5f415b3445bef9ac993830e75782d294c4e2703d81a9dd50a74d6703c638774d

General

Target

96d5b20e06aa79d275486d9e0b672e3b.exe
Size

209KB
MD5

96d5b20e06aa79d275486d9e0b672e3b
SHA1

49b95dec7c16df56a5a00e201f462f2c05c014e7
SHA256

5f415b3445bef9ac993830e75782d294c4e2703d81a9dd50a74d6703c638774d
SHA512

4e0a148819494114ca24f8411509273ead702fcc5ca6a7b8a1d213caf22dd77e2ca4771dbc581b5d405b92135abdb04664c0f6207f5381acd412422ce66c536d
SSDEEP

3072:/lV+n6au3tJn/bmeEJL/TpTv6dEuGxs5fcQG3Tg21i7JgkGwcXiLZQl5AAX9:/l0n6auL/SeEJ/pT0gs5K2743iFg/9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2824	u.dll
1448	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2528	OpenWith.exe
3176	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 4324	2280	96d5b20e06aa79d275486d9e0b672e3b.exe	85
PID 2280 wrote to memory of 4324	2280	96d5b20e06aa79d275486d9e0b672e3b.exe	85
PID 2280 wrote to memory of 4324	2280	96d5b20e06aa79d275486d9e0b672e3b.exe	85
PID 4324 wrote to memory of 2824	4324	cmd.exe	86
PID 4324 wrote to memory of 2824	4324	cmd.exe	86
PID 4324 wrote to memory of 2824	4324	cmd.exe	86
PID 2824 wrote to memory of 1448	2824	u.dll	87
PID 2824 wrote to memory of 1448	2824	u.dll	87
PID 2824 wrote to memory of 1448	2824	u.dll	87
PID 4324 wrote to memory of 4000	4324	cmd.exe	88
PID 4324 wrote to memory of 4000	4324	cmd.exe	88
PID 4324 wrote to memory of 4000	4324	cmd.exe	88
PID 4324 wrote to memory of 4132	4324	cmd.exe	90
PID 4324 wrote to memory of 4132	4324	cmd.exe	90
PID 4324 wrote to memory of 4132	4324	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\96d5b20e06aa79d275486d9e0b672e3b.exe
"C:\Users\Admin\AppData\Local\Temp\96d5b20e06aa79d275486d9e0b672e3b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4FA6.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 96d5b20e06aa79d275486d9e0b672e3b.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\5072.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\5072.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe5073.tmp"
      4⤵
      Executes dropped EXE
      PID:1448
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4000
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4FA6.tmp\vir.bat

Filesize
1KB

MD5
4ada3a816fcaae74f87d784bb8bdc4fa

SHA1
8f73c7145477bfa9934d3d4c8292d25703b14572

SHA256
4bc9c9627ad271e9d022eb51816527aca778a0e028b9500974aa6f79358a3687

SHA512
052a33ceccc14928e280c05de616a9fbcdeec8a720c7817ed3592293495c138ba7dcbab3568158ff134e1d355157730f53e301639b564e0c382ff7558df8a66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5072.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5073.tmp

Filesize
41KB

MD5
71ce3645ecf4a753408f77c5a8bad638

SHA1
9b8252af055414bb69e5ce0f1826066c27c0d63e

SHA256
75e8f3a8df737002f0d4be1064a96490ca1c56148ea69781abaaa6299eff9b21

SHA512
79a8d69275afc627a9102e62f05d3867ef013a11c174dd4981fe31494d3f6e127032fdcc92fae99aaac2a485a6acdf0d7fdf6df120c53a024740ff1786f51c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5073.tmp

Filesize
742KB

MD5
273f86fafd92cbda61da36c31c8a3abe

SHA1
2c561b8bbbc34a4b7083f3794a2afbdfd2210882

SHA256
c5836108ba42d99e213f339a2e30fec69cfd3dfec4065b0691064497b1ff4505

SHA512
8a3dbaa17125aaa2baf95ac206dee5ef722db40485308c602077a512a323ec232135c16652405f05f097d0347226efa0847c44a03de6d2f164a210f7df2854ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr514C.tmp

Filesize
208KB

MD5
bf6c7ef09ba9c142d8743b6466d0f3d9

SHA1
f4de2b98c6306c26fe65709fd97dc03da973dd6c

SHA256
5395244fbe8ef0a2ba193dcc6af17ea2280a823f42604ae2f53cdfe60d5a730c

SHA512
6a50dfa3ac70a5e39a4b52d60062e83164e4124175cdccf6ded30d61eb9c53054676c85530a16392a3e275568dee27c411e22c7e001588d76246457dd65756c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
529d4cc0a7b79fe2209e27b4d686d9b8

SHA1
bb69d3a0dbf603777c1476ce52e4f7ea211043c9

SHA256
03fba07be41801cd8216fe9a5fdc80bfffc3133a112a64c1739ff2ae4b340a99

SHA512
4975f42720e8d7a307737395228712131a288599c78421e3ed595f3c20548359730c8b3be0f39e1110bb5caa9630026f72a2c7fc1389ec99bed865f5946f9388

Download Submit
memory/1448-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1448-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2280-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2280-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2280-67-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads