0c45c9d707afac5887a1d9e7a3820d1095a5d8ac5d891a2bd2f2e744f62f201c

General

Target

725b61480c6994435da8b6709fce4ff9.exe
Size

208KB
MD5

725b61480c6994435da8b6709fce4ff9
SHA1

0c68323831ef958ae9b33f9633a15adfd31d3935
SHA256

0c45c9d707afac5887a1d9e7a3820d1095a5d8ac5d891a2bd2f2e744f62f201c
SHA512

40aa72ba7d6a73b8ec3237248dbd921727d317776a08d89d5a5e998fea7bfd78a187ab9522264b570a688c9e8364c9e49a4e3e6d3a7f733984055c0bbefbfe57
SSDEEP

6144:OlVCjnYbZosEhj7m+6VWW22BNsG/Gz+S:1j5HhHH6brUz+S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3380	u.dll
4972	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1528	OpenWith.exe
4552	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4740	4820	725b61480c6994435da8b6709fce4ff9.exe	88
PID 4820 wrote to memory of 4740	4820	725b61480c6994435da8b6709fce4ff9.exe	88
PID 4820 wrote to memory of 4740	4820	725b61480c6994435da8b6709fce4ff9.exe	88
PID 4740 wrote to memory of 3380	4740	cmd.exe	90
PID 4740 wrote to memory of 3380	4740	cmd.exe	90
PID 4740 wrote to memory of 3380	4740	cmd.exe	90
PID 3380 wrote to memory of 4972	3380	u.dll	91
PID 3380 wrote to memory of 4972	3380	u.dll	91
PID 3380 wrote to memory of 4972	3380	u.dll	91
PID 4740 wrote to memory of 1912	4740	cmd.exe	92
PID 4740 wrote to memory of 1912	4740	cmd.exe	92
PID 4740 wrote to memory of 1912	4740	cmd.exe	92
PID 4740 wrote to memory of 3568	4740	cmd.exe	94
PID 4740 wrote to memory of 3568	4740	cmd.exe	94
PID 4740 wrote to memory of 3568	4740	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\725b61480c6994435da8b6709fce4ff9.exe
"C:\Users\Admin\AppData\Local\Temp\725b61480c6994435da8b6709fce4ff9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCA0.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 725b61480c6994435da8b6709fce4ff9.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Users\Admin\AppData\Local\Temp\460.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\460.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe461.tmp"
      4⤵
      Executes dropped EXE
      PID:4972
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1912
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\460.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCA0.tmp\vir.bat

Filesize
1KB

MD5
263a6bcbda82395880886fbf32d6f019

SHA1
b070d4a5aee829c6ee48c2a35f238a51e197a6bd

SHA256
d273eb7a76bd99713582c5c5280e667b353e41ef68b4c554633bab6f9e3e8ab6

SHA512
bf95ff414ea077b31effa931a6bef98fdcab95e8aee75423a8ea949088499899e9c49b56cdd8ada717d99668f41dfcfa0da6a1a45d27c6bc8706f1586c41cb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe461.tmp

Filesize
41KB

MD5
0702e8031193a3474afa297d17cdc814

SHA1
46cd098f940f31e43b4a606603a0c153cdba950d

SHA256
9e596558228cdc87835f78d9072bdf2c25d3646e0541b3ac5e070dbb136cb116

SHA512
213f4d9187c0fcafaab34f0f91df5a2172a1f67e4750bc247552f430ec95a4c035f43be7421f2fd63da963a0044a6fcf343123dc34b5e26ece2cf9a54137ef94

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr17F8.tmp

Filesize
24KB

MD5
85008b6387188c6e102e3ee8122392a3

SHA1
ec1fb93088e10b24eabe2005d3d18446792f07e1

SHA256
197048083e00ce70d9e0ddd6d38d7b92c72da6914b01bf5fcd2d7db799a194f7

SHA512
96ef1df93e1bfcd170333e6a2b7b07b55ce3f85eecbd7ea17e07be9f910d068f4f4b758084c034ab326d79a52d0b779f3542de1ee01abffd1938c669e664cb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
110ae9a995a0e99df2427f7b97b85eb2

SHA1
3655d0a5ce029e0bbc4d942e477e5be1745ee63b

SHA256
25d07cade85c1a9495bebf0a1f37447fda7401fe4e9d92869ababf83a46b240c

SHA512
4646debc7c8489219c4578bfeb568e178f33e2a589f649ae4ae6ed39a77ffd0a0fc0a401c5279758f975f99a9f777c18cc8e1aadb62c5ce16217e27fc644ded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
071ae745e84b0d5442ae13f3cad95fa0

SHA1
c388797f55b3d2d79d98269e8ada3e71ea44b653

SHA256
1e607cbb251a803198effaa72957bbd357e54f5839e28345adec11d805281ec5

SHA512
dd6c34692842214ec101469302f0f622b1ea54c6dba11bbe6fd94ea4b22d9b6effc64da9eef00866e54c8e0b58619e61ac9b515120e62908635c9f061881ea52

Download Submit
memory/4820-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4820-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4820-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4972-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads