a7c0ecf4294c63269f949b8c65f067e1af78682b1b907e55a34bd3ad448e7710

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6066afa2f416a782dacdf439033ccab.exe
Size

208KB
MD5

f6066afa2f416a782dacdf439033ccab
SHA1

194d14e8785bbb0f260fd1716f9835c1ad1202d8
SHA256

a7c0ecf4294c63269f949b8c65f067e1af78682b1b907e55a34bd3ad448e7710
SHA512

cb49614597666a45e927b09447cdae8d97fb5124cab967d43db9048170cb06bc259b767520d1176d99f3a353f65439846c609d851181e8461d903498ea837c14
SSDEEP

3072:2luy78nwZgkTDUHscVDVZWn4Xz+rwOvg/WRuPWNuLIO71YH5V06IDMdPW4ops:2lNgwZTDULVDCn4KrXYWRAYH0L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2652	u.dll
2720	mpress.exe
3024	u.dll

Loads dropped DLL 6 IoCs

pid	Process
2832	cmd.exe
2832	cmd.exe
2652	u.dll
2652	u.dll
2832	cmd.exe
2832	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2832	2644	f6066afa2f416a782dacdf439033ccab.exe	29
PID 2644 wrote to memory of 2832	2644	f6066afa2f416a782dacdf439033ccab.exe	29
PID 2644 wrote to memory of 2832	2644	f6066afa2f416a782dacdf439033ccab.exe	29
PID 2644 wrote to memory of 2832	2644	f6066afa2f416a782dacdf439033ccab.exe	29
PID 2832 wrote to memory of 2652	2832	cmd.exe	30
PID 2832 wrote to memory of 2652	2832	cmd.exe	30
PID 2832 wrote to memory of 2652	2832	cmd.exe	30
PID 2832 wrote to memory of 2652	2832	cmd.exe	30
PID 2652 wrote to memory of 2720	2652	u.dll	31
PID 2652 wrote to memory of 2720	2652	u.dll	31
PID 2652 wrote to memory of 2720	2652	u.dll	31
PID 2652 wrote to memory of 2720	2652	u.dll	31
PID 2832 wrote to memory of 3024	2832	cmd.exe	32
PID 2832 wrote to memory of 3024	2832	cmd.exe	32
PID 2832 wrote to memory of 3024	2832	cmd.exe	32
PID 2832 wrote to memory of 3024	2832	cmd.exe	32
PID 2832 wrote to memory of 1656	2832	cmd.exe	33
PID 2832 wrote to memory of 1656	2832	cmd.exe	33
PID 2832 wrote to memory of 1656	2832	cmd.exe	33
PID 2832 wrote to memory of 1656	2832	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\f6066afa2f416a782dacdf439033ccab.exe
"C:\Users\Admin\AppData\Local\Temp\f6066afa2f416a782dacdf439033ccab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8DFD.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save f6066afa2f416a782dacdf439033ccab.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\906D.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\906D.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe906E.tmp"
      4⤵
      Executes dropped EXE
      PID:2720
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:3024
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8DFD.tmp\vir.bat

Filesize
1KB

MD5
9c62e35fccab7b15fb482cd38e042c33

SHA1
d81afd780036aacb2bfc9666f4b28ae5496ccd3a

SHA256
aac191d0c35804d112ebaf10e0c673c15f27ab4878a925801206fa0a328387cf

SHA512
539d0b172670d11e485d4b894c3112514fd8358d2871f1fb4fa5c9a8d871b204254150d477144725a08eca81c7258a387cc93d32e2ecbf0960e448d161a5778b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe906E.tmp

Filesize
41KB

MD5
cfb6c23b4ec82cb8a0c562d2b9f34c23

SHA1
c7b496195abf2cceb09d8536768d83ab4aed6687

SHA256
28feed5f31044cbc96b185cd8ac0b12cffbc848b895ffce7d4005e25f7a8faff

SHA512
55a2e71b87db5af46c90eab14f95534d0deed807e91c4a52fb762141972a051633decedaf41b19b857efe8fd24821b59e15b33c9e00073da094495ea316420ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe906E.tmp

Filesize
741KB

MD5
84acfd5a635c861968acaf03b2dbcae8

SHA1
1c3adf393e48289499d0f0191d2d58c78bbffa0c

SHA256
761f34511d12aa6172b10472352e5bda5292d1218f9fbfd48ab3bfc5362522b9

SHA512
cc9c1e70f5c39de174b1eaff92fff3b79fcc39e7756df5f55ce47fa8590b0c1c2d4f312eaae0d7e8f872a409045ce00624ca7a461b9a392c8d1253500ef9dc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe906E.tmp

Filesize
741KB

MD5
a5b25a568637e30317543006618495c3

SHA1
c211c79a8b5989e73fc22f80664ef5a7308eef64

SHA256
c80ae550786fc33f65c9ad1df456e16918db41ef6f4b7864f3f470e38df9df1d

SHA512
9e4620a233dd634cde0d923be9679030661fa58fbd24bca17a56fccf71200e184c66e84d6db37925af40f84ca2539f85367d408f1b66fc2b750f7f038b6f4109

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe906E.tmp

Filesize
207KB

MD5
302f16f1967d728ce14ef59bba009f50

SHA1
e961f6446c6b55103ed3db7dce94560b7ebca87a

SHA256
34930db884d2ab32dc29f646b8c3f8ac1efe65d1808409e7e5830497e4ab5cf4

SHA512
63df9620925cbff5de213a80f657e5630ba357ac1027101cfd7b9f323e12b5ec428bcbb55e2932fdc4f9affea38a92610d7f070cb822535ca93b884a0c5630ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
0ba8f8311fc3afbb7e32d98236f2efa6

SHA1
956dd3548df11f2c6c36366d74109ddddc33fc33

SHA256
5b6da37dd4f1fa6402e7ee652ef048f7bd7b396f7a3b3f61c56865d5cd3f6e62

SHA512
706f455d004af6d1442402c1a750a37da14da0351c51d0b0b578349355956986941c4a302956590be7c2b00caa6838e3b265dab8766e8636e0c6c4527b82c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
7dd5c776ac0b1312f97b4db7de41f189

SHA1
6d4bb6ce51ec81f57985ff795a63d68170a037b9

SHA256
1de46691d3f072d9159374b3004afae33534ecb00cfa309c751dd181d4435e21

SHA512
3841631fac3c2553ca8e42b8a48ebe3caf345eff5b0d9a71d561d24ecdfe8ca4949d1d222b5338b1bf75e9988cd7b407e811dca6f701a1b2e11885d43205effb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
7f6a82734c95796dc0ca623e88ab6ffd

SHA1
8b352e1bc1cad6446770544960197988260391cb

SHA256
f2386745de92b28afc3c235832759d30b79f6f829ed6c1508c6ab80ba3e15cd1

SHA512
3446429c5f1e4dec56edceb5de76c2884ec20f29b1164c9bcc63c8909a4ce16a04639cf55c5e1519391169868a0ef92890857c18e2facce872e9dfe04cb95f1b

Download Submit
\Users\Admin\AppData\Local\Temp\906D.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2644-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2644-111-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2652-65-0x0000000001D20000-0x0000000001D54000-memory.dmp

Filesize
208KB

Download
memory/2652-60-0x0000000001D20000-0x0000000001D54000-memory.dmp

Filesize
208KB

Download
memory/2720-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads