1a432f2085120f3804f9bf787187169e53084500636fe1bac92f092e15f66176

General

Target

bf3e2b7e1d058aa6de1ed557e292814d.exe
Size

208KB
MD5

bf3e2b7e1d058aa6de1ed557e292814d
SHA1

4dd55c8113abba9dfdc2374078f9790866ed6b64
SHA256

1a432f2085120f3804f9bf787187169e53084500636fe1bac92f092e15f66176
SHA512

1e56084deef7731471705e63a14f2f24d5432a50cd33977ec91c2a7079fcf420d248c2d2f2c2bfb6afb76b3ea4d1a51af319c27415d65a7c701f5f984c9393ae
SSDEEP

6144:ml0n6augQyP0JEO8q9B0h3X0uNVbXNADFS5uKA/TIB:xn6auC8Jl8qMhnxVb9ADFS5uzTI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3000	u.dll
2732	u.dll
2912	mpress.exe

Loads dropped DLL 6 IoCs

pid	Process
2944	cmd.exe
2944	cmd.exe
2944	cmd.exe
2944	cmd.exe
2732	u.dll
2732	u.dll

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2944	2740	bf3e2b7e1d058aa6de1ed557e292814d.exe	29
PID 2740 wrote to memory of 2944	2740	bf3e2b7e1d058aa6de1ed557e292814d.exe	29
PID 2740 wrote to memory of 2944	2740	bf3e2b7e1d058aa6de1ed557e292814d.exe	29
PID 2740 wrote to memory of 2944	2740	bf3e2b7e1d058aa6de1ed557e292814d.exe	29
PID 2944 wrote to memory of 3000	2944	cmd.exe	30
PID 2944 wrote to memory of 3000	2944	cmd.exe	30
PID 2944 wrote to memory of 3000	2944	cmd.exe	30
PID 2944 wrote to memory of 3000	2944	cmd.exe	30
PID 2944 wrote to memory of 2732	2944	cmd.exe	31
PID 2944 wrote to memory of 2732	2944	cmd.exe	31
PID 2944 wrote to memory of 2732	2944	cmd.exe	31
PID 2944 wrote to memory of 2732	2944	cmd.exe	31
PID 2732 wrote to memory of 2912	2732	u.dll	32
PID 2732 wrote to memory of 2912	2732	u.dll	32
PID 2732 wrote to memory of 2912	2732	u.dll	32
PID 2732 wrote to memory of 2912	2732	u.dll	32
PID 2944 wrote to memory of 2548	2944	cmd.exe	33
PID 2944 wrote to memory of 2548	2944	cmd.exe	33
PID 2944 wrote to memory of 2548	2944	cmd.exe	33
PID 2944 wrote to memory of 2548	2944	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\bf3e2b7e1d058aa6de1ed557e292814d.exe
"C:\Users\Admin\AppData\Local\Temp\bf3e2b7e1d058aa6de1ed557e292814d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\140D.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save bf3e2b7e1d058aa6de1ed557e292814d.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:3000
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\2FF6.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\2FF6.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe2FF7.tmp"
      4⤵
      Executes dropped EXE
      PID:2912
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:2548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\140D.tmp\vir.bat

Filesize
1KB

MD5
c967404114b059eff8c96c064cc4cc97

SHA1
a193f6b4311ce38ea87f3c3999ff10f11d1e0659

SHA256
aa583180492d35d6bbfabe582c263a3c682ab628cdddd8861ab765caf190e148

SHA512
338cdfc682b23bc2ef2e6c3284e183160c2b3aa9ac4d15e8eab67c1c0c1bdfed871905df2161ebd8f7ff06cf4f0a065b76d7defb3239258b1de4a0707a1edaa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2FF7.tmp

Filesize
24KB

MD5
7cda353434725a4a3712954fd3ded290

SHA1
d8348e79d6bcee527743b126026367d700ddb436

SHA256
7e781837fa89a8ead0a14c14a7f2125a89bb7b33d2ccc358f6b8ad22924b5e86

SHA512
4ac257fe8e0772adc8aa1a2626153c473554c341c025959dd994100c43e2cec274e8a532e0c1b5c0ecdf463733d25a63767b995b731ce272b1c7a3ad0820b95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe2FF7.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
585482c70b7868d36ec7e7ef19da8dd3

SHA1
4939b633661c2c1e003a7afb54adec3e3a616ef6

SHA256
c6b7c9c3551fc0744f3d4dc439b92a5395bf79858d755e3e4e586a17c6ea8560

SHA512
8d38a91c821c1103efcf24dd84e5a9bd9ba724b4b7cf4d04efae1fc574cab3f181701b040725e52a6a19dea80aeaf4f3f46ffeeac1a70d0be5a903e041b2169f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
5f5477878b579b5f20971abac7e6a6ee

SHA1
88186a9a0765414b246ac3272480c9e27b3bab8c

SHA256
fee4a02103f7dbc5a88525c0bbc92c9402e8c5f523993f23229ba90825276760

SHA512
ce05f41cda138d94fd89f9f7328bf5ce0bb493a15d16123b457d182eab7f42b078fa5d62b40780efa9efa3ea7daef4c36fb5d6eae73bcebd29037d3b02ee877e

Download Submit
\Users\Admin\AppData\Local\Temp\2FF6.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2732-95-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2732-97-0x00000000002B0000-0x00000000002E4000-memory.dmp

Filesize
208KB

Download
memory/2740-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2740-114-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2912-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads