3cb1b41ea234f3ee80f87f6a4e3ecab42cf7a076c4fe68861ab3d0596dbda404

Analysis

max time kernel
1s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 23:56

Target

44a297cf8e98419e8987141cf66fe129.exe
Size

209KB
MD5

44a297cf8e98419e8987141cf66fe129
SHA1

4b504f0e5c28f0ff99137f1db06512fbbb2f4fa4
SHA256

3cb1b41ea234f3ee80f87f6a4e3ecab42cf7a076c4fe68861ab3d0596dbda404
SHA512

60d9a0896eab319cf8db5cd14bd93f8a4c89bebd9d2402733c27503a70f65d800b93b566c149d4838a08e74f3125fe2030b29fa3cc3a631f238ac472a73040b6
SSDEEP

6144:Kl8sGcdu3dgI7+26cePVetEtld4TbmlQCEPOoFYY7MF:OTdu3Kb2v5atlCbyYGy7M

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
436	u.dll
112	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2740	2264	44a297cf8e98419e8987141cf66fe129.exe	25
PID 2264 wrote to memory of 2740	2264	44a297cf8e98419e8987141cf66fe129.exe	25
PID 2264 wrote to memory of 2740	2264	44a297cf8e98419e8987141cf66fe129.exe	25
PID 2740 wrote to memory of 436	2740	cmd.exe	24
PID 2740 wrote to memory of 436	2740	cmd.exe	24
PID 2740 wrote to memory of 436	2740	cmd.exe	24
PID 436 wrote to memory of 112	436	u.dll	23
PID 436 wrote to memory of 112	436	u.dll	23
PID 436 wrote to memory of 112	436	u.dll	23
PID 2740 wrote to memory of 1960	2740	cmd.exe	21
PID 2740 wrote to memory of 1960	2740	cmd.exe	21
PID 2740 wrote to memory of 1960	2740	cmd.exe	21

C:\Users\Admin\AppData\Local\Temp\44a297cf8e98419e8987141cf66fe129.exe
"C:\Users\Admin\AppData\Local\Temp\44a297cf8e98419e8987141cf66fe129.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4D84.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\4DE1.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\4DE1.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4DE2.tmp"
1⤵
- Executes dropped EXE
PID:112

C:\Users\Admin\AppData\Local\Temp\4D84.tmp\vir.bat

Filesize
1KB

MD5
3c9c2bcc3797fcec966be89e524f3f0c

SHA1
75c06b80730705d621d3909037bb54120a806895

SHA256
9c85bc2b42a74b5767cc08f36a7085f823e906f35320b6f99f4ab821a6638a79

SHA512
081124e3f55190e04f2b57729456dd26cbd57d040111ed85d34148669e44df0278006572b85c1eff7a1dd52b6c94963f6f36a77c41ffec8e4750fc0912b6f308

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
92KB

MD5
3ead3d1666a7ba5496ca7f0bdba490e6

SHA1
1c2707e1ed0b80eceb9e222e7c12e922e1ad1a13

SHA256
9c86a7b9cbd93a18253b5101b8a4272f9396e752177b5a49520384df06f18f5d

SHA512
147d684c5f73aa2aadc05c01c9aa31e887242edf53b97f151024ddf84384b2517dc6bd9a7bb52d9c607f47583b7b4868e809ad042e7f8e951e6a331004c62335

Download Submit
memory/112-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/112-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2264-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2264-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download