58ce1000a10c2ea608213fd0a25e2335680e03f638ba24a11abe3ab6b924ed36

General

Target

ce296760437b4fd4fe7de03de76f1986.exe
Size

209KB
MD5

ce296760437b4fd4fe7de03de76f1986
SHA1

a43a7b472c131b5b4cd0f0e343392bac355430c4
SHA256

58ce1000a10c2ea608213fd0a25e2335680e03f638ba24a11abe3ab6b924ed36
SHA512

99dfe9981a4db0adf7ec2ec9432644a885096e424c0a2e48fd0d387bebc8f0b15254231b24d1b4cac504dc0b9cccf6cae72be114867430f3945511ba034fefaf
SSDEEP

6144:qlsSFhzeSWjfnGO2p+vqxhZLTCi88jVL2iUWxcQ:JUhEyOOVxfSi8annx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2124	u.dll
684	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3508	OpenWith.exe
1360	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1244	3048	ce296760437b4fd4fe7de03de76f1986.exe	88
PID 3048 wrote to memory of 1244	3048	ce296760437b4fd4fe7de03de76f1986.exe	88
PID 3048 wrote to memory of 1244	3048	ce296760437b4fd4fe7de03de76f1986.exe	88
PID 1244 wrote to memory of 2124	1244	cmd.exe	89
PID 1244 wrote to memory of 2124	1244	cmd.exe	89
PID 1244 wrote to memory of 2124	1244	cmd.exe	89
PID 2124 wrote to memory of 684	2124	u.dll	90
PID 2124 wrote to memory of 684	2124	u.dll	90
PID 2124 wrote to memory of 684	2124	u.dll	90
PID 1244 wrote to memory of 1332	1244	cmd.exe	94
PID 1244 wrote to memory of 1332	1244	cmd.exe	94
PID 1244 wrote to memory of 1332	1244	cmd.exe	94
PID 1244 wrote to memory of 2064	1244	cmd.exe	96
PID 1244 wrote to memory of 2064	1244	cmd.exe	96
PID 1244 wrote to memory of 2064	1244	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\ce296760437b4fd4fe7de03de76f1986.exe
"C:\Users\Admin\AppData\Local\Temp\ce296760437b4fd4fe7de03de76f1986.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35A6.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ce296760437b4fd4fe7de03de76f1986.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\3633.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\3633.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe3634.tmp"
      4⤵
      Executes dropped EXE
      PID:684
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1332
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\35A6.tmp\vir.bat

Filesize
1KB

MD5
4e23c21b139f85843ed5a855085c9ff4

SHA1
fb5326c54dad5988783e5b952f1d42767d543ad1

SHA256
1df5dd76bf338aa79ccc3b9dafcfa1c8555cc70f5bda7bb81633c68fb713bfe8

SHA512
26a67c403772b5bef89a2f730422099a004262f700b7d5234eb81f66ec58bf5eafb80f28ed28c6a425e45182bc9ed13ac462d6f4cfbeecb6c9fac6be6beab078

Download Submit
C:\Users\Admin\AppData\Local\Temp\3633.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3634.tmp

Filesize
41KB

MD5
bac68e690b1c14dba6029b68bf6485e0

SHA1
911ac3beb4e166a4fd3e263787175b257a8a2125

SHA256
45422da2885226ab32d568f8155b68c173675a7a5ca058f1e75feddc5229348d

SHA512
6ab4ded492eb5c594ba5a0da0eb0f6f812b459de500b9111264276e6eadaefd58e470abb2bebd4c044b689dddd08a919a947417f53d246e4547befc859f5d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe3634.tmp

Filesize
41KB

MD5
c5589f60d14abe1707fcee8b5e9d2c85

SHA1
5689893df6cb7fa7f3a194fee696e8e3781005e1

SHA256
d83cd1518f13052ba4b8076924b3a410a9fd75725b2e37705438f442aab07509

SHA512
d46cc2bbaa002db37df79c8f558c943c59012b4154a7f669b5d6b9f516c83042558b32f67ec219aedb0bb55dd17e0f8bb99f3fd1ffce5133bf6fccd6144c5194

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr373C.tmp

Filesize
25KB

MD5
71974f4c9d4074b761ce76c67028bdcc

SHA1
4f3591b21ba6f6ee0ff9fa1f3e9bb150d9b264d8

SHA256
b3317752a95b04db0ed147bc88ce264bc49f6d9299adfc6cffdbe18f09ecb130

SHA512
91a83bcad34743bf01e91ebdfe0014bfd23e4ecff1521b27fc8d8a4c9d2bff51631c40d4d0400885453865bc82e1490585692d6b2bce4dd46b36820504b24421

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
b9dd7ab9d6f863ea416f9ecdb7f39cf1

SHA1
d36975e9cd5d8e54fb01186afdecb42e932fa356

SHA256
e5886dd9562fee3cfb916fde420a9d063b9cedb408d94ede1805c7c40f6c1d57

SHA512
715f1923ac8ce7e3bbc720f66a8bcd249f416202e8ce454fb7a54aea93b24cc8474be29dbd3735c03af8f6bef13418e9c5f6ba9a78dcf1844ca4a631fddffae1

Download Submit
memory/684-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3048-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3048-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads