bf9be332600dd8550b57f80bf9ddeb0ad5f1cdc6a891e0bb149cb7a0b0431991

General

Target

c162356e660bdd31e84b1192dfe2114b.exe
Size

208KB
MD5

c162356e660bdd31e84b1192dfe2114b
SHA1

c9c56069053b71b99b9770417523471e8ad1323b
SHA256

bf9be332600dd8550b57f80bf9ddeb0ad5f1cdc6a891e0bb149cb7a0b0431991
SHA512

fa3c75c6445708668a2abf911ac6ef1382f6ecd1e95d933d32b7118c52308cb0190a2d599fe75ff79089a9515f5aac16087aec63c783320415914c113e28f1c0
SSDEEP

3072:clKMCvRa0wbyjxrOGb4Ro9Cj1euqkaaWBbrtYP679vmNn6HOh8xgF91j:clVCJP6yjxKGbij1fqZBd9+MO+A1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2324	u.dll
932	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4816	OpenWith.exe
3148	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 3816	4428	c162356e660bdd31e84b1192dfe2114b.exe	89
PID 4428 wrote to memory of 3816	4428	c162356e660bdd31e84b1192dfe2114b.exe	89
PID 4428 wrote to memory of 3816	4428	c162356e660bdd31e84b1192dfe2114b.exe	89
PID 3816 wrote to memory of 2324	3816	cmd.exe	90
PID 3816 wrote to memory of 2324	3816	cmd.exe	90
PID 3816 wrote to memory of 2324	3816	cmd.exe	90
PID 2324 wrote to memory of 932	2324	u.dll	91
PID 2324 wrote to memory of 932	2324	u.dll	91
PID 2324 wrote to memory of 932	2324	u.dll	91
PID 3816 wrote to memory of 2204	3816	cmd.exe	95
PID 3816 wrote to memory of 2204	3816	cmd.exe	95
PID 3816 wrote to memory of 2204	3816	cmd.exe	95
PID 3816 wrote to memory of 3960	3816	cmd.exe	97
PID 3816 wrote to memory of 3960	3816	cmd.exe	97
PID 3816 wrote to memory of 3960	3816	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\c162356e660bdd31e84b1192dfe2114b.exe
"C:\Users\Admin\AppData\Local\Temp\c162356e660bdd31e84b1192dfe2114b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5767.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save c162356e660bdd31e84b1192dfe2114b.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\5813.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\5813.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe5814.tmp"
      4⤵
      Executes dropped EXE
      PID:932
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2204
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5767.tmp\vir.bat

Filesize
1KB

MD5
471433bde4b269f95f77d88fb4f62494

SHA1
e668b9339fa70ec8414fe584b7131a86c7da187d

SHA256
cc09f27765cb412ba0ac8ec30f33d955550bc5950997bb56ca427391363d683b

SHA512
875f9639f3b3d8ad6a90db8748ce03041731d50a53b8065cb8a29030967cab25076eb16e33160d85106d54bd10dd340326b44bbdc39bf714beddc269c765ae86

Download Submit
C:\Users\Admin\AppData\Local\Temp\5813.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5814.tmp

Filesize
41KB

MD5
0702e8031193a3474afa297d17cdc814

SHA1
46cd098f940f31e43b4a606603a0c153cdba950d

SHA256
9e596558228cdc87835f78d9072bdf2c25d3646e0541b3ac5e070dbb136cb116

SHA512
213f4d9187c0fcafaab34f0f91df5a2172a1f67e4750bc247552f430ec95a4c035f43be7421f2fd63da963a0044a6fcf343123dc34b5e26ece2cf9a54137ef94

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe5814.tmp

Filesize
742KB

MD5
52a143fa311a824bc287d38a8e700e45

SHA1
6c0679741ceea044310cfe1fb53bc552dbbf0f79

SHA256
61175612c8906a8e40ed0cf4f579a364901b1c833db7b369943197d59f6f9876

SHA512
498bbd5d5d2f0619f8e145fc22782380002001164707544a612837bda592329e01819def379dffaa8ba2fd7f86e30419fcfa4877c50c1e0b068a48c04ec3d910

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr58FD.tmp

Filesize
208KB

MD5
f5c81f0bb0b70447d96ebfae1293522d

SHA1
f783f96af59a472f16ee78590d4c8e28d5e3cf5e

SHA256
7f6d92f842391db71880a2a4232ac58f567a9498614f3df1c139475c0e1d9ff8

SHA512
9417ca64aca671d43b0b2d3bb72e01db3317468928233aa8841a3effa9a807bb66823c91e505af3c5d0c2211f110517a0627e1b0372f3b5d797d2d225deda3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
110ae9a995a0e99df2427f7b97b85eb2

SHA1
3655d0a5ce029e0bbc4d942e477e5be1745ee63b

SHA256
25d07cade85c1a9495bebf0a1f37447fda7401fe4e9d92869ababf83a46b240c

SHA512
4646debc7c8489219c4578bfeb568e178f33e2a589f649ae4ae6ed39a77ffd0a0fc0a401c5279758f975f99a9f777c18cc8e1aadb62c5ce16217e27fc644ded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
3f1178fd8da9f43401ea320f7d007992

SHA1
6a543826a2f25ced77a2e4f7ce9836b470ea8fcc

SHA256
f87ad010961dcd3c9a9279b9ce64bd63c3a2a998366be73b259401975a7abf4e

SHA512
3a27f27786c56c2729a18cbee2c6ebdc4a1cb950792e6770e513a869f78c0117d91dc35c564cc13007b47bae56605703987297f2ef7e21480b3f6edbe24d5ee6

Download Submit
memory/932-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4428-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4428-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4428-69-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads