fb13dc0c1467526c6f879daaa749486cd34c72b47ef51e1a5f3fb933cc590d8f

General

Target

ae19e72a31d6b45a52fa1fbd9ad2249b.exe
Size

208KB
MD5

ae19e72a31d6b45a52fa1fbd9ad2249b
SHA1

8489cd383869548b599830e55f51dfbd4d143ebb
SHA256

fb13dc0c1467526c6f879daaa749486cd34c72b47ef51e1a5f3fb933cc590d8f
SHA512

da19624a884dd4d3440be0cdfd2d9fd6112808781f3f8ce050eb8d71285c90f1b22e046de97993bf8a2f015df550d09982855c540ffb17cd86d0f2e513ef2d17
SSDEEP

6144:KlGRgXm15iTEV0cSd/WBpnCOD5yBHRBvMhQ6KDx8:7v1Ec/CAQHPvMh2Dx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2928	u.dll
3888	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4440	4148	ae19e72a31d6b45a52fa1fbd9ad2249b.exe	97
PID 4148 wrote to memory of 4440	4148	ae19e72a31d6b45a52fa1fbd9ad2249b.exe	97
PID 4148 wrote to memory of 4440	4148	ae19e72a31d6b45a52fa1fbd9ad2249b.exe	97
PID 4440 wrote to memory of 2928	4440	cmd.exe	98
PID 4440 wrote to memory of 2928	4440	cmd.exe	98
PID 4440 wrote to memory of 2928	4440	cmd.exe	98
PID 2928 wrote to memory of 3888	2928	u.dll	100
PID 2928 wrote to memory of 3888	2928	u.dll	100
PID 2928 wrote to memory of 3888	2928	u.dll	100
PID 4440 wrote to memory of 3336	4440	cmd.exe	102
PID 4440 wrote to memory of 3336	4440	cmd.exe	102
PID 4440 wrote to memory of 3336	4440	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\ae19e72a31d6b45a52fa1fbd9ad2249b.exe
"C:\Users\Admin\AppData\Local\Temp\ae19e72a31d6b45a52fa1fbd9ad2249b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A662.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ae19e72a31d6b45a52fa1fbd9ad2249b.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\A7D9.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\A7D9.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exeA7DA.tmp"
      4⤵
      Executes dropped EXE
      PID:3888
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
1⤵
PID:4548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A662.tmp\vir.bat

Filesize
1KB

MD5
6d7257cc6c671aac5b0c722ce9eb97f9

SHA1
cbb624fd3143e6bcf670423ed5204fff2723c3e3

SHA256
ea6bc5b89778e1efb69d029c3ff27154db2571da14f253015140dae245c3783a

SHA512
8937707efc801378e7fe0549fbf79925dfc8f32dd25827a27f0523da1af9405f986712af6cbe737fce7caa22a4ac36edf3ec3352bf3698dfd863f783ee8d8732

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7D9.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeA7DA.tmp

Filesize
41KB

MD5
4d1c4e637e66e3aee050194ee149b1ae

SHA1
542aab9bf825e8cbb8afc946b8fe555ea402a413

SHA256
ba3591ba0a42bd2556af093af3beb685383b239570a459d00ad9ff0747851e25

SHA512
801010a3a79285d26a7ecd84928b7e24de7adab6ad67d2d2ebc81a5639a6b9ea9f0f5cb087e1dfbda5a9cfa031bc2f1798f18d688a7cfc600cb9cde670862011

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprA96F.tmp

Filesize
24KB

MD5
eea12ffa949b5ad5f71e4a086a674c35

SHA1
c2a96e443b72a2869f2e9425aa775680f4cb2d72

SHA256
b984ba079f06f412c63ad35289400e640e26c8df67ee58975d8822a55cf24341

SHA512
6e078d975011f04ceee3f95ffaf3b13d00532b869d4305a153efa6d4c7bf8413cf7d353e1f0edf07bd982a72e9a5740c6e7bd0250c532cb7eb24a49e6fc02c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
144473a96b3549ec9b070c6d30ecc912

SHA1
cb35111705e02c9bf27df9050793f7bf07c63a72

SHA256
7751f4980dbbc29bad2b03ea7452278c6e8e305e66bc2e0c7a717770d3650fcc

SHA512
3e1800c3ea5d4c6607409452a88c477c4b962503a5ab85de52624416b7073cb6135fcd97fa04fe63662c2da64d30011b9ad04814ae50b39e0ece582ddd94431f

Download Submit
memory/3888-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4148-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4148-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads