0fd9820013abff58c2af514db0177f097210f2336439a963063f2616c521f8e2

Analysis

max time kernel
1s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 11:13

Target

69fb5061e2cce3273b9a994e5a60caa9.exe
Size

209KB
MD5

69fb5061e2cce3273b9a994e5a60caa9
SHA1

7c2d2a7bdd46958a71fa9f42c6f97899f56376d6
SHA256

0fd9820013abff58c2af514db0177f097210f2336439a963063f2616c521f8e2
SHA512

66bedac71e4dc6d42ae5b7e3decd110c2663e6fd88ae524b767d2b68fe6cc3196559aba8f70f85a4ed7edce78f0a47a3bec370d966a5caaa9ba438b77fdf4c82
SSDEEP

6144:nl0n6auE638MTGXDnnE3mqnaCo/jTJ/7v79N:Wn6auRb0Lqjg/n9

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
5024	u.dll
4820	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 4164	4340	69fb5061e2cce3273b9a994e5a60caa9.exe	17
PID 4340 wrote to memory of 4164	4340	69fb5061e2cce3273b9a994e5a60caa9.exe	17
PID 4340 wrote to memory of 4164	4340	69fb5061e2cce3273b9a994e5a60caa9.exe	17
PID 4164 wrote to memory of 5024	4164	cmd.exe	25
PID 4164 wrote to memory of 5024	4164	cmd.exe	25
PID 4164 wrote to memory of 5024	4164	cmd.exe	25
PID 5024 wrote to memory of 4820	5024	u.dll	20
PID 5024 wrote to memory of 4820	5024	u.dll	20
PID 5024 wrote to memory of 4820	5024	u.dll	20
PID 4164 wrote to memory of 4992	4164	cmd.exe	21
PID 4164 wrote to memory of 4992	4164	cmd.exe	21
PID 4164 wrote to memory of 4992	4164	cmd.exe	21

C:\Users\Admin\AppData\Local\Temp\69fb5061e2cce3273b9a994e5a60caa9.exe
"C:\Users\Admin\AppData\Local\Temp\69fb5061e2cce3273b9a994e5a60caa9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DF1.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:4956
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 69fb5061e2cce3273b9a994e5a60caa9.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5024

C:\Users\Admin\AppData\Local\Temp\4E5E.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\4E5E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4E5F.tmp"
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1396

memory/4340-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4340-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4340-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4820-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download