c62257a99d410a5c1fe9764a1bb9ed3b89bce688b599dafb74bbe02ef359672a

Analysis

max time kernel
150s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d5980620789e028934a96097f0cbcad.exe
Size

208KB
MD5

2d5980620789e028934a96097f0cbcad
SHA1

c30257f136d9aad18b1ec33d927b194b6e3ae601
SHA256

c62257a99d410a5c1fe9764a1bb9ed3b89bce688b599dafb74bbe02ef359672a
SHA512

a6a2da28a8f751f67da0e5967a7aa6da2288966ef38644e44be1a0bce0c21610c83ffcfd359225a4a8b0dedb8fd3b803c5422ae584f8d20634af918f80acda0f
SSDEEP

6144:mldxTC7qow3TW0ww7TjuCn7zUmQ7Y0pMWwBZx:+xEqPww7TjtzFQ7VpMWwZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3520	u.dll
4540	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1008	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1500	1240	2d5980620789e028934a96097f0cbcad.exe	27
PID 1240 wrote to memory of 1500	1240	2d5980620789e028934a96097f0cbcad.exe	27
PID 1240 wrote to memory of 1500	1240	2d5980620789e028934a96097f0cbcad.exe	27
PID 1500 wrote to memory of 3520	1500	cmd.exe	32
PID 1500 wrote to memory of 3520	1500	cmd.exe	32
PID 1500 wrote to memory of 3520	1500	cmd.exe	32
PID 3520 wrote to memory of 4540	3520	u.dll	39
PID 3520 wrote to memory of 4540	3520	u.dll	39
PID 3520 wrote to memory of 4540	3520	u.dll	39
PID 1500 wrote to memory of 4888	1500	cmd.exe	41
PID 1500 wrote to memory of 4888	1500	cmd.exe	41
PID 1500 wrote to memory of 4888	1500	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\2d5980620789e028934a96097f0cbcad.exe
"C:\Users\Admin\AppData\Local\Temp\2d5980620789e028934a96097f0cbcad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ED7.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 2d5980620789e028934a96097f0cbcad.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\70AC.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\70AC.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe70AD.tmp"
      4⤵
      Executes dropped EXE
      PID:4540
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ED7.tmp\vir.bat

Filesize
1KB

MD5
847239b869cc7de2a307ffb8500a593a

SHA1
a19164ec634006913e5c7bdfa97955e29f72ab2a

SHA256
3ce964947f05a4d729d0f63c58ee3cbe4da10de3b8ff8cf14f328eac64b76c2b

SHA512
428722a088b5a402de340f48365c57b9915688a113e7d56174c65622b8c5b206c01f0dbb31fe0e32447c40da343278c2e94545766651510a62287f4be3144ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\70AC.tmp\mpress.exe

Filesize
12KB

MD5
ec37f509f29b8eb26705f9ecf6e3fbf3

SHA1
fb44255d898f2ca24b98746d275234319efdd9a0

SHA256
13bb4da69a3167a5a98fdf5aaf7d2e937cd05f8746689d8deeb76e7005b52b2b

SHA512
6c2edfb3e4d6c0ecd33024b09d5eaaa330add17fb4e8e4301e9c6ce76affd53c73a50d3db55d7b8633616daee0fda6425ccad35a4b3fd1e650383b237f8e082f

Download Submit
C:\Users\Admin\AppData\Local\Temp\70AC.tmp\mpress.exe

Filesize
1KB

MD5
118ea5a89a8339f2b622717d48f9285b

SHA1
af38929dcc57a7148af3372008a294a80f3635b4

SHA256
5cb9cef7fa6145284b1593f53f788c5897c8e046fc90943ece566812ef453c62

SHA512
a97715b5b53f060ac8d00b170de05198d03871b95b1a8a0afd7b552e1814d271d74d2d52b22d20542e69c4aac2232a03ae8597958902bd05047031bb1009cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe70AD.tmp

Filesize
1KB

MD5
19889e037345e5f27472732a11ebb71b

SHA1
b02cfab30e8d4f6a16f8e90b2bf91c73fa0a6a8e

SHA256
631438b917ea651829c405eaaa90e340249a775b436c42c0708455c3faa24d0b

SHA512
8a48ce06f43409bcca320f90472e59aa6e2819888621483aa9c3a58a2da52b0b85622f6186aa8c402aeb2e3390754d6e5c0b39845acd917d6616522d291dae85

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe70AD.tmp

Filesize
24KB

MD5
b799e4b3cff5cefeb8355cff4153f617

SHA1
cf39041f0b03033f148329b62c2f593ffb3ce8cc

SHA256
e6f5642d95d82404f0c87ce3b455c662ad247d533cc01b0f454d194b244207c4

SHA512
62e28c9cf91fd311d2dee021062a92eacf482455842a6f835afedfb368d84de089569ae032a37c85c05c4cc20d1e1aeeda2cda6e673fa42e00b80b19974b9f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr72A0.tmp

Filesize
1KB

MD5
1fd30d21e6552fcbe3dd2a562bc87c17

SHA1
172473f42e5032d7325decc1913b9c7adb4138b0

SHA256
65d52b4d307872463cf5d80571225a4408be42371bde7a49714955ce462ea88c

SHA512
b50525909af88074110250e6065153a32ce01fd36aa26272456c65a190b015fc9cb192a319a237b8bf340643abf3c1f82cc1d5eb749387591e2ea140566314bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
43KB

MD5
e9f0bfb45bb9fcfa2b1020c4097a9cf8

SHA1
d916c529c1ac0974b15cc56d27c24c3818d2e9f3

SHA256
c12c12ab612c7f3679936c1b792bb26086fc1f2885ccfc2769ca264efd821b6f

SHA512
8766f0414a46ff769fa916a66c6a7882cdaf17c497bf208dc7a1cf7b24a9ffe2357aa6634303ef4ca6701c640ffe15e881cdca6880b318a757255b4a04ddb055

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
1KB

MD5
9b960bd34b156ff4acfa2a14b6a9292c

SHA1
193729fb0475a0e31d89d47cb9bece778671415c

SHA256
5c516cd1a02ee440bbae6fc2349fd0bf6390988b8ec9213b3f8b8474940be2c1

SHA512
ab8492f570c3a8223931cf579b326fbb63919c6a2b025f3be847e83ae141a9b28c23834341331df4a1b0a5ab18097ca33308a99f3907c6d24feafdd7ca384358

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
61KB

MD5
376c263e9f9f615c53b800ad49de5117

SHA1
5d447449eb32b1380502f9175f09c68b1c26d5be

SHA256
6de053f6516bbd7345c848762d3df119e9b172d882636748e99ccba4e5603f83

SHA512
8bf11dfb08ee97601071171aab45454afc58e5e56cbac84d50771bd0448b4ca790460827a9ab5f5a06f2fcc23e2ee4863cf5311c293c3e9a8b3c44d48aa5961d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
18KB

MD5
5a4905bbd785cc2412601d7770d7eaa5

SHA1
d26362c1dbbb8f4d51d1719f35ce84a18e276d45

SHA256
c08ab28e8b1f3334033e8a6907fd2807a903abc4ba317687f2e2c4a29162ff3c

SHA512
4db0504054a036c4dcfd05ba6f4979e52f7184501f17f900d3fdd3b4830130848314f688e0c9ff7df2231f7122e2c0dfe1303e7e11c0e75c71636f15b93ad2d3

Download Submit
memory/1240-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1240-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1240-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4540-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4540-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads