d3615b74a89e5847fd9dcc10df0a186d1da546acecae6ac660633b371b2b334f

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 07:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

12ab2322eaa5f837c3e14e5d754ee57e.exe
Size

209KB
MD5

12ab2322eaa5f837c3e14e5d754ee57e
SHA1

7e97ab94e581d7cde9228e313dd1b2c1383e597e
SHA256

d3615b74a89e5847fd9dcc10df0a186d1da546acecae6ac660633b371b2b334f
SHA512

aaa7a3e353d10c499d4f153724a9979ffa14ef8424471879813d949410b700b5f958b2a49505f486d45ec6de2f42de3f133618687ba40533ef0731801d600038
SSDEEP

6144:mluucMRyLJYRv2o3qKXN1SD57pohdlLElVo:2sLJYV2o35uDRO6l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1240	u.dll
2800	u.dll
2624	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2040	cmd.exe
2040	cmd.exe
2040	cmd.exe
2040	cmd.exe
2800	u.dll
2800	u.dll

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2040	2888	12ab2322eaa5f837c3e14e5d754ee57e.exe	15
PID 2888 wrote to memory of 2040	2888	12ab2322eaa5f837c3e14e5d754ee57e.exe	15
PID 2888 wrote to memory of 2040	2888	12ab2322eaa5f837c3e14e5d754ee57e.exe	15
PID 2888 wrote to memory of 2040	2888	12ab2322eaa5f837c3e14e5d754ee57e.exe	15
PID 2040 wrote to memory of 1240	2040	cmd.exe	14
PID 2040 wrote to memory of 1240	2040	cmd.exe	14
PID 2040 wrote to memory of 1240	2040	cmd.exe	14
PID 2040 wrote to memory of 1240	2040	cmd.exe	14
PID 2040 wrote to memory of 2800	2040	cmd.exe	54
PID 2040 wrote to memory of 2800	2040	cmd.exe	54
PID 2040 wrote to memory of 2800	2040	cmd.exe	54
PID 2040 wrote to memory of 2800	2040	cmd.exe	54
PID 2800 wrote to memory of 2624	2800	u.dll	53
PID 2800 wrote to memory of 2624	2800	u.dll	53
PID 2800 wrote to memory of 2624	2800	u.dll	53
PID 2800 wrote to memory of 2624	2800	u.dll	53
PID 2040 wrote to memory of 1984	2040	cmd.exe	52
PID 2040 wrote to memory of 1984	2040	cmd.exe	52
PID 2040 wrote to memory of 1984	2040	cmd.exe	52
PID 2040 wrote to memory of 1984	2040	cmd.exe	52
PID 2040 wrote to memory of 1412	2040	cmd.exe	51
PID 2040 wrote to memory of 1412	2040	cmd.exe	51
PID 2040 wrote to memory of 1412	2040	cmd.exe	51
PID 2040 wrote to memory of 1412	2040	cmd.exe	51
PID 2040 wrote to memory of 2744	2040	cmd.exe	50
PID 2040 wrote to memory of 2744	2040	cmd.exe	50
PID 2040 wrote to memory of 2744	2040	cmd.exe	50
PID 2040 wrote to memory of 2744	2040	cmd.exe	50
PID 2040 wrote to memory of 1820	2040	cmd.exe	49
PID 2040 wrote to memory of 1820	2040	cmd.exe	49
PID 2040 wrote to memory of 1820	2040	cmd.exe	49
PID 2040 wrote to memory of 1820	2040	cmd.exe	49
PID 2040 wrote to memory of 1972	2040	cmd.exe	48
PID 2040 wrote to memory of 1972	2040	cmd.exe	48
PID 2040 wrote to memory of 1972	2040	cmd.exe	48
PID 2040 wrote to memory of 1972	2040	cmd.exe	48
PID 2040 wrote to memory of 2172	2040	cmd.exe	47
PID 2040 wrote to memory of 2172	2040	cmd.exe	47
PID 2040 wrote to memory of 2172	2040	cmd.exe	47
PID 2040 wrote to memory of 2172	2040	cmd.exe	47
PID 2040 wrote to memory of 1804	2040	cmd.exe	31
PID 2040 wrote to memory of 1804	2040	cmd.exe	31
PID 2040 wrote to memory of 1804	2040	cmd.exe	31
PID 2040 wrote to memory of 1804	2040	cmd.exe	31
PID 2040 wrote to memory of 2348	2040	cmd.exe	46
PID 2040 wrote to memory of 2348	2040	cmd.exe	46
PID 2040 wrote to memory of 2348	2040	cmd.exe	46
PID 2040 wrote to memory of 2348	2040	cmd.exe	46
PID 2040 wrote to memory of 1624	2040	cmd.exe	45
PID 2040 wrote to memory of 1624	2040	cmd.exe	45
PID 2040 wrote to memory of 1624	2040	cmd.exe	45
PID 2040 wrote to memory of 1624	2040	cmd.exe	45
PID 2040 wrote to memory of 2120	2040	cmd.exe	32
PID 2040 wrote to memory of 2120	2040	cmd.exe	32
PID 2040 wrote to memory of 2120	2040	cmd.exe	32
PID 2040 wrote to memory of 2120	2040	cmd.exe	32
PID 2040 wrote to memory of 940	2040	cmd.exe	44
PID 2040 wrote to memory of 940	2040	cmd.exe	44
PID 2040 wrote to memory of 940	2040	cmd.exe	44
PID 2040 wrote to memory of 940	2040	cmd.exe	44
PID 2040 wrote to memory of 1424	2040	cmd.exe	43
PID 2040 wrote to memory of 1424	2040	cmd.exe	43
PID 2040 wrote to memory of 1424	2040	cmd.exe	43
PID 2040 wrote to memory of 1424	2040	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 12ab2322eaa5f837c3e14e5d754ee57e.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6D4.tmp\vir.bat""
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:636
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:384
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1424
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:940
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\ose00000.exe
  ose00000.exe
  2⤵
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\u.dll
  u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800

C:\Users\Admin\AppData\Local\Temp\12ab2322eaa5f837c3e14e5d754ee57e.exe
"C:\Users\Admin\AppData\Local\Temp\12ab2322eaa5f837c3e14e5d754ee57e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\229E.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\229E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe229F.tmp"
1⤵
- Executes dropped EXE
PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6D4.tmp\vir.bat

Filesize
2KB

MD5
166338665647815c23fc4ebcda92a6f5

SHA1
18acbaf71fe8bad33dbd1b03e12e8af0374422cf

SHA256
c2bd7dd05798975956311eb8c1f2b71afdcca51932482344bae5fda933d3f232

SHA512
c7230d4701b5d013fa840e9eb26360b4db9078a98d688a284a5dde555983ebfe9e1e37f126ae7bbe29166498e5bd8c6f1b887802fccbce572b16293cf5a9f6ab

Download Submit
memory/2624-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2624-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-95-0x0000000000510000-0x0000000000544000-memory.dmp

Filesize
208KB

Download
memory/2888-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2888-111-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads