e40e757329d90b80bbf78adccd9a39743d8b19b08fb63cef3708c759179fe6f9

Analysis

max time kernel
21s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 06:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a0eae067d5dff84c7ff12725442bac8.exe
Size

209KB
MD5

5a0eae067d5dff84c7ff12725442bac8
SHA1

8eb069c50e65c5465590d52104f86f8771e0c90f
SHA256

e40e757329d90b80bbf78adccd9a39743d8b19b08fb63cef3708c759179fe6f9
SHA512

fc4b5ab728a7aab7289158c35e0332894df81ce466db348ed169ed682ac45aeea67ecb9622dacb5f42270d81182bf7a7a4deaab8293900aefa98cacfd2c4da36
SSDEEP

6144:4l7uLh6KzRvDcGK7kqNxZf+8EomHWaWcxjS:50KW7tVpcN

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2992	u.dll
2588	mpress.exe
1688	u.dll

Loads dropped DLL 6 IoCs

pid	Process
2848	cmd.exe
2848	cmd.exe
2992	u.dll
2992	u.dll
2848	cmd.exe
2848	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2848	1656	5a0eae067d5dff84c7ff12725442bac8.exe	16
PID 1656 wrote to memory of 2848	1656	5a0eae067d5dff84c7ff12725442bac8.exe	16
PID 1656 wrote to memory of 2848	1656	5a0eae067d5dff84c7ff12725442bac8.exe	16
PID 1656 wrote to memory of 2848	1656	5a0eae067d5dff84c7ff12725442bac8.exe	16
PID 2848 wrote to memory of 2992	2848	cmd.exe	19
PID 2848 wrote to memory of 2992	2848	cmd.exe	19
PID 2848 wrote to memory of 2992	2848	cmd.exe	19
PID 2848 wrote to memory of 2992	2848	cmd.exe	19
PID 2992 wrote to memory of 2588	2992	u.dll	18
PID 2992 wrote to memory of 2588	2992	u.dll	18
PID 2992 wrote to memory of 2588	2992	u.dll	18
PID 2992 wrote to memory of 2588	2992	u.dll	18
PID 2848 wrote to memory of 1688	2848	cmd.exe	17
PID 2848 wrote to memory of 1688	2848	cmd.exe	17
PID 2848 wrote to memory of 1688	2848	cmd.exe	17
PID 2848 wrote to memory of 1688	2848	cmd.exe	17
PID 2848 wrote to memory of 1676	2848	cmd.exe	33
PID 2848 wrote to memory of 1676	2848	cmd.exe	33
PID 2848 wrote to memory of 1676	2848	cmd.exe	33
PID 2848 wrote to memory of 1676	2848	cmd.exe	33
PID 2848 wrote to memory of 1592	2848	cmd.exe	34
PID 2848 wrote to memory of 1592	2848	cmd.exe	34
PID 2848 wrote to memory of 1592	2848	cmd.exe	34
PID 2848 wrote to memory of 1592	2848	cmd.exe	34
PID 2848 wrote to memory of 372	2848	cmd.exe	43
PID 2848 wrote to memory of 372	2848	cmd.exe	43
PID 2848 wrote to memory of 372	2848	cmd.exe	43
PID 2848 wrote to memory of 372	2848	cmd.exe	43
PID 2848 wrote to memory of 2564	2848	cmd.exe	42
PID 2848 wrote to memory of 2564	2848	cmd.exe	42
PID 2848 wrote to memory of 2564	2848	cmd.exe	42
PID 2848 wrote to memory of 2564	2848	cmd.exe	42
PID 2848 wrote to memory of 2664	2848	cmd.exe	41
PID 2848 wrote to memory of 2664	2848	cmd.exe	41
PID 2848 wrote to memory of 2664	2848	cmd.exe	41
PID 2848 wrote to memory of 2664	2848	cmd.exe	41
PID 2848 wrote to memory of 2796	2848	cmd.exe	35
PID 2848 wrote to memory of 2796	2848	cmd.exe	35
PID 2848 wrote to memory of 2796	2848	cmd.exe	35
PID 2848 wrote to memory of 2796	2848	cmd.exe	35
PID 2848 wrote to memory of 1936	2848	cmd.exe	40
PID 2848 wrote to memory of 1936	2848	cmd.exe	40
PID 2848 wrote to memory of 1936	2848	cmd.exe	40
PID 2848 wrote to memory of 1936	2848	cmd.exe	40
PID 2848 wrote to memory of 1948	2848	cmd.exe	36
PID 2848 wrote to memory of 1948	2848	cmd.exe	36
PID 2848 wrote to memory of 1948	2848	cmd.exe	36
PID 2848 wrote to memory of 1948	2848	cmd.exe	36
PID 2848 wrote to memory of 2504	2848	cmd.exe	39
PID 2848 wrote to memory of 2504	2848	cmd.exe	39
PID 2848 wrote to memory of 2504	2848	cmd.exe	39
PID 2848 wrote to memory of 2504	2848	cmd.exe	39
PID 2848 wrote to memory of 2792	2848	cmd.exe	37
PID 2848 wrote to memory of 2792	2848	cmd.exe	37
PID 2848 wrote to memory of 2792	2848	cmd.exe	37
PID 2848 wrote to memory of 2792	2848	cmd.exe	37
PID 2848 wrote to memory of 2268	2848	cmd.exe	38
PID 2848 wrote to memory of 2268	2848	cmd.exe	38
PID 2848 wrote to memory of 2268	2848	cmd.exe	38
PID 2848 wrote to memory of 2268	2848	cmd.exe	38
PID 2848 wrote to memory of 592	2848	cmd.exe	55
PID 2848 wrote to memory of 592	2848	cmd.exe	55
PID 2848 wrote to memory of 592	2848	cmd.exe	55
PID 2848 wrote to memory of 592	2848	cmd.exe	55

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4D74.tmp\vir.bat""
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\u.dll
  u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Users\Admin\AppData\Local\Temp\u.dll
  u.dll -bat vir.bat -save 5a0eae067d5dff84c7ff12725442bac8.exe.com -include s.dll -overwrite -nodelete
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1592
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:372
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1520
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1244
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:576
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:688
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:336
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:592

C:\Users\Admin\AppData\Local\Temp\4E01.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\4E01.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4E02.tmp"
1⤵
- Executes dropped EXE
PID:2588

C:\Users\Admin\AppData\Local\Temp\5a0eae067d5dff84c7ff12725442bac8.exe
"C:\Users\Admin\AppData\Local\Temp\5a0eae067d5dff84c7ff12725442bac8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4D74.tmp\vir.bat

Filesize
1KB

MD5
6e0bd7b7d43bc346416840d70566853d

SHA1
7c9b4522d7190679879e88b14e3c4cfabc3ba59a

SHA256
60009570f32b022e9786fe29840301b133dafde8fe109fc598fbc5eae5ca6c09

SHA512
84dc11fd90317e10a5e5ad165fba04b3b5c9220871921cdc5e43f45e408f7c99010b7a305dfc80662f309ff8fe5cf4ff0d4864ce61cbb58fe8a51e6f4ec3618e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E01.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E01.tmp\mpress.exe

Filesize
95KB

MD5
24e96bc2b60021050b40b7569a0b4c92

SHA1
a858542c7ab95591787664390af45b4a65c0afeb

SHA256
4e6443620923cbe50c38b9a4e95309d4c90eea4b0d47c1efc209a7faac6e4a33

SHA512
35ae95d7b8ba739422c5ee17b593e226338a1693e7ed8962ea2569cc2c0de66e0c3f88edce4002829829c728f13f5ed3d33bdc0993ea52401eec1784f4395a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4E02.tmp

Filesize
41KB

MD5
21ad9b883cb5428eb7a8312dc2468537

SHA1
3e1e5c560a68d92786ed348752be55982c51a405

SHA256
84c821ba37101822b7b832fef732c9f6435c3fc039c3bc6d703c0c0ffc007b6d

SHA512
842ec74ffd31c02ad65f9a9ae2d3ffa0c6a9392bfb25d4e1fc45166abee90ba709ebfcfe14ee722221679d7a88d8438a7635e17a9b9be9f7803988b1d4a40cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4E02.tmp

Filesize
31KB

MD5
03f1ffb4f95533dec110ae1008ea4e22

SHA1
478fe271375e3c71ede2078a7f88ff71deacfb63

SHA256
ab8f3174b11884800fb1c19b3fe1368d4d38ed3eb561f95aa49a1f220260b7c9

SHA512
9a6c1582e4c6743098b1799e7efc12ec6283795c4add6e02b9535532d3b32da666edd03d2d261b26268cb4ca4748e45e9a3e01dc217c19e025a36b7823b386b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4E02.tmp

Filesize
13KB

MD5
020722be8cc474db58b0bb503a399c19

SHA1
6e69878ed5d5e330052c682e181da16dc2aa919a

SHA256
5ce1c1084675539bec37a993951a1bb8575d983d5dbbdb12ec91d5e83fb5bd9e

SHA512
732d5d6dbaece9c81f9afc7fd2fcfb08e4586be6038bde183bc8e204156334e6d004ae097c9151ae5fec1ac85603fe90992a3e6ce5a3bc5bfee5b5e01b458f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4F78.tmp

Filesize
41KB

MD5
dccc902dc69f9012016bfbeebaec2ab4

SHA1
9bb1965864382c768f42709d65999e8ab14af8b5

SHA256
6ef2e241ab78f7ed0389775aed3e394233a49f32634c9bb293e663e1ee381e37

SHA512
7b5ca3fe7b496a6b9b506ea477b72342c2d673278e9e7a1e73a257bf1847e926a866ff624995aee24ec9e871882b34bd2cdf5181a47ec047faa57bb7fe4c3086

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
34KB

MD5
239758c10a9d567338f02d6e69cbe230

SHA1
e598b6f6e15abf7547fe0164c595615eb4bb8e73

SHA256
08b5ef9723bef4567bca96360e544ad088579a92a4be06c00307dd8f08f99b41

SHA512
5a2c244093fe195358f4265c2eaec851231996750a9dec66ce80c882aad176709dd0d8f116b48401f89856ddf88ab283744ec133472eb99f949d8e7052e13c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
124KB

MD5
3c63bb8353dcba22653658eab8212597

SHA1
11cdaadffe5fae8e4c33a97abfa8a3c45468cd53

SHA256
a0da44b568167ffbcea2d5bee5744bd8d6ef8799821a9be5d28c7f41e56fe0e4

SHA512
3941b46a0518d2227bf73acb2727bf27981ea2d99788d5d5acbd65edb86dff20bad7d2d1bc9b36391aa5b0b45e624818757131633b8c455b0e3e08061d320a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
43KB

MD5
32ed8648a028caf9a92998679f4dc185

SHA1
9a9233a1d726f8bc7ad22c996ce6e0c72caac79f

SHA256
04fb09f43e63144bf78cb0afccce19520686fd718cf24ff3a0cb4531a6232205

SHA512
f43bc8e1ce38eda28d371983639f25f22e567d2c04c14c926722fb66d5af2d5c1042ac14969de37a639a2e46b62a37d3cc812693f4c185c8b73e9c75316d9f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
85KB

MD5
6979a5b4040b3e1e6636cc0c2c9c620d

SHA1
d184a8ac9db44c814a9cce5073e8445ddd2cd6c8

SHA256
56780f09f5da1d5f66600dbc9790119e55c139b6d8546d9c1ded56606045eb8e

SHA512
f131ba39069a3e53e0ea54748c899389cfc852a68c2ae72f6ad2c2c0af49bff95d71809b45e46a9afdd7335c387813b47bbebdfb22cc92206a6f90ec5d3a4ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ba7ca00555c17dd101cd790f3da828bc

SHA1
7e0710cdfc66231d90730a394f958fececb6ce15

SHA256
0d8c72e684378e1fc01feb9f738e78bd2fda226de13e028324bb3fbbfd8d1312

SHA512
54d41ed750da6ce1f09c5379e3a08904e91417f8570bd41b8b9207f28b83b89c071c631c9a0b54c8a3c2bf61405d342fc97b4a22cfd458b2730fcaadf9acd7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
04031a1a582b37b275eee0db11857f00

SHA1
1597848d80a23748346fd5ee69d8d2a60d68bfdd

SHA256
0a21d7581577dacf04209dddea89071b92bc07bd63740c49fd3d8a4986d34b52

SHA512
3c21241f21cc184f7cdd60c7746e2b72d9a66edd399989a190e86e65b3214821c6923e1beef96fecb4208715b4875a36bc5b2eeb506c529f5cfeffe892645f73

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
148KB

MD5
753076c525929bbee678fded1cdb658a

SHA1
31b302ebda6446543d3717e8f7ad3d7f0e562832

SHA256
7ad1d8a9d9c5424ac5115cf1da5f71e3afdfdc8faba415327fc95c691323855c

SHA512
cc3a138422b8b8fa29be90051285915639c8e4f514de66bf9e25a1642e51197158c7f7cf4dbac0fcb1bf06e5c5d07742195071d53257cb0157402a8d4008d506

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
100KB

MD5
7482b7d642ad6ef6c08141e5ed01b778

SHA1
6a7cd749b800e9191c4ba3f2ed1abc3f283a837d

SHA256
432d6ef7dfde95fbf63b5b06a7cdb9f8fd05cda88b056e12590530c67b364134

SHA512
7225fc1a59671ce31a749b650152261941002dbb96d51a47a0c6cc134ef87132a4dc1a38d06d9c9077c04ec3e35da11a33ad07594688c629d75fa3cfd6fcd9b2

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
92KB

MD5
ace4bef1eaa126302be21c4105cc6ea3

SHA1
227744c90647355a13c84178f9fedac3f75fdb97

SHA256
8a675772564f80e1e7c4e51cbb64e1ba19990a010b112abc5f050100a6765c66

SHA512
b4909dc9aabd8f478717a08e14648bc131b6176ac794991bd174f61dff9c3d15b0635352cce622e8088515fafbc447dd15717b3c2001ba34f86a19ba2abc4029

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
65KB

MD5
0f481a9dc62112cbd3d4144b45c39814

SHA1
b0f984d094b85f59181548126f2cdc1e1b05b618

SHA256
2c59c21fe332049aa3b00d726ad13d4a1667ce57df01bb8f5195157185c7892f

SHA512
60fcf0d368202cb5249574f51799655003a6e804c3839b44c1b1aa52b0850863482bf7e7e17bbf980a8e6f06f5ef55ed0c892164270c0644c300ac76eec5ca1c

Download Submit
memory/1656-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1656-109-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2588-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-67-0x0000000001C20000-0x0000000001C54000-memory.dmp

Filesize
208KB

Download
memory/2992-69-0x0000000001C20000-0x0000000001C54000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads