c84b5f63992b480e3684a142210ec953bf4bce56920a2f2e8bff5b77322b5447

Analysis

max time kernel
147s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 05:52

Target

2abe7cca18dce6e2749f69846e9c489e.exe
Size

209KB
MD5

2abe7cca18dce6e2749f69846e9c489e
SHA1

bdcbf059df02a81e2841c08fe487b2175e0a61dc
SHA256

c84b5f63992b480e3684a142210ec953bf4bce56920a2f2e8bff5b77322b5447
SHA512

f27350c959c01b5ffa9c632720b8c88cc87c65583fd04c9a3dcbdada8afee4a582ccd2d48bf2a27be783ef0bfb6e716dd83570aa7e1f683613e70df6bf9c8919
SSDEEP

6144:1ldgA0AZVEJagGwtZ24vMjzJW9XOAvhTQ:dguVEJptZ2Eq0xOAp0

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
656	u.dll
1260	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3716	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1064	2428	2abe7cca18dce6e2749f69846e9c489e.exe	96
PID 2428 wrote to memory of 1064	2428	2abe7cca18dce6e2749f69846e9c489e.exe	96
PID 2428 wrote to memory of 1064	2428	2abe7cca18dce6e2749f69846e9c489e.exe	96
PID 1064 wrote to memory of 656	1064	cmd.exe	92
PID 1064 wrote to memory of 656	1064	cmd.exe	92
PID 1064 wrote to memory of 656	1064	cmd.exe	92
PID 656 wrote to memory of 1260	656	u.dll	95
PID 656 wrote to memory of 1260	656	u.dll	95
PID 656 wrote to memory of 1260	656	u.dll	95
PID 1064 wrote to memory of 4644	1064	cmd.exe	94
PID 1064 wrote to memory of 4644	1064	cmd.exe	94
PID 1064 wrote to memory of 4644	1064	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\2abe7cca18dce6e2749f69846e9c489e.exe
"C:\Users\Admin\AppData\Local\Temp\2abe7cca18dce6e2749f69846e9c489e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8155.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 2abe7cca18dce6e2749f69846e9c489e.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\81E2.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\81E2.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe81E3.tmp"
  2⤵
  - Executes dropped EXE
  PID:1260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
92KB

MD5
ace4bef1eaa126302be21c4105cc6ea3

SHA1
227744c90647355a13c84178f9fedac3f75fdb97

SHA256
8a675772564f80e1e7c4e51cbb64e1ba19990a010b112abc5f050100a6765c66

SHA512
b4909dc9aabd8f478717a08e14648bc131b6176ac794991bd174f61dff9c3d15b0635352cce622e8088515fafbc447dd15717b3c2001ba34f86a19ba2abc4029

Download Submit
memory/1260-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1260-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2428-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2428-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download