267d8cc1689679116d31f13d3fa9b5bd48b6aa327846c89e56c592fe2da1a3f1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21bcb4b12052f3c175b02baeff3cd539.exe
Size

209KB
MD5

21bcb4b12052f3c175b02baeff3cd539
SHA1

cdc9d8047a529cbcf504a33083b48d573d751743
SHA256

267d8cc1689679116d31f13d3fa9b5bd48b6aa327846c89e56c592fe2da1a3f1
SHA512

616eed0d9d3a21f8bc1f8f0a2c7770d848e59dcb67f0d4ac4a8181c6a0bff96c053947655a5181f5c6ac3800d90272e7f8d8916012bb390bc3ebf67a8e10532b
SSDEEP

6144:UlsSFhzhXVW4u4Xzbn4SRMhIr5OR+2la3ca3VxNmrBHhFozg:jUhdFVuezbnWI5OR+HhFurBBFkg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3584	u.dll
4232	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4920	OpenWith.exe
4016	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 4596	3700	21bcb4b12052f3c175b02baeff3cd539.exe	20
PID 3700 wrote to memory of 4596	3700	21bcb4b12052f3c175b02baeff3cd539.exe	20
PID 3700 wrote to memory of 4596	3700	21bcb4b12052f3c175b02baeff3cd539.exe	20
PID 4596 wrote to memory of 3584	4596	cmd.exe	21
PID 4596 wrote to memory of 3584	4596	cmd.exe	21
PID 4596 wrote to memory of 3584	4596	cmd.exe	21
PID 3584 wrote to memory of 4232	3584	u.dll	24
PID 3584 wrote to memory of 4232	3584	u.dll	24
PID 3584 wrote to memory of 4232	3584	u.dll	24
PID 4596 wrote to memory of 2040	4596	cmd.exe	23
PID 4596 wrote to memory of 2040	4596	cmd.exe	23
PID 4596 wrote to memory of 2040	4596	cmd.exe	23
PID 4596 wrote to memory of 4892	4596	cmd.exe	26
PID 4596 wrote to memory of 4892	4596	cmd.exe	26
PID 4596 wrote to memory of 4892	4596	cmd.exe	26

C:\Users\Admin\AppData\Local\Temp\21bcb4b12052f3c175b02baeff3cd539.exe
"C:\Users\Admin\AppData\Local\Temp\21bcb4b12052f3c175b02baeff3cd539.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4E20.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 21bcb4b12052f3c175b02baeff3cd539.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\4E7E.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4E7E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4E7F.tmp"
      4⤵
      Executes dropped EXE
      PID:4232
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2040
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4E20.tmp\vir.bat

Filesize
1KB

MD5
fef8850eeb3aea96e8ea4ff9667d801f

SHA1
7c36156f435ad8b24252f2ba0adafa1c7731e7fd

SHA256
d76a8a3841dc203c24090608dabceae8f0f3049a97af08500271bacf31666d5c

SHA512
3c07c3a269e098c09c795c24c2191987490321c0ce81bedb2b771de5aba434645ec3672cd2f687b2536a889ad24c6654b40860cdb1424155c751ebce328d24e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4E7F.tmp

Filesize
41KB

MD5
bac68e690b1c14dba6029b68bf6485e0

SHA1
911ac3beb4e166a4fd3e263787175b257a8a2125

SHA256
45422da2885226ab32d568f8155b68c173675a7a5ca058f1e75feddc5229348d

SHA512
6ab4ded492eb5c594ba5a0da0eb0f6f812b459de500b9111264276e6eadaefd58e470abb2bebd4c044b689dddd08a919a947417f53d246e4547befc859f5d34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
77ba6153827a203577b5d79c941e801c

SHA1
6deb4bdee67f4fb1a01ffa702e7941220c00f5a0

SHA256
7df73edded92f9b3f8e0639a4acaac72fdee2358eb0325e5cd66b23b44ce9bf7

SHA512
65d6b016a9109dc3358f7952fef0eb520a79a3084cb6da4f30558ebfeaf127f046408366452b178f43fd75d5a077118301326899f0207ed38b96310273824ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
4355e52d3f4638979de2ad37eae2374d

SHA1
83f588d81925d90093307fe0ad85a799ee96ad48

SHA256
fb1f72387920f1faaf01daa14e0c82f5584d66b3c9af393d2df917ee4033c983

SHA512
365fe9532173a227aea473dff7304cd5c50465cace6490060ba669c39becd24ee3521e4d6ed1b6994bdb9c585d0ae645cf31e7126ceebd0f535220aba2928bfa

Download Submit
memory/3700-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3700-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3700-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4232-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads