4969bebc3f9ec115187c5d310831c48f89aad355622d3417137cdf39bb26ef25

Analysis

max time kernel
143s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

604ac5fdfe5562387e2497f34a543df5.exe
Size

208KB
MD5

604ac5fdfe5562387e2497f34a543df5
SHA1

7f853524c8fb634d7defbdfccfe7cf2637d9b4f2
SHA256

4969bebc3f9ec115187c5d310831c48f89aad355622d3417137cdf39bb26ef25
SHA512

8110bcc0271830555ec12da772e902dc759f447b0f3d5c463b60bf3caf3ea98a0baaab2b51791ebb7e36f9aecce1de9cbb09fce7f63e69ef2b3c1c9895e112b3
SSDEEP

6144:FlsSFhznFu8WD6RrZOAR7y5JMcrUGqRQQ:8Uh7Q8MQZOARO5ucrUpR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2100	u.dll
1896	mpress.exe
1964	u.dll

Loads dropped DLL 6 IoCs

pid	Process
2408	cmd.exe
2408	cmd.exe
2100	u.dll
2100	u.dll
2408	cmd.exe
2408	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2408	1740	604ac5fdfe5562387e2497f34a543df5.exe	24
PID 1740 wrote to memory of 2408	1740	604ac5fdfe5562387e2497f34a543df5.exe	24
PID 1740 wrote to memory of 2408	1740	604ac5fdfe5562387e2497f34a543df5.exe	24
PID 1740 wrote to memory of 2408	1740	604ac5fdfe5562387e2497f34a543df5.exe	24
PID 2408 wrote to memory of 2100	2408	cmd.exe	27
PID 2408 wrote to memory of 2100	2408	cmd.exe	27
PID 2408 wrote to memory of 2100	2408	cmd.exe	27
PID 2408 wrote to memory of 2100	2408	cmd.exe	27
PID 2100 wrote to memory of 1896	2100	u.dll	26
PID 2100 wrote to memory of 1896	2100	u.dll	26
PID 2100 wrote to memory of 1896	2100	u.dll	26
PID 2100 wrote to memory of 1896	2100	u.dll	26
PID 2408 wrote to memory of 1964	2408	cmd.exe	28
PID 2408 wrote to memory of 1964	2408	cmd.exe	28
PID 2408 wrote to memory of 1964	2408	cmd.exe	28
PID 2408 wrote to memory of 1964	2408	cmd.exe	28
PID 2408 wrote to memory of 3040	2408	cmd.exe	33
PID 2408 wrote to memory of 3040	2408	cmd.exe	33
PID 2408 wrote to memory of 3040	2408	cmd.exe	33
PID 2408 wrote to memory of 3040	2408	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\604ac5fdfe5562387e2497f34a543df5.exe
"C:\Users\Admin\AppData\Local\Temp\604ac5fdfe5562387e2497f34a543df5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8AA3.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 604ac5fdfe5562387e2497f34a543df5.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2100
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:3040

C:\Users\Admin\AppData\Local\Temp\8B4F.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\8B4F.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe8B50.tmp"
1⤵
- Executes dropped EXE
PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8AA3.tmp\vir.bat

Filesize
1KB

MD5
771d25d832d995785d1640bb90de0539

SHA1
f3a2b3798bec5ec83ec081f98684d8eb97d0c27a

SHA256
c1e2408c5e645862a48b35780fbe12365131c45f1371412a8f6e0f334d7753a3

SHA512
5968b217f4c2b35dcc40c9a271dcc09c8525313e857083f7c29ec6cf9e6b42a89db3b7c2174624e5edb6edec5ce186729738f7d8d03c4b53209f8d52cd68a359

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B4F.tmp\mpress.exe

Filesize
56KB

MD5
463c8c49ebe505ca5630af90806bee76

SHA1
4f788079648791bb3174d698d890f0f1861550d0

SHA256
210a51e19af27fc438bc0b5823e1159bfb10b190b45794841dd5283f68f6e9ce

SHA512
0c5cb8e6a83970161b6688b7353c0f4d6090fd99dfaaca594079d4295dc4813aff90150320f16ff67bbbdd0c72c574fe4fee9e7ae7688ccde8c0eb0bed9668d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B4F.tmp\mpress.exe

Filesize
17KB

MD5
0bf0c363e08037d436f79250a22ea99b

SHA1
1b270903e272d98d1f28a00859bf91e994c06f28

SHA256
824ed42371126a601472437346344376d8870c9ce2c8a9113d24f273a70622bd

SHA512
e9a5a0ee47b0c5bd0214803c88cd1c1a4a5bb40bdb1f1f6a3ae56589cd50df3e3d84848ea5ef9dc55a96530184d7de4834e785c053bb19a5bd25a8c1a3e6b2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8B50.tmp

Filesize
41KB

MD5
bac68e690b1c14dba6029b68bf6485e0

SHA1
911ac3beb4e166a4fd3e263787175b257a8a2125

SHA256
45422da2885226ab32d568f8155b68c173675a7a5ca058f1e75feddc5229348d

SHA512
6ab4ded492eb5c594ba5a0da0eb0f6f812b459de500b9111264276e6eadaefd58e470abb2bebd4c044b689dddd08a919a947417f53d246e4547befc859f5d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8B50.tmp

Filesize
16KB

MD5
387af16f91ee7646a8c49c5b1c0c59a2

SHA1
5f47e77a879105daf5cc905dee975bbfccfd1d7c

SHA256
47cfadd8f6975dcea35d55ed69594ec31e36d1d98fb8e8b7cb072f8c251ce4e9

SHA512
6697b80889b05d5008d248a3b5e642333a533f0a952d62e249e8594b56e082b66c6e77ae3592c42c18cd853f2bc507b14c70a57d887f325f5dcf0c921a4a250d

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8B50.tmp

Filesize
21KB

MD5
960339c4025a1b1f2ce1394c0ceca9b4

SHA1
7dd9d0827f087e9c58d817e9344bb72b8a612866

SHA256
5487be0ec0aa5d617bfaf70ffc4f4e1da7107d2d72d2ae481aea14edffcbdddd

SHA512
a60cae3294b7b6819fc6dddce957f67ef34272741b63bd05cefab84d15c8d5cd8cb082f5e3a3bb759c3740e94a4f57a9553a50d3ce709306d1f5e57c71704a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
69KB

MD5
30edb64bbc1657c7e2f201c844558693

SHA1
1b7dbbec665681be1b09d47618f0b67809196dcd

SHA256
2ee7a565b694092d6c6f37c30176c23d92e0ec08fff74e9f18edfb93f73fffd2

SHA512
431a9b3ad6fb1ed5a8e237d68525f4d0abfc25eee680663277b331a51dbafd7575f5664d3fcf7ed115258c21b6ecf1f483b61c6b0a1847335c28caac727730f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
35KB

MD5
de72a832985de4a8936fc5e4ce08a749

SHA1
f1d0af17c98451dd9735cb6cd550f0bd7ee2fca1

SHA256
e1fe243a0cf2b1a9a0fb357c596f6f4fa74796d290bb5ebeeb36ee60300b3c35

SHA512
52ca68f333d256b4848368f667493e402c619abe0308b5b32b392b2225556e9747ff1bfcba98cdb83761b4c1f844d34fc46b79a2887798778ffc74ec46563440

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
82KB

MD5
e96a645fe290a628df8132dea816766e

SHA1
69af4c0c56ffddb5dac73d5244351d9bda8e5a7d

SHA256
a1b9441a4773439c74ffff04d78c5160af50a20abbf6a60c2efa99cb11197901

SHA512
133fd39c15a1a79a536d1def921c65b1edbd92cab1bb13862a21e64e12e9709745cd8f1b708d346d9797d4efad82ddc4f2e77ced6ee1a6723fa724fc32ee56b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
41KB

MD5
b5274cf9cff2a2921872378fc20b79d4

SHA1
b2b80a6c5adca99a91ba42c32fa177470b78dd35

SHA256
accca6a15872c0fab8f4e3145e5287eb2c48452f77f1738f416688a064c9ea1b

SHA512
cf3078b47f1e3af539395a5834eee31fd20e690dd33c6b92a3e00ac80cf944d27737d0a9e29dd4045cc8d7179d5a27c7af0f7207a89469833f7007d370e244ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
5b302f4d9d10d7b253514c064eac8d79

SHA1
66d9e7e1d227b0e05c7d325719dea9906b141cae

SHA256
236feca84b282d477a116affe8afe45463d371c24acfd5cd790750704a809730

SHA512
9fd7187dde14f756b9d9a8f908df8ee912b4e7a1d22ceef1bc6cb404df076ba38d41bd88a0d13da467f3988a6a75214a56d6db99e6b3befcc9c5a644d54f8e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
40ceec7a5e6f0a6a34d1afed2fff7863

SHA1
fd97d7ff8f0b3542f8a482d54e5559e071cfc113

SHA256
17a3f370f3ad6284237b16a6218830d28d663b836cc43b088a52a4ee50de437e

SHA512
cc2da1f5c0b17e726c55ac22cece265cb2d38cff297cd8ae23600ca865732e4c42c9b9f9e6f2a4debaa5823914582154b841d12c95540360051f16f0734e7363

Download Submit
\Users\Admin\AppData\Local\Temp\8B4F.tmp\mpress.exe

Filesize
59KB

MD5
713493f277852c35f22e33e3818d5b2c

SHA1
271edf70d35e00b58a4542bd8b75eaebdf11f8dd

SHA256
24839ef3ef375406143d4dab52d31c6a7a34ef56e39dd62e1f32538312d946ca

SHA512
8755f99d342392e013fdd2874b2bf4cdd05c6bffd7037204d12419724a30671aea208c53f683b30b4eea1cc85243fee69a361613d89ddc94f2128ca0e2667576

Download Submit
\Users\Admin\AppData\Local\Temp\8B4F.tmp\mpress.exe

Filesize
54KB

MD5
f6c44c0a6639831ae87a41b78fd60fc6

SHA1
aa8eb509e0606815771119c2b4bf7a93238b81a2

SHA256
9cbf2c8bceffc4e9ba3d1171982b6399c1c5d374fdd5ea5cdf7721002f2162fe

SHA512
47bf958ca87e5226e97d88a5b49491290b5e3cb1ff80ee0ead534bcfddb59e36ae9f2c984f2763009861c9793bf1cff98fc44b6ac9c7e1c7edd68dacf4afa094

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
38KB

MD5
9c6808d07caea78d2e6ba849102e0565

SHA1
ca98ae6081c744f3a5c72b0ca09c02120448ab12

SHA256
7d1e709971cc64f11b6e56d9fa36568e93123ec86a7e8a3fdac434344c44db34

SHA512
239268cbea262834c92ca72e66620dc3c51d803e0cf7cdd77e11105a194acdce3493a440cf96682b51b846d7af9dc02dad33c91e14ad74dca159d918a5beed8f

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
56KB

MD5
20817c4fec9d37ecbf621d3f25014e60

SHA1
276d0cd50d797959f3739a38ad3fe0f3b2a168a1

SHA256
a522c77e6a646622339a4f9ea62b33cdbcac24bebb7cb564dd14e80f7e4d3338

SHA512
ea416865d7be2acd7f973ab15906099f1f53e6e7407e6623a9c57ba483238ed240c63dc29430895752adc41aaa4e550feecaaec08c6056c541bc88df3ef589d6

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
21KB

MD5
9247b8089e4c7fe2dbcbd5df46a7bdb5

SHA1
a84ecf4e2f0b7a596c495567bf0ff5ca61bf0d61

SHA256
27c9876715ade9972aaaa20229bd8614750c8cc802f3c86b06557f8b21109e4a

SHA512
5db347e0c1ffcb775d6046a286670e6bbf90878d543506286e1f6e8c2d21912c4b58254dae535861b995629d1af1eb4f46fb8175990ff551f993892e87a5038c

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
31KB

MD5
f1ac2d96bb2a49a81a5c711acb8aaf20

SHA1
fda431fcc19a583658b5450f7bfffb0b07db90cc

SHA256
2bc9100c8b37cb0868d812f75119bcd141bf8fca453fa2e32376fa851b41b0b3

SHA512
6e99a63467d7e9193d04fc12cbca0ddb688bd7910acb70363895f4eb85831a9edab433c4c519ea75ad20170e522e4635f04815ba968b7b41124d76f68b38c97d

Download Submit
memory/1740-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1740-110-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1896-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-69-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2100-68-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads