6ee6f9b778467a5398d2156ea16c5516248f9003ede08f65d45156d62973efdb

Analysis

max time kernel
1s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:20

Target

217e2401f0434bd442144ecdf7d9aab3.exe
Size

209KB
MD5

217e2401f0434bd442144ecdf7d9aab3
SHA1

10ed4fb1ffb5ab22896894bbcab6d2ef1ab7691f
SHA256

6ee6f9b778467a5398d2156ea16c5516248f9003ede08f65d45156d62973efdb
SHA512

4ce3cef3c8f7db86503c599af30623bc263884449879fbbed58848dd67af97484fb4e5bfe6e6cd1314395f5967f2ca3f1ebe0bdd3e1e6a1332aa27921e984c61
SSDEEP

6144:fl9cYqmsum1YIgEQZxVY+bKydVa+zX/mYJcU:rcY81jgEQZxVQ+zPNO

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
1996	u.dll
2104	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2292	3592	217e2401f0434bd442144ecdf7d9aab3.exe	26
PID 3592 wrote to memory of 2292	3592	217e2401f0434bd442144ecdf7d9aab3.exe	26
PID 3592 wrote to memory of 2292	3592	217e2401f0434bd442144ecdf7d9aab3.exe	26
PID 2292 wrote to memory of 1996	2292	cmd.exe	25
PID 2292 wrote to memory of 1996	2292	cmd.exe	25
PID 2292 wrote to memory of 1996	2292	cmd.exe	25
PID 1996 wrote to memory of 2104	1996	u.dll	21
PID 1996 wrote to memory of 2104	1996	u.dll	21
PID 1996 wrote to memory of 2104	1996	u.dll	21
PID 2292 wrote to memory of 2132	2292	cmd.exe	19
PID 2292 wrote to memory of 2132	2292	cmd.exe	19
PID 2292 wrote to memory of 2132	2292	cmd.exe	19

C:\Users\Admin\AppData\Local\Temp\217e2401f0434bd442144ecdf7d9aab3.exe
"C:\Users\Admin\AppData\Local\Temp\217e2401f0434bd442144ecdf7d9aab3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5275.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\52D3.tmp\mpress.exe
"C:\Users\Admin\AppData\Local\Temp\52D3.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe52D4.tmp"
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2972

memory/2104-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3592-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3592-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3592-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download