3ceab021db750c4c70fc9a7aef3662887295fd5043919b0663ae19c2de2b4861

General

Target

6a068645f37f55557fa93f39c9ec8647.exe
Size

208KB
MD5

6a068645f37f55557fa93f39c9ec8647
SHA1

fdbe4f3e284a90b7ca9f8257e171df8b7a74a751
SHA256

3ceab021db750c4c70fc9a7aef3662887295fd5043919b0663ae19c2de2b4861
SHA512

47d2a02251c52871692e5255b6d0dbc503887ef9c2122819f8efe6cab16f21a753ef75949c5de2b924d00bcd87dd36a70a0bbd715d5a57a0676c46201b9117d0
SSDEEP

6144:/lH4WCNpicRdPIGz/INz8Zh0MYe1kaF2aNdQ5Dq:dYpixGz/INzyhn1kaMgoe

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
900	u.dll
736	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3752	OpenWith.exe
1212	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3464	3192	6a068645f37f55557fa93f39c9ec8647.exe	89
PID 3192 wrote to memory of 3464	3192	6a068645f37f55557fa93f39c9ec8647.exe	89
PID 3192 wrote to memory of 3464	3192	6a068645f37f55557fa93f39c9ec8647.exe	89
PID 3464 wrote to memory of 900	3464	cmd.exe	91
PID 3464 wrote to memory of 900	3464	cmd.exe	91
PID 3464 wrote to memory of 900	3464	cmd.exe	91
PID 900 wrote to memory of 736	900	u.dll	94
PID 900 wrote to memory of 736	900	u.dll	94
PID 900 wrote to memory of 736	900	u.dll	94
PID 3464 wrote to memory of 4732	3464	cmd.exe	95
PID 3464 wrote to memory of 4732	3464	cmd.exe	95
PID 3464 wrote to memory of 4732	3464	cmd.exe	95
PID 3464 wrote to memory of 4936	3464	cmd.exe	98
PID 3464 wrote to memory of 4936	3464	cmd.exe	98
PID 3464 wrote to memory of 4936	3464	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\6a068645f37f55557fa93f39c9ec8647.exe
"C:\Users\Admin\AppData\Local\Temp\6a068645f37f55557fa93f39c9ec8647.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8C52.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 6a068645f37f55557fa93f39c9ec8647.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe8D8B.tmp"
      4⤵
      Executes dropped EXE
      PID:736
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4732
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4936

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8C52.tmp\vir.bat

Filesize
1KB

MD5
e555eb522b6ffb5816026a73eaa8d26a

SHA1
48b9ac13d7f1e30233632cd3d4f3f208b00e7dbb

SHA256
a29688bb3baebefadb5a9fb12c410a0fa1a4a00b0369e41e6764625bf32654f4

SHA512
b24bf6a575b747fdcd4a8d8fd4335f6187d5615c718001ed731bc1377d1544a53ffa0c7d549c8a476a6429018cfee141a7d484e63ba37c101235976662846a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D8A.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8D8B.tmp

Filesize
41KB

MD5
5a16fb75977e1799ed52f35a164922e6

SHA1
c1697c61c42498f0501a886392ddd2560646b24c

SHA256
f625375b30e87216e720919833d9d4e7bc11f0b61a9d2d218817d2ebb140d7de

SHA512
1e31f17c0fea7df5bd321ff0015b8226a378b649c43df1111d9467b0f86f3a14e5a7ae9ed00314695f688b7cc0c18e44b3fa6521a8fea5943e4eb9a69a612216

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8D8B.tmp

Filesize
24KB

MD5
e6463306e4c9e1869c45c0433ea1eb4b

SHA1
33512256446775a16d9ec37c2ffbf1c181bbcea6

SHA256
c06e36b469862896e2c897a6c5d62904001de12be848452d77aedc560c2630aa

SHA512
a1fb58a92a6a57b166092cae0898937d652ea1f0f555f4829094d5efb7cd4763890ce76e35923ebbef6b3981b5565e0feae2484543f38ef999d6f22fc67bb589

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
382KB

MD5
3981395ac550547f964f87a3f15e2158

SHA1
7538d14a77bbb4cdfadff74385f849199392bf74

SHA256
8ef383ea0d049c6972c81e1ecdde8d719d5d0cdda995fa1ab70a3ee32c4acb73

SHA512
700649f2d7180ce60457de5537544254c40fba9b8871312cf0f25743fcce46714b21c3cc079e80afbc342edd743e33e91b4e28e412315bcdfc8436170e37f1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
863c312b1e74b57dc2d01a1370684ff3

SHA1
39175536b2783f4b3d70cb29d3352388cfebbcac

SHA256
33c2b1a19a8b31cd969ee88acebba54c9af73d4a8633becfa609e067909db33a

SHA512
d6dcd4968bd18b3483f7fb6a63b9640d8d3f3fc63bccd5c0ba294c1f09fc9b6bcb4fae815682d5800f7acf34fdadd2ec54be7d728d754a46b9cdb2362b3fa76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
96KB

MD5
4e4e244658d5fc41726a3f7d91e2180b

SHA1
8167174feefe275ae50f8fb49cd93ec09a106c22

SHA256
16591e0895b28f26bb8e9519824330380937f294613e029b27b6914f8d7e949a

SHA512
76a6b8efe6d9c48b3148074e391f9bbde0b6baeda5a7e8ebedeb87c6891aaebbdfa453050df28b6a6d4c8cf45939bcdc722666177f235dd6e7c1a6d8fbef5f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
6b23d3639ed421d958497412002cf2f8

SHA1
16462c9413167468395e762f5a59ac8ae8e7801a

SHA256
bbad2af274f358216171f83a20c1ecf8967446ee0762e1ff674f2cd1ec170bdb

SHA512
46b5bc522f24fab4ed1a6a0aa1aead2688d9144a98e16b91f0f5beed753b9fcc4c07162cd6689d2f6fa0cb272ce52443ecba42d4d6149d656a1c1be71dee0d4f

Download Submit
memory/736-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/736-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3192-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3192-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads