27086e35617d05afb65e76effcf40d62227721062a661f5d1f6a727402e8a8c3

Analysis

max time kernel
141s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49090a6dd9464f74bf2bd39e78ab9f85.exe
Size

208KB
MD5

49090a6dd9464f74bf2bd39e78ab9f85
SHA1

7ba7163474d4aef3668ee2bcb263ccc9e82c522a
SHA256

27086e35617d05afb65e76effcf40d62227721062a661f5d1f6a727402e8a8c3
SHA512

8fc38ee708759512b37103cce28a8e7edc0d091d59dc6c43f94810a5e1a8aaab6a253fb812088622e8f5619f3a368b27c91fd2a3f7165e5ad7d4019ec13ce498
SSDEEP

6144:OlNgwrksI9gfOy/6pcopbc1HPz9TTdog:ehrRIlA6pcoBc9Zu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1396	u.dll
3032	mpress.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2824	536	49090a6dd9464f74bf2bd39e78ab9f85.exe	21
PID 536 wrote to memory of 2824	536	49090a6dd9464f74bf2bd39e78ab9f85.exe	21
PID 536 wrote to memory of 2824	536	49090a6dd9464f74bf2bd39e78ab9f85.exe	21
PID 2824 wrote to memory of 1396	2824	cmd.exe	22
PID 2824 wrote to memory of 1396	2824	cmd.exe	22
PID 2824 wrote to memory of 1396	2824	cmd.exe	22
PID 1396 wrote to memory of 3032	1396	u.dll	25
PID 1396 wrote to memory of 3032	1396	u.dll	25
PID 1396 wrote to memory of 3032	1396	u.dll	25

C:\Users\Admin\AppData\Local\Temp\49090a6dd9464f74bf2bd39e78ab9f85.exe
"C:\Users\Admin\AppData\Local\Temp\49090a6dd9464f74bf2bd39e78ab9f85.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\47A8.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 49090a6dd9464f74bf2bd39e78ab9f85.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\4805.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4805.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4806.tmp"
      4⤵
      Executes dropped EXE
      PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47A8.tmp\vir.bat

Filesize
1KB

MD5
b34f84e6038fd8c16dad6f00ea125822

SHA1
d4c318fe8768667da03d1fd77b28bad0fe5ba908

SHA256
07f2e927bd4da28709f56d4b55730c97f2e3bac27cd3850cff1fb7b83347223b

SHA512
e43358ec7fb6e5df4b4b3e7ba271cbb211fe272bff8d0a927298852def8ef0c85036a73fff84cc429248832acfe5ee173f9dd8d5c0fb1f5dd00f3a8f8d8cee3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4805.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4806.tmp

Filesize
41KB

MD5
f7d46418a33764dd76d7a4884d35a192

SHA1
df2ac112309d82ea5e0e8c5919bb664ebedaf5c8

SHA256
ff34e2440937e60d6e3ce805827a77750f407c848cad773df28a889dbefd779a

SHA512
5c6fbdaa916df4d3d169d9827d64020a2d6f5195e479c3bcda52051058e37e4033eb0b1eac5ff57ac33b7b0d2046625c39fbfa494baaf7f5ece783d0c55c291d

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4806.tmp

Filesize
24KB

MD5
159a8487c515a71e48ceacc9e098effa

SHA1
bcea437733428a69c7104aeddb7a8759b2da4256

SHA256
1a5d3c5c8395a11d01c6edfb4fc5389627290c26f7ee3f6e2c66a17cb348feef

SHA512
f94abc5c5d14877883a2dc9191bbec01a5878f4259081ba802ec201dba3e38843d6c08cf97d8587d34c2e92309e493daff1cbf3271d58dc79ba7414a37145b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
115KB

MD5
abcdb913579d28ebe0bb799b220d7ce7

SHA1
cd065b74b17c8aeb6c7c7a4726795de4955b479a

SHA256
8ebc5c980f0c3e0bba48da307d444dd7dd9f619bd01422ac40a0a558d6def9e2

SHA512
9f66db87f3488e05dec2089b57946f4783857218a4c931b62899cb61f5d103a17bfd766fcaabf0f648bce17b2864966a644c0035d7bee14ed2cd8e545002f48d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
87KB

MD5
a8ac6139e5e6971ca8203640dd0e2581

SHA1
5a828cbc25f4107c2d9c6b8fe03140bee39f9e52

SHA256
467d5ea2c9b78a53ef65294b4b465ad02fcb7f08d8c47f9b3fa8c7ba6f5bb0bb

SHA512
cca1aa4bda4c933f44327374fd8ced96ca91cd69ab4c7863b7b0c3355d5ad2c1e10d8d0d32fd209f3e743e50ee8ba81597590e17c1037031c54e2456f529673e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
112KB

MD5
6139469601397d8981c79ae4d72527c3

SHA1
befaa066806e0b2290898818b43e888b81de80e0

SHA256
5180d29c3539aa9919cb1d3511c66986c0b1eaa589b8ea9052b8d69a58dd2fdc

SHA512
736641c76eef854553824048f6f3b8b0bae5f5b1fbf79586fce54a073df4c002ae8b5d075c548008b3ef5bfc917fdb286da16dcfa81cdc8968bfe6685f290dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
255KB

MD5
5590db8982d7dedffd4d077ed2c98ab1

SHA1
f23568acba3ed5428b41f9ce3dc3976cbf2d005b

SHA256
e136155291bc2c8ae309f3fcab29888191335157c335dfeee3a95208a72f355a

SHA512
703aeb71b3ca02e1693580c9419f51608332e87e2cf68f111f30b9b418407203f0d36916e78f1ab83c000bdfd3132cfcb1df905040f2314cc753bd2fd56b7e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ff4ce13a0ed40af5dc0f3a56e17e1764

SHA1
e4ac261b6723b065c56811cbe1ba9f04c2d62205

SHA256
18faebf058d24d829052b6c396fcdad4f2f8ff3251ccd5aa07ede2ebebf6798f

SHA512
6e1c1157843618f2272a65026f6238b5550a7f917587feecc314e260fa8c70748e0c4e826a7a24dc734f2712df0b352cfa9c07c76bb305604077aee967f2f1bf

Download Submit
memory/536-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/536-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/536-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3032-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads