a7c0ecf4294c63269f949b8c65f067e1af78682b1b907e55a34bd3ad448e7710

Analysis

max time kernel
141s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6066afa2f416a782dacdf439033ccab.exe
Size

208KB
MD5

f6066afa2f416a782dacdf439033ccab
SHA1

194d14e8785bbb0f260fd1716f9835c1ad1202d8
SHA256

a7c0ecf4294c63269f949b8c65f067e1af78682b1b907e55a34bd3ad448e7710
SHA512

cb49614597666a45e927b09447cdae8d97fb5124cab967d43db9048170cb06bc259b767520d1176d99f3a353f65439846c609d851181e8461d903498ea837c14
SSDEEP

3072:2luy78nwZgkTDUHscVDVZWn4Xz+rwOvg/WRuPWNuLIO71YH5V06IDMdPW4ops:2lNgwZTDULVDCn4KrXYWRAYH0L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1572	u.dll
3584	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1128	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3672	3036	f6066afa2f416a782dacdf439033ccab.exe	95
PID 3036 wrote to memory of 3672	3036	f6066afa2f416a782dacdf439033ccab.exe	95
PID 3036 wrote to memory of 3672	3036	f6066afa2f416a782dacdf439033ccab.exe	95
PID 3672 wrote to memory of 1572	3672	cmd.exe	92
PID 3672 wrote to memory of 1572	3672	cmd.exe	92
PID 3672 wrote to memory of 1572	3672	cmd.exe	92
PID 1572 wrote to memory of 3584	1572	u.dll	91
PID 1572 wrote to memory of 3584	1572	u.dll	91
PID 1572 wrote to memory of 3584	1572	u.dll	91
PID 3672 wrote to memory of 3144	3672	cmd.exe	93
PID 3672 wrote to memory of 3144	3672	cmd.exe	93
PID 3672 wrote to memory of 3144	3672	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\f6066afa2f416a782dacdf439033ccab.exe
"C:\Users\Admin\AppData\Local\Temp\f6066afa2f416a782dacdf439033ccab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4DF1.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672

C:\Users\Admin\AppData\Local\Temp\4E4F.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\4E4F.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4E50.tmp"
1⤵
- Executes dropped EXE
PID:3584

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save f6066afa2f416a782dacdf439033ccab.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\calc.exe
CALC.EXE
1⤵
- Modifies registry class
PID:3144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4DF1.tmp\vir.bat

Filesize
1KB

MD5
9c62e35fccab7b15fb482cd38e042c33

SHA1
d81afd780036aacb2bfc9666f4b28ae5496ccd3a

SHA256
aac191d0c35804d112ebaf10e0c673c15f27ab4878a925801206fa0a328387cf

SHA512
539d0b172670d11e485d4b894c3112514fd8358d2871f1fb4fa5c9a8d871b204254150d477144725a08eca81c7258a387cc93d32e2ecbf0960e448d161a5778b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E4F.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4E50.tmp

Filesize
208KB

MD5
fe46a58fcdd24570aaaa2f4751666e43

SHA1
c65cf64c9964f4e2fd13ce65399c161af45c1c0c

SHA256
fc768fc726b60e8230db23c6be4901d5b6f66bde6476c9ebac1459ce1b39c208

SHA512
a7dd06302f900ab35c8b899e131d4813fe460578a5c990f3c5a4404d300ff922d29dfb95d9271be445b1ed026416b615a4b06c839a6e3e0a393927fcf539ea5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
0ba8f8311fc3afbb7e32d98236f2efa6

SHA1
956dd3548df11f2c6c36366d74109ddddc33fc33

SHA256
5b6da37dd4f1fa6402e7ee652ef048f7bd7b396f7a3b3f61c56865d5cd3f6e62

SHA512
706f455d004af6d1442402c1a750a37da14da0351c51d0b0b578349355956986941c4a302956590be7c2b00caa6838e3b265dab8766e8636e0c6c4527b82c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
7dd5c776ac0b1312f97b4db7de41f189

SHA1
6d4bb6ce51ec81f57985ff795a63d68170a037b9

SHA256
1de46691d3f072d9159374b3004afae33534ecb00cfa309c751dd181d4435e21

SHA512
3841631fac3c2553ca8e42b8a48ebe3caf345eff5b0d9a71d561d24ecdfe8ca4949d1d222b5338b1bf75e9988cd7b407e811dca6f701a1b2e11885d43205effb

Download Submit
memory/3036-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3036-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3036-68-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3584-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads