e9538d759a3eb323bd74736c5a3f002f371048e131a4fbfc5fb91ecd29438ed7

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 22:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05b52e140a2ad13e0941f917b537dff3.exe
Size

209KB
MD5

05b52e140a2ad13e0941f917b537dff3
SHA1

c96936d0521cc248d6a65ca05c79e36444e58545
SHA256

e9538d759a3eb323bd74736c5a3f002f371048e131a4fbfc5fb91ecd29438ed7
SHA512

53cffbfc2bf9e50ade58d005f618308808d1493220b1523228c707047c38b53e51db41f468a3318fb065badf0c581065195bfa74d70e2957af8af24f8ecd2914
SSDEEP

6144:vlKiQ9xysISXcE645G4hKf1lMa98TB1rOl4K4ikOd:wbryREn5768rO+ik

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
232	u.dll
4772	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4396	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 2368	4252	05b52e140a2ad13e0941f917b537dff3.exe	24
PID 4252 wrote to memory of 2368	4252	05b52e140a2ad13e0941f917b537dff3.exe	24
PID 4252 wrote to memory of 2368	4252	05b52e140a2ad13e0941f917b537dff3.exe	24
PID 2368 wrote to memory of 232	2368	cmd.exe	27
PID 2368 wrote to memory of 232	2368	cmd.exe	27
PID 2368 wrote to memory of 232	2368	cmd.exe	27
PID 232 wrote to memory of 4772	232	u.dll	34
PID 232 wrote to memory of 4772	232	u.dll	34
PID 232 wrote to memory of 4772	232	u.dll	34
PID 2368 wrote to memory of 5064	2368	cmd.exe	36
PID 2368 wrote to memory of 5064	2368	cmd.exe	36
PID 2368 wrote to memory of 5064	2368	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\05b52e140a2ad13e0941f917b537dff3.exe
"C:\Users\Admin\AppData\Local\Temp\05b52e140a2ad13e0941f917b537dff3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\497C.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 05b52e140a2ad13e0941f917b537dff3.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\49EA.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\49EA.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe49EB.tmp"
      4⤵
      Executes dropped EXE
      PID:4772
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:5064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\497C.tmp\vir.bat

Filesize
2KB

MD5
78ce3a04668b238b2f7fd442154204e7

SHA1
ce9ce456e68bd006521ec2764cb044c30021db08

SHA256
2535b506ad1eaba13ffe2bfffa3d84e2f063fb624db7f296341583350c553aaf

SHA512
210e6db0443f0a22c5c703aae0bf9ecf40473546fed8b2c9b4cbe0d84cc361fc8f0945c82c40bc77d3db53f95f40240dd0b3d72f81e05ab34b9efaf817dac047

Download Submit
C:\Users\Admin\AppData\Local\Temp\49EA.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe49EB.tmp

Filesize
41KB

MD5
34dc2281ba5f8c4a7db8388be126278d

SHA1
1974c9398171a8151acc6602a5f0adea3c62ad98

SHA256
b40e0b0ed0a877a445c21852b0449a4a45fb1210babc9b5ff0c024f29cafa4b6

SHA512
5b0b0a694464d1d20786f726c32b571e757db323c0d9523c3028f4ec9702023501749b908c86dc19b3f8f0e1d514413868e148ceb39c6ce9544d70bc3ee5b8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe49EB.tmp

Filesize
24KB

MD5
93cb0adb901680dd14269ab60f8e59c1

SHA1
36d8f6831c115cc28c096947ab078da884a71b8b

SHA256
12df3126aee7ef26b97e1e8cf0b98f0a3c7450d86214a3c55752444ead3425e1

SHA512
1b2cc2c348ea28b998e3ed6f41efe95a3cfbf8ce22d8132cc1a0aafdf08fb2890efad278655770f9eb8cc3e69377d34db9de6733f21e00da2b4c4236fe702453

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
182KB

MD5
2edc2f73d25f229011b53fbe8a9007ae

SHA1
a9f6f1788b4041523942722f6671913bcd7c109c

SHA256
def8bd49af92eb351b62b97323519544a5a514104be7ed2fd0fef6ff5851ae74

SHA512
a4153a67151964c6d52202ced4c558e987472224dc59c92ee9280c7e974f7e7473d8554e020bacf1a8099388914332caf37bdbfdb421d52664c90e6fcfe9ed42

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
231KB

MD5
df9b805e007a4b45e7f3ade0a17f8a51

SHA1
88f9f128806e0875fb2b9450cdc444b8772e57d0

SHA256
a337bedde969f3fa1ccd55c99fa18b4ceab6bcb1110bf014e8d97418aad9f281

SHA512
abdabaab4b2f7f7b7266c4e17a66cc5fcfb86c4d11cf944fbd078d58e718424d2b508093bc2adfe542859eb45c5daf165d512f819fbc5937bca27e08bb1bf43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
233KB

MD5
bf0c4d00ebe5f17c9863c2c0711b6535

SHA1
2c15f5dd289cd2411232f48ef27a9f5160b32412

SHA256
fdfae84b8763167eb02164c01d5508ea41bc03b3a8b4072847319fd86cdabd42

SHA512
764e84f9fd6599fb710432bd019d8fec35430e530551dddd4f51e3e710a60aaf095a6be96824b9b406cc7327e70c5f2b7b87f5010af5855cb1283f9da1a667df

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
258KB

MD5
f72d45c17a6210daae665c0e32a590b0

SHA1
9e19d7f2b8c4d6a38d92393c4233355cf03444a1

SHA256
c96b962b7fb946a3932a9ad79a46c2162e642b96f6d9e79c6ff5cd7838829a9f

SHA512
2bc7866724b132b57bc0f475efefd4179f07dff96d3187f6a76eaaf549b871afde61ecdb05e58e3699907bbb2ded67cd9c03df4418065aab70d528bb362f2f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
b9e7caa955a277a56803b0c8d3b003f8

SHA1
32df6a8613dd0406bc3debe9184479e1b18f8ef3

SHA256
312aba001900a684c8c973218603aa6ed9543f3a4a94331afe57ef250fa51225

SHA512
0c8ba1df087ce3af11cc3faaf0b4db6efae4324a375146cd56225d9c5c1f949eeeed241ca41c844425d9bce3b6c9b1647e59e949ef5b9871719e45e6f6bc9bda

Download Submit
memory/4252-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4252-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4252-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4772-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4772-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads