053bbbda869d3cd0f1f00178cf4fae3b6ef85f06bb3eeb874c2ca9f4af1670fc

General

Target

50a2d7e4a6cfa3e8596ac960deee46f3.exe
Size

209KB
MD5

50a2d7e4a6cfa3e8596ac960deee46f3
SHA1

1ab53987da8edb27e0992326f492e01cfd21529d
SHA256

053bbbda869d3cd0f1f00178cf4fae3b6ef85f06bb3eeb874c2ca9f4af1670fc
SHA512

4588d973b31967093881c243c57330bd46811c00a5ac163bb698ca78eaa11db11d30cb88561c10835ff0e9e5c79806a15da902c74669c64d5e00da5021073580
SSDEEP

6144:DlUzl29na2Fi859T5Lue+PMXav5TgwzSW7:m49a2FDvJFKBTgw+W

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2204	u.dll
2472	u.dll
2756	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
3048	cmd.exe
3048	cmd.exe
3048	cmd.exe
3048	cmd.exe
2472	u.dll
2472	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3048	2240	50a2d7e4a6cfa3e8596ac960deee46f3.exe	29
PID 2240 wrote to memory of 3048	2240	50a2d7e4a6cfa3e8596ac960deee46f3.exe	29
PID 2240 wrote to memory of 3048	2240	50a2d7e4a6cfa3e8596ac960deee46f3.exe	29
PID 2240 wrote to memory of 3048	2240	50a2d7e4a6cfa3e8596ac960deee46f3.exe	29
PID 3048 wrote to memory of 2204	3048	cmd.exe	30
PID 3048 wrote to memory of 2204	3048	cmd.exe	30
PID 3048 wrote to memory of 2204	3048	cmd.exe	30
PID 3048 wrote to memory of 2204	3048	cmd.exe	30
PID 3048 wrote to memory of 2472	3048	cmd.exe	31
PID 3048 wrote to memory of 2472	3048	cmd.exe	31
PID 3048 wrote to memory of 2472	3048	cmd.exe	31
PID 3048 wrote to memory of 2472	3048	cmd.exe	31
PID 2472 wrote to memory of 2756	2472	u.dll	33
PID 2472 wrote to memory of 2756	2472	u.dll	33
PID 2472 wrote to memory of 2756	2472	u.dll	33
PID 2472 wrote to memory of 2756	2472	u.dll	33
PID 3048 wrote to memory of 2440	3048	cmd.exe	32
PID 3048 wrote to memory of 2440	3048	cmd.exe	32
PID 3048 wrote to memory of 2440	3048	cmd.exe	32
PID 3048 wrote to memory of 2440	3048	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\50a2d7e4a6cfa3e8596ac960deee46f3.exe
"C:\Users\Admin\AppData\Local\Temp\50a2d7e4a6cfa3e8596ac960deee46f3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\EC0.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 50a2d7e4a6cfa3e8596ac960deee46f3.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\2AB8.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\2AB8.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe2AB9.tmp"
      4⤵
      Executes dropped EXE
      PID:2756
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2AB8.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC0.tmp\vir.bat

Filesize
2KB

MD5
b27ca5fb9b244bc5735cbe6e24be25f8

SHA1
0635f80dd9d507a156fb9ef295d331b9b2da837c

SHA256
1d9a5c0de2b8ee3a44066c42d27f239aed93d76bebf3220b5366da132dce0491

SHA512
4da97f624bfc6b8dd1effbf1aa4d416c62789387cae257c2b1f1f165a03e1a4ab7755642167f21b2263601facfc9c6bb5037c8e3a27cbf1fde28b553c4302a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2AB9.tmp

Filesize
24KB

MD5
615cf02a831ad50dec9c776daff01ba3

SHA1
6d9f36270c32cfd8f33d22cb5647e3b559997790

SHA256
2914430430416af4bf2e7b75306923518661cd7fcd7de9194c10902d7f1e58fa

SHA512
a9b821ace1e6dac19b9060bc74393dc25e0d3c702449bba46af34e96731502873aa30c9957a32ac8e113bdb09ee9be87309fc79a7302bea01a97ce9e09913539

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2AB9.tmp

Filesize
41KB

MD5
a2c3062fa164e9bfe5a343b4dcbc95c5

SHA1
3a9ab7db5f1a0c958828a58561779800532babee

SHA256
abaa1cf5206bf5b210bb8673e718356cfce1b863f7429df9fb88dff486a9e642

SHA512
cc3af460becb242a8e06c1906b49949a7d7fb4f622950ef9c3479f5143d70bb261c91131b402f98a34268d1d94ef45f4b521a09295360a231700ade6d739fd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
11585f18c9216b57877b16053bfd5b47

SHA1
aa3d4a53611dc2e8645a1473556e477ef4882dc4

SHA256
dc21e0697b91315cbd903f8e3bd5fdd2085815da56fe5ca696d3b17dd09ae9cc

SHA512
84218aa1df912e039948bbf6e9cc0f129bcc12f84d37a192a5d8e970d22ebb16bebc12cd8c7953a0488e32771503be74e0c40d0312972046723d647f8dd5741d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
ab02efd1452b61f23d09a86635b090f8

SHA1
040be81519f50dfe0df28ad54f68b5fe43c3603e

SHA256
a096ca3b6fc9d1cf257efb60225eab8a6615e5d5e4c51b77ba710aa8b313ad11

SHA512
855d2515e30e279ac8169713074459bc2a3daab3af02b861b3f9920a0df940e9305ab9faef67ca2963a6582e6ce317cc784461593fd169a752b28bffce5b82e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
ccc0829a8fc184b8dd0f2f44b64dd13c

SHA1
99fae6e99f6e5f2022e261919a811ae33139d7f8

SHA256
1d7617e1083f4d35984ae62718088ddfdbab0c4450b7b4b6d8f0989024255b78

SHA512
e001468f920db27eca8dce4c78f3c1c084be2494d38011761afab146ced05b2d0e170ab1942accfa4360bb6e5d880bcc591732b2df02720ef1bf0ee0733e708b

Download Submit
\Users\Admin\AppData\Local\Temp\u.dll

Filesize
313KB

MD5
89187e656a504dc6d81da382742a78a3

SHA1
e5157ef3612dee6ca1b1b8cec3384b43b7a12d94

SHA256
7f26c0219bfe83207ddb18ea44892f0b3fc726aa43d17946045038db091e6a02

SHA512
119608621415ed994c89617835ff1e3c54bb409c2b9536b2b4589426c78835e41b49fc0db71ed8195d0b9e99d45e4d67b2e95360e5c756b1703b325d1c66a4a4

Download Submit
memory/2240-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-113-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2472-95-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2756-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2756-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads