Analysis
max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2023 00:20
Static task: static1
Behavioral task: behavioral1 (sample 217e2401f0434bd442144ecdf7d9aab3.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample 217e2401f0434bd442144ecdf7d9aab3.exe, resource win10v2004-20231215-en)
General
Target: 217e2401f0434bd442144ecdf7d9aab3.exe
Size: 209KB
MD5: 217e2401f0434bd442144ecdf7d9aab3
SHA1: 10ed4fb1ffb5ab22896894bbcab6d2ef1ab7691f
SHA256: 6ee6f9b778467a5398d2156ea16c5516248f9003ede08f65d45156d62973efdb
SHA512: 4ce3cef3c8f7db86503c599af30623bc263884449879fbbed58848dd67af97484fb4e5bfe6e6cd1314395f5967f2ca3f1ebe0bdd3e1e6a1332aa27921e984c61
SSDEEP: 6144:fl9cYqmsum1YIgEQZxVY+bKydVa+zX/mYJcU:rcY81jgEQZxVQ+zPNO
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
pid    Process
2804   u.dll
2596   mpress.exe
2956   u.dll
2936   mpress.exe

Loads dropped DLL (8 IoCs)
pid    Process
1936   cmd.exe
1936   cmd.exe
2804   u.dll
2804   u.dll
1936   cmd.exe
1936   cmd.exe
2956   u.dll
2956   u.dll

Suspicious use of WriteProcessMemory (24 IoCs; each row below was reported four times)
description                        pid    Process                                 procid_target   events
PID 1536 wrote to memory of 1936   1536   217e2401f0434bd442144ecdf7d9aab3.exe    29              4
PID 1936 wrote to memory of 2804   1936   cmd.exe                                 30              4
PID 2804 wrote to memory of 2596   2804   u.dll                                   31              4
PID 1936 wrote to memory of 2956   1936   cmd.exe                                 32              4
PID 2956 wrote to memory of 2936   2956   u.dll                                   33              4
PID 1936 wrote to memory of 2960   1936   cmd.exe                                 34              4
Processes (nesting level in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\217e2401f0434bd442144ecdf7d9aab3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\217e2401f0434bd442144ecdf7d9aab3.exe"
    PID: 1536
    Signatures: Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3A62.tmp\vir.bat""
        PID: 1936
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\u.dll
            Command line: u.dll -bat vir.bat -save 217e2401f0434bd442144ecdf7d9aab3.exe.com -include s.dll -overwrite -nodelete
            PID: 2804
            Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\3BB9.tmp\mpress.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\3BB9.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3BBA.tmp"
                PID: 2596
                Signatures: Executes dropped EXE

        [3] C:\Users\Admin\AppData\Local\Temp\u.dll
            Command line: u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
            PID: 2956
            Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\3D5E.tmp\mpress.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\3D5E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3D5F.tmp"
                PID: 2936
                Signatures: Executes dropped EXE

        [3] C:\Windows\SysWOW64\calc.exe
            Command line: CALC.EXE
            PID: 2960
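Read together, the signature rows and the process tree describe one chain: the sample drops vir.bat into a %TEMP%\XXXX.tmp directory and runs it through cmd.exe; the batch file invokes u.dll (a PE carrying a .dll name but executed directly as a process) to build new executables named *.exe.com from vir.bat and s.dll, hands each result to mpress.exe, and finally starts calc.exe. As an added example (not part of the sandbox report and not the sandbox's own tooling), the Python below rebuilds that tree from the WriteProcessMemory rows and the process list above and applies a few heuristics an analyst would want checked. The rows and command lines are copied from the report; the heuristics themselves (image run from %TEMP%, non-.exe image name, .exe.com output, XXXX.tmp staging directory) are the author's assumptions, not signatures the sandbox emitted.

```python
"""Rebuild the process tree of the report above from its
"Suspicious use of WriteProcessMemory" rows and its "Processes" list,
then flag what an analyst would want to look at. Added example, not
part of the sandbox report or its tooling."""
import re
from collections import defaultdict

# Rows copied from the signature table above. The report repeats every
# row four times (one per WriteProcessMemory event); parse_edges() copes
# with duplicates, so only the distinct rows are listed here.
WPM_ROWS = [
    "PID 1536 wrote to memory of 1936 1536 217e2401f0434bd442144ecdf7d9aab3.exe 29",
    "PID 1936 wrote to memory of 2804 1936 cmd.exe 30",
    "PID 2804 wrote to memory of 2596 2804 u.dll 31",
    "PID 1936 wrote to memory of 2956 1936 cmd.exe 32",
    "PID 2956 wrote to memory of 2936 2956 u.dll 33",
    "PID 1936 wrote to memory of 2960 1936 cmd.exe 34",
]

# pid -> (image path, command line), copied from the Processes tree above.
PROCESSES = {
    1536: (r"C:\Users\Admin\AppData\Local\Temp\217e2401f0434bd442144ecdf7d9aab3.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\217e2401f0434bd442144ecdf7d9aab3.exe"'),
    1936: (r"C:\Windows\SysWOW64\cmd.exe",
           r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\3A62.tmp\vir.bat""'),
    2804: (r"C:\Users\Admin\AppData\Local\Temp\u.dll",
           "u.dll -bat vir.bat -save 217e2401f0434bd442144ecdf7d9aab3.exe.com -include s.dll -overwrite -nodelete"),
    2596: (r"C:\Users\Admin\AppData\Local\Temp\3BB9.tmp\mpress.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\3BB9.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3BBA.tmp"'),
    2956: (r"C:\Users\Admin\AppData\Local\Temp\u.dll",
           "u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete"),
    2936: (r"C:\Users\Admin\AppData\Local\Temp\3D5E.tmp\mpress.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\3D5E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3D5F.tmp"'),
    2960: (r"C:\Windows\SysWOW64\calc.exe", "CALC.EXE"),
}

# Row layout: "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")


def parse_edges(rows):
    """Return {parent_pid: [child_pid, ...]} in first-seen order, deduplicated."""
    edges = defaultdict(list)
    for row in rows:
        m = ROW_RE.fullmatch(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        parent, child = int(m.group(1)), int(m.group(2))
        if child not in edges[parent]:
            edges[parent].append(child)
    return dict(edges)


def roots(edges):
    """PIDs that wrote into other processes but were never written into."""
    children = {c for kids in edges.values() for c in kids}
    return [p for p in edges if p not in children]


def render_tree(edges, procs, pid, depth=0):
    """One indented line per process, depth-first in spawn order."""
    lines = [f"{'  ' * depth}{pid} {procs[pid][0]}"]
    for child in edges.get(pid, []):
        lines.extend(render_tree(edges, procs, child, depth + 1))
    return lines


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flags(edges, procs):
    """Heuristics (the author's assumptions, not report signatures), keyed by pid."""
    out = defaultdict(list)
    for pid, (image, cmdline) in procs.items():
        name = basename(image)
        if "\\appdata\\local\\temp\\" in image.lower():
            out[pid].append("image executed from %TEMP%")
        if not name.endswith(".exe"):
            out[pid].append(f"process image has non-.exe name {name!r}")
        if re.search(r"\.exe\.com\b", cmdline, re.I):
            out[pid].append("writes a double-extension .exe.com file")
        if re.search(r"\\[0-9A-F]{4}\.tmp\\", cmdline, re.I):
            out[pid].append("runs content from a %TEMP%\\XXXX.tmp staging directory")
    for parent, kids in edges.items():
        for child in kids:
            if basename(procs[parent][0]) == "cmd.exe" and not basename(procs[child][0]).endswith(".exe"):
                out[child].append("non-.exe image launched by cmd.exe")
    return dict(out)


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    for root in roots(edges):
        print("\n".join(render_tree(edges, PROCESSES, root)))
    for pid, reasons in sorted(flags(edges, PROCESSES).items()):
        print(f"{pid}: {'; '.join(reasons)}")
```

The tree is rebuilt from the writer/target pairs rather than from the rendered process list because the WriteProcessMemory rows are the raw evidence; in this report both agree, and calc.exe (PID 2960) is the only process that trips none of the heuristics.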
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1KB
MD5: d8f9ecb387e0e80ad733df8c8e243f3f
SHA1: 91ce2f3d32c88b84a3f3b4947070f6e19caa691e
SHA256: 25a1349234764eb3c3653f018838b5d1f51c7f684b97b3f3b980271345794722
SHA512: 26188ab18c7dbb159e90f6dbf68e0c84ef44c4581bafec37685ccbbabd61570c1a829a81e35c64c95597009b6c6887857fdaf436a1938d03d312e5a697637575

Filesize: 100KB
MD5: e42b81b9636152c78ba480c1c47d3c7f
SHA1: 66a2fca3925428ee91ad9df5b76b90b34d28e0f8
SHA256: 7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
SHA512: 4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Filesize: 41KB
MD5: 34c413a874021691b852f8e370987807
SHA1: 23953e31264901013c50d21f52bbe9a38f5e3b73
SHA256: e3adec6e3a280977d75216a5c6ffa38a2fe128fb6c91c2d33cf30bfdf7a1afb2
SHA512: 01a585ebe91fab0c3c4f9d1577932399408ad837404de3e1e7bf6e2923e9d2d25094e2be317a5b3b8fb31916ed213f94e3fa9339165b2cdc931156e478ae1252

Filesize: 24KB
MD5: ff875d59adbd73ee874b08295fe3a154
SHA1: 0d3cca10c250c5b9b0c04981f2068b6ab16165f3
SHA256: 3b2c762e0854eec4a1bfa87e688ea1c95e3e5fbaf24968815ff4e0a518f8a822
SHA512: 2b058d8b02cf68ce4d3e6029cfcfe68cad618c3f0761973de47b669f3fd9140177b89740bfb37cf55fcbf2d416faf530e7ea34fd446c0e3202b508eac104be68

Filesize: 41KB
MD5: b294d8915e6e13dd0511bd0529fe13a5
SHA1: a050bdc6edb8f4005a63ef538c72c7da91c0cf5d
SHA256: e4b4dd4055e0b686850012889623c51486f3b42e6c031f55916ada013af28b6e
SHA512: 846dd78dbabccb54720c1385741ed52d93b07f66cab0ed5bfef68c0d15806b8799653c0b6027c155e51d88e255377d34f52e4a637b536bc6d438cb2b0043fc0c

Filesize: 24KB
MD5: 4e7e835c26d6b19602427c3d7219ae4c
SHA1: 7864053cfef93486f31b49afc93521b9fda6382e
SHA256: 7fb727ab205def3cf5f05852105a4c33c9f43906a1ed2b7aac8a24047e6498ea
SHA512: 52069cd217c8b9ede871efc96908e40a732007b27326420a1834bafc6034d0b8fae7b375bec0e6e0b3503158a832401cd9175556ab37c5f4b39cc8c93f4469e6

Filesize: 700KB
MD5: 83487666be316a39faef6e3dc9afe669
SHA1: b4e1bfe112a461f3ffbe014eb1da46ed5b06fd5a
SHA256: 7a65383d268c9b8d3c2b9b7d9b048bc4763ce217ec51301167f9043c4deaa024
SHA512: 144fb6062054977d70910ba15dbace6bbc1bcfe7efe495e81eabbce5b2b509250f63ef3aa5b03c7ad77037c921f201cdc07a0d836c5c5edcfa6d309725a71972

Filesize: 1KB
MD5: 0e37ee0110356e208d9eb19c905dce8b
SHA1: 3f01a97c20f90a985f3ffcb8caaa5851b3959b1c
SHA256: 8a3650728dd1fabb4d455351684be15fd4b367bb2e39ed52cd5e7ca954c59cf5
SHA512: a5d9ba414ae813a8b6f401d94b567b959e2d2bf80c508c4f0498951982aeb0c22d1ebea2868e557bf1da039ae213d69e6b6d80b58b81604d5d2f5f97b459544b

Filesize: 2KB
MD5: d78ba62ddbf2f8dedd45be9eee3c4979
SHA1: e177ea38117c3ec29aa443ea059eacf575446424
SHA256: b4aad5f0bc594eb4c752480ba18c07005fb269b6ee318513f684e8dcb903a220
SHA512: ce333d91186246b9d84ea3308a8c158eea548b5e65db707b75d932c72b562320c67dbbef023b662cfbb6c89625fd653d0bb0e1cc0a22f2efd78e95f4afeadee2