65a3554cac0e9afbf29c1f11d93577ac7c20432e090c6b25dd36d84ea1c082cb

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 12:32

Target

1ea69db85dd76d6b1d0e0709af8439a5.exe
Size

209KB
MD5

1ea69db85dd76d6b1d0e0709af8439a5
SHA1

e3b17d1f365154f65b7d1fa37bfd5cd7654dc48a
SHA256

65a3554cac0e9afbf29c1f11d93577ac7c20432e090c6b25dd36d84ea1c082cb
SHA512

1fb7b9301a9ecbc448d843f7a4df998ef1311f2f4cd91160b17d955acfd4cf6caa7971298f746ade7a9d68267bf79a036c9b1feda066821307e425f8e3c36cee
SSDEEP

6144:AlUzSr4UdIz838hEGM9aUEmpftK/m2p45nD:XGr4xo38hU9LHtK/0

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
3472	u.dll
2364	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2696	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 2180	4376	1ea69db85dd76d6b1d0e0709af8439a5.exe	26
PID 4376 wrote to memory of 2180	4376	1ea69db85dd76d6b1d0e0709af8439a5.exe	26
PID 4376 wrote to memory of 2180	4376	1ea69db85dd76d6b1d0e0709af8439a5.exe	26
PID 2180 wrote to memory of 3472	2180	cmd.exe	25
PID 2180 wrote to memory of 3472	2180	cmd.exe	25
PID 2180 wrote to memory of 3472	2180	cmd.exe	25
PID 3472 wrote to memory of 2364	3472	u.dll	24
PID 3472 wrote to memory of 2364	3472	u.dll	24
PID 3472 wrote to memory of 2364	3472	u.dll	24
PID 2180 wrote to memory of 3644	2180	cmd.exe	22
PID 2180 wrote to memory of 3644	2180	cmd.exe	22
PID 2180 wrote to memory of 3644	2180	cmd.exe	22

C:\Users\Admin\AppData\Local\Temp\1ea69db85dd76d6b1d0e0709af8439a5.exe
"C:\Users\Admin\AppData\Local\Temp\1ea69db85dd76d6b1d0e0709af8439a5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\45F2.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Users\Admin\AppData\Local\Temp\465F.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\465F.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4660.tmp"
1⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Local\Temp\45F2.tmp\vir.bat

Filesize
2KB

MD5
6903fde1a3008cc11e3d6438bf9d9ef1

SHA1
3badf7fcae924355a59bf7bac306d04620c9fa1f

SHA256
9caa4517242e92724a4555f44937515587716bebc3bf337a072273a7d1905a3d

SHA512
80bb937a4ca384a5d4e3d348a54bd5318792401d73f3566a6cf365a9f430b8a917025cfabb3c0ca989a1692ea30ce97fda7df20a0f125a76cadc566a7131c077

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
93KB

MD5
ec3db92301aa424c7a530a4d539a7f37

SHA1
ce848672ac400bb50fb7ef6dfbb0f92f3b41d65c

SHA256
6a9bad795d66771f71f44ef3200af4939ff91cbf757aece23ef677e08b63eebc

SHA512
a6cbd9adaa09737eccce6876531aa59b43b945bcf0ec2b97645f98377061eec725bb7bc678bc7ec16cbf2ba1dcac118a382c0746846cfffde0fdc349331b6b91

Download Submit
memory/2364-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4376-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4376-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download