460538302642045ba521ff3d056c91b7cb96be1f8eedd23540b2e083bf949ac8

General

Target

6cbe37a05a3122fd1f0171b2adc944db.exe
Size

208KB
MD5

6cbe37a05a3122fd1f0171b2adc944db
SHA1

4c83c505c1627eca51eeb8c4486d6aef34802364
SHA256

460538302642045ba521ff3d056c91b7cb96be1f8eedd23540b2e083bf949ac8
SHA512

5b7884ad7d0fa8a04c4798c84681521b7c08e007831ab1cb04d3f65f59b9fb5d0144efde7abdd51479cbf290b1b3989abea8a43379b7247d0aa53fc3c0faf8c7
SSDEEP

3072:2lmtZSkhslvxNGwGi7JMMYr2buA0l0SPKyDWn3DwJDmuKoWoPlRxwilRM99BjP3I:2lsSFhzmr2b8eSXDW3MK5oPlRxw2we

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2140	u.dll
2360	mpress.exe
2620	u.dll

Loads dropped DLL 6 IoCs

pid	Process
3060	cmd.exe
3060	cmd.exe
2140	u.dll
2140	u.dll
3060	cmd.exe
3060	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3060	2100	6cbe37a05a3122fd1f0171b2adc944db.exe	29
PID 2100 wrote to memory of 3060	2100	6cbe37a05a3122fd1f0171b2adc944db.exe	29
PID 2100 wrote to memory of 3060	2100	6cbe37a05a3122fd1f0171b2adc944db.exe	29
PID 2100 wrote to memory of 3060	2100	6cbe37a05a3122fd1f0171b2adc944db.exe	29
PID 3060 wrote to memory of 2140	3060	cmd.exe	30
PID 3060 wrote to memory of 2140	3060	cmd.exe	30
PID 3060 wrote to memory of 2140	3060	cmd.exe	30
PID 3060 wrote to memory of 2140	3060	cmd.exe	30
PID 2140 wrote to memory of 2360	2140	u.dll	32
PID 2140 wrote to memory of 2360	2140	u.dll	32
PID 2140 wrote to memory of 2360	2140	u.dll	32
PID 2140 wrote to memory of 2360	2140	u.dll	32
PID 3060 wrote to memory of 2620	3060	cmd.exe	31
PID 3060 wrote to memory of 2620	3060	cmd.exe	31
PID 3060 wrote to memory of 2620	3060	cmd.exe	31
PID 3060 wrote to memory of 2620	3060	cmd.exe	31
PID 3060 wrote to memory of 752	3060	cmd.exe	33
PID 3060 wrote to memory of 752	3060	cmd.exe	33
PID 3060 wrote to memory of 752	3060	cmd.exe	33
PID 3060 wrote to memory of 752	3060	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\6cbe37a05a3122fd1f0171b2adc944db.exe
"C:\Users\Admin\AppData\Local\Temp\6cbe37a05a3122fd1f0171b2adc944db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8F45.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 6cbe37a05a3122fd1f0171b2adc944db.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\9167.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\9167.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe9168.tmp"
      4⤵
      Executes dropped EXE
      PID:2360
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2620
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8F45.tmp\vir.bat

Filesize
1KB

MD5
cd24a5188a86bff763d6d8cbf071f81a

SHA1
73b37e46ed744122c7607dc1510d84df52282878

SHA256
4f2e92a0a8ff26be3d9825aad5f736cee6c29a7ff80ba6803e468ab3b63e8e38

SHA512
cf29cdb872dcaef59886adc98e54cc5ab66109b743078707aad877abd3ad0b8b2f8859e009018863b294569a6cf4625d786eb260d5ef67cfaa9454ce8b999540

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe9168.tmp

Filesize
41KB

MD5
bac68e690b1c14dba6029b68bf6485e0

SHA1
911ac3beb4e166a4fd3e263787175b257a8a2125

SHA256
45422da2885226ab32d568f8155b68c173675a7a5ca058f1e75feddc5229348d

SHA512
6ab4ded492eb5c594ba5a0da0eb0f6f812b459de500b9111264276e6eadaefd58e470abb2bebd4c044b689dddd08a919a947417f53d246e4547befc859f5d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe9168.tmp

Filesize
24KB

MD5
6c8375af56ea9d846bb98f244c2f75ec

SHA1
f39bbe976b325e9864355bca72648fc1b43c4d2e

SHA256
145af7787040412ff1f590420fe90c147d26dc6c3b705121dc3d0da6448c38a7

SHA512
7810c64eae600cfdad4d398db90b5a84cfd8936fa626c644a36fc8cbc98a6b16fb37807d75ab7ecdfeb19d10db8b6f07e69046dc4fc2ad80bcba50dd058d821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
17ad68b0956810dba03ee39dadb54074

SHA1
2359c0470bb842c74a03ee598767c190cd833a23

SHA256
bb716cfd69f403c0ac843707f2e82b6edfae5cde45cb071783d2dac58c3e9768

SHA512
9818f70abf905eb286ddc9fa6447f69dbb8a8e6a5f5bce90a79391f79e67c121e59699e07b07622e908a97fe6fdeafbbe52980b0fd0ddca3612f779d81af4b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
fd944642912ff8686192d71e04ad1e75

SHA1
1cc747bee2bb5ea37daececc6bec4c87d5d37b82

SHA256
30b1e4753578e84d541a36a74943f6d456155f698432baac87a96efb6b69743d

SHA512
24c50cd4016d3a3eb593c0e953f254b9e0191c002224eee7af12c6816e3dc3187dc87298e9555d8874edd045fefccb96415e949492d258a416c99f4bb20df43a

Download Submit
\Users\Admin\AppData\Local\Temp\9167.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2100-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2100-114-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2140-68-0x0000000001E70000-0x0000000001EA4000-memory.dmp

Filesize
208KB

Download
memory/2140-63-0x0000000001E70000-0x0000000001EA4000-memory.dmp

Filesize
208KB

Download
memory/2360-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2360-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads