3561308fdc7e8c6da36d69a7de4a8c5e9752d3f7cff1736f51077d7dfe34b04c

General

Target

3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb.exe
Size

209KB
MD5

3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb
SHA1

3e3f82ab923f0adf74fda0ff3ac9a5c4fe4e1d4c
SHA256

3561308fdc7e8c6da36d69a7de4a8c5e9752d3f7cff1736f51077d7dfe34b04c
SHA512

21d8990a54f849106cf20b20fab6e5a119929ac2e3a8c88acc1edf9d924c5c2cdd974e10f051bb050143f59777cf67e088ff3bad8db4ad0f02d840cc8dfb81ae
SSDEEP

6144:Ali5nyd1+Q9OXpW8pTCNGMe5+Td8GtCB9:biOXpFh78TztQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2896	u.dll
2596	mpress.exe
1552	u.dll

Loads dropped DLL 6 IoCs

pid	Process
2480	cmd.exe
2480	cmd.exe
2896	u.dll
2896	u.dll
2480	cmd.exe
2480	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2480	1664	3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb.exe	29
PID 1664 wrote to memory of 2480	1664	3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb.exe	29
PID 1664 wrote to memory of 2480	1664	3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb.exe	29
PID 1664 wrote to memory of 2480	1664	3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb.exe	29
PID 2480 wrote to memory of 2896	2480	cmd.exe	30
PID 2480 wrote to memory of 2896	2480	cmd.exe	30
PID 2480 wrote to memory of 2896	2480	cmd.exe	30
PID 2480 wrote to memory of 2896	2480	cmd.exe	30
PID 2896 wrote to memory of 2596	2896	u.dll	32
PID 2896 wrote to memory of 2596	2896	u.dll	32
PID 2896 wrote to memory of 2596	2896	u.dll	32
PID 2896 wrote to memory of 2596	2896	u.dll	32
PID 2480 wrote to memory of 1552	2480	cmd.exe	31
PID 2480 wrote to memory of 1552	2480	cmd.exe	31
PID 2480 wrote to memory of 1552	2480	cmd.exe	31
PID 2480 wrote to memory of 1552	2480	cmd.exe	31
PID 2480 wrote to memory of 780	2480	cmd.exe	33
PID 2480 wrote to memory of 780	2480	cmd.exe	33
PID 2480 wrote to memory of 780	2480	cmd.exe	33
PID 2480 wrote to memory of 780	2480	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb.exe
"C:\Users\Admin\AppData\Local\Temp\3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\70AD.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 3f6c3dfc2f7bc1ad78cf7f73e1bb1ffb.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\7178.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\7178.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe7179.tmp"
      4⤵
      Executes dropped EXE
      PID:2596
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:1552
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\70AD.tmp\vir.bat

Filesize
2KB

MD5
cbe9d17819443e3af83f77e8a5f6b7a0

SHA1
d84166ba988f4755344bf2be35ab6014fbb24d7d

SHA256
65c8b9d55b4dd996ab1439cbd56ad7b39fbf6f98f2729010689ac849e40e4ffa

SHA512
2e3fab5db205159bebf128b3cf4bdd912b932f15b848dac2a0c809b35855aa5ed87d53f5003a8e9daec135df7ea0ff4c30196c2134e570bb76440f7fcb037515

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7179.tmp

Filesize
41KB

MD5
f6e37b5b08d4514d8347cb5ed4e670f2

SHA1
0c42b901ed5f2e9e76822ccdab3299b714a89cf0

SHA256
41ac25ee169e9baeccb3d8ccaa3be68b912286125520e56d0ed9854608966a02

SHA512
03cb6ed9236b0e5b679ba92f4e5ca07a1874717af3dcb7f24237c7431bdacfebcfecd46df500083f40f626f5ddef4b18c12feb5338924522dfd9f32751b6f301

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
84b76845654285a13592c9e42b2f8b8a

SHA1
af1373a5c315f3fc3fb18d88ad4c28f6938de640

SHA256
635da8f03b922a520ffb1ad9c4e8c460822cec92bc02c14da4d2455ba0300242

SHA512
a0c1e791d4f571b27f34f37529ac0391557f08edf6feaa9866117924a6e2c0a5eae0c9f88f79f570321676b6fa630933f301324f08915ad13825ce76d7aef33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
381KB

MD5
6a44fb5c0f9ddb755e483f86e5a717d0

SHA1
2d12472cba6bb76c016d98e1015e36e317e3a730

SHA256
878d149eb8d275219a0e45096b664460e74bbde6deaae65d3e8d917cbdb6f790

SHA512
3787b404ddd92cbc1ddbf07431d443809df3ec3a32803fd3c30aa62890611b3a5ed8df4803cb175dd2acb30ecdea6dc3149ee7cd2c0ae70400ca8730fd4f1787

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
bb8d477357744725242949d689ff1d17

SHA1
f674b09bea00148134dbf1970387cfc4fb6c7cb5

SHA256
c3825ad1ec7f2453e405b108ca99bef3c25b59537795faa3ce642280483d10fc

SHA512
98ae4e7307f7d5a55759cc727b672734bc90c6c75a3e788f83c8d4642435801fa766b1538cd9bd824f1afceef0b4f8d71ee99bc7388037a0cd63e2981e535967

Download Submit
memory/1664-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1664-110-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2596-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-68-0x0000000001D20000-0x0000000001D54000-memory.dmp

Filesize
208KB

Download
memory/2896-63-0x0000000001D20000-0x0000000001D54000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads