65a3554cac0e9afbf29c1f11d93577ac7c20432e090c6b25dd36d84ea1c082cb

General

Target

1ea69db85dd76d6b1d0e0709af8439a5.exe
Size

209KB
MD5

1ea69db85dd76d6b1d0e0709af8439a5
SHA1

e3b17d1f365154f65b7d1fa37bfd5cd7654dc48a
SHA256

65a3554cac0e9afbf29c1f11d93577ac7c20432e090c6b25dd36d84ea1c082cb
SHA512

1fb7b9301a9ecbc448d843f7a4df998ef1311f2f4cd91160b17d955acfd4cf6caa7971298f746ade7a9d68267bf79a036c9b1feda066821307e425f8e3c36cee
SSDEEP

6144:AlUzSr4UdIz838hEGM9aUEmpftK/m2p45nD:XGr4xo38hU9LHtK/0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3172	u.dll
4168	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4704	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 4048	2436	1ea69db85dd76d6b1d0e0709af8439a5.exe	91
PID 2436 wrote to memory of 4048	2436	1ea69db85dd76d6b1d0e0709af8439a5.exe	91
PID 2436 wrote to memory of 4048	2436	1ea69db85dd76d6b1d0e0709af8439a5.exe	91
PID 4048 wrote to memory of 3172	4048	cmd.exe	94
PID 4048 wrote to memory of 3172	4048	cmd.exe	94
PID 4048 wrote to memory of 3172	4048	cmd.exe	94
PID 3172 wrote to memory of 4168	3172	u.dll	97
PID 3172 wrote to memory of 4168	3172	u.dll	97
PID 3172 wrote to memory of 4168	3172	u.dll	97
PID 4048 wrote to memory of 2764	4048	cmd.exe	98
PID 4048 wrote to memory of 2764	4048	cmd.exe	98
PID 4048 wrote to memory of 2764	4048	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\1ea69db85dd76d6b1d0e0709af8439a5.exe
"C:\Users\Admin\AppData\Local\Temp\1ea69db85dd76d6b1d0e0709af8439a5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65BA.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 1ea69db85dd76d6b1d0e0709af8439a5.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\8652.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\8652.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe8653.tmp"
      4⤵
      Executes dropped EXE
      PID:4168
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\65BA.tmp\vir.bat

Filesize
2KB

MD5
6903fde1a3008cc11e3d6438bf9d9ef1

SHA1
3badf7fcae924355a59bf7bac306d04620c9fa1f

SHA256
9caa4517242e92724a4555f44937515587716bebc3bf337a072273a7d1905a3d

SHA512
80bb937a4ca384a5d4e3d348a54bd5318792401d73f3566a6cf365a9f430b8a917025cfabb3c0ca989a1692ea30ce97fda7df20a0f125a76cadc566a7131c077

Download Submit
C:\Users\Admin\AppData\Local\Temp\8652.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8653.tmp

Filesize
41KB

MD5
a2c3062fa164e9bfe5a343b4dcbc95c5

SHA1
3a9ab7db5f1a0c958828a58561779800532babee

SHA256
abaa1cf5206bf5b210bb8673e718356cfce1b863f7429df9fb88dff486a9e642

SHA512
cc3af460becb242a8e06c1906b49949a7d7fb4f622950ef9c3479f5143d70bb261c91131b402f98a34268d1d94ef45f4b521a09295360a231700ade6d739fd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe8653.tmp

Filesize
741KB

MD5
8109035fc279cde0f81ba930e8986c4d

SHA1
cc61acd29b1f00d06e5e74308d7c100ab54a45b1

SHA256
f34a49206b4f61b0e15a41450c36edbd724a54889817d30ccaae0a561d51c22d

SHA512
90efe487c8fd0e0ca4d4088c4d198ea982bfa020a2b5c6eeb43f3bbcd0d9e2d30d096f79db07f020120d9c4bb8df156d3b1f104c17a940db8210ec6baef4bc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprBB3D.tmp

Filesize
207KB

MD5
80c2ecbf97fdd05beb7084254070a634

SHA1
548e5f4b584d44ef8e27aaf872e63c46028e08b3

SHA256
94d9da42acb242d9bff0ac97fc41a9ffc08cad03113579f1eb100b81ae071dc1

SHA512
b1e4851581c446721768e0f08bb737dc40703bc9be1415e1dcbde5a596a603b04b71a8227b007535b3cbb8f392b5d96a73669e6184e76e7809afe332db254652

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
11585f18c9216b57877b16053bfd5b47

SHA1
aa3d4a53611dc2e8645a1473556e477ef4882dc4

SHA256
dc21e0697b91315cbd903f8e3bd5fdd2085815da56fe5ca696d3b17dd09ae9cc

SHA512
84218aa1df912e039948bbf6e9cc0f129bcc12f84d37a192a5d8e970d22ebb16bebc12cd8c7953a0488e32771503be74e0c40d0312972046723d647f8dd5741d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
b18798b79127188ba8276980ddd44dac

SHA1
11dce802281e1c7ac278d1a286ee2d4c356bf028

SHA256
3ae59678d752eae7e46e0e4f28833a7ca6794f34d9f4202dc519e4eb84bf0159

SHA512
0661e4f6b1c352b4007469f6954635d64cd4c6a7a3cac728bf82abb4e4d32d6479d586ee7ce10006a81696678f1a7aa404766c12d8136e4bdad8e3f35eec8ace

Download Submit
memory/2436-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2436-7-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2436-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2436-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4168-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads