1a5e45f203a2da83dddf6573eb82965d867770219d2cbea8636a93707f4ccdab

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 18:53

Target

35ed51a7de2693e364d83c94b76c58ee.exe
Size

209KB
MD5

35ed51a7de2693e364d83c94b76c58ee
SHA1

a9246afc1f52575459a0fbf754018c702e1a18e0
SHA256

1a5e45f203a2da83dddf6573eb82965d867770219d2cbea8636a93707f4ccdab
SHA512

0884c5191c650b385763e5256423f16b5a961619075e0572406ec4e284eda2fd101f28cf8377ab50efc8f06cd718b19ee94f932098c1b8f36ee8b35ed7911a17
SSDEEP

6144:hl0n6au4QpDsdprlPwnRB/+3I7+rXh0uCI40Su:Yn6auBpDeprlPkRB/tujNV

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
3720	u.dll
1152	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1908	OpenWith.exe
2744	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2508	1848	35ed51a7de2693e364d83c94b76c58ee.exe	25
PID 1848 wrote to memory of 2508	1848	35ed51a7de2693e364d83c94b76c58ee.exe	25
PID 1848 wrote to memory of 2508	1848	35ed51a7de2693e364d83c94b76c58ee.exe	25
PID 2508 wrote to memory of 3720	2508	cmd.exe	24
PID 2508 wrote to memory of 3720	2508	cmd.exe	24
PID 2508 wrote to memory of 3720	2508	cmd.exe	24
PID 3720 wrote to memory of 1152	3720	u.dll	18
PID 3720 wrote to memory of 1152	3720	u.dll	18
PID 3720 wrote to memory of 1152	3720	u.dll	18
PID 2508 wrote to memory of 1072	2508	cmd.exe	19
PID 2508 wrote to memory of 1072	2508	cmd.exe	19
PID 2508 wrote to memory of 1072	2508	cmd.exe	19
PID 2508 wrote to memory of 2600	2508	cmd.exe	22
PID 2508 wrote to memory of 2600	2508	cmd.exe	22
PID 2508 wrote to memory of 2600	2508	cmd.exe	22

C:\Users\Admin\AppData\Local\Temp\35ed51a7de2693e364d83c94b76c58ee.exe
"C:\Users\Admin\AppData\Local\Temp\35ed51a7de2693e364d83c94b76c58ee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\54F6.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508

C:\Users\Admin\AppData\Local\Temp\5544.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\5544.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe5545.tmp"
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Users\Admin\AppData\Local\Temp\54F6.tmp\vir.bat

Filesize
1KB

MD5
9f8022a402f31986dda1140d01453c69

SHA1
870211d6d62db9edf9bf9345c3d7eea1b1f5fb72

SHA256
73dc9856fb8aa4f23f9d0d68c0fc6c2fe2fbf9b28085db096445802cebf1e005

SHA512
4adf1ed7c8e142d3464af7a24b982def76e1e249a75622917e6686f8ccc832f0811a1cd56e8c8bebaefd4e575e9d1b9879c1f66c7e44b18430b57fd4e68b2295

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
92KB

MD5
ace4bef1eaa126302be21c4105cc6ea3

SHA1
227744c90647355a13c84178f9fedac3f75fdb97

SHA256
8a675772564f80e1e7c4e51cbb64e1ba19990a010b112abc5f050100a6765c66

SHA512
b4909dc9aabd8f478717a08e14648bc131b6176ac794991bd174f61dff9c3d15b0635352cce622e8088515fafbc447dd15717b3c2001ba34f86a19ba2abc4029

Download Submit
memory/1152-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1152-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1848-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1848-67-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download