b8566395db8a7752b12223119ef210d55e51b6ee906c57dbdc5ca505a6ccc5e1

Analysis

max time kernel
42s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 01:49

Target

235b3ee1a7c5570876dfac8782ad9bc1.exe
Size

209KB
MD5

235b3ee1a7c5570876dfac8782ad9bc1
SHA1

8795b868f7b1ee71ba6b8deea912a47ff562f8f4
SHA256

b8566395db8a7752b12223119ef210d55e51b6ee906c57dbdc5ca505a6ccc5e1
SHA512

a4e97e7c223603779bc41392400808d02dadd7b5fca041f3007f8a2ba4197298feca0cc710cca80467705d240e35f26c4b499d6c90099be1d3d93912be866400
SSDEEP

6144:Hl0n6aub5h3U5ZUCM3Hq2rsHrdwRfjmjHIthNRBYazy5pno:2n6auxFQLq6D6hNRSb5pno

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
2496	u.dll
4604	mpress.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3668	2356	235b3ee1a7c5570876dfac8782ad9bc1.exe	22
PID 2356 wrote to memory of 3668	2356	235b3ee1a7c5570876dfac8782ad9bc1.exe	22
PID 2356 wrote to memory of 3668	2356	235b3ee1a7c5570876dfac8782ad9bc1.exe	22
PID 3668 wrote to memory of 2496	3668	cmd.exe	17
PID 3668 wrote to memory of 2496	3668	cmd.exe	17
PID 3668 wrote to memory of 2496	3668	cmd.exe	17
PID 2496 wrote to memory of 4604	2496	u.dll	18
PID 2496 wrote to memory of 4604	2496	u.dll	18
PID 2496 wrote to memory of 4604	2496	u.dll	18

C:\Users\Admin\AppData\Local\Temp\235b3ee1a7c5570876dfac8782ad9bc1.exe
"C:\Users\Admin\AppData\Local\Temp\235b3ee1a7c5570876dfac8782ad9bc1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4863.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 235b3ee1a7c5570876dfac8782ad9bc1.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\48C1.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\48C1.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe48C2.tmp"
  2⤵
  - Executes dropped EXE
  PID:4604

memory/2356-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2356-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2356-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4604-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download