7fed0c3de687fea710119b6849fcd89867cb0d2bcdbc7afd80c2afe865e03cb2

General

Target

4ba3714f0e5efa0ed6e0e1c272e890ff.exe
Size

209KB
MD5

4ba3714f0e5efa0ed6e0e1c272e890ff
SHA1

de90ba78169c284699d3760b81473ddcec89b82e
SHA256

7fed0c3de687fea710119b6849fcd89867cb0d2bcdbc7afd80c2afe865e03cb2
SHA512

4c8c5afab47e47b1323d76e0e1b2152f063e94bc9a5da5d7aee594a4d1cbeecfceb513686167ab7ae58307ebd97d48797dac81b5ad399609df5f066496068cdc
SSDEEP

6144:ml0n6au2obDzhvawZJo05PNn4c0ra2xJmVGCW:xn6au3vs0/hGvJmhW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2744	u.dll
1632	mpress.exe
2928	u.dll

Loads dropped DLL 6 IoCs

pid	Process
2784	cmd.exe
2784	cmd.exe
2744	u.dll
2744	u.dll
2784	cmd.exe
2784	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2784	2796	4ba3714f0e5efa0ed6e0e1c272e890ff.exe	31
PID 2796 wrote to memory of 2784	2796	4ba3714f0e5efa0ed6e0e1c272e890ff.exe	31
PID 2796 wrote to memory of 2784	2796	4ba3714f0e5efa0ed6e0e1c272e890ff.exe	31
PID 2796 wrote to memory of 2784	2796	4ba3714f0e5efa0ed6e0e1c272e890ff.exe	31
PID 2784 wrote to memory of 2744	2784	cmd.exe	32
PID 2784 wrote to memory of 2744	2784	cmd.exe	32
PID 2784 wrote to memory of 2744	2784	cmd.exe	32
PID 2784 wrote to memory of 2744	2784	cmd.exe	32
PID 2744 wrote to memory of 1632	2744	u.dll	34
PID 2744 wrote to memory of 1632	2744	u.dll	34
PID 2744 wrote to memory of 1632	2744	u.dll	34
PID 2744 wrote to memory of 1632	2744	u.dll	34
PID 2784 wrote to memory of 2928	2784	cmd.exe	33
PID 2784 wrote to memory of 2928	2784	cmd.exe	33
PID 2784 wrote to memory of 2928	2784	cmd.exe	33
PID 2784 wrote to memory of 2928	2784	cmd.exe	33
PID 2784 wrote to memory of 2172	2784	cmd.exe	35
PID 2784 wrote to memory of 2172	2784	cmd.exe	35
PID 2784 wrote to memory of 2172	2784	cmd.exe	35
PID 2784 wrote to memory of 2172	2784	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\4ba3714f0e5efa0ed6e0e1c272e890ff.exe
"C:\Users\Admin\AppData\Local\Temp\4ba3714f0e5efa0ed6e0e1c272e890ff.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\E0BE.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 4ba3714f0e5efa0ed6e0e1c272e890ff.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\E206.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\E206.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeE207.tmp"
      4⤵
      Executes dropped EXE
      PID:1632
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E0BE.tmp\vir.bat

Filesize
1KB

MD5
b1027952e7fff7c0a8a3743cae060a42

SHA1
7d1b8241d5db14d8b4a69228ec1f1670032a3d5b

SHA256
f3ad9a9ce576d45c964e1842f53770a9bb6a7460eded521c985e0c6ae3154a7c

SHA512
2dc7231e38337da09a100daaa56c33b17f418407dcaa8662e8276c6e02d617dff554def71cf49e23fff19a88054bc984bec54a76334d262ede323c94d3aa74ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE207.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
384KB

MD5
24dfc4c9e007f2583b956d3ad07de800

SHA1
0b55c60ceb419e2fca38ec401fd143fed0cc58ee

SHA256
96696051cd5f06b05353731d5524b3d828259fffe0d9237407776efef7e6ac54

SHA512
282767a6486d42ffed096909fef64086d55ad28bb35cee37da5bc2e573d608342e5bd85eed6c8c330c84df02a1aaf4aea95df870d506d1e0cc35e551d80b39a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
2d987f6708ee156f8f3e9c55d24116c0

SHA1
d64b1840c170b738ac104d6f7b1dc5bb44bdd845

SHA256
0c0fd1195b100b0e9dcfae5d7dee9236cfc2318bd911358ff247e7bb1ff5e0b8

SHA512
d8169beff34a4a3bdf29086f378ee7539f6c86f37fceadf0362294c8ce1b2e7537e75d886a786fa194e07a0117eb44eeb70a73d064f20d3cd8bf8a06c606f7bc

Download Submit
\Users\Admin\AppData\Local\Temp\E206.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
65KB

MD5
be2af27ccfda305f82c11eea8f40884f

SHA1
87ac096bfd210f414ff5c7299482a4c223aeb90c

SHA256
d9c673a3ddd97bbaad8c6001772667093cbe7eea6aae907236d731332a90a391

SHA512
2435c0ab18238ec91fc7c4cd7eaa2f13f4deb9255c8a3a82f0dd3e3a7e152fe5c12692160e4162ace558bb608a28ed25e01bb50ee28379f1d94682a07e7b42f2

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
381KB

MD5
6a44fb5c0f9ddb755e483f86e5a717d0

SHA1
2d12472cba6bb76c016d98e1015e36e317e3a730

SHA256
878d149eb8d275219a0e45096b664460e74bbde6deaae65d3e8d917cbdb6f790

SHA512
3787b404ddd92cbc1ddbf07431d443809df3ec3a32803fd3c30aa62890611b3a5ed8df4803cb175dd2acb30ecdea6dc3149ee7cd2c0ae70400ca8730fd4f1787

Download Submit
memory/1632-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-70-0x00000000004D0000-0x0000000000504000-memory.dmp

Filesize
208KB

Download
memory/2744-67-0x00000000004D0000-0x0000000000504000-memory.dmp

Filesize
208KB

Download
memory/2796-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2796-109-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads