929d6dedb06e32de238ea60b4923f30385efee26d68e542d32775ee2989b3e5c

General

Target

488aa6ef5fb22ecc988f52397ffb6edc.exe
Size

209KB
MD5

488aa6ef5fb22ecc988f52397ffb6edc
SHA1

2631a533b03eb78605f5b51338a96958b1126975
SHA256

929d6dedb06e32de238ea60b4923f30385efee26d68e542d32775ee2989b3e5c
SHA512

f85c7470547d3129c6496220fc33e570ded64e34ab59af2615aae629f9c15b3c8816d0882a9ffe28eed992abaf2765aa7a78ac6f88ed73199a90e51c7fef3913
SSDEEP

6144:zldu+vpEnwIO9VwSiO3cW0FHXXqQ+4rLY2:vucntbcDhnqh4rL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2764	u.dll
2700	mpress.exe
2984	u.dll

Loads dropped DLL 6 IoCs

pid	Process
2360	cmd.exe
2360	cmd.exe
2764	u.dll
2764	u.dll
2360	cmd.exe
2360	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2360	2276	488aa6ef5fb22ecc988f52397ffb6edc.exe	29
PID 2276 wrote to memory of 2360	2276	488aa6ef5fb22ecc988f52397ffb6edc.exe	29
PID 2276 wrote to memory of 2360	2276	488aa6ef5fb22ecc988f52397ffb6edc.exe	29
PID 2276 wrote to memory of 2360	2276	488aa6ef5fb22ecc988f52397ffb6edc.exe	29
PID 2360 wrote to memory of 2764	2360	cmd.exe	30
PID 2360 wrote to memory of 2764	2360	cmd.exe	30
PID 2360 wrote to memory of 2764	2360	cmd.exe	30
PID 2360 wrote to memory of 2764	2360	cmd.exe	30
PID 2764 wrote to memory of 2700	2764	u.dll	31
PID 2764 wrote to memory of 2700	2764	u.dll	31
PID 2764 wrote to memory of 2700	2764	u.dll	31
PID 2764 wrote to memory of 2700	2764	u.dll	31
PID 2360 wrote to memory of 2984	2360	cmd.exe	32
PID 2360 wrote to memory of 2984	2360	cmd.exe	32
PID 2360 wrote to memory of 2984	2360	cmd.exe	32
PID 2360 wrote to memory of 2984	2360	cmd.exe	32
PID 2360 wrote to memory of 2228	2360	cmd.exe	33
PID 2360 wrote to memory of 2228	2360	cmd.exe	33
PID 2360 wrote to memory of 2228	2360	cmd.exe	33
PID 2360 wrote to memory of 2228	2360	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\488aa6ef5fb22ecc988f52397ffb6edc.exe
"C:\Users\Admin\AppData\Local\Temp\488aa6ef5fb22ecc988f52397ffb6edc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\848B.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 488aa6ef5fb22ecc988f52397ffb6edc.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\86DC.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\86DC.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe86DD.tmp"
      4⤵
      Executes dropped EXE
      PID:2700
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2984
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\848B.tmp\vir.bat

Filesize
1KB

MD5
ec3b1ea59faebbd2106e080ee05f856f

SHA1
ac5b113b51d795d199521781cdb94f00f600b77f

SHA256
764a803458a531da1283da100f63af4c7628231d49826659e7f4f718fad9f393

SHA512
eb97ea581f9468bc98c9b9657a599fb283ccc6cf5671593a13a16277677d3d9552399a9e4b50c8ee035029de3bb6731d3bbdc5307f73e41e8d148185e22c3838

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe86DD.tmp

Filesize
41KB

MD5
2962dfcac22070e3da981e1115397938

SHA1
09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28

SHA256
d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951

SHA512
8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe86DD.tmp

Filesize
742KB

MD5
09bfaf4e0966da572cbf3fdf4c0878a6

SHA1
1340c775c85069d649971f15904fed6a43c596d3

SHA256
b0aaf5b0e135b8f813e7a796415805ffb77bab4cb148647050bcd10b6bfe5e82

SHA512
b10c0cbcdb09e89298b308b7733a64835fc948ab794e8ce77f94d1048182104095113ce0942c7e62cd45cdfd15a3997b77fd9ef6c28068b8c7375c920bb4b16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe86DD.tmp

Filesize
208KB

MD5
7263ee421b90ac7e7e873093cd322355

SHA1
2c33f50957712f75d1427cacce94ba34ffb202df

SHA256
53b69083308b16c5fae18ec798ae2af4112a177e0115c890490c3dd1cd18a71d

SHA512
16ef813a2bc038934cb0ad9e55eb5bf01aed154e352928e043ac83e9d044c7e08df5ab147beacd0daf16e649fcd7ec31fbea3aae31c8c160f68a5a9fa23dd916

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ea5ebc2e2def8cb0021a381b3551a280

SHA1
144810df3fd0a26d65375f6bd3be7bf05453e14c

SHA256
8bf62180d080d0aae8c4de97d3db7c4b47a2cdb206d1150ce42fb47ca8c93cf2

SHA512
3ada363c86184786091d837e9028d249e402820478b1895a573a022b77b4d8b4e46227201d5a20c9d2313720f96098ce371c541692a426d8fc0c7b1383a3e064

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
cb1274ab5e6ad96f5462cb4bb8aea28a

SHA1
e68cb4e63303e81c6f360267594e42d9ef470f99

SHA256
3ccb7993c33c9d2ce608e91ff745891b77c0e54808c67ae4472cd514e9e4e34a

SHA512
c97b353a965487f17e0f8f557d07692af1305a9d6041788a85a6641771643fd4d14f0b51e7067501985e4b70352b3fecc322aaf6e87ea7660b15b0424c77bed2

Download Submit
\Users\Admin\AppData\Local\Temp\86DC.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2276-109-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2276-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2700-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-64-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2764-59-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads