eb4487d3d3acea2a89c844ce494e0d545c3eceb69a95a57517dfe6e582aab439

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cda9f81511494941e6e3d44b4fe82bc.exe
Size

208KB
MD5

4cda9f81511494941e6e3d44b4fe82bc
SHA1

6cc6c64be2ca0e25b171fd932b08c1b3702191b2
SHA256

eb4487d3d3acea2a89c844ce494e0d545c3eceb69a95a57517dfe6e582aab439
SHA512

843ae7831001a40093e5d1bc9375df42780e90947eae65c05931a20ddc524aebd45a337efecb25a7ec5643601887fd916d5757b5a2a7be2525d32c2054fdac74
SSDEEP

6144:zl4mjZF//HvbDWqRwQhkPURTZ97FU0hLj:nr//zp2URTvxUg

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1744	u.dll
3788	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
964	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 4892	1864	4cda9f81511494941e6e3d44b4fe82bc.exe	89
PID 1864 wrote to memory of 4892	1864	4cda9f81511494941e6e3d44b4fe82bc.exe	89
PID 1864 wrote to memory of 4892	1864	4cda9f81511494941e6e3d44b4fe82bc.exe	89
PID 4892 wrote to memory of 1744	4892	cmd.exe	91
PID 4892 wrote to memory of 1744	4892	cmd.exe	91
PID 4892 wrote to memory of 1744	4892	cmd.exe	91
PID 1744 wrote to memory of 3788	1744	u.dll	93
PID 1744 wrote to memory of 3788	1744	u.dll	93
PID 1744 wrote to memory of 3788	1744	u.dll	93
PID 4892 wrote to memory of 4664	4892	cmd.exe	94
PID 4892 wrote to memory of 4664	4892	cmd.exe	94
PID 4892 wrote to memory of 4664	4892	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\4cda9f81511494941e6e3d44b4fe82bc.exe
"C:\Users\Admin\AppData\Local\Temp\4cda9f81511494941e6e3d44b4fe82bc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63CB.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 4cda9f81511494941e6e3d44b4fe82bc.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\65EE.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\65EE.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe65EF.tmp"
      4⤵
      Executes dropped EXE
      PID:3788
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4664

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\63CB.tmp\vir.bat

Filesize
1KB

MD5
097a40b8d56fa2fb3142a620d468ffb3

SHA1
56ede7655d773021fe6546459494757d80d7b893

SHA256
be97dcd69fb4bb8521fa52ba880ff7652a87a6425183aa4c47dc207362b4f2df

SHA512
b316e9692dd8b1f2c40ca18fee1815548356299da226666fb5943a88b9dfb1ad51bef067bdbf475f733370e2359ef15f4b134c1d9feae2c8067017b67ee13726

Download Submit
C:\Users\Admin\AppData\Local\Temp\65EE.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe65EF.tmp

Filesize
41KB

MD5
9cdcf02f847ddde1f3b62c676c5cc737

SHA1
1e28bc7716cb6adb55b1b397dbabbe31adba3cf2

SHA256
d7726cc05bcd788912a23fc85f233775da28cb0d4d2920c2be66e5cc69e2b7ae

SHA512
438303dceafa36ac40271d6b7759248357109cc479a53dd4eb472ab35d51f333f629be2da54fc113bcdcf2bb4bdf4201b5075351842d20d7e818c80a31b88e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe65EF.tmp

Filesize
24KB

MD5
8dd52bfe2f56ec20402bef5dafe49e83

SHA1
c29e3c436ab92db5326b5d31455202accf8cc98f

SHA256
e35ee21199e637983ccc35c7b648e694f6e5d6993ec12fe99db553270331a880

SHA512
ede99c417e95ef2fd36e8532d7e90cc4ba81800a8d826a0a17ee87e48152013e1cda09bdc1b74f567ee393248a283a443297c9e249ccd544cfb6fcd1ee2b8871

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
91KB

MD5
08597222c6856a114165101ff698ba9a

SHA1
2e445bf5c3503ace37962f867929def84cd6bc28

SHA256
1a121c6b312b001c791669f6bf1582453e11efe8f84af2853149e10d8bedf550

SHA512
839986413e9f615a46a188272d2a3e558d89c7ccd8f376120358b0dd2449736d96b2054a9971fded49c5e129455b88ead7c0b60ddbdb8ceefa09585983438530

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
114KB

MD5
2edc1a5961f364427ec76b4be01111b5

SHA1
a571654cd088e7c05776960bcc5766038a75d5dd

SHA256
bf86e6ab46a5f2720037379626d734b4c7226b3c2e65dd63a9e2895168e635f2

SHA512
fa2183a05e8f95fbc118725e0fcc292cbf53efb6832e83855cd8a703c8ff9056478a6730f226e5d30f40fe4390c11fae321d9202c521456c7f5499543054e160

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
110KB

MD5
d64373725b0899952a36ceea50be1b83

SHA1
f6703e73744ced053a1dbbf28f5a22c40ca78fcb

SHA256
3763a0dd8e8d6b9d9bb0a0fa669d93ead01c821bb5e74eef89fe618e44933ff7

SHA512
f9b319b10432d98ac1e6879879ab1ad6a934843fe70ef7083d0bf929677e68d2cc0052ba6abe7e7b2193b09c12747f339b805de69867f18f138f82f5fdbf88f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
121KB

MD5
5d34093e4ba52fb5ab9d88014a53ed17

SHA1
6be0cf3422fa0e6507745ce1ced5c79a869dba04

SHA256
3929790f1e68e012f5399b2d4d09269a2e28d0aa40f2c709be7539fd785169bc

SHA512
c2756b3bed225e7468ce8577fe7e5962b3bff857fbb56859b2b045699c99eef42fb5223b70c586ad3d12de256734ed2b4806fd00fd810c37c65bac75a1de74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
2378525b1fd9f863b3bf754e46afefee

SHA1
827f9c6357d33f2f9a7cd3f53ff6d842bdef1837

SHA256
9545203f1d31d5986c41c2e8727006233d56abc61a83ac261af6dd2ca64dfb69

SHA512
af0f8339d2dee1ca862d2e97162bc6ccf978b21380be1aef1e67a0a9a410e86c2dd094f0e1a8240ca6849a03a9192cd8de8783159cf68c2bb4d8ebd8a996391c

Download Submit
memory/1864-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1864-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1864-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3788-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads