e330f9246a677abaf2382307c5e18147d6c208397bc4cb1104f57921413ba693

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0dd07cda261348fb6a5362e75d0afb19.exe
Size

209KB
MD5

0dd07cda261348fb6a5362e75d0afb19
SHA1

1321a9d4b14d1f80c26aa01bc8ecd26888da0532
SHA256

e330f9246a677abaf2382307c5e18147d6c208397bc4cb1104f57921413ba693
SHA512

f9a82a4c282ffe7736cdae5d9f1350108e1b202cdc771dfeb34c1037760a7edd02ef88e399253973b7f732441307685c53b32d5e17ba905b50fac81a8f69ed7e
SSDEEP

6144:Gldbtg92f5FHa2agfQA0cJTC6SsV4U0jsxk38ozds5F9:eb+92f5FHRYA51LDqWk4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2732	u.dll
5012	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1116	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 3864	1828	0dd07cda261348fb6a5362e75d0afb19.exe	27
PID 1828 wrote to memory of 3864	1828	0dd07cda261348fb6a5362e75d0afb19.exe	27
PID 1828 wrote to memory of 3864	1828	0dd07cda261348fb6a5362e75d0afb19.exe	27
PID 3864 wrote to memory of 2732	3864	cmd.exe	20
PID 3864 wrote to memory of 2732	3864	cmd.exe	20
PID 3864 wrote to memory of 2732	3864	cmd.exe	20
PID 2732 wrote to memory of 5012	2732	u.dll	24
PID 2732 wrote to memory of 5012	2732	u.dll	24
PID 2732 wrote to memory of 5012	2732	u.dll	24
PID 3864 wrote to memory of 3644	3864	cmd.exe	23
PID 3864 wrote to memory of 3644	3864	cmd.exe	23
PID 3864 wrote to memory of 3644	3864	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\0dd07cda261348fb6a5362e75d0afb19.exe
"C:\Users\Admin\AppData\Local\Temp\0dd07cda261348fb6a5362e75d0afb19.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\44BA.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3864

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 0dd07cda261348fb6a5362e75d0afb19.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\4527.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\4527.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4528.tmp"
  2⤵
  - Executes dropped EXE
  PID:5012

C:\Windows\SysWOW64\calc.exe
CALC.EXE
1⤵
- Modifies registry class
PID:3644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44BA.tmp\vir.bat

Filesize
1KB

MD5
f9b5f1758f9a5b8487600f539b20f846

SHA1
d67371fde34480fe04d12917503314f0178cdfd4

SHA256
1e219ac1adfca40a304d6c192a78e27110e0e6ebe72e057f1f049971e5e97418

SHA512
6af904525354c68954b55899bef37e6b4981abbedc53c943ec8148100037fcfd07dfdafc0b33b07ddb4ed2b02b2be7d87d274dedcbd3811f2cab988e713bafc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4528.tmp

Filesize
41KB

MD5
2962dfcac22070e3da981e1115397938

SHA1
09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28

SHA256
d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951

SHA512
8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
4dd9f8069dd49b13d4a3ac4c7c3428b9

SHA1
978d3163aa8b716fc153eb679e9c3aba0fdcf739

SHA256
223e62294eb4b86cc1547704cd28c8680f575991c6055849859a2ab77394bb66

SHA512
14666b6c2230bd48708ca322df94675a407dc839ea70c8b43b3bbe5f47ebba26f3c12ed4f4a097e62f4ccc7e0fae9bf274b85d08bd29c2a654d03a41907cd79f

Download Submit
memory/1828-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1828-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1828-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5012-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads