b4ca9c6f251508fb78551ad3b76a00f5d23472a91dbce5815124e188202d4436

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2024 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c9b45c9119955fa8e030d4e0d1e7c58.exe
Size

209KB
MD5

4c9b45c9119955fa8e030d4e0d1e7c58
SHA1

82232f4fdbe0058e8ea09699a99eab4257e8661b
SHA256

b4ca9c6f251508fb78551ad3b76a00f5d23472a91dbce5815124e188202d4436
SHA512

f5c1192b20735a0030e79a86c62e0ef95eda0362dbb645c20e2e2b5c48955abf6b3e874fd5c6d4c0deb38fa90f0b662a1b1c9afccb8a78e04c3733c33d9db9c6
SSDEEP

6144:/lGRgXm15ixES+ERa7mf1rTCKjY6Iwek4IA4dUBceg3nz4YL/yo:wv1JoRaQ13C163ek4E41gjLLB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2916	u.dll
3384	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4120	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4668	4060	4c9b45c9119955fa8e030d4e0d1e7c58.exe	87
PID 4060 wrote to memory of 4668	4060	4c9b45c9119955fa8e030d4e0d1e7c58.exe	87
PID 4060 wrote to memory of 4668	4060	4c9b45c9119955fa8e030d4e0d1e7c58.exe	87
PID 4668 wrote to memory of 2916	4668	cmd.exe	88
PID 4668 wrote to memory of 2916	4668	cmd.exe	88
PID 4668 wrote to memory of 2916	4668	cmd.exe	88
PID 2916 wrote to memory of 3384	2916	u.dll	93
PID 2916 wrote to memory of 3384	2916	u.dll	93
PID 2916 wrote to memory of 3384	2916	u.dll	93
PID 4668 wrote to memory of 2348	4668	cmd.exe	92
PID 4668 wrote to memory of 2348	4668	cmd.exe	92
PID 4668 wrote to memory of 2348	4668	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\4c9b45c9119955fa8e030d4e0d1e7c58.exe
"C:\Users\Admin\AppData\Local\Temp\4c9b45c9119955fa8e030d4e0d1e7c58.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\45C3.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 4c9b45c9119955fa8e030d4e0d1e7c58.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\4631.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\4631.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4632.tmp"
      4⤵
      Executes dropped EXE
      PID:3384
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45C3.tmp\vir.bat

Filesize
1KB

MD5
194713fa454705191ea5f3a5f0c2d853

SHA1
be438904539c6079c3e6bc179a042f4334e574d5

SHA256
1933dffff3ff0a06caccecc20bcff61cae1c802b376bf431a2abf5d095837273

SHA512
1b284be1d2a96f61ec43c49c1a8dd1314202c0c0fb232c9995afca48596e230fb95a50a7377217bd7e08eb4255b76720ea93471a70b586e2a5c11f438740f11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4631.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4632.tmp

Filesize
41KB

MD5
4d1c4e637e66e3aee050194ee149b1ae

SHA1
542aab9bf825e8cbb8afc946b8fe555ea402a413

SHA256
ba3591ba0a42bd2556af093af3beb685383b239570a459d00ad9ff0747851e25

SHA512
801010a3a79285d26a7ecd84928b7e24de7adab6ad67d2d2ebc81a5639a6b9ea9f0f5cb087e1dfbda5a9cfa031bc2f1798f18d688a7cfc600cb9cde670862011

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe4632.tmp

Filesize
41KB

MD5
dcd2886d7d47d082ba1d1aa8199e6fe2

SHA1
a9e6a16c78c39a55eb625c10743bc078417ce8d1

SHA256
96c55161ed7b9e313813ef86b937623ecac7852adb17fca24bdc8b1e4d7e6ea0

SHA512
e1549f74df265c03abf49c5b0b3a68e43886139b4c3edb3295fbfdbba5f5baa2bfa6b3d59b448116242245088ae0b56755155c84df5ecf5acfd2a8946f5f087c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
444e98d7d053e1fd121b9d5ebed52181

SHA1
e7b2a883b90498d0d2fb5bd7085eb3865c6201a9

SHA256
6d9c5dd70414a1a543c38f2a82997ec34868bcd484fae2b8146d186d7f7bc2c1

SHA512
3738cce8411d09682824365d6e49db0919e95c98fb55c6be9000611aa612618295b9bef353f7f5d972c5c92781470aa5629c2a956956a968edfd17ddacd54c49

Download Submit
memory/3384-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4060-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4060-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads