8105237c4ce876f2d6727470dda80a146bb36842e3cc775ee9ddd9fe906322de

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 14:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d1e91875247744ff3578d71a38f621d.exe
Size

209KB
MD5

3d1e91875247744ff3578d71a38f621d
SHA1

ccaf6ba598df5424bbf2b944ab15d91c2bb9f064
SHA256

8105237c4ce876f2d6727470dda80a146bb36842e3cc775ee9ddd9fe906322de
SHA512

df0c627be6cd9850ccf9c703dbfd874f7e1f4dafb9dbe1973541c5e6156aebaaf4faebb917517257c725ab7ad1ebcd60a50ac9b2b309d8fd5d45318c453a2334
SSDEEP

6144:HlNgwzS6HWjJzVbFTWj8qZNrbIx152mHdr:Hhmd5qVbI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2244	u.dll
2472	u.dll
2880	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
1764	cmd.exe
1764	cmd.exe
1764	cmd.exe
1764	cmd.exe
2472	u.dll
2472	u.dll

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1764	1704	3d1e91875247744ff3578d71a38f621d.exe	29
PID 1704 wrote to memory of 1764	1704	3d1e91875247744ff3578d71a38f621d.exe	29
PID 1704 wrote to memory of 1764	1704	3d1e91875247744ff3578d71a38f621d.exe	29
PID 1704 wrote to memory of 1764	1704	3d1e91875247744ff3578d71a38f621d.exe	29
PID 1764 wrote to memory of 2244	1764	cmd.exe	30
PID 1764 wrote to memory of 2244	1764	cmd.exe	30
PID 1764 wrote to memory of 2244	1764	cmd.exe	30
PID 1764 wrote to memory of 2244	1764	cmd.exe	30
PID 1764 wrote to memory of 2472	1764	cmd.exe	31
PID 1764 wrote to memory of 2472	1764	cmd.exe	31
PID 1764 wrote to memory of 2472	1764	cmd.exe	31
PID 1764 wrote to memory of 2472	1764	cmd.exe	31
PID 2472 wrote to memory of 2880	2472	u.dll	32
PID 2472 wrote to memory of 2880	2472	u.dll	32
PID 2472 wrote to memory of 2880	2472	u.dll	32
PID 2472 wrote to memory of 2880	2472	u.dll	32
PID 1764 wrote to memory of 2816	1764	cmd.exe	62
PID 1764 wrote to memory of 2816	1764	cmd.exe	62
PID 1764 wrote to memory of 2816	1764	cmd.exe	62
PID 1764 wrote to memory of 2816	1764	cmd.exe	62
PID 1764 wrote to memory of 1468	1764	cmd.exe	61
PID 1764 wrote to memory of 1468	1764	cmd.exe	61
PID 1764 wrote to memory of 1468	1764	cmd.exe	61
PID 1764 wrote to memory of 1468	1764	cmd.exe	61
PID 1764 wrote to memory of 804	1764	cmd.exe	60
PID 1764 wrote to memory of 804	1764	cmd.exe	60
PID 1764 wrote to memory of 804	1764	cmd.exe	60
PID 1764 wrote to memory of 804	1764	cmd.exe	60
PID 1764 wrote to memory of 2452	1764	cmd.exe	59
PID 1764 wrote to memory of 2452	1764	cmd.exe	59
PID 1764 wrote to memory of 2452	1764	cmd.exe	59
PID 1764 wrote to memory of 2452	1764	cmd.exe	59
PID 1764 wrote to memory of 2724	1764	cmd.exe	58
PID 1764 wrote to memory of 2724	1764	cmd.exe	58
PID 1764 wrote to memory of 2724	1764	cmd.exe	58
PID 1764 wrote to memory of 2724	1764	cmd.exe	58
PID 1764 wrote to memory of 2748	1764	cmd.exe	57
PID 1764 wrote to memory of 2748	1764	cmd.exe	57
PID 1764 wrote to memory of 2748	1764	cmd.exe	57
PID 1764 wrote to memory of 2748	1764	cmd.exe	57
PID 1764 wrote to memory of 2868	1764	cmd.exe	33
PID 1764 wrote to memory of 2868	1764	cmd.exe	33
PID 1764 wrote to memory of 2868	1764	cmd.exe	33
PID 1764 wrote to memory of 2868	1764	cmd.exe	33
PID 1764 wrote to memory of 2572	1764	cmd.exe	56
PID 1764 wrote to memory of 2572	1764	cmd.exe	56
PID 1764 wrote to memory of 2572	1764	cmd.exe	56
PID 1764 wrote to memory of 2572	1764	cmd.exe	56
PID 1764 wrote to memory of 1524	1764	cmd.exe	55
PID 1764 wrote to memory of 1524	1764	cmd.exe	55
PID 1764 wrote to memory of 1524	1764	cmd.exe	55
PID 1764 wrote to memory of 1524	1764	cmd.exe	55
PID 1764 wrote to memory of 1200	1764	cmd.exe	54
PID 1764 wrote to memory of 1200	1764	cmd.exe	54
PID 1764 wrote to memory of 1200	1764	cmd.exe	54
PID 1764 wrote to memory of 1200	1764	cmd.exe	54
PID 1764 wrote to memory of 1464	1764	cmd.exe	35
PID 1764 wrote to memory of 1464	1764	cmd.exe	35
PID 1764 wrote to memory of 1464	1764	cmd.exe	35
PID 1764 wrote to memory of 1464	1764	cmd.exe	35
PID 1764 wrote to memory of 2344	1764	cmd.exe	34
PID 1764 wrote to memory of 2344	1764	cmd.exe	34
PID 1764 wrote to memory of 2344	1764	cmd.exe	34
PID 1764 wrote to memory of 2344	1764	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\3d1e91875247744ff3578d71a38f621d.exe
"C:\Users\Admin\AppData\Local\Temp\3d1e91875247744ff3578d71a38f621d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ABA.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 3d1e91875247744ff3578d71a38f621d.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\2674.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\2674.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe2675.tmp"
      4⤵
      Executes dropped EXE
      PID:2880
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2868
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1440
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2076
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2312
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2068
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2420
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:320
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:804
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2816
- - C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    ose00000.exe
    3⤵
    PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ABA.tmp\vir.bat

Filesize
1KB

MD5
612f2aa51cbd2ac956716c3f059800a6

SHA1
49631769ed6988b2f78ed05e2dd1e00a14a54992

SHA256
190a0800042e53ee6ba66cebf2804c38f69037bfdc24d560975696bff6e1ccf9

SHA512
16a600e75da08e24c6353d4f33282c2fac352e53b4cc2794bdf924f0d192d62406d53d429edcc34aa1710b7c62b4768de509a7b7e2fbad4ce3376fcce7076bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2675.tmp

Filesize
24KB

MD5
1c591a621b30fb31de8b83694bffdb57

SHA1
94b0acf10c424c4990f88d8d63ba0ef31231fde8

SHA256
71a4439b7c9ba5b21532c4e3c05f39fd19f2ad9e8f1e7da85244339f7fac0e3d

SHA512
4921aee10a3d419ebbfad7f9f877177fce6aad5a1084099046f97ee63d577d9f54d42b6de5ca256f5250264f929988fbd8e4e050996673c99d95dae8833abe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2675.tmp

Filesize
41KB

MD5
cfb6c23b4ec82cb8a0c562d2b9f34c23

SHA1
c7b496195abf2cceb09d8536768d83ab4aed6687

SHA256
28feed5f31044cbc96b185cd8ac0b12cffbc848b895ffce7d4005e25f7a8faff

SHA512
55a2e71b87db5af46c90eab14f95534d0deed807e91c4a52fb762141972a051633decedaf41b19b857efe8fd24821b59e15b33c9e00073da094495ea316420ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
0ba8f8311fc3afbb7e32d98236f2efa6

SHA1
956dd3548df11f2c6c36366d74109ddddc33fc33

SHA256
5b6da37dd4f1fa6402e7ee652ef048f7bd7b396f7a3b3f61c56865d5cd3f6e62

SHA512
706f455d004af6d1442402c1a750a37da14da0351c51d0b0b578349355956986941c4a302956590be7c2b00caa6838e3b265dab8766e8636e0c6c4527b82c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
5f0e976b21a14489e5367bedc1543a26

SHA1
effa5bdeede7c1bf6cc9f162da495fc4ab14cb41

SHA256
d34ae3670f4d1c09d1eb1523efe0c4526dc48602fef6e1893083c2d3607b0746

SHA512
401f5a3e8c86568957df6ff418e4f6c2613f6408c7c5a537d4085cf5c2cba140d0b1701b67ae159178182be256e27895473039307ab832947e1ba42469f712a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
5743fe9151de333375a1d8a6761e1a22

SHA1
41a4a84233ffc20d634104d2f50ac2cc0c82c297

SHA256
2af4c775667c553c8f35f977cec909eb38124592fe22f14ac84c5fa4934d623a

SHA512
873c91524fed2ecb4d82418c3d769e77006a973c0de7c7f4c1a899911552ef4863b990f91ea11da068c17c00fce1413c55a32c54fca5115f6e9997714a00d165

Download Submit
\Users\Admin\AppData\Local\Temp\2674.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/1704-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1704-114-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2472-94-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2472-98-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2880-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads