81e557c333b87bbd7f89044723e11dec408a0b0631eb60d4280632142d2a377b

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46f40b2bfeff8bc50bd160f624ae76be.exe
Size

208KB
MD5

46f40b2bfeff8bc50bd160f624ae76be
SHA1

ffd5ecb5625a7f579c5c062902b2d06194c8086c
SHA256

81e557c333b87bbd7f89044723e11dec408a0b0631eb60d4280632142d2a377b
SHA512

34ffa8ce2ab9be92cb2ce2bc131698dcfa47d927721c7c7a8119d1ad54f1646507f04ded64b773974f585eb75c31a6c8ff5be9aff31f04085b560e22ce99c880
SSDEEP

3072:Eld1G1hH0LcVCumiGWGxPoHBeI1B2MM30dTBvOTuCEt2d+rQqtyRIMtI8:Eld19wCugWGVmB518N3mTBOuCMZtyVI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2460	u.dll
2356	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2220	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4876	4864	46f40b2bfeff8bc50bd160f624ae76be.exe	89
PID 4864 wrote to memory of 4876	4864	46f40b2bfeff8bc50bd160f624ae76be.exe	89
PID 4864 wrote to memory of 4876	4864	46f40b2bfeff8bc50bd160f624ae76be.exe	89
PID 4876 wrote to memory of 2460	4876	cmd.exe	90
PID 4876 wrote to memory of 2460	4876	cmd.exe	90
PID 4876 wrote to memory of 2460	4876	cmd.exe	90
PID 2460 wrote to memory of 2356	2460	u.dll	93
PID 2460 wrote to memory of 2356	2460	u.dll	93
PID 2460 wrote to memory of 2356	2460	u.dll	93
PID 4876 wrote to memory of 3220	4876	cmd.exe	95
PID 4876 wrote to memory of 3220	4876	cmd.exe	95
PID 4876 wrote to memory of 3220	4876	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\46f40b2bfeff8bc50bd160f624ae76be.exe
"C:\Users\Admin\AppData\Local\Temp\46f40b2bfeff8bc50bd160f624ae76be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\492E.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 46f40b2bfeff8bc50bd160f624ae76be.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\49BB.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\49BB.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe49BC.tmp"
      4⤵
      Executes dropped EXE
      PID:2356
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\492E.tmp\vir.bat

Filesize
1KB

MD5
3132d55642662936b3d596f00f1da821

SHA1
777f0f721c13a934a03a1781a46638b1ab59b760

SHA256
0350f9c503326d27fed3ed81507a0b03fbfa02dc974429f6f1ebaf525eb7ed44

SHA512
8eae3fdc50e1067d1f33f21967a091bc37fb336eeef9e84cd5920502a2669236b9f2183261367abcb94588a6144ebfae4dc0b466682d7a6e7011434d89a653b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\49BB.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe49BC.tmp

Filesize
41KB

MD5
7cb94ab71579f67dd8167ccb854b359a

SHA1
74e86a56f85e57d281d3ef96e9a37e1cbdf00234

SHA256
94c019063145e6f988342dbbdad106f33eb452b627c2b49dab48e42491e84223

SHA512
bc25d4d61dce320e970c357d81acc8bf825ebece79ca49fd5cc7ab6c997e1f68d293a6a7efbf4fcf9720f1a955fec1f89564d736f70c610f8b09adc19663002e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe49BC.tmp

Filesize
24KB

MD5
4a5be32fb94601714c46d106925cc4f6

SHA1
de1067395116b3a00152b34e24f6645770eaa2ee

SHA256
5a4aed2b271398f6a9b7de1290e7e5586a19aef9c2437404355c8cf639faaf62

SHA512
27796e99f88ff425751a976d721583a3084185137166a5083f6622cc5092b149e0943b98f96648b6f89ddf5759b870e715ca9aed5519c94e9a3dccb55dab8b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
03e84bf7ea2eba6e881e868ceefe2526

SHA1
09019ed20cf16847a264f5d1840ee0802f1778a6

SHA256
8b16836b18106d0e8fdbb4b26beefee04479fe219a59cc2a186b68db91fcd832

SHA512
32a47a7b4725f2d71573ad855b0a3bc99b3fa86d70f7b1b60456361bbcd03d37ea58f2b7092c0b6993e156db4ddd66b1d544363523f580a6dd8c055697ec2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
128KB

MD5
a79afbf7eec2e3e15522f2037379e4b3

SHA1
4cd4f4c1c508c815d968730ab8f97fb040052374

SHA256
5342ea8d172011dbb700a36c035e22eea12727b2475c80ee130944c8be04630d

SHA512
c6cc3a66050584228f93481eceb5d042e5c141d7e3edb83f474c4122e82113dc138f14f2eaaf984a5d7acb6c207639ec28c1ddbf9f49e2c636acf99399a22e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
109KB

MD5
bd1c6cf6ae69f82387d4745b560e588c

SHA1
952d9bddaa79eb04598fd923c83034b223bfb8ed

SHA256
da668df79eac99b62dc948d6c0225ef6a470ed8ccb5401c6b5b98528094f0dbe

SHA512
20bd94023b55af2ea712b956d07207839c4849cea7b1e4485d6058bbedacefbdc1894d549725d42b625582dcdd154119b23e5d8b7fa7dd12c801001577f4946a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
93KB

MD5
ec3db92301aa424c7a530a4d539a7f37

SHA1
ce848672ac400bb50fb7ef6dfbb0f92f3b41d65c

SHA256
6a9bad795d66771f71f44ef3200af4939ff91cbf757aece23ef677e08b63eebc

SHA512
a6cbd9adaa09737eccce6876531aa59b43b945bcf0ec2b97645f98377061eec725bb7bc678bc7ec16cbf2ba1dcac118a382c0746846cfffde0fdc349331b6b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
cb1c79f594833990109cfea4810a5e24

SHA1
2112e06776b0a485dd148557a6dcf296db6aafe0

SHA256
d1ee05cf8925ae084deb91221a1b5d2181abaad38aad9a0d66161abc5d598b4a

SHA512
12a111be8d972ce4a04cf88954bf719b775da1cdb7db9047a07c438d5efb9e269652471803b0beccc5f79572b0343e61cb865b3ba187e4359e370d95f1e586c7

Download Submit
memory/2356-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4864-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4864-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads