67df51c1587268268648c688dd721e4de41b218672db56698d07454568b16606

Analysis

max time kernel
1s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 08:25

Target

135cfbb4e5dee131c19348e8f7833e52.exe
Size

209KB
MD5

135cfbb4e5dee131c19348e8f7833e52
SHA1

11d750ddc38ff570d6cbf93293567cacc4093b6a
SHA256

67df51c1587268268648c688dd721e4de41b218672db56698d07454568b16606
SHA512

378f8752a5af55d81393e2bd39794880d1001d32b06813e49a90605a665bc784f8287e4f6bcf41d2b87c4edd330f4159d10e3edc2cb4c9f6653ee5e4919146f9
SSDEEP

6144:rl2kNX273b0/FT+/8d/ufk1uICXdlYTuDpIX:ckNm7r4FQsy1bXdlSopIX

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
1844	u.dll
3436	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 228	1940	135cfbb4e5dee131c19348e8f7833e52.exe	23
PID 1940 wrote to memory of 228	1940	135cfbb4e5dee131c19348e8f7833e52.exe	23
PID 1940 wrote to memory of 228	1940	135cfbb4e5dee131c19348e8f7833e52.exe	23
PID 228 wrote to memory of 1844	228	cmd.exe	22
PID 228 wrote to memory of 1844	228	cmd.exe	22
PID 228 wrote to memory of 1844	228	cmd.exe	22
PID 1844 wrote to memory of 3436	1844	u.dll	28
PID 1844 wrote to memory of 3436	1844	u.dll	28
PID 1844 wrote to memory of 3436	1844	u.dll	28
PID 228 wrote to memory of 1436	228	cmd.exe	29
PID 228 wrote to memory of 1436	228	cmd.exe	29
PID 228 wrote to memory of 1436	228	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\135cfbb4e5dee131c19348e8f7833e52.exe
"C:\Users\Admin\AppData\Local\Temp\135cfbb4e5dee131c19348e8f7833e52.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4D55.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:1436

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 135cfbb4e5dee131c19348e8f7833e52.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\4DD2.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\4DD2.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4DD3.tmp"
  2⤵
  - Executes dropped EXE
  PID:3436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5312

memory/1940-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1940-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1940-69-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3436-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download