7289e6f9c465a642894902c62697e27c42ebc48e2bebdcd122ac7aee43b06b5f

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 15:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d4c7d98b813f3f3fc3bfbfd576c01c7.exe
Size

209KB
MD5

7d4c7d98b813f3f3fc3bfbfd576c01c7
SHA1

22702d389bf0b1e6694819057e90f1ea9aa1ea3a
SHA256

7289e6f9c465a642894902c62697e27c42ebc48e2bebdcd122ac7aee43b06b5f
SHA512

e23dec857899d0bf8f6de13c6ed18704cb85d534c53c3c8b0bc01f85d0dda1fe6b4d4b253dbd43089b96ab2ce3a7fe61d3631eeb63f1d042cb4393a96d61155c
SSDEEP

3072:Kl/Oe4lzZAtZR3xu/a/nDJAi5kgKwv0vkBj7milVEpLcVwtaWFVCKqDQ29:KlH4lcZegnDJAYKg9j7miawV+a8VCNB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2764	u.dll
2780	u.dll
2052	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
1324	cmd.exe
1324	cmd.exe
1324	cmd.exe
1324	cmd.exe
2780	u.dll
2780	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1324	2532	7d4c7d98b813f3f3fc3bfbfd576c01c7.exe	29
PID 2532 wrote to memory of 1324	2532	7d4c7d98b813f3f3fc3bfbfd576c01c7.exe	29
PID 2532 wrote to memory of 1324	2532	7d4c7d98b813f3f3fc3bfbfd576c01c7.exe	29
PID 2532 wrote to memory of 1324	2532	7d4c7d98b813f3f3fc3bfbfd576c01c7.exe	29
PID 1324 wrote to memory of 2764	1324	cmd.exe	30
PID 1324 wrote to memory of 2764	1324	cmd.exe	30
PID 1324 wrote to memory of 2764	1324	cmd.exe	30
PID 1324 wrote to memory of 2764	1324	cmd.exe	30
PID 1324 wrote to memory of 2780	1324	cmd.exe	31
PID 1324 wrote to memory of 2780	1324	cmd.exe	31
PID 1324 wrote to memory of 2780	1324	cmd.exe	31
PID 1324 wrote to memory of 2780	1324	cmd.exe	31
PID 2780 wrote to memory of 2052	2780	u.dll	32
PID 2780 wrote to memory of 2052	2780	u.dll	32
PID 2780 wrote to memory of 2052	2780	u.dll	32
PID 2780 wrote to memory of 2052	2780	u.dll	32
PID 1324 wrote to memory of 2272	1324	cmd.exe	33
PID 1324 wrote to memory of 2272	1324	cmd.exe	33
PID 1324 wrote to memory of 2272	1324	cmd.exe	33
PID 1324 wrote to memory of 2272	1324	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\7d4c7d98b813f3f3fc3bfbfd576c01c7.exe
"C:\Users\Admin\AppData\Local\Temp\7d4c7d98b813f3f3fc3bfbfd576c01c7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\B47.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 7d4c7d98b813f3f3fc3bfbfd576c01c7.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\275E.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\275E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe275F.tmp"
      4⤵
      Executes dropped EXE
      PID:2052
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B47.tmp\vir.bat

Filesize
1KB

MD5
262f9d1f379f12c6a982d9e7429bac1a

SHA1
8e10ba75932b374496e01e47f2314dab00a0eb71

SHA256
e6cf5d0e69f773ffb242e863a97d1b3ed274d5cee403da895dcdf840f5d32f7f

SHA512
e505fe940cbd13265d202dfe46f4dd196f75bb4b79232b98ebca2896314b18d412b46e084deba2bbd6a3265168f93d3ce99851b1510f1d34526b82545a050288

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe275F.tmp

Filesize
41KB

MD5
5a16fb75977e1799ed52f35a164922e6

SHA1
c1697c61c42498f0501a886392ddd2560646b24c

SHA256
f625375b30e87216e720919833d9d4e7bc11f0b61a9d2d218817d2ebb140d7de

SHA512
1e31f17c0fea7df5bd321ff0015b8226a378b649c43df1111d9467b0f86f3a14e5a7ae9ed00314695f688b7cc0c18e44b3fa6521a8fea5943e4eb9a69a612216

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe275F.tmp

Filesize
41KB

MD5
dfc8d2e1dd2780e45b067a84ad1c6abb

SHA1
c3a94079c4fa7ad89134c1625ecf1d96baf619a3

SHA256
3bee1b133959a8602e12a5703f053cd7f8fbf43f598ce3233b83866db0efaf07

SHA512
256a5f003e485048c6311c0bc3dad9d6cd031219c2e95f9d384f26b5f8cbfd963db5447366c8efe85d2e561582ae8bb6f5a70c0eb2c4acadfe5c81a5596db094

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe275F.tmp

Filesize
24KB

MD5
f3519b252d0de793d3ce63ceb29d1790

SHA1
a92ca1e1568bd8e681cfb935f62581ca0550300e

SHA256
f3b70ed7dcb53efc47a68dc0c263ce879b15cdaba3aa61ce20f7b131c978e70c

SHA512
8662777d90416fe363e4e21379f63c49f922f109a065ac83ba225ca4c88aba5b72fe18765fe6d63c58b8d68f3ea05094b717ece20f88a3c33db485bdfee650a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe275F.tmp

Filesize
41KB

MD5
9d694f4d4123d3827c28b441a9d01394

SHA1
333b1eb7a0a86f466d0a2957c8d3a3fd8e51fbea

SHA256
325e4580a4d53a12886a83227961a1e9cab80a88e05bb271a99cc1c88f74ece3

SHA512
f99e1510bd003c79686220868f7eebd0695f74b7e54ec658ffc3bdc7ae6b89366b7404a56241c5e003389f9f3506515a609cf2913281c08383a16a6929aad2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
863c312b1e74b57dc2d01a1370684ff3

SHA1
39175536b2783f4b3d70cb29d3352388cfebbcac

SHA256
33c2b1a19a8b31cd969ee88acebba54c9af73d4a8633becfa609e067909db33a

SHA512
d6dcd4968bd18b3483f7fb6a63b9640d8d3f3fc63bccd5c0ba294c1f09fc9b6bcb4fae815682d5800f7acf34fdadd2ec54be7d728d754a46b9cdb2362b3fa76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
492ce3a728ff5c0bb1632b6ec51c1914

SHA1
aa0ec696f4599e3e9646b816639c7ccdc0e4a250

SHA256
f4da9363bd21afa4e82e9776d0dc2d11c4852b5f09b53bade19059f06bb5409f

SHA512
52d74c472b0a4a65ce9c14f5e00ba4bc06551d80db9a25d7872cfd1af93f21b2b57c8d9052e0d40fb73d36a68ea6b6c3af4304736d0308187d717c9744051cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
d9eeecc3d1c5c92da5cbfd4977ce3421

SHA1
ce1498a52e387c2ff88493da245fb7f6230e5c31

SHA256
6a1cfcb86d799bd9071287bf8a16a3ee8a2a54fe5c6dc50c2d89ab8b04af55b2

SHA512
ffa06cc360b30490703148644eaaccea96c99c8402fdba11e262d7b8e38deed3d8b1c801dab6c0fe50da97bef5a04f80594a359f5f587067681eacbbe2ed714b

Download Submit
\Users\Admin\AppData\Local\Temp\275E.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2052-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2052-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2532-112-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2780-93-0x0000000000530000-0x0000000000564000-memory.dmp

Filesize
208KB

Download
memory/2780-89-0x0000000000530000-0x0000000000564000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads