468c76e378cf9552cc72d371cd6f51dd61b0083691ac49302e0ccd670673efa6

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d1c0ecc1bd61eda6af0bf391d4500bb.exe
Size

209KB
MD5

0d1c0ecc1bd61eda6af0bf391d4500bb
SHA1

1d21d79cfb2deb91ac5735f6d2b419428cadda1d
SHA256

468c76e378cf9552cc72d371cd6f51dd61b0083691ac49302e0ccd670673efa6
SHA512

f46c3edd4128a81c920384cd07fe4f8f9e6f12f27d7f681094d2aad4d6bd3821fbf6302f85d7534ca433ecdbd1e9d5c0759cfcf34f4620c74a9d27dee64e9c21
SSDEEP

3072:nldDFCbYPYmAFF7JZAv7oTDxsYzlDjJcj3e32V7ZTSnd6Mg+w6T:nldxCbYPYFFIv74t7zpV2q2PT3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4996	u.dll
3880	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5116	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1092	1052	0d1c0ecc1bd61eda6af0bf391d4500bb.exe	91
PID 1052 wrote to memory of 1092	1052	0d1c0ecc1bd61eda6af0bf391d4500bb.exe	91
PID 1052 wrote to memory of 1092	1052	0d1c0ecc1bd61eda6af0bf391d4500bb.exe	91
PID 1092 wrote to memory of 4996	1092	cmd.exe	92
PID 1092 wrote to memory of 4996	1092	cmd.exe	92
PID 1092 wrote to memory of 4996	1092	cmd.exe	92
PID 4996 wrote to memory of 3880	4996	u.dll	94
PID 4996 wrote to memory of 3880	4996	u.dll	94
PID 4996 wrote to memory of 3880	4996	u.dll	94
PID 1092 wrote to memory of 2056	1092	cmd.exe	95
PID 1092 wrote to memory of 2056	1092	cmd.exe	95
PID 1092 wrote to memory of 2056	1092	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\0d1c0ecc1bd61eda6af0bf391d4500bb.exe
"C:\Users\Admin\AppData\Local\Temp\0d1c0ecc1bd61eda6af0bf391d4500bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E98.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 0d1c0ecc1bd61eda6af0bf391d4500bb.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Local\Temp\7119.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\7119.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe711A.tmp"
      4⤵
      Executes dropped EXE
      PID:3880
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6E98.tmp\vir.bat

Filesize
1KB

MD5
d2a03b028d8452d110af211cf2b99383

SHA1
8ac49c33e37495bf6a646be2357bbf3a198a601a

SHA256
bba9612e8ae023170618a05c27095e12e0a04c119ca63518a2cb3631c6f1062b

SHA512
14270009528b9d1e4bca2cc174a8f8ee50fadad556e52e621ef73c638ddd783dcb005793a7092a5b9cf38634569ac4b10677a786de207efd9123cfd78893718d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7119.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe711A.tmp

Filesize
41KB

MD5
2962dfcac22070e3da981e1115397938

SHA1
09a2ddd77cc9265c1c9a3a0b3797ea5007e3bd28

SHA256
d47a5a1f144a7b1a0267ec604f18238419a29402b4ef51f1b2165f346ef88951

SHA512
8efe28ee9ba694a2cc010bb61736de3f7bc190c3656f814a700e9992391a174982fa21f16d24ce1c36876e095f1a76569183cee52048ae22102cac621beb422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe711A.tmp

Filesize
741KB

MD5
799f72d27f76fe1aed76843c8c732f58

SHA1
5fec5156dfe34a1b05c383221856423ea7dce11e

SHA256
29863b1375d5022a9003e60e0b0457b5547e95a96cff50b721f3f188a3a98208

SHA512
f54ce7b1c6cca84e0a3f698ad9a915e6165a74ee9d21ccb1346a871781c37599681dcb8db42b78f1f81a49179d4f51a9ee5bb7b88ca9e8d904f84e76ca2a4c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr7271.tmp

Filesize
207KB

MD5
9125af36bbd8f8c1a81ba1f96eb5ff91

SHA1
9d76ec3f2a7f83f1d147725268c51115af356aaf

SHA256
92203e0188b931ee9fd48d31b07409836c67e01ee0c02c85c41f3aceae8d1b24

SHA512
c7812cbab8447d8d0a7dd59ca8936a407b1b2a5ab2203e9c626966c5ba5a70ddb4ca4ee66e7a711fcca4bac1e0a11a0b3b5db142ef01d23cda2380ba1ac334ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
508KB

MD5
33d789ab56f9da88eed3ad905b09843a

SHA1
0dcacc89fee5d3d24d787ad87e8a3abfd66125e5

SHA256
031c24007a61763864cf0b548aa23ffe95750f1b6064670e60fba90ad5110c48

SHA512
3f15c308daf385cb250719ac6751444f8fa0778a455ea48f3021b098ca33dbadae85e5f6cc56ef2560871b2e7f2485d605515b36512e183932541f972314b4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
337KB

MD5
7f58d9ea879c4873253896e035f32334

SHA1
c7ddedc831e5af40e368d06692db093d92adff96

SHA256
8eaa6c394189bccd25f1550152ec64a18a33a10fc8b0701d55c3a2e70036b8ee

SHA512
f131cd703d0c54a40048e34820553e0cf53d6ecfa0df23e0b6303d35ba3c8e38aae4384255677565e8760343aeb1af4e2d45504e763481a0ec361d42ffdd0958

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
5052cc6558e4954e9065d5c4e11b1f26

SHA1
abcbec4e3d9f5f3ff11df2573250cf51c49b6fc0

SHA256
28b4f0353bd33f85f133c99c96d1ee57d3a8df12dcec0baee38a32c312b1d285

SHA512
164d034a7e58d3a6672b8327b5a07137779a554dbed8ee24a21bd904376be676ad77ff4de51dca1534918c2934f0cadc90cfd9537c68ae393099a254603aa1e5

Download Submit
memory/1052-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1052-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1052-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3880-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads