62f437e363dbfbe1d9e99907b0eca8f2b9083ceface26e177e38f098b0a4d5b7

Analysis

max time kernel
1s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 06:49

Target

0cbaa61694803eea6300dbd5b250b507.exe
Size

209KB
MD5

0cbaa61694803eea6300dbd5b250b507
SHA1

b72126bc96f7488fcef65bda68268009e13fed34
SHA256

62f437e363dbfbe1d9e99907b0eca8f2b9083ceface26e177e38f098b0a4d5b7
SHA512

3f723ffa8129964aae9f717de3a8e7f0ed17bffcf045cfcbec385abd1abb2b38937677889c23a36ac9c38bad08fd0ca6e8f483d91892834f1961891d93af3b8a
SSDEEP

6144:jlVCYIpCSYIGo4EWiS0E/vkVi0W/2WjE:uYFo4tiS0yT

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
4604	u.dll
3888	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 2884	3924	0cbaa61694803eea6300dbd5b250b507.exe	23
PID 3924 wrote to memory of 2884	3924	0cbaa61694803eea6300dbd5b250b507.exe	23
PID 3924 wrote to memory of 2884	3924	0cbaa61694803eea6300dbd5b250b507.exe	23
PID 2884 wrote to memory of 4604	2884	cmd.exe	21
PID 2884 wrote to memory of 4604	2884	cmd.exe	21
PID 2884 wrote to memory of 4604	2884	cmd.exe	21
PID 4604 wrote to memory of 3888	4604	u.dll	18
PID 4604 wrote to memory of 3888	4604	u.dll	18
PID 4604 wrote to memory of 3888	4604	u.dll	18
PID 2884 wrote to memory of 3464	2884	cmd.exe	17
PID 2884 wrote to memory of 3464	2884	cmd.exe	17
PID 2884 wrote to memory of 3464	2884	cmd.exe	17

C:\Users\Admin\AppData\Local\Temp\0cbaa61694803eea6300dbd5b250b507.exe
"C:\Users\Admin\AppData\Local\Temp\0cbaa61694803eea6300dbd5b250b507.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4AB5.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884

C:\Users\Admin\AppData\Local\Temp\4B13.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\4B13.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4B14.tmp"
1⤵
- Executes dropped EXE
PID:3888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5052

memory/3888-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3924-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3924-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3924-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download