f1b75b41fbe10a967a7ed23b7cac253562e82d2b5106744a0d333eaf867639bf

General

Target

7c4709481fe4c9732acbe7a9447fd525.exe
Size

208KB
MD5

7c4709481fe4c9732acbe7a9447fd525
SHA1

7ffd15f379df95d7440b01308431ced525c23f44
SHA256

f1b75b41fbe10a967a7ed23b7cac253562e82d2b5106744a0d333eaf867639bf
SHA512

a756481469229a592f5964b67a009b3818f577512246a8688876a913f7bc73d6c16e2eca4ad102641d95ec2332d47bfd6d7d02e4a52d9ee7847204da50bbcca9
SSDEEP

6144:El2/rrWDJn76dtMYfTXH6NO8/K++b/ubDgyuPz:dOJ76dtDXL8/3+6bhuP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4168	u.dll
3144	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2480	OpenWith.exe
3224	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2524	2200	7c4709481fe4c9732acbe7a9447fd525.exe	88
PID 2200 wrote to memory of 2524	2200	7c4709481fe4c9732acbe7a9447fd525.exe	88
PID 2200 wrote to memory of 2524	2200	7c4709481fe4c9732acbe7a9447fd525.exe	88
PID 2524 wrote to memory of 4168	2524	cmd.exe	90
PID 2524 wrote to memory of 4168	2524	cmd.exe	90
PID 2524 wrote to memory of 4168	2524	cmd.exe	90
PID 4168 wrote to memory of 3144	4168	u.dll	91
PID 4168 wrote to memory of 3144	4168	u.dll	91
PID 4168 wrote to memory of 3144	4168	u.dll	91
PID 2524 wrote to memory of 3428	2524	cmd.exe	92
PID 2524 wrote to memory of 3428	2524	cmd.exe	92
PID 2524 wrote to memory of 3428	2524	cmd.exe	92
PID 2524 wrote to memory of 2412	2524	cmd.exe	94
PID 2524 wrote to memory of 2412	2524	cmd.exe	94
PID 2524 wrote to memory of 2412	2524	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\7c4709481fe4c9732acbe7a9447fd525.exe
"C:\Users\Admin\AppData\Local\Temp\7c4709481fe4c9732acbe7a9447fd525.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4E5E.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 7c4709481fe4c9732acbe7a9447fd525.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4168
  - - C:\Users\Admin\AppData\Local\Temp\4EDB.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4EDB.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4EDC.tmp"
      4⤵
      Executes dropped EXE
      PID:3144
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3428
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4E5E.tmp\vir.bat

Filesize
1KB

MD5
797d457b5f2732596db394e7f637c8c8

SHA1
dcdc657a094dd11e6230d6947aab7325c033d058

SHA256
0729894a1616a1e5c68471cafe3a7232f959e74ae03af01a4f027d6f8e9aa15d

SHA512
5575f177c27c7914a01622cf66d2126b24c5c9b709a61f276a0c0bef2b4f8dcbdf9516dd0bdbbf90a00e735f217fa993bf68cd28ca357a0d6ecebd1b80729efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EDB.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4EDC.tmp

Filesize
41KB

MD5
ced9fdba93c6c0a69c43a7fc783d0182

SHA1
3919692fb4669491dd6a24c6bb16f430d0a43e7e

SHA256
a3bf78576222c5da88aea0b9196a2d1003618e4bc9de921d3bac3a2c65ded3fc

SHA512
ab94864403a39322f8587ef946a34e06311ef27d051c4023e29e599ac85cd9bfa15dfcb94f491bbc4a95753f33f28a768b22621cba654c8060daa5df03c73ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4EDC.tmp

Filesize
41KB

MD5
1f721101b85fcb61635e506953d9e24b

SHA1
af9d47bebe3c5594c7809450f4e28115e3de07d4

SHA256
5f06ed4c4432a04b6bba5a068044a51464c74cd80ad1b970ee3f8c9115f3f155

SHA512
1a2ee87f06c1e7977332b9c4aac96e2ce66ab465da15fbd4358bbfbea16dbec3028510b17e4c277f391197f9ac48e1705c7c7053dd9f2d8d45038f4ee6b85e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr5014.tmp

Filesize
24KB

MD5
c4cd0cce2fcadadd40be248acba305f1

SHA1
4bd74a03deedec37e9ff75c56df84802b1e1f4b5

SHA256
b342bd4d80aefa30ed1049da836999a9557c1ffe88d78fce34076754c9a6de07

SHA512
8f5cff3378092692a6e96199172127a0064d072195416992dc2cc4b02e242829f1eab1c43504a490e3d42cc9ead635935362d0d597d97b48a7ca117dc2bb17c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
9ea19135c5f4066ec4b4d174e449a048

SHA1
e660123c8bdb78bd462f4409775cc001fcb48a82

SHA256
33480a20d4109e995a5b40b5185dbe50175489aa235675938bcd526b9a5491a8

SHA512
49983b1b29c84bf03f43f93d378f81da38ca3c07b5070ca0d9e0f0fdec3312fedca114a35443b1df4fde31c7396fa88a534da1280497b857fc32ef88ecd019c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ddc6b18e6bc87ec686f1b7e92cfda9b9

SHA1
583239bb4778c52e481ec7035940aee970b30344

SHA256
3fe986875ac2e89505937211ba2ed4e231302e1bdee07c97f996fcdaa2f838cb

SHA512
b76be2e861c7e4c0e04cc4f3a0876d8618ebc69aab3eaba614141e31d071ce059254407ae7696c73b0390105a8676ea8158ee58be70d84777e20a8ea7a381735

Download Submit
memory/2200-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2200-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2200-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3144-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3144-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads