Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2023 00:20

General

  • Target

    217e2401f0434bd442144ecdf7d9aab3.exe

  • Size

    209KB

  • MD5

    217e2401f0434bd442144ecdf7d9aab3

  • SHA1

    10ed4fb1ffb5ab22896894bbcab6d2ef1ab7691f

  • SHA256

    6ee6f9b778467a5398d2156ea16c5516248f9003ede08f65d45156d62973efdb

  • SHA512

    4ce3cef3c8f7db86503c599af30623bc263884449879fbbed58848dd67af97484fb4e5bfe6e6cd1314395f5967f2ca3f1ebe0bdd3e1e6a1332aa27921e984c61

  • SSDEEP

    6144:fl9cYqmsum1YIgEQZxVY+bKydVa+zX/mYJcU:rcY81jgEQZxVQ+zPNO

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\217e2401f0434bd442144ecdf7d9aab3.exe
    "C:\Users\Admin\AppData\Local\Temp\217e2401f0434bd442144ecdf7d9aab3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\3A62.tmp\vir.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\AppData\Local\Temp\u.dll
        u.dll -bat vir.bat -save 217e2401f0434bd442144ecdf7d9aab3.exe.com -include s.dll -overwrite -nodelete
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Users\Admin\AppData\Local\Temp\3BB9.tmp\mpress.exe
          "C:\Users\Admin\AppData\Local\Temp\3BB9.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3BBA.tmp"
          4⤵
          • Executes dropped EXE
          PID:2596
      • C:\Users\Admin\AppData\Local\Temp\u.dll
        u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Users\Admin\AppData\Local\Temp\3D5E.tmp\mpress.exe
          "C:\Users\Admin\AppData\Local\Temp\3D5E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3D5F.tmp"
          4⤵
          • Executes dropped EXE
          PID:2936
      • C:\Windows\SysWOW64\calc.exe
        CALC.EXE
        3⤵
          PID:2960

    Network

    MITRE ATT&CK Matrix

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3A62.tmp\vir.bat

      Filesize

      1KB

      MD5

      d8f9ecb387e0e80ad733df8c8e243f3f

      SHA1

      91ce2f3d32c88b84a3f3b4947070f6e19caa691e

      SHA256

      25a1349234764eb3c3653f018838b5d1f51c7f684b97b3f3b980271345794722

      SHA512

      26188ab18c7dbb159e90f6dbf68e0c84ef44c4581bafec37685ccbbabd61570c1a829a81e35c64c95597009b6c6887857fdaf436a1938d03d312e5a697637575

    • C:\Users\Admin\AppData\Local\Temp\3BB9.tmp\mpress.exe

      Filesize

      100KB

      MD5

      e42b81b9636152c78ba480c1c47d3c7f

      SHA1

      66a2fca3925428ee91ad9df5b76b90b34d28e0f8

      SHA256

      7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

      SHA512

      4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

    • C:\Users\Admin\AppData\Local\Temp\exe3BBA.tmp

      Filesize

      41KB

      MD5

      34c413a874021691b852f8e370987807

      SHA1

      23953e31264901013c50d21f52bbe9a38f5e3b73

      SHA256

      e3adec6e3a280977d75216a5c6ffa38a2fe128fb6c91c2d33cf30bfdf7a1afb2

      SHA512

      01a585ebe91fab0c3c4f9d1577932399408ad837404de3e1e7bf6e2923e9d2d25094e2be317a5b3b8fb31916ed213f94e3fa9339165b2cdc931156e478ae1252

    • C:\Users\Admin\AppData\Local\Temp\exe3BBA.tmp

      Filesize

      24KB

      MD5

      ff875d59adbd73ee874b08295fe3a154

      SHA1

      0d3cca10c250c5b9b0c04981f2068b6ab16165f3

      SHA256

      3b2c762e0854eec4a1bfa87e688ea1c95e3e5fbaf24968815ff4e0a518f8a822

      SHA512

      2b058d8b02cf68ce4d3e6029cfcfe68cad618c3f0761973de47b669f3fd9140177b89740bfb37cf55fcbf2d416faf530e7ea34fd446c0e3202b508eac104be68

    • C:\Users\Admin\AppData\Local\Temp\exe3D5F.tmp

      Filesize

      41KB

      MD5

      b294d8915e6e13dd0511bd0529fe13a5

      SHA1

      a050bdc6edb8f4005a63ef538c72c7da91c0cf5d

      SHA256

      e4b4dd4055e0b686850012889623c51486f3b42e6c031f55916ada013af28b6e

      SHA512

      846dd78dbabccb54720c1385741ed52d93b07f66cab0ed5bfef68c0d15806b8799653c0b6027c155e51d88e255377d34f52e4a637b536bc6d438cb2b0043fc0c

    • C:\Users\Admin\AppData\Local\Temp\exe3D5F.tmp

      Filesize

      24KB

      MD5

      4e7e835c26d6b19602427c3d7219ae4c

      SHA1

      7864053cfef93486f31b49afc93521b9fda6382e

      SHA256

      7fb727ab205def3cf5f05852105a4c33c9f43906a1ed2b7aac8a24047e6498ea

      SHA512

      52069cd217c8b9ede871efc96908e40a732007b27326420a1834bafc6034d0b8fae7b375bec0e6e0b3503158a832401cd9175556ab37c5f4b39cc8c93f4469e6

    • C:\Users\Admin\AppData\Local\Temp\s.dll

      Filesize

      700KB

      MD5

      83487666be316a39faef6e3dc9afe669

      SHA1

      b4e1bfe112a461f3ffbe014eb1da46ed5b06fd5a

      SHA256

      7a65383d268c9b8d3c2b9b7d9b048bc4763ce217ec51301167f9043c4deaa024

      SHA512

      144fb6062054977d70910ba15dbace6bbc1bcfe7efe495e81eabbce5b2b509250f63ef3aa5b03c7ad77037c921f201cdc07a0d836c5c5edcfa6d309725a71972

    • C:\Users\Admin\AppData\Local\Temp\vir.bat

      Filesize

      1KB

      MD5

      0e37ee0110356e208d9eb19c905dce8b

      SHA1

      3f01a97c20f90a985f3ffcb8caaa5851b3959b1c

      SHA256

      8a3650728dd1fabb4d455351684be15fd4b367bb2e39ed52cd5e7ca954c59cf5

      SHA512

      a5d9ba414ae813a8b6f401d94b567b959e2d2bf80c508c4f0498951982aeb0c22d1ebea2868e557bf1da039ae213d69e6b6d80b58b81604d5d2f5f97b459544b

    • C:\Users\Admin\AppData\Local\Temp\vir.bat

      Filesize

      2KB

      MD5

      d78ba62ddbf2f8dedd45be9eee3c4979

      SHA1

      e177ea38117c3ec29aa443ea059eacf575446424

      SHA256

      b4aad5f0bc594eb4c752480ba18c07005fb269b6ee318513f684e8dcb903a220

      SHA512

      ce333d91186246b9d84ea3308a8c158eea548b5e65db707b75d932c72b562320c67dbbef023b662cfbb6c89625fd653d0bb0e1cc0a22f2efd78e95f4afeadee2

    • memory/1536-160-0x0000000000400000-0x00000000004BF000-memory.dmp

      Filesize

      764KB

    • memory/1536-0-0x0000000000400000-0x00000000004BF000-memory.dmp

      Filesize

      764KB

    • memory/2596-71-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2596-76-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2804-67-0x0000000000300000-0x0000000000334000-memory.dmp

      Filesize

      208KB

    • memory/2804-70-0x0000000000300000-0x0000000000334000-memory.dmp

      Filesize

      208KB

    • memory/2936-144-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2936-149-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2956-142-0x00000000004C0000-0x00000000004F4000-memory.dmp

      Filesize

      208KB