75b9d124f95f460989e41601c3a260e0bd45c4ec64f5fb620a4d9f33f7228d6d

General

Target

6c698c33466610f384f78db9c138cab3.exe
Size

208KB
MD5

6c698c33466610f384f78db9c138cab3
SHA1

64ade5d2e9f8536762df4f3859443d18f7796d39
SHA256

75b9d124f95f460989e41601c3a260e0bd45c4ec64f5fb620a4d9f33f7228d6d
SHA512

dbb7832babf8b3dd85f90e8a9cf0ea9e4cb2721d77429f522a583d81e370012450e3c57e60fa6def29f550053cbe72f0d3cff2e8d5031604dab7ba018ff3b491
SSDEEP

6144:3l0n6auFKBfjDLjiNxGwMp1ZdNDHYOgfwvQyXt:mn6auFK1jmNIwih1drH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1548	u.dll
2740	u.dll
2120	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2264	cmd.exe
2264	cmd.exe
2264	cmd.exe
2264	cmd.exe
2740	u.dll
2740	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2264	2332	6c698c33466610f384f78db9c138cab3.exe	29
PID 2332 wrote to memory of 2264	2332	6c698c33466610f384f78db9c138cab3.exe	29
PID 2332 wrote to memory of 2264	2332	6c698c33466610f384f78db9c138cab3.exe	29
PID 2332 wrote to memory of 2264	2332	6c698c33466610f384f78db9c138cab3.exe	29
PID 2264 wrote to memory of 1548	2264	cmd.exe	30
PID 2264 wrote to memory of 1548	2264	cmd.exe	30
PID 2264 wrote to memory of 1548	2264	cmd.exe	30
PID 2264 wrote to memory of 1548	2264	cmd.exe	30
PID 2264 wrote to memory of 2740	2264	cmd.exe	31
PID 2264 wrote to memory of 2740	2264	cmd.exe	31
PID 2264 wrote to memory of 2740	2264	cmd.exe	31
PID 2264 wrote to memory of 2740	2264	cmd.exe	31
PID 2740 wrote to memory of 2120	2740	u.dll	32
PID 2740 wrote to memory of 2120	2740	u.dll	32
PID 2740 wrote to memory of 2120	2740	u.dll	32
PID 2740 wrote to memory of 2120	2740	u.dll	32
PID 2264 wrote to memory of 2296	2264	cmd.exe	33
PID 2264 wrote to memory of 2296	2264	cmd.exe	33
PID 2264 wrote to memory of 2296	2264	cmd.exe	33
PID 2264 wrote to memory of 2296	2264	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\6c698c33466610f384f78db9c138cab3.exe
"C:\Users\Admin\AppData\Local\Temp\6c698c33466610f384f78db9c138cab3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\10A4.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 6c698c33466610f384f78db9c138cab3.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\2C8C.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\2C8C.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe2C8D.tmp"
      4⤵
      Executes dropped EXE
      PID:2120
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10A4.tmp\vir.bat

Filesize
1KB

MD5
ef0dbaac625b9d84d4314de766cb219b

SHA1
c2b3d109fe2252b2d1711d254bfae2d8659e1ffb

SHA256
078ac6b202f35549ed8155f0d2d5dfc037e8549fe5b1bf93cc04e8fe10215357

SHA512
e94f7abf41e58182cbe24b9ada456b8a35999aac3d861bce70d63c093d64c9535a3dab0857aef24649b268b20ba265fdb872dfe0e60e1360875bca9d74042988

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2C8D.tmp

Filesize
25KB

MD5
a7fb3de892773a55d1cb355013d339b4

SHA1
587065ba85e85685686d183d753142239570b537

SHA256
46768a61c8485cceff0b1ce8b9a4230fd7acda615c112b970592aa436f96f7f2

SHA512
8e7b3271a38e914d98138f258cae731d92cf01ff47abf15494998d5e87f761bf9fe09a0681ecb4878942f6b589f202d10d223f831c333e70e6a6be9d1c4d681a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2C8D.tmp

Filesize
41KB

MD5
fc71d91a19a6c7dc29f3aea780627213

SHA1
2b0f5477e07d585ea8471ec87becdc83045d8ec0

SHA256
60ad9ffd3f72533fdcc319dd7cf9213d38097f49f40d0f2001b373841fd00c33

SHA512
3ce7c6abdd8e38ac9c2e0d257fbb0b8c34d17f446250ca1b1d79e1cf49fa3fb710183c7deaa9ba8ada24eeef7f07b39437761877126e98945bbb3b125cd56eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2C8D.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
14112e91e63b6e7e1dd66a1c59689ab0

SHA1
1edc63168113fd46847454c83f06f2b7abbc2264

SHA256
208e3342beee170ba58954afb25f686ca28684267bce3f501a33760be6835f4f

SHA512
e47747b526303d6d536d92e9c94b539c1b69f324820f77e6c3c56076aa7bf6502f3c9d3217c075c282167ba19d7872d464b78ce6f56d109a73e8b2364b4e820c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
f7180c1fa6b5c6f947bc1e9cc4ad124f

SHA1
54b570f9f0f1f4d3cc930a67ec5ce202cadff17a

SHA256
7d5c52de17a36cb103ff4954b805159cd3420259e5b27f2701b42fb3ba12d3af

SHA512
c28fa5ccc2eef06d3d394b2ded821fa91400f0ec51c0f999cc78ab34986b94a5d9b52f68a4226fafde3a771c865436736f6222ba9095cac559f4986d91327745

Download Submit
\Users\Admin\AppData\Local\Temp\2C8C.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2120-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2332-112-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2740-88-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads