66c6bf46eb6e3505b51901b7373dcbab9c38416fe6f7adf8a970c8972b4e5e0a

General

Target

df880786b7bbc177d7c5e135d93a7ba0.exe
Size

208KB
MD5

df880786b7bbc177d7c5e135d93a7ba0
SHA1

dc328028a69662972bdc75fa8531327ec28096f9
SHA256

66c6bf46eb6e3505b51901b7373dcbab9c38416fe6f7adf8a970c8972b4e5e0a
SHA512

113b06b0f3b52e1cc299d3fab28ba11945299f4c1d79ab77887c6d120adc02ce80e5f353887d600a0dfc39ffd011cdfca866ed9d192ae12b8810a4bf52ff9b62
SSDEEP

3072:Xl4mjD1F//wsw+Tr0G6p2HT7P0LlX0dn37Ok2ErgoPonzupwbw:Xl4mjZF//dw+Tcp2fPhLOtE0oPog+w

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4708	u.dll
1500	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
116	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 4056	2520	df880786b7bbc177d7c5e135d93a7ba0.exe	89
PID 2520 wrote to memory of 4056	2520	df880786b7bbc177d7c5e135d93a7ba0.exe	89
PID 2520 wrote to memory of 4056	2520	df880786b7bbc177d7c5e135d93a7ba0.exe	89
PID 4056 wrote to memory of 4708	4056	cmd.exe	90
PID 4056 wrote to memory of 4708	4056	cmd.exe	90
PID 4056 wrote to memory of 4708	4056	cmd.exe	90
PID 4708 wrote to memory of 1500	4708	u.dll	93
PID 4708 wrote to memory of 1500	4708	u.dll	93
PID 4708 wrote to memory of 1500	4708	u.dll	93
PID 4056 wrote to memory of 1164	4056	cmd.exe	95
PID 4056 wrote to memory of 1164	4056	cmd.exe	95
PID 4056 wrote to memory of 1164	4056	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\df880786b7bbc177d7c5e135d93a7ba0.exe
"C:\Users\Admin\AppData\Local\Temp\df880786b7bbc177d7c5e135d93a7ba0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\78AA.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save df880786b7bbc177d7c5e135d93a7ba0.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\7A50.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\7A50.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe7A51.tmp"
      4⤵
      Executes dropped EXE
      PID:1500
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\78AA.tmp\vir.bat

Filesize
1KB

MD5
89c95107269d082d40c93f1468ffd775

SHA1
ecf7cda7cebb1442a56767fb96f50d1ad1d13913

SHA256
05d81eb4733bc3ef128aca91a74572457b30872a2128d83effbc6487f56bea7a

SHA512
6fc16d3dcee825f548497b617bc71be3d87c083bff9a1419fcdcbe0210ecc8be8b335a08078259ad431f2b44070f175d9819805c3e79b602c0109e0eb8c1624f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A50.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7A51.tmp

Filesize
41KB

MD5
9cdcf02f847ddde1f3b62c676c5cc737

SHA1
1e28bc7716cb6adb55b1b397dbabbe31adba3cf2

SHA256
d7726cc05bcd788912a23fc85f233775da28cb0d4d2920c2be66e5cc69e2b7ae

SHA512
438303dceafa36ac40271d6b7759248357109cc479a53dd4eb472ab35d51f333f629be2da54fc113bcdcf2bb4bdf4201b5075351842d20d7e818c80a31b88e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7A51.tmp

Filesize
741KB

MD5
3c2cadcc1f10be2139916db6572e348c

SHA1
6cd038cdb6407d5ba80559500e2f17b63bc92906

SHA256
a68ab6e49126dae2d842d8032a6d1a72c7a2bf4346768d008d9125e53268723c

SHA512
c5ae3d110a093336816fc59b19bdd061acd6311698e47e6ea2036ae1dbe364053bef1777ea880b6877155e2a17a677778b7884264d9a32710134ce12e3175e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr8194.tmp

Filesize
207KB

MD5
1fdcee4df506395d2269028fd5da87f3

SHA1
43382f3f0fc52a4f20569149ecb3399823bdac38

SHA256
6f84d9193bc1b7f05d4e67a0c33f68e818d1623a5620258a52118cfbec025f06

SHA512
7092523979046c1c00397351aa0ba688fe4beb9309b73002698e5ecce7b1995e7c71ebb52aa0dbe8a34793665583a579d38ccb0e423b3d07e85eae450544ae9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
ac3e2f16df5b8e004bc7528957957c95

SHA1
318dfb96abdc8e9d3778788dfdbb1f3dba885fba

SHA256
c53ac431faed8f5ab7c67b254f913efe0dceaafdbf26b02b930d07f45d840fe2

SHA512
4c60d3b255c38807a104e4362493dbf651fb8893633e94ee9a4c69770773f8d7bf95d310051154b9bd74d6eb1993626a5eb107e74e891d681f0398c64a7ebaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
d169a82dddccf00ae6e79506f97ef5f1

SHA1
0b6ce0b6ce136069239c3b2e45db6e70d921888d

SHA256
bb90adfbfaebdd361879b7a46f02fa8dca46f4de0073137959bfe6b52bf43659

SHA512
1e9986b807b0f3b94c829aecd81d57a8434c9b4e8e3d6a1e0fa5e18870e7380c6c580a32cf36dc297a2f63416c4352b161758e32528afd41dcb162b5098c4bda

Download Submit
memory/1500-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1500-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2520-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2520-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2520-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads