b8a5a78647d51fa18a4a4fe10019b9223d194698dbe54b942e0cac544fab3489

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5683c6585e0db6e7771918febe7537fd.exe
Size

208KB
MD5

5683c6585e0db6e7771918febe7537fd
SHA1

b28a3a63fe1f1416a0d5282976615994e37d476d
SHA256

b8a5a78647d51fa18a4a4fe10019b9223d194698dbe54b942e0cac544fab3489
SHA512

c886e14916d49631fd8b54aa019b5b7fdbdfe73b7a0781cfa9fede3df7b3de1a1905addfdc9a4d1d81737bae9a59702c8efc86562a872c01100e978d3473c8cf
SSDEEP

6144:3lGRgXm15iTe0d08iVcAOUssmbRrK92ncd8j8D3cMl5j:Iv1z0KAjsmR9nO8i3ca

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4916	u.dll
2780	mpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
968	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 3804	3996	5683c6585e0db6e7771918febe7537fd.exe	90
PID 3996 wrote to memory of 3804	3996	5683c6585e0db6e7771918febe7537fd.exe	90
PID 3996 wrote to memory of 3804	3996	5683c6585e0db6e7771918febe7537fd.exe	90
PID 3804 wrote to memory of 4916	3804	cmd.exe	89
PID 3804 wrote to memory of 4916	3804	cmd.exe	89
PID 3804 wrote to memory of 4916	3804	cmd.exe	89
PID 4916 wrote to memory of 2780	4916	u.dll	94
PID 4916 wrote to memory of 2780	4916	u.dll	94
PID 4916 wrote to memory of 2780	4916	u.dll	94
PID 3804 wrote to memory of 1152	3804	cmd.exe	93
PID 3804 wrote to memory of 1152	3804	cmd.exe	93
PID 3804 wrote to memory of 1152	3804	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\5683c6585e0db6e7771918febe7537fd.exe
"C:\Users\Admin\AppData\Local\Temp\5683c6585e0db6e7771918febe7537fd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4565.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1152

C:\Users\Admin\AppData\Local\Temp\u.dll
u.dll -bat vir.bat -save 5683c6585e0db6e7771918febe7537fd.exe.com -include s.dll -overwrite -nodelete
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Users\Admin\AppData\Local\Temp\45C3.tmp\mpress.exe
  "C:\Users\Admin\AppData\Local\Temp\45C3.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe45C4.tmp"
  2⤵
  - Executes dropped EXE
  PID:2780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4565.tmp\vir.bat

Filesize
1KB

MD5
5eb68b15248c70125ac047ed18d252cc

SHA1
dd5b043a4939d9434167cf9873afb6e9c31a3ebb

SHA256
4d63d17192761061fd7e7f8eb3b512db854f5cea76f8cd36fe0acfe1382ccd46

SHA512
821420cf89715dabf1d307bc2c9a47cb7716ef2f6615704b4822629bf6be23794f6f63977a96ec3dce72aec67bcf6a2bea5a21ed9049b3dd3a39d0db86084cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\45C3.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe45C4.tmp

Filesize
41KB

MD5
4d1c4e637e66e3aee050194ee149b1ae

SHA1
542aab9bf825e8cbb8afc946b8fe555ea402a413

SHA256
ba3591ba0a42bd2556af093af3beb685383b239570a459d00ad9ff0747851e25

SHA512
801010a3a79285d26a7ecd84928b7e24de7adab6ad67d2d2ebc81a5639a6b9ea9f0f5cb087e1dfbda5a9cfa031bc2f1798f18d688a7cfc600cb9cde670862011

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe45C4.tmp

Filesize
24KB

MD5
eea12ffa949b5ad5f71e4a086a674c35

SHA1
c2a96e443b72a2869f2e9425aa775680f4cb2d72

SHA256
b984ba079f06f412c63ad35289400e640e26c8df67ee58975d8822a55cf24341

SHA512
6e078d975011f04ceee3f95ffaf3b13d00532b869d4305a153efa6d4c7bf8413cf7d353e1f0edf07bd982a72e9a5740c6e7bd0250c532cb7eb24a49e6fc02c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
700KB

MD5
e52e1dacca253a95205caebdf9ba61be

SHA1
89b934078b0ebb6045bcc17eee3395fc3af688ca

SHA256
bc6123009aa8bb34968892ccdd73ef4470aea0651056a9c81e10c60185b81621

SHA512
98cc05f9a24eb88d6c3be905c7870db5bc4d2b36c7a62abde8b2a4e3f2066bd715173c5b17d7066b8db049d6adba0a0b7a2214d3eb54a89ce5e1e97f6afcd4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
ed4acee2e3e2dbcec363af58f3714cbc

SHA1
1cb2103ddc762f12e977b9aeb3a26e421916f316

SHA256
3ef04f3ddfa9e842040686a961a368eb33c1235adfa2cc799791bccf8c5aac2c

SHA512
ff4a447b8ef119fdc3802177371264321f3c88d05dd39b0ea76c40cc8ad73b4140507b7a93bdb95e9a5f3c2852fd4040ca6ecda65cc6eba63b38bc7e510d8046

Download Submit
memory/2780-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3996-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3996-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads