a520c5d81ccf5fb7701c0540f4fac5046e9e8b2ea94f2fd808baa16b50f8d9e8

Analysis

max time kernel
1s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2024, 16:41

Target

4ed3921e940ee7d187b6ff39e253853d.exe
Size

209KB
MD5

4ed3921e940ee7d187b6ff39e253853d
SHA1

ae3a3acb97f42f52e50cdd93a7643be732f286ca
SHA256

a520c5d81ccf5fb7701c0540f4fac5046e9e8b2ea94f2fd808baa16b50f8d9e8
SHA512

c19835ab6cfdf46e3a336ab2698c37703cdf65bbadffc8b42454c47c84dd076cab0025db47a92c0fb5bf74c5559058736c27f87802e386d816aa312c4baab0c8
SSDEEP

3072:TlUz9nfwWiUVPtaebCOWiDyz0+amogwQQqA9k/0wMFZ9UMmICmvCZYO:TlUzEUNttCX2mDwQQp9k/0LMaCZ

Score

7^/10

Executes dropped EXE 2 IoCs

pid	Process
4520	u.dll
5760	mpress.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 2712	912	4ed3921e940ee7d187b6ff39e253853d.exe	17
PID 912 wrote to memory of 2712	912	4ed3921e940ee7d187b6ff39e253853d.exe	17
PID 912 wrote to memory of 2712	912	4ed3921e940ee7d187b6ff39e253853d.exe	17
PID 2712 wrote to memory of 4520	2712	cmd.exe	19
PID 2712 wrote to memory of 4520	2712	cmd.exe	19
PID 2712 wrote to memory of 4520	2712	cmd.exe	19
PID 4520 wrote to memory of 5760	4520	u.dll	24
PID 4520 wrote to memory of 5760	4520	u.dll	24
PID 4520 wrote to memory of 5760	4520	u.dll	24
PID 2712 wrote to memory of 4420	2712	cmd.exe	22
PID 2712 wrote to memory of 4420	2712	cmd.exe	22
PID 2712 wrote to memory of 4420	2712	cmd.exe	22

C:\Users\Admin\AppData\Local\Temp\4ed3921e940ee7d187b6ff39e253853d.exe
"C:\Users\Admin\AppData\Local\Temp\4ed3921e940ee7d187b6ff39e253853d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\48C1.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 4ed3921e940ee7d187b6ff39e253853d.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\492E.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\492E.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe492F.tmp"
      4⤵
      Executes dropped EXE
      PID:5760
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    PID:4420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\48C1.tmp\vir.bat

Filesize
2KB

MD5
a82b16df789a5f6c704ed18b8edaf84a

SHA1
5558013a3b0f5640e00cc868e3f17855e2efd689

SHA256
13d9edea0b722d4941647aa8153ce877a94b8fa4c641887e7309801097df77af

SHA512
60074e236d290ee26dcb727a73bb003a2b1b3a4cff15346b2768d39cb9d689b0b6cc874f7de37a58624025ec6df0872d4b066e1bde48afe509b1d6cb583fbfd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
92KB

MD5
ace4bef1eaa126302be21c4105cc6ea3

SHA1
227744c90647355a13c84178f9fedac3f75fdb97

SHA256
8a675772564f80e1e7c4e51cbb64e1ba19990a010b112abc5f050100a6765c66

SHA512
b4909dc9aabd8f478717a08e14648bc131b6176ac794991bd174f61dff9c3d15b0635352cce622e8088515fafbc447dd15717b3c2001ba34f86a19ba2abc4029

Download Submit
memory/912-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/912-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/912-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/5760-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5760-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download