ab58a5cc6b72aeb9226f7146716357d72669defde4daf061605761b606595bf3

Analysis

max time kernel
141s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 20:39

Target

f691d1aa0f8ff2b27cad22d13183bfb6.exe
Size

209KB
MD5

f691d1aa0f8ff2b27cad22d13183bfb6
SHA1

1bda3cbf4e8389e87a2ab290052e1fee59fd20d4
SHA256

ab58a5cc6b72aeb9226f7146716357d72669defde4daf061605761b606595bf3
SHA512

2465f8226d58063d26ec570d95ee8766e277cab5648828ef9d8b60c052cb91d5a603ce87521748088f558609b5657bb4f272e79801ab81d3acaf5d17b8857f68
SSDEEP

6144:vli564m1zKYPFMpVn4MKF7ZyDZgHyhNe:Zh1zBPKVn4NnHyh8

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2088	u.dll
4656	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1192	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 5096	232	f691d1aa0f8ff2b27cad22d13183bfb6.exe	24
PID 232 wrote to memory of 5096	232	f691d1aa0f8ff2b27cad22d13183bfb6.exe	24
PID 232 wrote to memory of 5096	232	f691d1aa0f8ff2b27cad22d13183bfb6.exe	24
PID 5096 wrote to memory of 2088	5096	cmd.exe	22
PID 5096 wrote to memory of 2088	5096	cmd.exe	22
PID 5096 wrote to memory of 2088	5096	cmd.exe	22
PID 2088 wrote to memory of 4656	2088	u.dll	17
PID 2088 wrote to memory of 4656	2088	u.dll	17
PID 2088 wrote to memory of 4656	2088	u.dll	17
PID 5096 wrote to memory of 4012	5096	cmd.exe	20
PID 5096 wrote to memory of 4012	5096	cmd.exe	20
PID 5096 wrote to memory of 4012	5096	cmd.exe	20

C:\Users\Admin\AppData\Local\Temp\f691d1aa0f8ff2b27cad22d13183bfb6.exe
"C:\Users\Admin\AppData\Local\Temp\f691d1aa0f8ff2b27cad22d13183bfb6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4B70.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5096

C:\Users\Admin\AppData\Local\Temp\4BCE.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\4BCE.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4BCF.tmp"
1⤵
- Executes dropped EXE
PID:4656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
92KB

MD5
ace4bef1eaa126302be21c4105cc6ea3

SHA1
227744c90647355a13c84178f9fedac3f75fdb97

SHA256
8a675772564f80e1e7c4e51cbb64e1ba19990a010b112abc5f050100a6765c66

SHA512
b4909dc9aabd8f478717a08e14648bc131b6176ac794991bd174f61dff9c3d15b0635352cce622e8088515fafbc447dd15717b3c2001ba34f86a19ba2abc4029

Download Submit
memory/232-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/232-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/232-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4656-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download