27086e35617d05afb65e76effcf40d62227721062a661f5d1f6a727402e8a8c3

Analysis

max time kernel
211s
max time network
42s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49090a6dd9464f74bf2bd39e78ab9f85.exe
Size

208KB
MD5

49090a6dd9464f74bf2bd39e78ab9f85
SHA1

7ba7163474d4aef3668ee2bcb263ccc9e82c522a
SHA256

27086e35617d05afb65e76effcf40d62227721062a661f5d1f6a727402e8a8c3
SHA512

8fc38ee708759512b37103cce28a8e7edc0d091d59dc6c43f94810a5e1a8aaab6a253fb812088622e8f5619f3a368b27c91fd2a3f7165e5ad7d4019ec13ce498
SSDEEP

6144:OlNgwrksI9gfOy/6pcopbc1HPz9TTdog:ehrRIlA6pcoBc9Zu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1636	u.dll
2108	mpress.exe
2312	u.dll

Loads dropped DLL 6 IoCs

pid	Process
1560	cmd.exe
1560	cmd.exe
1636	u.dll
1636	u.dll
1560	cmd.exe
1560	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1560	2544	49090a6dd9464f74bf2bd39e78ab9f85.exe	29
PID 2544 wrote to memory of 1560	2544	49090a6dd9464f74bf2bd39e78ab9f85.exe	29
PID 2544 wrote to memory of 1560	2544	49090a6dd9464f74bf2bd39e78ab9f85.exe	29
PID 2544 wrote to memory of 1560	2544	49090a6dd9464f74bf2bd39e78ab9f85.exe	29
PID 1560 wrote to memory of 1636	1560	cmd.exe	30
PID 1560 wrote to memory of 1636	1560	cmd.exe	30
PID 1560 wrote to memory of 1636	1560	cmd.exe	30
PID 1560 wrote to memory of 1636	1560	cmd.exe	30
PID 1636 wrote to memory of 2108	1636	u.dll	31
PID 1636 wrote to memory of 2108	1636	u.dll	31
PID 1636 wrote to memory of 2108	1636	u.dll	31
PID 1636 wrote to memory of 2108	1636	u.dll	31
PID 1560 wrote to memory of 2312	1560	cmd.exe	32
PID 1560 wrote to memory of 2312	1560	cmd.exe	32
PID 1560 wrote to memory of 2312	1560	cmd.exe	32
PID 1560 wrote to memory of 2312	1560	cmd.exe	32
PID 1560 wrote to memory of 1796	1560	cmd.exe	33
PID 1560 wrote to memory of 1796	1560	cmd.exe	33
PID 1560 wrote to memory of 1796	1560	cmd.exe	33
PID 1560 wrote to memory of 1796	1560	cmd.exe	33
PID 1560 wrote to memory of 1068	1560	cmd.exe	34
PID 1560 wrote to memory of 1068	1560	cmd.exe	34
PID 1560 wrote to memory of 1068	1560	cmd.exe	34
PID 1560 wrote to memory of 1068	1560	cmd.exe	34
PID 1560 wrote to memory of 1364	1560	cmd.exe	35
PID 1560 wrote to memory of 1364	1560	cmd.exe	35
PID 1560 wrote to memory of 1364	1560	cmd.exe	35
PID 1560 wrote to memory of 1364	1560	cmd.exe	35
PID 1560 wrote to memory of 668	1560	cmd.exe	36
PID 1560 wrote to memory of 668	1560	cmd.exe	36
PID 1560 wrote to memory of 668	1560	cmd.exe	36
PID 1560 wrote to memory of 668	1560	cmd.exe	36
PID 1560 wrote to memory of 1036	1560	cmd.exe	37
PID 1560 wrote to memory of 1036	1560	cmd.exe	37
PID 1560 wrote to memory of 1036	1560	cmd.exe	37
PID 1560 wrote to memory of 1036	1560	cmd.exe	37
PID 1560 wrote to memory of 2332	1560	cmd.exe	38
PID 1560 wrote to memory of 2332	1560	cmd.exe	38
PID 1560 wrote to memory of 2332	1560	cmd.exe	38
PID 1560 wrote to memory of 2332	1560	cmd.exe	38
PID 1560 wrote to memory of 1856	1560	cmd.exe	39
PID 1560 wrote to memory of 1856	1560	cmd.exe	39
PID 1560 wrote to memory of 1856	1560	cmd.exe	39
PID 1560 wrote to memory of 1856	1560	cmd.exe	39
PID 1560 wrote to memory of 1072	1560	cmd.exe	40
PID 1560 wrote to memory of 1072	1560	cmd.exe	40
PID 1560 wrote to memory of 1072	1560	cmd.exe	40
PID 1560 wrote to memory of 1072	1560	cmd.exe	40
PID 1560 wrote to memory of 904	1560	cmd.exe	41
PID 1560 wrote to memory of 904	1560	cmd.exe	41
PID 1560 wrote to memory of 904	1560	cmd.exe	41
PID 1560 wrote to memory of 904	1560	cmd.exe	41
PID 1560 wrote to memory of 2536	1560	cmd.exe	42
PID 1560 wrote to memory of 2536	1560	cmd.exe	42
PID 1560 wrote to memory of 2536	1560	cmd.exe	42
PID 1560 wrote to memory of 2536	1560	cmd.exe	42
PID 1560 wrote to memory of 1508	1560	cmd.exe	43
PID 1560 wrote to memory of 1508	1560	cmd.exe	43
PID 1560 wrote to memory of 1508	1560	cmd.exe	43
PID 1560 wrote to memory of 1508	1560	cmd.exe	43
PID 1560 wrote to memory of 2276	1560	cmd.exe	44
PID 1560 wrote to memory of 2276	1560	cmd.exe	44
PID 1560 wrote to memory of 2276	1560	cmd.exe	44
PID 1560 wrote to memory of 2276	1560	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\49090a6dd9464f74bf2bd39e78ab9f85.exe
"C:\Users\Admin\AppData\Local\Temp\49090a6dd9464f74bf2bd39e78ab9f85.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\12A6.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 49090a6dd9464f74bf2bd39e78ab9f85.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\909C.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\909C.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe909D.tmp"
      4⤵
      Executes dropped EXE
      PID:2108
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1068
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:668
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1036
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2276
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2156
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:344
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2424
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2252
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2648
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1768
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1888
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1088
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2304
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3024
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2844
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2524
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1844
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12A6.tmp\vir.bat

Filesize
1KB

MD5
b34f84e6038fd8c16dad6f00ea125822

SHA1
d4c318fe8768667da03d1fd77b28bad0fe5ba908

SHA256
07f2e927bd4da28709f56d4b55730c97f2e3bac27cd3850cff1fb7b83347223b

SHA512
e43358ec7fb6e5df4b4b3e7ba271cbb211fe272bff8d0a927298852def8ef0c85036a73fff84cc429248832acfe5ee173f9dd8d5c0fb1f5dd00f3a8f8d8cee3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe909D.tmp

Filesize
41KB

MD5
f7d46418a33764dd76d7a4884d35a192

SHA1
df2ac112309d82ea5e0e8c5919bb664ebedaf5c8

SHA256
ff34e2440937e60d6e3ce805827a77750f407c848cad773df28a889dbefd779a

SHA512
5c6fbdaa916df4d3d169d9827d64020a2d6f5195e479c3bcda52051058e37e4033eb0b1eac5ff57ac33b7b0d2046625c39fbfa494baaf7f5ece783d0c55c291d

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe909D.tmp

Filesize
742KB

MD5
e4ac25dc826389e5628b0ac4d43cd2f5

SHA1
b9aa6a5aa1a5a54554825b436aac4e5cfc79aecb

SHA256
fbbaa0732bedfbf66994e44343b191aead6a969f81b06da8c6d95f6e01684c40

SHA512
81668eb3409108021f62c976fc76fbc3962fbb1fcc2dbfa4fda460c666ded033976f31f6aff4b2c5fb5c3b752c5ef463f3eefd871baed35b5702410591903160

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe909D.tmp

Filesize
208KB

MD5
36c9f60c66c72290169896ba49fcb96b

SHA1
650fa8b0d9c987f2cb1d7054559712d7b24061e8

SHA256
e15df1fd7c0307af1f63419d5104dbc11af2b2745953b942fd7d4eb74b5e32ac

SHA512
af52b9b1603c694148c85fe5be0bf35da65675db6175d1c7115b7dc8a5c1465d9e6936c30bcdc26ce48e9afdd2d7730ed78f47ee4b5f6d1f2e3e2d65e47ef087

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe9FC9.tmp

Filesize
41KB

MD5
cfb6c23b4ec82cb8a0c562d2b9f34c23

SHA1
c7b496195abf2cceb09d8536768d83ab4aed6687

SHA256
28feed5f31044cbc96b185cd8ac0b12cffbc848b895ffce7d4005e25f7a8faff

SHA512
55a2e71b87db5af46c90eab14f95534d0deed807e91c4a52fb762141972a051633decedaf41b19b857efe8fd24821b59e15b33c9e00073da094495ea316420ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
0ba8f8311fc3afbb7e32d98236f2efa6

SHA1
956dd3548df11f2c6c36366d74109ddddc33fc33

SHA256
5b6da37dd4f1fa6402e7ee652ef048f7bd7b396f7a3b3f61c56865d5cd3f6e62

SHA512
706f455d004af6d1442402c1a750a37da14da0351c51d0b0b578349355956986941c4a302956590be7c2b00caa6838e3b265dab8766e8636e0c6c4527b82c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
285KB

MD5
0713b7b5d626381977c7b1bf51b6c269

SHA1
36e3d7e57b340af375e28ea85023424225471a4e

SHA256
ced61ebd51272d4080d721344465cc0a8145a3ba92c33c8b42e1003537f54b96

SHA512
8efab0962ea4e39ab613ff667b7416883f9e55228bb4895322ba7dcdbf15364259810801975a5e2bdd922d3eb71c1bd9afe3eb0e88cec25c9c4b35643cda9acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
313KB

MD5
f4af64252a27e122fcde3c1c644e4f06

SHA1
21b028e3b6fc87e76eed5e0232b08ae7f6bbeecd

SHA256
3f94d2322a0843bd1934b0363580393e51def7bf1e43826dc8328448e547251a

SHA512
1b51205e840dd0d970c9b58421ad00403d5294f22adf58835294d18f50f71a7d270b3c20d2411d36cf3f441aeffda674e8d8a9ed125aa06ec4920c9fdcf1efed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ff17d0b20bd1547e38061c562b25a7f5

SHA1
8b74be7c03f12af50a77159e865f5b124d53c3c7

SHA256
ebcabe8883e6a9ed3ae8c27a91c24bebd3647b7ca45f3ae4515cecdbd5e6e14a

SHA512
a4a829d1f2b73a6d1caa6b689a47a86fbfaa1669fe17c107a0f88ee609f014d2ecae3936e3986d207a2d41e4704d42d60c2615dbc0c51c7bc73e06d5c612cc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ff4ce13a0ed40af5dc0f3a56e17e1764

SHA1
e4ac261b6723b065c56811cbe1ba9f04c2d62205

SHA256
18faebf058d24d829052b6c396fcdad4f2f8ff3251ccd5aa07ede2ebebf6798f

SHA512
6e1c1157843618f2272a65026f6238b5550a7f917587feecc314e260fa8c70748e0c4e826a7a24dc734f2712df0b352cfa9c07c76bb305604077aee967f2f1bf

Download Submit
\Users\Admin\AppData\Local\Temp\909C.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
174KB

MD5
784c2a52594ce10a1752642965d3e0f1

SHA1
d7798cb26e786b1f4cd2a372f40f74fdb90863fc

SHA256
a39159ac09bf15b5f9655baa2e99399a6f7bfbae84b33d7296352e3846f32a79

SHA512
0e026febfba82b52a4206f753b1b53465b192550455177afed27e24d5f722b843f77c54c9b41bbca95fbcc610d185267524f902ca4abf34262e80f8df85a2eca

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
273KB

MD5
c7ab073b5a425e8d5643e11dc88fcb0a

SHA1
4f421bee3e9baca78da5afbe0771391402d8394a

SHA256
3545f77fd2c3493ed0182856691105556f35a32ba2518b7b48e7ced9a92b88d8

SHA512
7f6632406303d1e009cc874262813ba4b87cec3f26850d72e16c077428cd5405d142c62ef19e5a89271d9bfc89d36eaaa9011928abeb849e8a3e2968e9ede832

Download Submit
memory/1636-68-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/1636-72-0x0000000000350000-0x0000000000384000-memory.dmp

Filesize
208KB

Download
memory/2108-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2108-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2544-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2544-5-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2544-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads