Analysis
- max time kernel: 161s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/01/2024, 00:38
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 5210cbdff92a15cff75155ef9eda8c45.exe
  Resource: win7-20231215-en
- Behavioral task: behavioral2
  Sample: 5210cbdff92a15cff75155ef9eda8c45.exe
  Resource: win10v2004-20231215-en
General
- Target: 5210cbdff92a15cff75155ef9eda8c45.exe
- Size: 208KB
- MD5: 5210cbdff92a15cff75155ef9eda8c45
- SHA1: 42afb6002f6c13396fb3a266000d84c1516f301f
- SHA256: 63b228e508e96aafc50f6c9f13be2227c7f37c9a5dcf2a464166085ba99e39bf
- SHA512: 2743dc2a941f67345f676b44caf018b4f046f8bfdf6f218baec6f9e8bf3f18308f3b206b80d12ce2e3305b192864db3571b3d1f55e59764146da41304760796a
- SSDEEP: 6144:al4mjZF//qPq55PdklkF+U3NCQLUv8ZalgjuDO7KBt:Kr//qPKkU3CiUEIrD88
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  1436  u.dll
  2232  mpress.exe
- Modifies registry class (1 IoC)
  description   ioc                                                                               Process
  Key created   \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings   calc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2680  OpenWith.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  The report emits one row per WriteProcessMemory call; each of the four writer/target pairs below is listed three times, giving the 12 IoCs. Every pair coincides with a parent/child edge in the Processes section, so this signature here records the sample's own process tree being created rather than injection into a foreign process.
  description                        pid   Process                               procid_target   calls
  PID 2412 wrote to memory of 3808   2412  5210cbdff92a15cff75155ef9eda8c45.exe  95              3
  PID 3808 wrote to memory of 1436   3808  cmd.exe                               96              3
  PID 1436 wrote to memory of 2232   1436  u.dll                                 98              3
  PID 3808 wrote to memory of 3204   3808  cmd.exe                               99              3
Processes
(nesting shows parent/child depth as the report marks it: 1 = top level, 2 = child of the line above, and so on)

- [1] C:\Users\Admin\AppData\Local\Temp\5210cbdff92a15cff75155ef9eda8c45.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5210cbdff92a15cff75155ef9eda8c45.exe"
  PID: 2412
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5FBF.tmp\vir.bat""
    PID: 3808
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\u.dll
      Command line: u.dll -bat vir.bat -save 5210cbdff92a15cff75155ef9eda8c45.exe.com -include s.dll -overwrite -nodelete
      PID: 1436
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\70C6.tmp\mpress.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\70C6.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe70C7.tmp"
        PID: 2232
        Signatures: Executes dropped EXE
    - [3] C:\Windows\SysWOW64\calc.exe
      Command line: CALC.EXE
      PID: 3204
      Signatures: Modifies registry class
- [1] C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2680
  Signatures: Suspicious use of SetWindowsHookEx
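The WriteProcessMemory IoC rows and the Processes section above describe the same parent/child chain from two angles. The script below, added here as an illustration and not part of the sandbox report or any tool it mentions, parses the flattened IoC rows exactly as this report prints them, collapses the repeated per-call rows into one edge per writer/target pair with a call count, rebuilds the tree, and searches it for a named image sequence (here the cmd.exe -> u.dll -> mpress.exe chain visible in this report). The IoC text and the PID-to-image table are copied from the report; the function names and the chain pattern are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# The twelve "Suspicious use of WriteProcessMemory" IoC rows, copied from the
# report above as one flattened line each: description, pid, Process, procid_target.
WPM_IOCS = """\
PID 2412 wrote to memory of 3808 2412 5210cbdff92a15cff75155ef9eda8c45.exe 95
PID 2412 wrote to memory of 3808 2412 5210cbdff92a15cff75155ef9eda8c45.exe 95
PID 2412 wrote to memory of 3808 2412 5210cbdff92a15cff75155ef9eda8c45.exe 95
PID 3808 wrote to memory of 1436 3808 cmd.exe 96
PID 3808 wrote to memory of 1436 3808 cmd.exe 96
PID 3808 wrote to memory of 1436 3808 cmd.exe 96
PID 1436 wrote to memory of 2232 1436 u.dll 98
PID 1436 wrote to memory of 2232 1436 u.dll 98
PID 1436 wrote to memory of 2232 1436 u.dll 98
PID 3808 wrote to memory of 3204 3808 cmd.exe 99
PID 3808 wrote to memory of 3204 3808 cmd.exe 99
PID 3808 wrote to memory of 3204 3808 cmd.exe 99
"""

# PID -> image name, taken from the report's Processes section.
PROCESS_NAMES = {
    2412: "5210cbdff92a15cff75155ef9eda8c45.exe",
    3808: "cmd.exe",
    1436: "u.dll",
    2232: "mpress.exe",
    3204: "calc.exe",
}

# One flattened row: "PID <writer> wrote to memory of <target> <pid> <image> <procid_target>"
IOC_LINE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)


def parse_wpm(text):
    """Parse flattened IoC rows into (writer_pid, target_pid, writer_image) tuples, one per call."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IOC_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        if m["writer"] != m["pid"]:
            # The description and the pid column must agree, otherwise the row is corrupt.
            raise ValueError(f"writer/pid mismatch in row: {line!r}")
        events.append((int(m["writer"]), int(m["target"]), m["image"]))
    return events


def build_tree(events):
    """Collapse per-call events into parent -> [children] plus a call count per edge."""
    children = defaultdict(list)
    calls = Counter()
    for writer, target, _ in events:
        calls[(writer, target)] += 1
        if target not in children[writer]:
            children[writer].append(target)  # keep first-seen order, as in the report
    return dict(children), calls


def roots(children):
    """PIDs that write to others but are never written to: the top of each chain."""
    targets = {t for ts in children.values() for t in ts}
    return sorted(p for p in children if p not in targets)


def render(children, calls, names, pid, depth=0, parent=None):
    """Indented text tree; each child line carries the number of WPM calls from its parent."""
    label = f"{names.get(pid, '<unknown>')} (PID {pid})"
    if parent is not None:
        label += f"  [{calls[(parent, pid)]} WriteProcessMemory calls from PID {parent}]"
    lines = ["  " * depth + label]
    for child in children.get(pid, []):
        lines.extend(render(children, calls, names, child, depth + 1, parent=pid))
    return lines


def find_chains(children, names, images):
    """Return every PID path whose image names equal `images` in parent -> child order."""
    matches = []

    def walk(pid, path):
        if names.get(pid, "").lower() != images[len(path)].lower():
            return
        path = path + [pid]
        if len(path) == len(images):
            matches.append(path)
            return
        for child in children.get(pid, []):
            walk(child, path)

    all_pids = set(children) | {t for ts in children.values() for t in ts}
    for pid in sorted(all_pids):
        walk(pid, [])
    return matches


if __name__ == "__main__":
    tree, calls = build_tree(parse_wpm(WPM_IOCS))
    for root in roots(tree):
        print("\n".join(render(tree, calls, PROCESS_NAMES, root)))
    # Chain pattern chosen for this report: batch runner -> u.dll -> mpress.exe.
    print("chains:", find_chains(tree, PROCESS_NAMES, ["cmd.exe", "u.dll", "mpress.exe"]))
```

Running it prints the same tree the Processes section shows, rooted at PID 2412, and reports the single matching chain [3808, 1436, 2232]. The same parse/collapse step applies to any report whose IoC rows use this layout; the `find_chains` pattern is the part you would change to hunt for a different parent/child sequence.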
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: ced0af12a5ad2462ff4d4b613fc2b47f
  SHA1: e8b54118fa86bd46a64c1be103387ed8c4ebdc89
  SHA256: 289e1378f365ec6fa819246f044ff1120a2194b335d32ee42e97fc04a8cc35d9
  SHA512: 1e7502ff36c93a07bfc7bddb8bc206f5741bd5f9094e540aecad67a97e035cd2f24cc010e883cdc26b23d6a5f48b76cf5b7a968c492edd5237f071152b79cf53
- Filesize: 100KB
  MD5: e42b81b9636152c78ba480c1c47d3c7f
  SHA1: 66a2fca3925428ee91ad9df5b76b90b34d28e0f8
  SHA256: 7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
  SHA512: 4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e
- Filesize: 41KB
  MD5: 1e97c3f7a2966be350cc20c25181fc3f
  SHA1: dbbb7f881897311a47468e37683a0f233ee3b165
  SHA256: 3434ea33f48fb593d6e29fe0fc8382a24f36c06eda802137695e4ebec6f85ced
  SHA512: 280029401e9c644ac2da463ec7b88a4b588efd3eba5acddb094ce1cdc38a340b2d3f2dc918e9297826941c059ee9ee0ed590b56a6e18c61687d1470f90cb1b92
- Filesize: 24KB
  MD5: e4977b1539d5e8d5cc5375a8b77abd25
  SHA1: 4ef060db7236a0b06cdeeeba7734a7b1a8e3552f
  SHA256: 955b258bdb68852f121975c7553eafb17bd993d9b39d6fe26d3d0783b2e2ae62
  SHA512: d20619bb7d2d9ac68ddd3eb36e18dacdda367287a8b40bdb7b1a4f828155d88af7955512271cfc41d71d334aee7ef7c61321cf93030f1cb7773f60d7152d925f
- Filesize: 700KB
  MD5: ac3e2f16df5b8e004bc7528957957c95
  SHA1: 318dfb96abdc8e9d3778788dfdbb1f3dba885fba
  SHA256: c53ac431faed8f5ab7c67b254f913efe0dceaafdbf26b02b930d07f45d840fe2
  SHA512: 4c60d3b255c38807a104e4362493dbf651fb8893633e94ee9a4c69770773f8d7bf95d310051154b9bd74d6eb1993626a5eb107e74e891d681f0398c64a7ebaf4
- Filesize: 1KB
  MD5: 9e3095fd59e4045a29557c38aae2a3c5
  SHA1: 76d1df3a9aef1190b3bdcac4115ff547399c15fa
  SHA256: 59c21579af616e9a662992df94d63a68f07989e8854d3fc761b372931fa02dec
  SHA512: d48b99ecfb7e64699cd10b575f86302119fd085208dabf67f2f3e2a4d59f4bed133096db4347360a7470c2eb90ea4f33f98f8a1293960e79e18f999bfd9d75fc