0614da9f4c103080fb5489768e443e98932644cb729a20117e6c6ff2a23d358e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 01:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

47b808068f29296e649cdf656435285e.exe
Size

208KB
MD5

47b808068f29296e649cdf656435285e
SHA1

437ad824acd1a476e1b217cceb06b4444741961b
SHA256

0614da9f4c103080fb5489768e443e98932644cb729a20117e6c6ff2a23d358e
SHA512

f6c116ad95289702e5a28d656f0e165a8859cf7597697a65172fd81bb9b53f9b0e2c1ccf06b18f4a288d379887c11b39b9ea55c68600aaf5265d87a8b315ebb3
SSDEEP

6144:4l1LjmzNUc+kMx2l6jUIcpryNxuv/0oPy1:smAx2QjoOsBP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4572	u.dll
1504	mpress.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3144	2380	47b808068f29296e649cdf656435285e.exe	15
PID 2380 wrote to memory of 3144	2380	47b808068f29296e649cdf656435285e.exe	15
PID 2380 wrote to memory of 3144	2380	47b808068f29296e649cdf656435285e.exe	15
PID 3144 wrote to memory of 4572	3144	cmd.exe	16
PID 3144 wrote to memory of 4572	3144	cmd.exe	16
PID 3144 wrote to memory of 4572	3144	cmd.exe	16
PID 4572 wrote to memory of 1504	4572	u.dll	17
PID 4572 wrote to memory of 1504	4572	u.dll	17
PID 4572 wrote to memory of 1504	4572	u.dll	17

C:\Users\Admin\AppData\Local\Temp\47b808068f29296e649cdf656435285e.exe
"C:\Users\Admin\AppData\Local\Temp\47b808068f29296e649cdf656435285e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4D64.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 47b808068f29296e649cdf656435285e.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Users\Admin\AppData\Local\Temp\4E01.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4E01.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4E02.tmp"
      4⤵
      Executes dropped EXE
      PID:1504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4D64.tmp\vir.bat

Filesize
1KB

MD5
6da46f0579b3abccf2d7a772aece71e0

SHA1
c388c8b91563e4024e822241bc23ab0053da5fcd

SHA256
e92edf717007d230101609e0e3fab3baa74eb7d3c1da3f9177bac79e5c65037c

SHA512
9368796777c81bcd124d55c2d4622eac85c5a22293282c383e370bb804110990582094e1bb419d36864748d5200c03e5af1076edff7572d45726e5aec420db48

Download Submit
C:\Users\Admin\AppData\Local\Temp\4E01.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4E02.tmp

Filesize
41KB

MD5
700e79358492de07a8717cf20ca2f14a

SHA1
f1be4ae88571a56004d75b9f1dcb89f964122f0c

SHA256
9d57f4e84ec5af01bc1f8bb36428febdb1ee8445ae6e87fbc0c632e1db409706

SHA512
e4b03ce6a0fea1e418bf9f9e9edda706f2c469120f9230ce3b8df30cbc5347639c2b51f60e598240a7c407340af8aabae27ae9fa4ccf74c4c1efa44878bcf039

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4E02.tmp

Filesize
41KB

MD5
fc48d0f4736d600b47fddde6c90a7b38

SHA1
3262a22e84a20a11503d3b6c60a0ba3bcb58f3ce

SHA256
db5e921a9c98467be42adb92f4b13ec5ec8520966739f9cdca20878c57a385dc

SHA512
59ba6d11e798978a634a2e1659f9d621469feb9b48979c092303e3a8829760e8a711b2d76cad8b1ad53ae405395cd0b14894556a641926849a393cf988d18d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4E02.tmp

Filesize
24KB

MD5
f634f3bb66a00857278b3f4b500abb23

SHA1
566af3b63e8d53f8a262d801496d1039e8acfb73

SHA256
c17736682513c71d9d74bf65d5c714552b19dad125f91eadb1e508ae972668a8

SHA512
e340f872df7055daeade4f2caf8d2bff9b2fce4567cd082102d5b90a5cd60c3b3bde4db1e0537647d38c90fc61d12137ed3e3cc6ae54c2dacc77e55149abb3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
92KB

MD5
3ead3d1666a7ba5496ca7f0bdba490e6

SHA1
1c2707e1ed0b80eceb9e222e7c12e922e1ad1a13

SHA256
9c86a7b9cbd93a18253b5101b8a4272f9396e752177b5a49520384df06f18f5d

SHA512
147d684c5f73aa2aadc05c01c9aa31e887242edf53b97f151024ddf84384b2517dc6bd9a7bb52d9c607f47583b7b4868e809ad042e7f8e951e6a331004c62335

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
acd2460b36c01254c0510181db7e3b3c

SHA1
97f79fa642286b9b6fcdfa20eefb5a4838b529f5

SHA256
838dade19f948834ad46fc7c6bc33ae65e5285d9ca113d9de18134efc17ea905

SHA512
594b441d71f43fa8cc2249cbd4d9f6d469c794bfce4ca6f858152ed890625de4921deb2f42f8f9fa5939b1d7da9bb245c5530a358de12551a9709c3eca744534

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ce503ee29a6a69945fd792366488a1b6

SHA1
3ea2bc61dbfb4c27e2a6212cb84ff0c363b45823

SHA256
a44d615cda5d7b55d5f81274b56c3b0595a2545c00cb2a7003f3feb37adce5f5

SHA512
40abe215c10de4658af4505c194c3f35d19f209c1563aae7284d67f8bbd95bd19727786756431d76ab69adc07f3b2a57069d10ddce5524e77b41c6ae79b6eb3c

Download Submit
memory/1504-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2380-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2380-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads