ba3692ab2f881fdcfebba1ef43cb627ec51fb1c36313f81e776357d47bdf5291

General

Target

b5bbe10a03cfbf606674fa9d35ad20f7.exe
Size

209KB
MD5

b5bbe10a03cfbf606674fa9d35ad20f7
SHA1

49db02612de8bed0c0355cb300c8d43bb089fa67
SHA256

ba3692ab2f881fdcfebba1ef43cb627ec51fb1c36313f81e776357d47bdf5291
SHA512

6c748f8eba2c72b20a4dde5b7c60a7000c26baf7b2c18b5dce34b3833774bb709491c6dbd7f45fa5cc481e5c8ac08b30cdbf96739859443177d0d5695175ea40
SSDEEP

6144:vlGRgXm15idtebexH3zpDHormWoymgJkAK7x:gv1UtebextDIRmgJ9K7x

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4712	u.dll
4892	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4504	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 4560	2516	b5bbe10a03cfbf606674fa9d35ad20f7.exe	90
PID 2516 wrote to memory of 4560	2516	b5bbe10a03cfbf606674fa9d35ad20f7.exe	90
PID 2516 wrote to memory of 4560	2516	b5bbe10a03cfbf606674fa9d35ad20f7.exe	90
PID 4560 wrote to memory of 4712	4560	cmd.exe	91
PID 4560 wrote to memory of 4712	4560	cmd.exe	91
PID 4560 wrote to memory of 4712	4560	cmd.exe	91
PID 4712 wrote to memory of 4892	4712	u.dll	93
PID 4712 wrote to memory of 4892	4712	u.dll	93
PID 4712 wrote to memory of 4892	4712	u.dll	93
PID 4560 wrote to memory of 4652	4560	cmd.exe	96
PID 4560 wrote to memory of 4652	4560	cmd.exe	96
PID 4560 wrote to memory of 4652	4560	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\b5bbe10a03cfbf606674fa9d35ad20f7.exe
"C:\Users\Admin\AppData\Local\Temp\b5bbe10a03cfbf606674fa9d35ad20f7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\327A.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save b5bbe10a03cfbf606674fa9d35ad20f7.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\3364.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\3364.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3365.tmp"
      4⤵
      Executes dropped EXE
      PID:4892
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\327A.tmp\vir.bat

Filesize
1KB

MD5
89c7dd7528b61921800cbdeef197ff18

SHA1
7ddd596dfb0cef4ea38213c8ac98c46076baa327

SHA256
61e0a2de3b2a9d19261e8a887fd03112bcf56fbfd867615c8ea4e35ea7cabeff

SHA512
38e4b33c296d3979919b70137350cc43209d8a2c434961041c85932ded58c714af4d4d96c872e76eaeebc5db1012e3f4a77b867f6f511b985e9b82aacdd8e211

Download Submit
C:\Users\Admin\AppData\Local\Temp\3364.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3365.tmp

Filesize
41KB

MD5
4d1c4e637e66e3aee050194ee149b1ae

SHA1
542aab9bf825e8cbb8afc946b8fe555ea402a413

SHA256
ba3591ba0a42bd2556af093af3beb685383b239570a459d00ad9ff0747851e25

SHA512
801010a3a79285d26a7ecd84928b7e24de7adab6ad67d2d2ebc81a5639a6b9ea9f0f5cb087e1dfbda5a9cfa031bc2f1798f18d688a7cfc600cb9cde670862011

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3365.tmp

Filesize
42KB

MD5
5b6a2bb886af24e66e4a11cbdf264b6c

SHA1
c377be500a7e24c0eff388923800ae614652cf15

SHA256
c00f678fe2b1fc52c0fb0274033fbfb7899cebc9346d9e7bb125172733734653

SHA512
e926b52b7c5ace03500a469bfe48eafedfc78280def78b26a8a7b18165535842fe740175b74e3ea32171a28e1a3a27415c1deccd27e751cb9b14a595b6aac18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr343F.tmp

Filesize
25KB

MD5
156150a37fc25693b1443ddbeeb3d26a

SHA1
680af14dcd5ff59a94f0c50b8a855f7739510967

SHA256
bd698271090038fe0ed3621da82f05ce1bb1af14a2e1cd069a928a8a26bc0ca7

SHA512
8c0a4fbc72c849b8051dfae74473fe6fb2802f03a88a0482f9a8ece26062b5f787f2aa82b2fdb84c90dc05b23c4422e21351d310251e65c452f1b318bb2d5712

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
13c242c6e4dc5588f4dc3e6ced1a374e

SHA1
2fe23f4b3d4bff79efc6fd8e3206cc28ebc2e1b7

SHA256
bda1a26dd691a450651064e81d98a39835b5886780e4158e96e9e445da66ed8d

SHA512
99bc211cc4c8acdcc65d4d49abe3b3d6613862dcb345b42a97891b619cf07855007159b87b135db19f7a28937997dbb24125084b603f564ba0e18edca1bad320

Download Submit
memory/2516-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2516-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2516-69-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4892-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4892-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads