68bf1f616d4fa8c8ff95ad421c12d7f1a8127aae17a8eb60824b20e6a58f68f7

General

Target

97c12d5c50117fd2dd0bf2714389f894.exe
Size

209KB
MD5

97c12d5c50117fd2dd0bf2714389f894
SHA1

ee84449f33abd439ebcbec25bde347654d9e3e03
SHA256

68bf1f616d4fa8c8ff95ad421c12d7f1a8127aae17a8eb60824b20e6a58f68f7
SHA512

51622f32ce21deb09de0e94cac6942482f6952573a826cc1dc4970256d5745320ce61c72001ff1a53c2c96349ca15f9c975a58c7cb8f30bfd98d7933bf93aba9
SSDEEP

6144:7l9cp2t5jmxBtjvAwzhCwWfMbor+UtSrKhSqU:nc9XDNQwhUBSrzqU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1412	u.dll
1180	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3680	OpenWith.exe
2892	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 232	2188	97c12d5c50117fd2dd0bf2714389f894.exe	85
PID 2188 wrote to memory of 232	2188	97c12d5c50117fd2dd0bf2714389f894.exe	85
PID 2188 wrote to memory of 232	2188	97c12d5c50117fd2dd0bf2714389f894.exe	85
PID 232 wrote to memory of 1412	232	cmd.exe	86
PID 232 wrote to memory of 1412	232	cmd.exe	86
PID 232 wrote to memory of 1412	232	cmd.exe	86
PID 1412 wrote to memory of 1180	1412	u.dll	87
PID 1412 wrote to memory of 1180	1412	u.dll	87
PID 1412 wrote to memory of 1180	1412	u.dll	87
PID 232 wrote to memory of 2428	232	cmd.exe	88
PID 232 wrote to memory of 2428	232	cmd.exe	88
PID 232 wrote to memory of 2428	232	cmd.exe	88
PID 232 wrote to memory of 4288	232	cmd.exe	90
PID 232 wrote to memory of 4288	232	cmd.exe	90
PID 232 wrote to memory of 4288	232	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\97c12d5c50117fd2dd0bf2714389f894.exe
"C:\Users\Admin\AppData\Local\Temp\97c12d5c50117fd2dd0bf2714389f894.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4D07.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 97c12d5c50117fd2dd0bf2714389f894.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Users\Admin\AppData\Local\Temp\4DE1.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4DE1.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4DE2.tmp"
      4⤵
      Executes dropped EXE
      PID:1180
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2428
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4D07.tmp\vir.bat

Filesize
2KB

MD5
426e37947c185097c0fd60777e56e868

SHA1
b2fa8d11ed39cecf907e72470555edb045d0c758

SHA256
35179444f664e7de8b96d316541f89cc6460393eda1373d9c1eb9d6d3672046b

SHA512
437589bce53127690b5dc03b7ee69b7c3250da509f1c3e7f0a23304820ea6739b5e4540470f4237d556089b86ce8d0cdf5f72fec72c45b77ba5a87a45cdbe922

Download Submit
C:\Users\Admin\AppData\Local\Temp\4DE1.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4DE2.tmp

Filesize
41KB

MD5
34c413a874021691b852f8e370987807

SHA1
23953e31264901013c50d21f52bbe9a38f5e3b73

SHA256
e3adec6e3a280977d75216a5c6ffa38a2fe128fb6c91c2d33cf30bfdf7a1afb2

SHA512
01a585ebe91fab0c3c4f9d1577932399408ad837404de3e1e7bf6e2923e9d2d25094e2be317a5b3b8fb31916ed213f94e3fa9339165b2cdc931156e478ae1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4DE2.tmp

Filesize
744KB

MD5
b65ad10ba0ab532b5ffb7944f3e6e434

SHA1
4d1e61c623c7f68f09c23a9b1b050ae5f9aaa223

SHA256
f79dff865862c059f8984a6722e583b57612890d039f63f634c6b9582ac3ba03

SHA512
0b4e42a466d781534a532ab1891b04bd597809a7cda363190d4d33be09d3179e7e4f7332419b5cc196db5c345dcd6ee7975601678014fc4aafd2b27bae025543

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr4FC6.tmp

Filesize
209KB

MD5
d505b1cd4d3cd4a598762654a17d0ef7

SHA1
8a5f2c04cb0f5d666e52499a724d81319154190c

SHA256
4045d580cc17c8cbfb0bba45bee07b86f51e453e3e7788f5896c772c6c3dce5b

SHA512
30923c6dc0a4eb998877ea6e682d954fe3e468bd7fd9d203f919d481811e3697ba8226b61c202ff47db546bbb96ba5c534f2b9f95a9e994b861d96a3076e500b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
83487666be316a39faef6e3dc9afe669

SHA1
b4e1bfe112a461f3ffbe014eb1da46ed5b06fd5a

SHA256
7a65383d268c9b8d3c2b9b7d9b048bc4763ce217ec51301167f9043c4deaa024

SHA512
144fb6062054977d70910ba15dbace6bbc1bcfe7efe495e81eabbce5b2b509250f63ef3aa5b03c7ad77037c921f201cdc07a0d836c5c5edcfa6d309725a71972

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
f036f8b3e917d34c21d6687639f74e44

SHA1
6e097ed808ce017ff974c94cc19cdeca4580e7ed

SHA256
e554a2bc4d2cf9728c33c90f4f74c902dad42faa043f33fd9219d948a5812030

SHA512
39b291a34f34e4b3e0176c7abe37d4b085dd476f01bb1f832f3f94d141a65d24962e490691eadb1b5e31a79f1c3e781e010734cc352906d885546eae4136fa66

Download Submit
memory/1180-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1180-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2188-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2188-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2188-66-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads