d431f6d8b17bf39d64898203fc00df6ce22d8976f8be21a10413c017c44c236d

Analysis

max time kernel
1s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 07:58

Target

12d1509828f7b5485648ef7e2eb6f5be.exe
Size

208KB
MD5

12d1509828f7b5485648ef7e2eb6f5be
SHA1

9afc1cf9d400f4232d1f5d420b0c66c2bd482b89
SHA256

d431f6d8b17bf39d64898203fc00df6ce22d8976f8be21a10413c017c44c236d
SHA512

d1676321f5ba1238968d5204f2d7f0d480e5a1a2e24ddad5d47f1ff1dddbd872c4b6b4af0479e6d76f0b20312073f694e6f61c88e5ea6f463dcb339408f3b381
SSDEEP

6144:wlNgw8yiI7v27OQ7HMJsc5yL0L2nT46eBcrzxmOC8YHoz/3Z:4h8A7+7OvVMHnhacnxm+YIzP

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
3696	u.dll
4748	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 3204	4212	12d1509828f7b5485648ef7e2eb6f5be.exe	23
PID 4212 wrote to memory of 3204	4212	12d1509828f7b5485648ef7e2eb6f5be.exe	23
PID 4212 wrote to memory of 3204	4212	12d1509828f7b5485648ef7e2eb6f5be.exe	23
PID 3204 wrote to memory of 3696	3204	cmd.exe	24
PID 3204 wrote to memory of 3696	3204	cmd.exe	24
PID 3204 wrote to memory of 3696	3204	cmd.exe	24
PID 3696 wrote to memory of 4748	3696	u.dll	27
PID 3696 wrote to memory of 4748	3696	u.dll	27
PID 3696 wrote to memory of 4748	3696	u.dll	27
PID 3204 wrote to memory of 3084	3204	cmd.exe	28
PID 3204 wrote to memory of 3084	3204	cmd.exe	28
PID 3204 wrote to memory of 3084	3204	cmd.exe	28

C:\Users\Admin\AppData\Local\Temp\12d1509828f7b5485648ef7e2eb6f5be.exe
"C:\Users\Admin\AppData\Local\Temp\12d1509828f7b5485648ef7e2eb6f5be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5738.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 12d1509828f7b5485648ef7e2eb6f5be.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\57B5.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\57B5.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe57B6.tmp"
      4⤵
      Executes dropped EXE
      PID:4748
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:3084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4228

memory/4212-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4212-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4212-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4748-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download