7258d392d8f6db54bbed77ab472d230aa4113bc0cc72c0a77889b71621a8b4e6

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2148398c3abeab63a4a0e102dd8982e7.exe
Size

209KB
MD5

2148398c3abeab63a4a0e102dd8982e7
SHA1

29681464a49db9d4a653655f6745be9fe3530dbe
SHA256

7258d392d8f6db54bbed77ab472d230aa4113bc0cc72c0a77889b71621a8b4e6
SHA512

106a53adc818be52251ce9ae0a76833cc11f5e4d689c6dc9ab9edf1d6edd82b7eb7c4ef2e8439c9d9afb676f4ef26215efa3a008c69feaa2eba03494f2ae2a84
SSDEEP

6144:aldZ3h5K12FHk9rRrzEccMOU6iwE8dLoWR:6Z3hsbtRXEccBqwdMWR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4480	u.dll
5356	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3300	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 1372	1332	2148398c3abeab63a4a0e102dd8982e7.exe	20
PID 1332 wrote to memory of 1372	1332	2148398c3abeab63a4a0e102dd8982e7.exe	20
PID 1332 wrote to memory of 1372	1332	2148398c3abeab63a4a0e102dd8982e7.exe	20
PID 1372 wrote to memory of 4480	1372	cmd.exe	21
PID 1372 wrote to memory of 4480	1372	cmd.exe	21
PID 1372 wrote to memory of 4480	1372	cmd.exe	21
PID 4480 wrote to memory of 5356	4480	u.dll	24
PID 4480 wrote to memory of 5356	4480	u.dll	24
PID 4480 wrote to memory of 5356	4480	u.dll	24
PID 1372 wrote to memory of 4768	1372	cmd.exe	26
PID 1372 wrote to memory of 4768	1372	cmd.exe	26
PID 1372 wrote to memory of 4768	1372	cmd.exe	26

C:\Users\Admin\AppData\Local\Temp\2148398c3abeab63a4a0e102dd8982e7.exe
"C:\Users\Admin\AppData\Local\Temp\2148398c3abeab63a4a0e102dd8982e7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4D93.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 2148398c3abeab63a4a0e102dd8982e7.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Users\Admin\AppData\Local\Temp\4E10.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4E10.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4E11.tmp"
      4⤵
      Executes dropped EXE
      PID:5356
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4D93.tmp\vir.bat

Filesize
1KB

MD5
4d8204df1022b35d737078e9be0db8fe

SHA1
1082e3aaaadb023f57af2166a7cbc2582bfcab00

SHA256
80f6cbb5361147b54ad640068b8618bf440189ed52bd6d2f70a3f1152d0bfb48

SHA512
4b30d9e553cfd30f8556f56c73c4558413091cce0be72cce4f8efdd927583f7d645c0bd3ab072b4732de288f7ed605699030bca7d4f95865c9e0e825e8c3aba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
92KB

MD5
ace4bef1eaa126302be21c4105cc6ea3

SHA1
227744c90647355a13c84178f9fedac3f75fdb97

SHA256
8a675772564f80e1e7c4e51cbb64e1ba19990a010b112abc5f050100a6765c66

SHA512
b4909dc9aabd8f478717a08e14648bc131b6176ac794991bd174f61dff9c3d15b0635352cce622e8088515fafbc447dd15717b3c2001ba34f86a19ba2abc4029

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
74bbacf0fb48869b45ed7f0f49247f65

SHA1
9fc7a78f237fd2a2ab529d9c4477962cd0e01790

SHA256
80e64c2815c2749286801398e7288a25c8763270a96c4ae9e2b7e1a179039333

SHA512
7191067cb190af48e84e96a4af5ea08d4008865a34c893308856e9ae1c82540c8bda4748902257bda70b7b35d7d899e5c763f208096a6d9e11e5c77cbe930ff7

Download Submit
memory/1332-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1332-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1332-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5356-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5356-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads