410c45d448e3bef62a84a7a1e31be0332a3a73428f0044ee5499f3bd67bee308

Analysis

max time kernel
1s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 14:53

Target

770d93b9a8b3642423ac96a2078ad007.exe
Size

209KB
MD5

770d93b9a8b3642423ac96a2078ad007
SHA1

da3441676034a2ab1368aa8a5f41d283390f3a90
SHA256

410c45d448e3bef62a84a7a1e31be0332a3a73428f0044ee5499f3bd67bee308
SHA512

7f1cfe78c675144355eb29eb9956974eeb0e94c35ff788b6fa12c7972c9db909117c4276b7205b2484d2252c9d478288b04d35dbe9112a7d4c41345625c19da1
SSDEEP

6144:8l2khf5fme5il+2Sy9Ue0ep4mEFoOYBN40D:hk55fme5uJG4pB/7

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
4956	u.dll
1592	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	calc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 3744	2528	770d93b9a8b3642423ac96a2078ad007.exe	27
PID 2528 wrote to memory of 3744	2528	770d93b9a8b3642423ac96a2078ad007.exe	27
PID 2528 wrote to memory of 3744	2528	770d93b9a8b3642423ac96a2078ad007.exe	27
PID 3744 wrote to memory of 4956	3744	cmd.exe	25
PID 3744 wrote to memory of 4956	3744	cmd.exe	25
PID 3744 wrote to memory of 4956	3744	cmd.exe	25
PID 4956 wrote to memory of 1592	4956	u.dll	24
PID 4956 wrote to memory of 1592	4956	u.dll	24
PID 4956 wrote to memory of 1592	4956	u.dll	24
PID 3744 wrote to memory of 1472	3744	cmd.exe	23
PID 3744 wrote to memory of 1472	3744	cmd.exe	23
PID 3744 wrote to memory of 1472	3744	cmd.exe	23

C:\Users\Admin\AppData\Local\Temp\770d93b9a8b3642423ac96a2078ad007.exe
"C:\Users\Admin\AppData\Local\Temp\770d93b9a8b3642423ac96a2078ad007.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4A38.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744

C:\Users\Admin\AppData\Local\Temp\4AB5.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\4AB5.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4AB6.tmp"
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\4A38.tmp\vir.bat

Filesize
2KB

MD5
04ab2f3f70483cf1a8c7bb25054cffe0

SHA1
57731722ebdc80f8785e163d9f731aee449e465a

SHA256
a1674724a5eaaabda5a7023619120c40628c46ce5bc67797effb433fc9aee4bf

SHA512
990bf20759a13c4fb70fb37a43e5ff21794a90c31a09a41f865f574249370c100b13ef96691a22b39d2746368bde4319c122cf364ca322e9c1fdbfdedc757b37

Download Submit
memory/1592-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2528-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2528-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download