Analysis
max time kernel
1s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted
07/01/2024, 23:44
Static task
static1
Behavioral task
behavioral1
Sample
4a16a2eeb25368c6893a2b10323b097d.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4a16a2eeb25368c6893a2b10323b097d.exe
Resource
win10v2004-20231222-en
General
Target
4a16a2eeb25368c6893a2b10323b097d.exe
Size
208KB
MD5
4a16a2eeb25368c6893a2b10323b097d
SHA1
6d6abf154af69a953bde2ed60a71a9d18e4c6ca0
SHA256
a9bfa465d80b94474d989c595dc98d1b23b0c4d02aa31bd1e564c340d84f3a0c
SHA512
e51ffdfbc5bcf0e992b6fe4aec7644fa6b52f1242960a7e751edb1527ff565d19a970b61f0e08775fe06f962637b05f0ffa8d6c120e6a2cf81ece503fe27f779
SSDEEP
6144:7lH4Z/VA799SAT1RPU9ZADrmbjicBhR5uEmTbcPq:ZY699BAZAH+jiahR5uEmncPq
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid    Process
556    u.dll
4764   mpress.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description                      pid   Process                                procid_target
PID 3812 wrote to memory of 512  3812  4a16a2eeb25368c6893a2b10323b097d.exe   89
PID 3812 wrote to memory of 512  3812  4a16a2eeb25368c6893a2b10323b097d.exe   89
PID 3812 wrote to memory of 512  3812  4a16a2eeb25368c6893a2b10323b097d.exe   89
PID 512 wrote to memory of 556   512   cmd.exe                                90
PID 512 wrote to memory of 556   512   cmd.exe                                90
PID 512 wrote to memory of 556   512   cmd.exe                                90
PID 556 wrote to memory of 4764  556   u.dll                                  94
PID 556 wrote to memory of 4764  556   u.dll                                  94
PID 556 wrote to memory of 4764  556   u.dll                                  94
PID 512 wrote to memory of 3408  512   cmd.exe                                93
PID 512 wrote to memory of 3408  512   cmd.exe                                93
PID 512 wrote to memory of 3408  512   cmd.exe                                93
Processes
[1] C:\Users\Admin\AppData\Local\Temp\4a16a2eeb25368c6893a2b10323b097d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4a16a2eeb25368c6893a2b10323b097d.exe"
    - Suspicious use of WriteProcessMemory
    PID:3812
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4E6E.tmp\vir.bat""
      - Suspicious use of WriteProcessMemory
      PID:512
    [3] C:\Users\Admin\AppData\Local\Temp\u.dll
        Command line: u.dll -bat vir.bat -save 4a16a2eeb25368c6893a2b10323b097d.exe.com -include s.dll -overwrite -nodelete
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID:556
      [4] C:\Users\Admin\AppData\Local\Temp\4ECC.tmp\mpress.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\4ECC.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4ECD.tmp"
          - Executes dropped EXE
          PID:4764
    [3] C:\Windows\SysWOW64\calc.exe
        Command line: CALC.EXE
        PID:3408
    [3] C:\Windows\SysWOW64\calc.exe
        Command line: CALC.EXE
        PID:2364
[1] C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID:1332
[1] C:\Windows\system32\OpenWith.exe
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    PID:3332
Network
MITRE ATT&CK Matrix
Downloads
Filesize
1KB
MD5
3350b31e7a02e683a845888c2554039b
SHA1
a03dbf85f7a9923a03db8b8689bd6ac715be8875
SHA256
3299f6343b1c9a9df39695f60df3f023b234684444ce15b8d34611d11f092c72
SHA512
65c55aba837d4c54a616d58e3337085334f89bbe02bc928e5a583edb04744718d278916fc6534c9b28623f020d176757098122295aae1135cb41a5dd7bdd5134

Filesize
100KB
MD5
e42b81b9636152c78ba480c1c47d3c7f
SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8
SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Filesize
57KB
MD5
ad855c26ea2f3706ce13cc626fc3b9da
SHA1
303bc5bc3db11a629f6cccfc5b5108ae5bdc9543
SHA256
3a410b6a06a351a40e66c1f5509f4c7cf788d07a9cb37d36a2b98bd60c5619ff
SHA512
6f2b1f11218be19a9f834969f0ebb8727675f9e0fce428d63ec7cd88d90f357c8a42080c20685104fb8116ed26cab8b39f1eb977d60fd7c4434c72295bedc2d5

Filesize
41KB
MD5
5a16fb75977e1799ed52f35a164922e6
SHA1
c1697c61c42498f0501a886392ddd2560646b24c
SHA256
f625375b30e87216e720919833d9d4e7bc11f0b61a9d2d218817d2ebb140d7de
SHA512
1e31f17c0fea7df5bd321ff0015b8226a378b649c43df1111d9467b0f86f3a14e5a7ae9ed00314695f688b7cc0c18e44b3fa6521a8fea5943e4eb9a69a612216

Filesize
24KB
MD5
e6463306e4c9e1869c45c0433ea1eb4b
SHA1
33512256446775a16d9ec37c2ffbf1c181bbcea6
SHA256
c06e36b469862896e2c897a6c5d62904001de12be848452d77aedc560c2630aa
SHA512
a1fb58a92a6a57b166092cae0898937d652ea1f0f555f4829094d5efb7cd4763890ce76e35923ebbef6b3981b5565e0feae2484543f38ef999d6f22fc67bb589

Filesize
103KB
MD5
88a779d2c56a270e669b562e06900178
SHA1
239c9087a29726371bcfd404f3dff783aff5b07f
SHA256
11cc5a32831eeac45e407f9704af83a1fc6b91de245daf17dfa881e80b1a97c6
SHA512
5e3cdf3229d179c3abccb143f461b88156b3dae31d65d64849642de74026bd0afa3070acb1e6143a21741ce517f3e4b69c198fdc179252b61593831acd8a95f2

Filesize
68KB
MD5
2325c3435c52cf4a0a62ac016df6daaa
SHA1
f448f71ebc6ff475d59dc7b3884b087b7edfe770
SHA256
130b46e715d57ce9ffd9b8a06215f6a4cd60a4ad245c3815ca19882790eab74d
SHA512
c917b7d43c72aa280379e4f527811f2b44d2327113d06ed9457b6dff67c0400a9117fb6effc73ce28b3725058861769a69817e42d16ffb0bd0b6558668e1f307

Filesize
117KB
MD5
732079ec40108bc90646a01f70591827
SHA1
84f97eb9184e2157c73c343c6790d4c5fd40ef43
SHA256
bdc06b10223c46033b4de87ac659c088b66a0ca2f9b53096086839bfab3296eb
SHA512
089538f6e9a43e05d473a34fa9efcc976249b05ea6351b7d243addf0e1d0f7b0e7582305f24325c35144c83d98b5e94b58ed7a336677ca680923883d30af1dc3

Filesize
271KB
MD5
e5dd02264fc60a88b9d27e9f9d63053c
SHA1
fc57944674d220b50b94d3c8a61038675fd60ad9
SHA256
9e57a5a588b0bda5c205126bc3ebfa50c81aa1e61f687af576d69ea4ae3f2f66
SHA512
cc3a1ef4e43caec6f540540cc43b32a1fb8e29a9bfec6cd49850001bc63502f160609d26f480bf667057661f138e21a09be8638713734745842887b3722f8c0d

Filesize
1KB
MD5
116ae338a55d43083bbb8840b6bf003e
SHA1
1b84f9329bfc6268031593a2d0b01f12ff395dd8
SHA256
75e4a0e3f6356a27707c78acf6300edd14fa0857fde677b5dae9b0aa351842e4
SHA512
56c4f411091eb5fc047da2c30b3dc86638c92f88e0441ae166998c60c3751c32891638083cf197401e1a084fcfa2542257dc09a3de03b83c7fc88f876c1e6f22