3a76cff079ba1c6a6be9692fe6827032922b8c0a89b755df06f379ca66d34ec5

General

Target

3e6e5e3fe0c46ec3a19d613bec300909.exe
Size

208KB
MD5

3e6e5e3fe0c46ec3a19d613bec300909
SHA1

a6f9f3310e387b7164bf0d9823ae72f50fec340b
SHA256

3a76cff079ba1c6a6be9692fe6827032922b8c0a89b755df06f379ca66d34ec5
SHA512

4a2356e4cc71f8a6dc2e9ad7fcf07619c87817530d4cddacc34a384095cf49ab412ea907b1d2ef43b61fecac0c0d66a88b55d77c73859f447f674f5a15bcfee0
SSDEEP

3072:IldYI3AGqmeirgj66yDSJC76O8g2VrTiWv3Ckd9uHHDeb+V1QRYNxS4:IldYh/qgjZ8SJlr2e38xQRYO4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2804	u.dll
2588	mpress.exe
2580	u.dll

Loads dropped DLL 6 IoCs

pid	Process
2480	cmd.exe
2480	cmd.exe
2804	u.dll
2804	u.dll
2480	cmd.exe
2480	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2480	2916	3e6e5e3fe0c46ec3a19d613bec300909.exe	29
PID 2916 wrote to memory of 2480	2916	3e6e5e3fe0c46ec3a19d613bec300909.exe	29
PID 2916 wrote to memory of 2480	2916	3e6e5e3fe0c46ec3a19d613bec300909.exe	29
PID 2916 wrote to memory of 2480	2916	3e6e5e3fe0c46ec3a19d613bec300909.exe	29
PID 2480 wrote to memory of 2804	2480	cmd.exe	30
PID 2480 wrote to memory of 2804	2480	cmd.exe	30
PID 2480 wrote to memory of 2804	2480	cmd.exe	30
PID 2480 wrote to memory of 2804	2480	cmd.exe	30
PID 2804 wrote to memory of 2588	2804	u.dll	31
PID 2804 wrote to memory of 2588	2804	u.dll	31
PID 2804 wrote to memory of 2588	2804	u.dll	31
PID 2804 wrote to memory of 2588	2804	u.dll	31
PID 2480 wrote to memory of 2580	2480	cmd.exe	32
PID 2480 wrote to memory of 2580	2480	cmd.exe	32
PID 2480 wrote to memory of 2580	2480	cmd.exe	32
PID 2480 wrote to memory of 2580	2480	cmd.exe	32
PID 2480 wrote to memory of 2940	2480	cmd.exe	33
PID 2480 wrote to memory of 2940	2480	cmd.exe	33
PID 2480 wrote to memory of 2940	2480	cmd.exe	33
PID 2480 wrote to memory of 2940	2480	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\3e6e5e3fe0c46ec3a19d613bec300909.exe
"C:\Users\Admin\AppData\Local\Temp\3e6e5e3fe0c46ec3a19d613bec300909.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\673B.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 3e6e5e3fe0c46ec3a19d613bec300909.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\693E.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\693E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe693F.tmp"
      4⤵
      Executes dropped EXE
      PID:2588
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\673B.tmp\vir.bat

Filesize
1KB

MD5
2991f0bc6e62e353c297cd7955e4c95d

SHA1
4e9b3d80cd46ffaa49188a6d84ed9d50c20fed54

SHA256
badff094bf48035d3837d7b03433a9a6f6601b65e938269973cd08c454934b45

SHA512
70203c7b409f89dc9100085dc011d3d784bae453f7b392976d079de9d39bd6b36d326845f3a859915bdf5a843620fc05f4b63cb865a311d4439ca12c5bb2f64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe693F.tmp

Filesize
41KB

MD5
7cb94ab71579f67dd8167ccb854b359a

SHA1
74e86a56f85e57d281d3ef96e9a37e1cbdf00234

SHA256
94c019063145e6f988342dbbdad106f33eb452b627c2b49dab48e42491e84223

SHA512
bc25d4d61dce320e970c357d81acc8bf825ebece79ca49fd5cc7ab6c997e1f68d293a6a7efbf4fcf9720f1a955fec1f89564d736f70c610f8b09adc19663002e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe693F.tmp

Filesize
24KB

MD5
4a5be32fb94601714c46d106925cc4f6

SHA1
de1067395116b3a00152b34e24f6645770eaa2ee

SHA256
5a4aed2b271398f6a9b7de1290e7e5586a19aef9c2437404355c8cf639faaf62

SHA512
27796e99f88ff425751a976d721583a3084185137166a5083f6622cc5092b149e0943b98f96648b6f89ddf5759b870e715ca9aed5519c94e9a3dccb55dab8b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe6B80.tmp

Filesize
41KB

MD5
2962dfcac22070e3da981e1115397938

SHA1
09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28

SHA256
d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951

SHA512
8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
e1b0a32300c3cee9c84da25398fe2f87

SHA1
91683f97ee4b9394e26193e28a07348fbab64014

SHA256
90692984059a51dc0e64db6432feeaf0afa9f890b9643d0d349d958cc2f33d13

SHA512
d04350ee4e99542841ee6c140363765559676b0c9dec0d7d1647d16ba8f5247564f85d26f69d3e368ae62ffb21f7355c92dd25a71d00e867f01e883eb8fee9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
32627eacbbef9f061d6ee771667a8cfb

SHA1
779323eb923e25f51cf367b79e62cd399f444a93

SHA256
2a3ea9ac63d23d6bccfc2ec2fa36f2b850327e73e3db268a01035e4f93d55c65

SHA512
560503e6777eeb569fcb6898ab5f73ed17f0474388caef0e2dccdf1aed90d611ff7df13e9b041c3c99ed18a458bdd5e9d1ae305f0d3b83ce40fd4ad0f39302bd

Download Submit
\Users\Admin\AppData\Local\Temp\693E.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2588-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2804-67-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2804-61-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/2916-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2916-112-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads