ee97a1d6b12ceb4d29746bd3306cfb4c7d4e68101a77d92579a2b6bc0b3cb945

Analysis

max time kernel
1s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 15:14

Target

2877add6bc794f3cef19cb4d9a9257ad.exe
Size

209KB
MD5

2877add6bc794f3cef19cb4d9a9257ad
SHA1

1d64d2b6370fe4fddf0fa502168cad7557813a34
SHA256

ee97a1d6b12ceb4d29746bd3306cfb4c7d4e68101a77d92579a2b6bc0b3cb945
SHA512

7e127c7e76c4e16031ee1465e8817fb34cbccf083c08bf9e1aeaf724b32d2b2efaeeaa17a4f729f5f8741f84624d932f1261e3d13556804f16c79714011466e6
SSDEEP

6144:Fl0n6auRWbi9aVyvNyBspW2A6WNnE46L:En6auoQwyvNyuE2QdER

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2948	u.dll
2304	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3632 wrote to memory of 4924	3632	2877add6bc794f3cef19cb4d9a9257ad.exe	27
PID 3632 wrote to memory of 4924	3632	2877add6bc794f3cef19cb4d9a9257ad.exe	27
PID 3632 wrote to memory of 4924	3632	2877add6bc794f3cef19cb4d9a9257ad.exe	27
PID 4924 wrote to memory of 2948	4924	cmd.exe	19
PID 4924 wrote to memory of 2948	4924	cmd.exe	19
PID 4924 wrote to memory of 2948	4924	cmd.exe	19
PID 2948 wrote to memory of 2304	2948	u.dll	22
PID 2948 wrote to memory of 2304	2948	u.dll	22
PID 2948 wrote to memory of 2304	2948	u.dll	22
PID 4924 wrote to memory of 3856	4924	cmd.exe	20
PID 4924 wrote to memory of 3856	4924	cmd.exe	20
PID 4924 wrote to memory of 3856	4924	cmd.exe	20

C:\Users\Admin\AppData\Local\Temp\2877add6bc794f3cef19cb4d9a9257ad.exe
"C:\Users\Admin\AppData\Local\Temp\2877add6bc794f3cef19cb4d9a9257ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DC2.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 2877add6bc794f3cef19cb4d9a9257ad.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\4E3F.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\4E3F.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4E40.tmp"
  2⤵
  - Executes dropped EXE
  PID:2304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\4DC2.tmp\vir.bat

Filesize
1KB

MD5
dd29526dc200dc2ba2d23fbe04335379

SHA1
0572ab16ecaf5bc5d500153eadf9d83464b32f9f

SHA256
b7edc701b9bade87cc2ff6b05bb20e034aa03cef88f5e1e5671735e676ba758a

SHA512
17b1d94b4520e8f12d5c6d015cde69a4239eb2de8a3b396a0ff8c02429c2410427118fd83f4768372effa759547dbc741cebed7ec824058b505ba46fafc93cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
92KB

MD5
3ead3d1666a7ba5496ca7f0bdba490e6

SHA1
1c2707e1ed0b80eceb9e222e7c12e922e1ad1a13

SHA256
9c86a7b9cbd93a18253b5101b8a4272f9396e752177b5a49520384df06f18f5d

SHA512
147d684c5f73aa2aadc05c01c9aa31e887242edf53b97f151024ddf84384b2517dc6bd9a7bb52d9c607f47583b7b4868e809ad042e7f8e951e6a331004c62335

Download Submit
memory/2304-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2304-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3632-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3632-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3632-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download