63b228e508e96aafc50f6c9f13be2227c7f37c9a5dcf2a464166085ba99e39bf

Analysis

max time kernel
161s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5210cbdff92a15cff75155ef9eda8c45.exe
Size

208KB
MD5

5210cbdff92a15cff75155ef9eda8c45
SHA1

42afb6002f6c13396fb3a266000d84c1516f301f
SHA256

63b228e508e96aafc50f6c9f13be2227c7f37c9a5dcf2a464166085ba99e39bf
SHA512

2743dc2a941f67345f676b44caf018b4f046f8bfdf6f218baec6f9e8bf3f18308f3b206b80d12ce2e3305b192864db3571b3d1f55e59764146da41304760796a
SSDEEP

6144:al4mjZF//qPq55PdklkF+U3NCQLUv8ZalgjuDO7KBt:Kr//qPKkU3CiUEIrD88

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1436	u.dll
2232	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2680	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3808	2412	5210cbdff92a15cff75155ef9eda8c45.exe	95
PID 2412 wrote to memory of 3808	2412	5210cbdff92a15cff75155ef9eda8c45.exe	95
PID 2412 wrote to memory of 3808	2412	5210cbdff92a15cff75155ef9eda8c45.exe	95
PID 3808 wrote to memory of 1436	3808	cmd.exe	96
PID 3808 wrote to memory of 1436	3808	cmd.exe	96
PID 3808 wrote to memory of 1436	3808	cmd.exe	96
PID 1436 wrote to memory of 2232	1436	u.dll	98
PID 1436 wrote to memory of 2232	1436	u.dll	98
PID 1436 wrote to memory of 2232	1436	u.dll	98
PID 3808 wrote to memory of 3204	3808	cmd.exe	99
PID 3808 wrote to memory of 3204	3808	cmd.exe	99
PID 3808 wrote to memory of 3204	3808	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\5210cbdff92a15cff75155ef9eda8c45.exe
"C:\Users\Admin\AppData\Local\Temp\5210cbdff92a15cff75155ef9eda8c45.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5FBF.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 5210cbdff92a15cff75155ef9eda8c45.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\70C6.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\70C6.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe70C7.tmp"
      4⤵
      Executes dropped EXE
      PID:2232
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5FBF.tmp\vir.bat

Filesize
1KB

MD5
ced0af12a5ad2462ff4d4b613fc2b47f

SHA1
e8b54118fa86bd46a64c1be103387ed8c4ebdc89

SHA256
289e1378f365ec6fa819246f044ff1120a2194b335d32ee42e97fc04a8cc35d9

SHA512
1e7502ff36c93a07bfc7bddb8bc206f5741bd5f9094e540aecad67a97e035cd2f24cc010e883cdc26b23d6a5f48b76cf5b7a968c492edd5237f071152b79cf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\70C6.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe70C7.tmp

Filesize
41KB

MD5
1e97c3f7a2966be350cc20c25181fc3f

SHA1
dbbb7f881897311a47468e37683a0f233ee3b165

SHA256
3434ea33f48fb593d6e29fe0fc8382a24f36c06eda802137695e4ebec6f85ced

SHA512
280029401e9c644ac2da463ec7b88a4b588efd3eba5acddb094ce1cdc38a340b2d3f2dc918e9297826941c059ee9ee0ed590b56a6e18c61687d1470f90cb1b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprB8AC.tmp

Filesize
24KB

MD5
e4977b1539d5e8d5cc5375a8b77abd25

SHA1
4ef060db7236a0b06cdeeeba7734a7b1a8e3552f

SHA256
955b258bdb68852f121975c7553eafb17bd993d9b39d6fe26d3d0783b2e2ae62

SHA512
d20619bb7d2d9ac68ddd3eb36e18dacdda367287a8b40bdb7b1a4f828155d88af7955512271cfc41d71d334aee7ef7c61321cf93030f1cb7773f60d7152d925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
ac3e2f16df5b8e004bc7528957957c95

SHA1
318dfb96abdc8e9d3778788dfdbb1f3dba885fba

SHA256
c53ac431faed8f5ab7c67b254f913efe0dceaafdbf26b02b930d07f45d840fe2

SHA512
4c60d3b255c38807a104e4362493dbf651fb8893633e94ee9a4c69770773f8d7bf95d310051154b9bd74d6eb1993626a5eb107e74e891d681f0398c64a7ebaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
9e3095fd59e4045a29557c38aae2a3c5

SHA1
76d1df3a9aef1190b3bdcac4115ff547399c15fa

SHA256
59c21579af616e9a662992df94d63a68f07989e8854d3fc761b372931fa02dec

SHA512
d48b99ecfb7e64699cd10b575f86302119fd085208dabf67f2f3e2a4d59f4bed133096db4347360a7470c2eb90ea4f33f98f8a1293960e79e18f999bfd9d75fc

Download Submit
memory/2232-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2412-7-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2412-21-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2412-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2412-2-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2412-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads