30cc562b25fc4a222022397885f7bf1fdd3a02fc7775172328e403d67b23b0a8

General

Target

890d6442adfc92a8b4479bcf685d4c4d.exe
Size

208KB
MD5

890d6442adfc92a8b4479bcf685d4c4d
SHA1

1d84cf46c68a8a6cd7d5332f99de4d28eb71ec63
SHA256

30cc562b25fc4a222022397885f7bf1fdd3a02fc7775172328e403d67b23b0a8
SHA512

f09387f47c627dd7ac0008817ca9b2046ed98c83d70e6a6aa910472472cb6129bc04594ac5ee55b9fb4bf52e78d56a56dcbafa75366aa286c3ac7e39833988c2
SSDEEP

6144:Ol0n6auQc8gLckTVZubHN2gc4E8NDFAbZNAz:pn6aujTot2eE8N5AvAz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2860	u.dll
2572	mpress.exe
2952	u.dll

Loads dropped DLL 6 IoCs

pid	Process
2708	cmd.exe
2708	cmd.exe
2860	u.dll
2860	u.dll
2708	cmd.exe
2708	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2708	2264	890d6442adfc92a8b4479bcf685d4c4d.exe	29
PID 2264 wrote to memory of 2708	2264	890d6442adfc92a8b4479bcf685d4c4d.exe	29
PID 2264 wrote to memory of 2708	2264	890d6442adfc92a8b4479bcf685d4c4d.exe	29
PID 2264 wrote to memory of 2708	2264	890d6442adfc92a8b4479bcf685d4c4d.exe	29
PID 2708 wrote to memory of 2860	2708	cmd.exe	30
PID 2708 wrote to memory of 2860	2708	cmd.exe	30
PID 2708 wrote to memory of 2860	2708	cmd.exe	30
PID 2708 wrote to memory of 2860	2708	cmd.exe	30
PID 2860 wrote to memory of 2572	2860	u.dll	31
PID 2860 wrote to memory of 2572	2860	u.dll	31
PID 2860 wrote to memory of 2572	2860	u.dll	31
PID 2860 wrote to memory of 2572	2860	u.dll	31
PID 2708 wrote to memory of 2952	2708	cmd.exe	32
PID 2708 wrote to memory of 2952	2708	cmd.exe	32
PID 2708 wrote to memory of 2952	2708	cmd.exe	32
PID 2708 wrote to memory of 2952	2708	cmd.exe	32
PID 2708 wrote to memory of 2840	2708	cmd.exe	33
PID 2708 wrote to memory of 2840	2708	cmd.exe	33
PID 2708 wrote to memory of 2840	2708	cmd.exe	33
PID 2708 wrote to memory of 2840	2708	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\890d6442adfc92a8b4479bcf685d4c4d.exe
"C:\Users\Admin\AppData\Local\Temp\890d6442adfc92a8b4479bcf685d4c4d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6345.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 890d6442adfc92a8b4479bcf685d4c4d.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\6529.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\6529.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe652A.tmp"
      4⤵
      Executes dropped EXE
      PID:2572
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6345.tmp\vir.bat

Filesize
1KB

MD5
f93cbaea91ced1a39216fc5129702397

SHA1
4af464066bb33110557123fa7838677a1cff5d29

SHA256
bd6f19e20de2cef1c552c98742652ee8fe63d89ac94f62122056065d12de84ae

SHA512
b54e1279462f9b5df97b8d189585abcfeab128ce1a4e36b9f1432faf124f06b6ff454b567909e2c5a255334b2247d3ff96f23b0dffba9976dd66d8be2e994155

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe652A.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe652A.tmp

Filesize
741KB

MD5
fede3b152faf828326a1966a63d0ce68

SHA1
03673b268f912613e6de2dcebd79efa4cd9b9915

SHA256
9945f0e7e578397ab4addf6e01fde79c2983e20c01120477a59d932c6866aefd

SHA512
b1f253bb479c81644182ff1854e8bed70616d8824464c2d60b3000791b84afb0fa5be1128d4369cb8540680fcd71bbb4554d8c67336383d0504e8dda6b5487b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe652A.tmp

Filesize
207KB

MD5
5c8f9a1066119dccaf7e3a3aadb31b34

SHA1
a284592f9d878c5ec3b524d4630074b7d72c42f3

SHA256
55053a5a17c83669902250dd3d0299dd83bdc2b28460eb0d7c0da2378dd11828

SHA512
ac0b13ceeb82ed55cfe20e63149b7bfd70f7b91b3672b37fd10838ffb8b0a6e10d249bea0cb6949d7d3a13827b71e2d52c7ad4ce9ce855365091780391027da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
a9f4ed682d8e25168c3299583006a706

SHA1
4cfbe58142b4ca03993aefdec82f267d27fda536

SHA256
04f1e375427eb3d6f389e8b99ee55fbd92998b289cc55c58a8a03c053e22bf73

SHA512
9807bc567a5dd8461d38c543c84a92d15e007f5783c6898fb02dde077dcad400ab9c9eb89860f5465dcc9807f652edb5a483a4d24cf32296de20553e74f542c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
54f1586c238428fb994e40c3640ea2bb

SHA1
c651b6dbc02b0287617cc2a5d783ab73321969ba

SHA256
83d0b726117e4524fdddf41fb7917627b2a8927b55f777b32a2b989de688c4de

SHA512
25e5af3fae15c37ea6e0bd01bbcde1526c062fefdecb6293c52f933d57d807e6e96f0da47431f803d0941b34b2f1cd76055a6afb81f6c17b4f358518cb55d940

Download Submit
\Users\Admin\AppData\Local\Temp\6529.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2264-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2264-113-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2572-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2860-67-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2860-62-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads