5e25f38f04cccbee1db0b2f3bb7bcd769bb0d4cde3a5db1bb1867130d8d5c260

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72dd00df2241006a8b6847df698c11be.exe
Size

208KB
MD5

72dd00df2241006a8b6847df698c11be
SHA1

29830c49b07c2f91cb5d6444bd7e51e9776fcb31
SHA256

5e25f38f04cccbee1db0b2f3bb7bcd769bb0d4cde3a5db1bb1867130d8d5c260
SHA512

47ab23045c15f7b9bddf675bb334c7b1e431cbec23f8ff35581b34251ce11c23c4c41466edd2912a705bb9bc45c8523142ba3ac630e74298026da7d6e1aa81e8
SSDEEP

3072:Pl2/rrmXJVZEeFtPpF/n4A5G8kqKm5ahSERzNuq4auxvu8D9PLZoNx2jYS3YGQ2z:Pl2/rrAztht4A5G8WsSB74RTte8Yyz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2496	u.dll
4132	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3396	OpenWith.exe
1232	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4904	4272	72dd00df2241006a8b6847df698c11be.exe	89
PID 4272 wrote to memory of 4904	4272	72dd00df2241006a8b6847df698c11be.exe	89
PID 4272 wrote to memory of 4904	4272	72dd00df2241006a8b6847df698c11be.exe	89
PID 4904 wrote to memory of 2496	4904	cmd.exe	90
PID 4904 wrote to memory of 2496	4904	cmd.exe	90
PID 4904 wrote to memory of 2496	4904	cmd.exe	90
PID 2496 wrote to memory of 4132	2496	u.dll	91
PID 2496 wrote to memory of 4132	2496	u.dll	91
PID 2496 wrote to memory of 4132	2496	u.dll	91
PID 4904 wrote to memory of 1396	4904	cmd.exe	92
PID 4904 wrote to memory of 1396	4904	cmd.exe	92
PID 4904 wrote to memory of 1396	4904	cmd.exe	92
PID 4904 wrote to memory of 4648	4904	cmd.exe	94
PID 4904 wrote to memory of 4648	4904	cmd.exe	94
PID 4904 wrote to memory of 4648	4904	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\72dd00df2241006a8b6847df698c11be.exe
"C:\Users\Admin\AppData\Local\Temp\72dd00df2241006a8b6847df698c11be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7AED.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save 72dd00df2241006a8b6847df698c11be.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\7BC7.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\7BC7.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe7BC8.tmp"
      4⤵
      Executes dropped EXE
      PID:4132
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:1396
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:4648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7AED.tmp\vir.bat

Filesize
1KB

MD5
9826e338e1c2e3913336b4b17ecc7046

SHA1
7fac659ab94b051a5699d559e78d4f637c145bd8

SHA256
8dbee316447a2b0041cc7a2121966706c835fc3b2551df71671daa2933089791

SHA512
8fd4b7204ce4bfc6955a03a122d866f6da68d4d9601b44fe0deb698d517b248f4e99f85a3f0a7b0324f67b26f7847368e45e102d235da73c0adf3d5adafccce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BC7.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7BC8.tmp

Filesize
43KB

MD5
59a553db475a826d7912f5381a179b09

SHA1
7913d69607dc5c7408b6aaf13e84874923643ab9

SHA256
fe3a8ae93f08b81a13906d047147e6748a6cbad462a6748e0f4f002b03869e76

SHA512
839548e15a4ad0e52712700f29398eb120edb7445c12212b8d0a3436a3e2c73ded668c88b458a4750e2c1872b4b5cbea205b9b7d7d3f747b55f204fd19e2e7c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7BC8.tmp

Filesize
25KB

MD5
a83b789611633aec380dc1ef9c0a58e3

SHA1
85e0e7f1f119e50b2199679df2ef205e3c95c45a

SHA256
116c72da7e0e1980425932f6b5b1c9b0c9a1d6549446e275c7e8f93540e395b8

SHA512
9c062227421b23777dd23164752c16f4e1543318a8cd441d7cced40b807f4eec5ac24eaf2186abb2f535e97c8f2bfa5a8f7e6b16f3c0e09237f7e5b9e0a1d1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe7BC8.tmp

Filesize
41KB

MD5
ced9fdba93c6c0a69c43a7fc783d0182

SHA1
3919692fb4669491dd6a24c6bb16f430d0a43e7e

SHA256
a3bf78576222c5da88aea0b9196a2d1003618e4bc9de921d3bac3a2c65ded3fc

SHA512
ab94864403a39322f8587ef946a34e06311ef27d051c4023e29e599ac85cd9bfa15dfcb94f491bbc4a95753f33f28a768b22621cba654c8060daa5df03c73ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
206KB

MD5
b4bdf5e4cf141b126144ff5fab9b4080

SHA1
4b1e21c43f769f3a553a6ae0e524ca4f7527dbe6

SHA256
6a012a8236ab15fdfdb5bb11034678b42667f4c5d47d1a28753019d8067c23b9

SHA512
7d921c8b7c0ea4e4517b86d87a81d1add38e66cadbe7a3dca5225a10c34a238cd21680a42a03678929b872425adce890e5bd9fbf6a7f92b19ddcd74b813a8953

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
183KB

MD5
81162d448b0ac2b2a92055e476006475

SHA1
ecd44b077cab570bad63765cae8e45333229ee5d

SHA256
6473874386caa342fe6717a701f7e83a9c5028b9980a003959effd05f5ce8cdf

SHA512
f689e88d048b4e37e4fa583603da23f873b0de3055b2f01068d59c4e381e36e1cd53c8fcf16bafe23205a08607c4eb5e19c45eab54870cf18b9de928e28abe86

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
89KB

MD5
c21a94f7b84633b1881b1be675187144

SHA1
23a19900de5c4236bca9b0965ccf042f0d3e3cd6

SHA256
e120657787c6d146d79f9c1e7a0f23e81102228f774134f8ee8181b583d3fbaa

SHA512
ba3f6ec1c5dcf8a973399ba286e848d16e472a368525959392d4543eaafe49fe03eff9ad64ed6311c62a1ddaf365f99070a4f0eee96c1a9238c8a8642a0180c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
117KB

MD5
bbd23f5ecb600059ab16ed37c0494573

SHA1
360fe7b4da017c047c560743e45bddf210ccf8df

SHA256
97099bbf90f59caa02bb76a8e841b6f6b232db078d631fa73eb05c8ba4b375d4

SHA512
556903c4a33edaab1d6b50805817a69be6967b3ee991d7194bed9c6f45bf8fcfc2efd293f4b38fd081785fb7a6f253a8a4cba98aff16f6f9f70b81167735f66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
f8604f335573511b53fe2b1cc62d8cf8

SHA1
003681dd3f05d23488c435bea5c5eaf0dc9ee508

SHA256
bc8bcb31ec939371e42ab68ec6a420b4819026f3cc78055de549de76bee12d6e

SHA512
b7ed84e6c273e740b47ff73310bbfa4c98fe112da124d1c9b9df6863b7d8cffccfac2396dd0cb3a177f692a84c185b4e0ac3d60835ed8e47443f051695f8e05d

Download Submit
memory/4132-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4272-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4272-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4272-70-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads