32894a28236bb9400a375bef40fc928af67640fd3d216bcc9776bf00b5fb68fd

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

488806365a2a0911408c682883b7b7ad.exe
Size

209KB
MD5

488806365a2a0911408c682883b7b7ad
SHA1

be83f2db42215334d28dc8991762cca03aeac327
SHA256

32894a28236bb9400a375bef40fc928af67640fd3d216bcc9776bf00b5fb68fd
SHA512

22480f20cac87b0b2eda3c592869da6a125c8c34145a2c6bfcaf57881205149b38bb1f617092638a5e578883ca4ca7bd8ef95e8dd4fcd71695479332ac51e88d
SSDEEP

6144:wlGRgXm15ibLGHf7juW00byM7YOsIprxKhmYb:xv14GHfPuW00bmOsi0T

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4636	u.dll
1232	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2216	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 3636	3096	488806365a2a0911408c682883b7b7ad.exe	97
PID 3096 wrote to memory of 3636	3096	488806365a2a0911408c682883b7b7ad.exe	97
PID 3096 wrote to memory of 3636	3096	488806365a2a0911408c682883b7b7ad.exe	97
PID 3636 wrote to memory of 4636	3636	cmd.exe	90
PID 3636 wrote to memory of 4636	3636	cmd.exe	90
PID 3636 wrote to memory of 4636	3636	cmd.exe	90
PID 4636 wrote to memory of 1232	4636	u.dll	94
PID 4636 wrote to memory of 1232	4636	u.dll	94
PID 4636 wrote to memory of 1232	4636	u.dll	94
PID 3636 wrote to memory of 2544	3636	cmd.exe	93
PID 3636 wrote to memory of 2544	3636	cmd.exe	93
PID 3636 wrote to memory of 2544	3636	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\488806365a2a0911408c682883b7b7ad.exe
"C:\Users\Admin\AppData\Local\Temp\488806365a2a0911408c682883b7b7ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5AA3.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 488806365a2a0911408c682883b7b7ad.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\5B01.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\5B01.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe5B02.tmp"
  2⤵
  - Executes dropped EXE
  PID:1232

C:\Windows\SysWOW64\calc.exe
CALC.EXE
1⤵
- Modifies registry class
PID:2544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5AA3.tmp\vir.bat

Filesize
1KB

MD5
0b519fd57abb84b2e71602fcd5579389

SHA1
7a1d1c07051a0169ed2479d70d58890ede362d55

SHA256
4a186fd031e605cec95ee7e20814abda62388d86b3a0a4f89d4fe9deda585117

SHA512
c8a95a9ed9d4232c0b7991d441e2fc0424f27881cb91463f045411d0e79981c372ec5f547ed33cd68aa1803d6e23753350e3b53ea9db8ace1823972af217b984

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
99KB

MD5
b5af7cde6497f29440edc0995d3bb4ef

SHA1
0353f1d3fd1a30ee038ef578d571c6c37c2c3cff

SHA256
ed5fc209eb3de586551301320b6ddb3c276424503e48f88b7539560977c8709f

SHA512
11965e39eec3fd5cd448e92033c7e90443ed1356172ed8084383d508c849014392bc8073860f8831d7dab498adaf6fa2c854eafcc30487aea9c476f598a46c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
92KB

MD5
ace4bef1eaa126302be21c4105cc6ea3

SHA1
227744c90647355a13c84178f9fedac3f75fdb97

SHA256
8a675772564f80e1e7c4e51cbb64e1ba19990a010b112abc5f050100a6765c66

SHA512
b4909dc9aabd8f478717a08e14648bc131b6176ac794991bd174f61dff9c3d15b0635352cce622e8088515fafbc447dd15717b3c2001ba34f86a19ba2abc4029

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
93KB

MD5
ec3db92301aa424c7a530a4d539a7f37

SHA1
ce848672ac400bb50fb7ef6dfbb0f92f3b41d65c

SHA256
6a9bad795d66771f71f44ef3200af4939ff91cbf757aece23ef677e08b63eebc

SHA512
a6cbd9adaa09737eccce6876531aa59b43b945bcf0ec2b97645f98377061eec725bb7bc678bc7ec16cbf2ba1dcac118a382c0746846cfffde0fdc349331b6b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
e8db1743c61ef9a0bcc4c2909670e86e

SHA1
7c74d2e38505b50c9ff7c6bbade770c13d202445

SHA256
68595c379108300fd6a12996dd6b7aa41f1f4cf5979eaac4d34aa29cad588234

SHA512
63ded50454fd41baf0690dcd0c1da0c722b018e4ae19898cdc43742863a90cb101d0da6a6e1dac87be0ac475cf498121f37c0ce03d6b20ecb2effe51f4514f67

Download Submit
memory/1232-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3096-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3096-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3096-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads