7d0d8474a3c4561bf4f54de8b04d6852fe5c114169d750e61d7da51a06e2940a

Analysis

max time kernel
1s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 11:30

Target

1ae661911338de08b9a4ae130e46756f.exe
Size

209KB
MD5

1ae661911338de08b9a4ae130e46756f
SHA1

fe553a1ef917c0e3372bb5c531afb0a55ba0a429
SHA256

7d0d8474a3c4561bf4f54de8b04d6852fe5c114169d750e61d7da51a06e2940a
SHA512

cbab529739c5e6a02607c9f5b346f69c0bba237df3feb796fc07efa41c5aeb25901ca6e946791704f08484a7235de644d4f16720c5d9d5568397dc79fb9bc51b
SSDEEP

6144:vl0n6auwBkUgHaZmXblLxfuaQbNtTs/ezCY2Eii+:On6auckblL8aQR0yN2Ee

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2344	u.dll
5036	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4320	2680	1ae661911338de08b9a4ae130e46756f.exe	17
PID 2680 wrote to memory of 4320	2680	1ae661911338de08b9a4ae130e46756f.exe	17
PID 2680 wrote to memory of 4320	2680	1ae661911338de08b9a4ae130e46756f.exe	17
PID 4320 wrote to memory of 2344	4320	cmd.exe	25
PID 4320 wrote to memory of 2344	4320	cmd.exe	25
PID 4320 wrote to memory of 2344	4320	cmd.exe	25
PID 2344 wrote to memory of 5036	2344	u.dll	21
PID 2344 wrote to memory of 5036	2344	u.dll	21
PID 2344 wrote to memory of 5036	2344	u.dll	21
PID 4320 wrote to memory of 4392	4320	cmd.exe	19
PID 4320 wrote to memory of 4392	4320	cmd.exe	19
PID 4320 wrote to memory of 4392	4320	cmd.exe	19

C:\Users\Admin\AppData\Local\Temp\1ae661911338de08b9a4ae130e46756f.exe
"C:\Users\Admin\AppData\Local\Temp\1ae661911338de08b9a4ae130e46756f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5217.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:3960
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 1ae661911338de08b9a4ae130e46756f.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2344

C:\Users\Admin\AppData\Local\Temp\5275.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\5275.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe5276.tmp"
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4588

memory/2680-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2680-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2680-68-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5036-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download