db9bc61231729577f08156

SHA512
fea5fffc72d47bf49e8009678fb550e9677b121f39da5512dc896325fdd8e75616017579486f61ff403042caf0700e43ce7ad6361cc883dbfb46481dda04bd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
b23eb202d343537234f95be249f43af4

SHA1
d7d7ddb09e00482f7c6cf48afaf25b84cb92972d

SHA256
5fe426e8085cc02166f257e82a7fb853a9a027575cd052d3d9d8198becbf1a05

SHA512
571170303486a12993cf9ee975d06b5da26a07434617cab6c61e9309534883d8488564d40c37941487117148fb20d3604ddefaf99da3691f58e033a9d50eafba

Download Submit
memory/2228-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2228-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2228-69-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2692-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads