66c6bf46eb6e3505b51901b7373dcbab9c38416fe6f7adf8a970c8972b4e5e0a

Analysis

max time kernel
142s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df880786b7bbc177d7c5e135d93a7ba0.exe
Size

208KB
MD5

df880786b7bbc177d7c5e135d93a7ba0
SHA1

dc328028a69662972bdc75fa8531327ec28096f9
SHA256

66c6bf46eb6e3505b51901b7373dcbab9c38416fe6f7adf8a970c8972b4e5e0a
SHA512

113b06b0f3b52e1cc299d3fab28ba11945299f4c1d79ab77887c6d120adc02ce80e5f353887d600a0dfc39ffd011cdfca866ed9d192ae12b8810a4bf52ff9b62
SSDEEP

3072:Xl4mjD1F//wsw+Tr0G6p2HT7P0LlX0dn37Ok2ErgoPonzupwbw:Xl4mjZF//dw+Tcp2fPhLOtE0oPog+w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2832	u.dll
2536	mpress.exe
2380	u.dll

Loads dropped DLL 6 IoCs

pid	Process
3012	cmd.exe
3012	cmd.exe
2832	u.dll
2832	u.dll
3012	cmd.exe
3012	cmd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3012	2240	df880786b7bbc177d7c5e135d93a7ba0.exe	29
PID 2240 wrote to memory of 3012	2240	df880786b7bbc177d7c5e135d93a7ba0.exe	29
PID 2240 wrote to memory of 3012	2240	df880786b7bbc177d7c5e135d93a7ba0.exe	29
PID 2240 wrote to memory of 3012	2240	df880786b7bbc177d7c5e135d93a7ba0.exe	29
PID 3012 wrote to memory of 2832	3012	cmd.exe	30
PID 3012 wrote to memory of 2832	3012	cmd.exe	30
PID 3012 wrote to memory of 2832	3012	cmd.exe	30
PID 3012 wrote to memory of 2832	3012	cmd.exe	30
PID 2832 wrote to memory of 2536	2832	u.dll	31
PID 2832 wrote to memory of 2536	2832	u.dll	31
PID 2832 wrote to memory of 2536	2832	u.dll	31
PID 2832 wrote to memory of 2536	2832	u.dll	31
PID 3012 wrote to memory of 2380	3012	cmd.exe	32
PID 3012 wrote to memory of 2380	3012	cmd.exe	32
PID 3012 wrote to memory of 2380	3012	cmd.exe	32
PID 3012 wrote to memory of 2380	3012	cmd.exe	32
PID 3012 wrote to memory of 1716	3012	cmd.exe	33
PID 3012 wrote to memory of 1716	3012	cmd.exe	33
PID 3012 wrote to memory of 1716	3012	cmd.exe	33
PID 3012 wrote to memory of 1716	3012	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\df880786b7bbc177d7c5e135d93a7ba0.exe
"C:\Users\Admin\AppData\Local\Temp\df880786b7bbc177d7c5e135d93a7ba0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\5F30.tmp\vir.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save df880786b7bbc177d7c5e135d93a7ba0.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\6104.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\6104.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe6105.tmp"
      4⤵
      Executes dropped EXE
      PID:2536
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save ose00000.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    PID:2380
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F30.tmp\vir.bat

Filesize
1KB

MD5
89c95107269d082d40c93f1468ffd775

SHA1
ecf7cda7cebb1442a56767fb96f50d1ad1d13913

SHA256
05d81eb4733bc3ef128aca91a74572457b30872a2128d83effbc6487f56bea7a

SHA512
6fc16d3dcee825f548497b617bc71be3d87c083bff9a1419fcdcbe0210ecc8be8b335a08078259ad431f2b44070f175d9819805c3e79b602c0109e0eb8c1624f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe6105.tmp

Filesize
41KB

MD5
9cdcf02f847ddde1f3b62c676c5cc737

SHA1
1e28bc7716cb6adb55b1b397dbabbe31adba3cf2

SHA256
d7726cc05bcd788912a23fc85f233775da28cb0d4d2920c2be66e5cc69e2b7ae

SHA512
438303dceafa36ac40271d6b7759248357109cc479a53dd4eb472ab35d51f333f629be2da54fc113bcdcf2bb4bdf4201b5075351842d20d7e818c80a31b88e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe6105.tmp

Filesize
43KB

MD5
0982710ab671940508e8d2276ef577ac

SHA1
e838b2a226f2acf50a4716d3165fe7086519848f

SHA256
9abf85527ad1ae29f1abc27f54b7d2f13accd448c78cc201489bf8ff8bb56d4c

SHA512
05e82e9f7c63eb8deaa64e887570c671961357a99468a205e54911b534febc59e48f1bec16e09ebead68e37f38f32704e9d15f4f9efc7c99cbc567c6626602d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe6105.tmp

Filesize
744KB

MD5
d33ab6fdb477870c62f2b39ba4574f1c

SHA1
058d79ce586d8d7bc490a2420f31632a983ab0ff

SHA256
32a3adac8c194790891f1578556f71b04d54c07e85528a6336351ec990ccb31f

SHA512
2f8a0f5f092c1ef6b3a91213f06c0f5a6e9b768735b101634201c42983446cd890bf07287c317196607fe28aa65f5c189520c094b7e6f14aab57128eeb6b37b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe6105.tmp

Filesize
209KB

MD5
45d3d7f168fb4da317fd4bf72b95828c

SHA1
e9b5aa44feda651b5aea773971934a6f04324536

SHA256
0271e3f95c79cf73a5ca6375908da14472dd9903204b7219fdf9b723c04840a3

SHA512
818ed0d12cced912b049ef85cdfec71d5abf6c628e78d5ab72fa375fd2a33b3f5e525c7fbaf83a6cf8921e729c19ba5732267977c965db5d0d421eb3413d9992

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
ac3e2f16df5b8e004bc7528957957c95

SHA1
318dfb96abdc8e9d3778788dfdbb1f3dba885fba

SHA256
c53ac431faed8f5ab7c67b254f913efe0dceaafdbf26b02b930d07f45d840fe2

SHA512
4c60d3b255c38807a104e4362493dbf651fb8893633e94ee9a4c69770773f8d7bf95d310051154b9bd74d6eb1993626a5eb107e74e891d681f0398c64a7ebaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
d169a82dddccf00ae6e79506f97ef5f1

SHA1
0b6ce0b6ce136069239c3b2e45db6e70d921888d

SHA256
bb90adfbfaebdd361879b7a46f02fa8dca46f4de0073137959bfe6b52bf43659

SHA512
1e9986b807b0f3b94c829aecd81d57a8434c9b4e8e3d6a1e0fa5e18870e7380c6c580a32cf36dc297a2f63416c4352b161758e32528afd41dcb162b5098c4bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
2b0a55f670e483feeec4d0aa0b7208a7

SHA1
408e7b99d9f25476dab39a32a7bac62c5b1c6aee

SHA256
3307ece236881dc500b380cb6e973479769b2e04f09ffda662483bcaae285a0e

SHA512
e14eafbf29240a6bbe6eb738a0bb01796cac3dacba9433efecb29636ee828368814dea982b5a3b60588cb20a6d8aede5497c58f8b7c73ac21bfdf1b7933e74cb

Download Submit
\Users\Admin\AppData\Local\Temp\6104.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
memory/2240-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-111-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2536-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-60-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download
memory/2832-65-0x00000000004C0000-0x00000000004F4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads