25559a3f73bf2d86a333fb1f7d6c7b794576c276f5823d2a5f771a94259490d4

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09e4b4b943b6bb80d59b83fb8f6b9470.exe
Size

209KB
MD5

09e4b4b943b6bb80d59b83fb8f6b9470
SHA1

a57e6d9adcaf9076b060d2b033ecef428fe2f6a1
SHA256

25559a3f73bf2d86a333fb1f7d6c7b794576c276f5823d2a5f771a94259490d4
SHA512

10c9663771b6f1368e8172a0ea2edbc2b6dd9edcf2fe068a1f0ddaa1d8cc99fe79fef0482485ea010fba1b39002ba23686a52b80243d126a97c8ee6c205661bf
SSDEEP

3072:AligYAyRYjGkHgzC9fOlnCLRH6kP9ni5KRh2OPMcb6rky8+ZsiCF8dvNce:Ali5zglHgz62lCLRHG5I2OBmrJ8StP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1064	u.dll
5104	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1472	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4816	456	09e4b4b943b6bb80d59b83fb8f6b9470.exe	30
PID 456 wrote to memory of 4816	456	09e4b4b943b6bb80d59b83fb8f6b9470.exe	30
PID 456 wrote to memory of 4816	456	09e4b4b943b6bb80d59b83fb8f6b9470.exe	30
PID 4816 wrote to memory of 1064	4816	cmd.exe	29
PID 4816 wrote to memory of 1064	4816	cmd.exe	29
PID 4816 wrote to memory of 1064	4816	cmd.exe	29
PID 1064 wrote to memory of 5104	1064	u.dll	36
PID 1064 wrote to memory of 5104	1064	u.dll	36
PID 1064 wrote to memory of 5104	1064	u.dll	36
PID 4816 wrote to memory of 3360	4816	cmd.exe	37
PID 4816 wrote to memory of 3360	4816	cmd.exe	37
PID 4816 wrote to memory of 3360	4816	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\09e4b4b943b6bb80d59b83fb8f6b9470.exe
"C:\Users\Admin\AppData\Local\Temp\09e4b4b943b6bb80d59b83fb8f6b9470.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\495D.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3360

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 09e4b4b943b6bb80d59b83fb8f6b9470.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe49CB.tmp"
  2⤵
  - Executes dropped EXE
  PID:5104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\495D.tmp\vir.bat

Filesize
2KB

MD5
f0bb502733d88b8d657a9522df60d24d

SHA1
0f9f73591aafa28300169df0dff51afda2f810fc

SHA256
ef6f9ac7c1d737f3e15fb76f77c624156eb6e0e53414fec00a897cef38180d9a

SHA512
98ceaf127856a0d44279204b38e613f84fb3d6f24b9d0e7981f9543b703dcee1655023629bde1ac436be5de6a939ddcdc4c7a3084786692e7e4e82d6cabc4f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\49CA.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe49CB.tmp

Filesize
41KB

MD5
f6e37b5b08d4514d8347cb5ed4e670f2

SHA1
0c42b901ed5f2e9e76822ccdab3299b714a89cf0

SHA256
41ac25ee169e9baeccb3d8ccaa3be68b912286125520e56d0ed9854608966a02

SHA512
03cb6ed9236b0e5b679ba92f4e5ca07a1874717af3dcb7f24237c7431bdacfebcfecd46df500083f40f626f5ddef4b18c12feb5338924522dfd9f32751b6f301

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe49CB.tmp

Filesize
24KB

MD5
2ee399a17c0ea32edccfc8f85c5656dd

SHA1
5b8d2aa9fc07724ec5dc516f6bb394b8413562f9

SHA256
a28469395940fbbd313b48ab4f6bac264019b957fa4410b0ec02188e7e1991e8

SHA512
bafc48a3cc6140f3c67b43392506b4ff64d8ed90e4946975648bd43a11906aa133654c930f76c10065ee48b4405e76262b3861eea93f81aac42246f7ff4d377d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
361KB

MD5
6528ad5b5163320bd8dcc1a1c5b89f64

SHA1
99b2688579a9e87ea8ec73cf0362dbd0bc002b6c

SHA256
38990e6289e9f189e50ea0c69f5e8270ece338288e86a37c4fa6500d882dfe62

SHA512
3f0cb669736866e70ed3b9a8e7b65a1efb96288f80e3b4b3eff98890f8f7f4acb24c49a20ade045b837c6bb5e5a732178d966b67b44c94d4384f6b228b120931

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
376KB

MD5
188b8f112889dbed4f5460eb720c8b27

SHA1
d10444e8e85985477c3bdaeb5469ae9a9f7f2a92

SHA256
8230c03527a6762e5b0d6e30151879af947eef4c91235f5196d2adf5b250f759

SHA512
36e97c2d930af24f23c5c58c8a84efec78a674e20d322eee4ed0a56d872f3fdd0448041f27ad716f52af17f1fbc4c80fbe7bc268e630275a22caa02bf0c2c05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
529KB

MD5
31d42fad30593878387a18c63a357827

SHA1
a1a9d4e6ef868769e3288dc11a9616de280b373f

SHA256
a7dfa4bdd674d0db28df7f9e2c1329e00485d42d9de7d4d6686e73d07b4394ab

SHA512
6d8927447e7672f99877f4ebe42cbea9c13cfde8b6fdfb3cf4467854a0f5af7412c903d908611fbf766f0a3b91bb7939810343d7a49230ff50ef2307a9c4d926

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
373KB

MD5
fc4f685c805641af5385fcf152ec0536

SHA1
708a5791c7d750f6bc4fe4439a483b6bb2d5076d

SHA256
9289434d688ee5553dc11fc35f1dc1313a8f1ed4fd0290790d12cc05b232aaf2

SHA512
67b3724fc0d7efecdf8c2b1a2f17976533e4d3084212a2301ab1b72d13e17186b6e53b11ed60b120ecc4a267cea76ffceb51c434a2077a6268c0fa6ab851c9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
d89ad41847b195dfb6ddf03e06d72982

SHA1
3bce015b0f43bf07a81c70b89526199e4a3f5adc

SHA256
a4540a3b413828159f55965601fe2eb25710a99842351a0875fb360147e72e82

SHA512
32d54ab8e48d8cc06c8105792ea56d85d997785aa9cc71bfcb9ecb4aafbe8894c3cd1034c1c0e459b231d91ef02dac5f2b104c82d8e7ba1e340abf5e3c226b58

Download Submit
memory/456-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/456-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/456-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5104-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads