e7bd5131c867932d9ddc43aae5168c207765497bbb7a04a2f63d71a9d87dbad7

General

Target

0658a6e948703b4ef67a1a85285ef38c.exe
Size

209KB
MD5

0658a6e948703b4ef67a1a85285ef38c
SHA1

e54e051a74b82ffc39f616e067a532734f908547
SHA256

e7bd5131c867932d9ddc43aae5168c207765497bbb7a04a2f63d71a9d87dbad7
SHA512

ce05dc55d35cf3adcf8c021e2e9524378b4ea15e093d211f544b0b47192bb8bd65addc7f7e7c29fe84c2be392d5435476fb585aa63adb87dc3ce00660e7b6dd5
SSDEEP

6144:dlNgwwSMUEVVQT6Y1DYnEdZSEDF+R9iu:1hwSFEC6Y10nwZS0FW0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4536	u.dll
2780	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 3704	3300	0658a6e948703b4ef67a1a85285ef38c.exe	95
PID 3300 wrote to memory of 3704	3300	0658a6e948703b4ef67a1a85285ef38c.exe	95
PID 3300 wrote to memory of 3704	3300	0658a6e948703b4ef67a1a85285ef38c.exe	95
PID 3704 wrote to memory of 4536	3704	cmd.exe	96
PID 3704 wrote to memory of 4536	3704	cmd.exe	96
PID 3704 wrote to memory of 4536	3704	cmd.exe	96
PID 4536 wrote to memory of 2780	4536	u.dll	97
PID 4536 wrote to memory of 2780	4536	u.dll	97
PID 4536 wrote to memory of 2780	4536	u.dll	97
PID 3704 wrote to memory of 3736	3704	cmd.exe	98
PID 3704 wrote to memory of 3736	3704	cmd.exe	98
PID 3704 wrote to memory of 3736	3704	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\0658a6e948703b4ef67a1a85285ef38c.exe
"C:\Users\Admin\AppData\Local\Temp\0658a6e948703b4ef67a1a85285ef38c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E196.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 0658a6e948703b4ef67a1a85285ef38c.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\E7EF.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\E7EF.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeE7FF.tmp"
      4⤵
      Executes dropped EXE
      PID:2780
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E196.tmp\vir.bat

Filesize
1KB

MD5
da90b097e6600173e3f968b1fe3d2b7d

SHA1
61baee9d1b3fa20271984be4cfa39841eea7abe1

SHA256
0c489a9cc9c2f8c1e6308045136f115f76e5461b3959bdca8a1a5600a5722ff1

SHA512
1094b5c9edcf46a36c4c5e847d5b2dfb3dbd754fc831dc5641e867790c6f42387a482b9a6383b000c1d62824f386e6c8b95660bce0c110f357e6a1d465a3db4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7EF.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE7FF.tmp

Filesize
43KB

MD5
8d2e9cddbebde21a469241dd023012ce

SHA1
3080009e204d881d53ed44e5f22bc7a03c74a229

SHA256
2f824bc1bae510a8de814de8a9495d52832ff007ef98cb75ea184b248a30d646

SHA512
ba20f0e32e202e69d45f35293560ca585ff18ec34168f96c70b3c5a0ba80029a6c0bb908a74b034b64b8ecaeb2688d3ed0a7ee7cbdecfce34ac7e1d5eebac59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeE7FF.tmp

Filesize
43KB

MD5
05907382ad462e5bdec5616672cd7698

SHA1
613ef8c44ae111cf11c08140fc57b9844a134ca4

SHA256
eaaafff2cb2daf44b025b0d104462db200e11d6e1ec703e71ab35025d2c0599f

SHA512
613762b2f583691496f0d54d6f15c14cdab8f5d5e179c3ab2ae21a111fe51389dd14abaeb930b230815c5d36c636da5b18fb52162ed5d601e9a8d6bf8ff987fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprF1E2.tmp

Filesize
26KB

MD5
74d0289b0521f2ce79b8ab7a654ac694

SHA1
599ffa621ea67c239f4880482d8e961de66f4045

SHA256
fa6b959b6856fea9f38df15b8e9f7875103557405bb4108375736b88debb2777

SHA512
58b0ba10e7a5f3d1144f775948a02c80a054cd57f2f08169ddb87b955ef16657d32387fec532eda580f9376f1be784faf74d265b8ad94fd17b8f1b6d324510f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
0ba8f8311fc3afbb7e32d98236f2efa6

SHA1
956dd3548df11f2c6c36366d74109ddddc33fc33

SHA256
5b6da37dd4f1fa6402e7ee652ef048f7bd7b396f7a3b3f61c56865d5cd3f6e62

SHA512
706f455d004af6d1442402c1a750a37da14da0351c51d0b0b578349355956986941c4a302956590be7c2b00caa6838e3b265dab8766e8636e0c6c4527b82c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
1d310987a06cfe7e852f16bfe36f8191

SHA1
8894f1a0d3031100b9ffcdfe71bca7f27bb6cde6

SHA256
cb631becc24e59851b865474a29ed13755b2ef9fa81d7684696d5ba9d0d3ef59

SHA512
bbaf3dcae8b3c009115626a7f047cd717adbc50cf105d8b3706ec05ca46a700b48156dafd877c6c9ec4990649f312f97916b2b660531bfe89ac1f3f49ddf71af

Download Submit
memory/2780-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3300-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3300-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3300-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3300-68-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads