4f7eb00d9beb7c6a438a18d8af591632ab3fa18cb52439b0349cd26254218b34

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 05:03

Target

06a453f7368ac4003e72dbbe329a26f8.exe
Size

209KB
MD5

06a453f7368ac4003e72dbbe329a26f8
SHA1

3673834c07e2fbf5e6c3e3445f7c6358e677dfb0
SHA256

4f7eb00d9beb7c6a438a18d8af591632ab3fa18cb52439b0349cd26254218b34
SHA512

9d90950760c3107b8900bcf5b748540d93da43fc0bd4021d18a4461dd40452ef39e755c53a5b6d9ec851411f17983e109cf0d35bd57a774fdc63ac95e3f36cf6
SSDEEP

6144:al0n6auRkbBfXUFp3I9XaGcaNwmJSXmBMkoDEbxPq+2uVguqc:Nn6auRkxkFi9DcaNwmJemBFOqq+Vguqc

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
4756	u.dll
4604	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4908	OpenWith.exe
1928	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1732	1372	06a453f7368ac4003e72dbbe329a26f8.exe	26
PID 1372 wrote to memory of 1732	1372	06a453f7368ac4003e72dbbe329a26f8.exe	26
PID 1372 wrote to memory of 1732	1372	06a453f7368ac4003e72dbbe329a26f8.exe	26
PID 1732 wrote to memory of 4756	1732	cmd.exe	20
PID 1732 wrote to memory of 4756	1732	cmd.exe	20
PID 1732 wrote to memory of 4756	1732	cmd.exe	20
PID 4756 wrote to memory of 4604	4756	u.dll	21
PID 4756 wrote to memory of 4604	4756	u.dll	21
PID 4756 wrote to memory of 4604	4756	u.dll	21
PID 1732 wrote to memory of 684	1732	cmd.exe	23
PID 1732 wrote to memory of 684	1732	cmd.exe	23
PID 1732 wrote to memory of 684	1732	cmd.exe	23
PID 1732 wrote to memory of 3464	1732	cmd.exe	35
PID 1732 wrote to memory of 3464	1732	cmd.exe	35
PID 1732 wrote to memory of 3464	1732	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\06a453f7368ac4003e72dbbe329a26f8.exe
"C:\Users\Admin\AppData\Local\Temp\06a453f7368ac4003e72dbbe329a26f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\490F.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3464

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 06a453f7368ac4003e72dbbe329a26f8.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\497C.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\497C.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe497D.tmp"
  2⤵
  - Executes dropped EXE
  PID:4604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Users\Admin\AppData\Local\Temp\490F.tmp\vir.bat

Filesize
1KB

MD5
ec5bd5f6f6a25b7289f8cacb1f946e11

SHA1
a81fa77ee2c535889e5967cfcdb4fa0cf4638996

SHA256
71ab512974d8833918d41728318d9e0ec7062367e4b883fc87edf670d68ee0bb

SHA512
c33b09f5dbd0a1193ab98dc1f373db648d06609ba9be1deda3a97cd14d7c4483c04bbb5df7b13d858cc4f077640cb5002727435f681d54311af493182f8d2a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
715d4aba5d4f140e7e245923ecc7ffe2

SHA1
768ea5dd2dcd117a36508b9dead97509f9dc20f2

SHA256
84f923ca39ad8cfc834225ff9c0c898483ebc7f9b5edf3866f2c174a87f4817c

SHA512
a61a480f4e076641374cc45fd456ee5676c0e3f0a7ab201e3ce5e3916e872995b5d4b3bca28ed3d60fc1bf36815ed96625b282d009a97257c733a7287d0a9c72

Download Submit
memory/1372-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1372-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1372-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4604-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download