1345cbf3daf6161ce349d41cbf10efe7ce3aadf85905f8d4db7f6026d970206f

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 21:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ed37e52930b5c3c0fbc9e6abf0d982f.exe
Size

209KB
MD5

3ed37e52930b5c3c0fbc9e6abf0d982f
SHA1

c68a2c997a8e0c0f9de3a99da7cef376ed96183f
SHA256

1345cbf3daf6161ce349d41cbf10efe7ce3aadf85905f8d4db7f6026d970206f
SHA512

c107e0e23510df45bf9acc9c4340750a44183700c6892c66b91dc3bbb8fabc49f241b2398417fd24f16ef4d72cb1b971d9452734b3a72ce99ec8bace9349be77
SSDEEP

6144:8ltGmuklXlMILZpHy3GGeuv5Ppf5ZYdNm:8GmpmILoGGes5PphEm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4476	u.dll
2904	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
716	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1596	2596	3ed37e52930b5c3c0fbc9e6abf0d982f.exe	88
PID 2596 wrote to memory of 1596	2596	3ed37e52930b5c3c0fbc9e6abf0d982f.exe	88
PID 2596 wrote to memory of 1596	2596	3ed37e52930b5c3c0fbc9e6abf0d982f.exe	88
PID 1596 wrote to memory of 4476	1596	cmd.exe	89
PID 1596 wrote to memory of 4476	1596	cmd.exe	89
PID 1596 wrote to memory of 4476	1596	cmd.exe	89
PID 4476 wrote to memory of 2904	4476	u.dll	92
PID 4476 wrote to memory of 2904	4476	u.dll	92
PID 4476 wrote to memory of 2904	4476	u.dll	92
PID 1596 wrote to memory of 1820	1596	cmd.exe	94
PID 1596 wrote to memory of 1820	1596	cmd.exe	94
PID 1596 wrote to memory of 1820	1596	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\3ed37e52930b5c3c0fbc9e6abf0d982f.exe
"C:\Users\Admin\AppData\Local\Temp\3ed37e52930b5c3c0fbc9e6abf0d982f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\64F4.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 3ed37e52930b5c3c0fbc9e6abf0d982f.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\664B.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\664B.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe664C.tmp"
      4⤵
      Executes dropped EXE
      PID:2904
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64F4.tmp\vir.bat

Filesize
2KB

MD5
b0967bb4fc50c8f3d39b83cfd180f66f

SHA1
8f6cc182d8c88152ebf2da7a572cd2132bfa2f05

SHA256
694d51ca613cf04313cc30d7887310d1ad84736bc28197736eaed1f90a12b85a

SHA512
b251b58cdffbe9d5dd9e86a22ba6116e43c44c2a31e9daf242e8560bb6fbd78b4d7102cc8d72375f20c2f01eb133105d43bf199c9e296b66254797cd59b05b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\664B.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe664C.tmp

Filesize
41KB

MD5
4f74129c104ef1d140d90e0ba568ce01

SHA1
6f3eff482f956305006b6768a2a6ff242798a45d

SHA256
7695698f1983d6f8884164972c0e546da7e4a29f3c2ac244927f5b28da24c753

SHA512
8757d38c206b29cbabc7ada99871fc590ff0a775814a74752b9f3971956e7c000ca259cc9e1906897a343397d4dcfe9c271024878de42eb87e22477a6fd50f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\mpr67B3.tmp

Filesize
24KB

MD5
cdcfa1efe50d04afc7e0132fefaaebee

SHA1
9fb31f91df27a9fa854e13997eb27b1fffba93ec

SHA256
b418c29a1ce04661d4028ca863ba1253d49c15570cbfd50a0b1cba268357520d

SHA512
1aea5e87344b6f74b2584635216f3a3501bb8852aede2b5e395713041b82c006a8518edac769578e2062f9f592a0e5600ca7685fb1430eaef278c4b99b275a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
fd0d0d7ae1d515c6a6a5e027a383e813

SHA1
5ac4fff2a23711869002bb26e4463530788e086d

SHA256
6429e1a8f97a7e8226cae762348ad91d938e474db9ac2eb7d5d3aa2cc4b6123e

SHA512
068bec88e014b8d1a657f1eb75dfa1730c48601c4dd69198214fb8ea95e4e99fd8b185dbd1ca2cc6b075acb950af299b2483a3176951d2e80b0070708791778a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
2KB

MD5
7d6875c060e8ea1fd217a9d9d9bd9fbd

SHA1
6d2c7ec99b63c082f95f47a787d4804efc1a3453

SHA256
e8fe876faf5734a9d4f6dfa13a2dbde34d0f06ec1894d970dc40dab20466c9fe

SHA512
e96aa6809813fba1cedfb8ff31d5fb596f7d065d0226d371ed8f624ca4937d9f912e56ee9c20953ed6048339551313185815d65a8c8d6997aeb60ef2ddd1d7c0

Download Submit
memory/2596-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2596-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2596-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2904-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads