5f6ca70c362f96c43ba6984ccff9269ecbcc3caeaa43da84cec632af88493728

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b6020d02d860d73c4bdcdce048f378.exe
Size

209KB
MD5

a1b6020d02d860d73c4bdcdce048f378
SHA1

c5d5ed5802569b985730f0fd5e591bc3f7abe3e0
SHA256

5f6ca70c362f96c43ba6984ccff9269ecbcc3caeaa43da84cec632af88493728
SHA512

38fdb1fc990b13b5a3d53ed966c3079dd0ddd7197621b46c2c2a69c1a8a2d37ad4bd7a1a16bd434d3e83ec8154bacb35694e944676c9769c0c2238600b224add
SSDEEP

6144:+l0n6auJ+xcfsJyT+C4HT8Et4kVPEPmd5cfo:Zn6auJ4JnCMTrt1VPEPmq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2564	u.dll
2716	mpress.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	calc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4112	OpenWith.exe
3708	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4888	4136	a1b6020d02d860d73c4bdcdce048f378.exe	88
PID 4136 wrote to memory of 4888	4136	a1b6020d02d860d73c4bdcdce048f378.exe	88
PID 4136 wrote to memory of 4888	4136	a1b6020d02d860d73c4bdcdce048f378.exe	88
PID 4888 wrote to memory of 2564	4888	cmd.exe	89
PID 4888 wrote to memory of 2564	4888	cmd.exe	89
PID 4888 wrote to memory of 2564	4888	cmd.exe	89
PID 2564 wrote to memory of 2716	2564	u.dll	90
PID 2564 wrote to memory of 2716	2564	u.dll	90
PID 2564 wrote to memory of 2716	2564	u.dll	90
PID 4888 wrote to memory of 3508	4888	cmd.exe	91
PID 4888 wrote to memory of 3508	4888	cmd.exe	91
PID 4888 wrote to memory of 3508	4888	cmd.exe	91
PID 4888 wrote to memory of 2912	4888	cmd.exe	93
PID 4888 wrote to memory of 2912	4888	cmd.exe	93
PID 4888 wrote to memory of 2912	4888	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\a1b6020d02d860d73c4bdcdce048f378.exe
"C:\Users\Admin\AppData\Local\Temp\a1b6020d02d860d73c4bdcdce048f378.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\24D.tmp\vir.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\u.dll
    u.dll -bat vir.bat -save a1b6020d02d860d73c4bdcdce048f378.exe.com -include s.dll -overwrite -nodelete
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\589.tmp\mpress.exe
      "C:\Users\Admin\AppData\Local\Temp\589.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe58A.tmp"
      4⤵
      Executes dropped EXE
      PID:2716
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:3508
- - C:\Windows\SysWOW64\calc.exe
    CALC.EXE
    3⤵
    - Modifies registry class
    PID:2912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\24D.tmp\vir.bat

Filesize
1KB

MD5
5745d2e7b40b8cf0f0e4b9212dcd53a9

SHA1
4527b006f5d9afe570cbd92cf036de9ac1ed3408

SHA256
1633b5f23c807ee9030e1d567655f7b475b053cb46692327454f753932dc0426

SHA512
3770ce98f2e146a1a6f32928557ddebcf518d7df074b58cf98347d0dc76ba8e1dd3d5fd768d79621a2096aeb926a84841c0885a98d2f067d1e85a16a69633963

Download Submit
C:\Users\Admin\AppData\Local\Temp\589.tmp\mpress.exe

Filesize
100KB

MD5
e42b81b9636152c78ba480c1c47d3c7f

SHA1
66a2fca3925428ee91ad9df5b76b90b34d28e0f8

SHA256
7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2

SHA512
4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\exe58A.tmp

Filesize
41KB

MD5
7aa367dca7be65e07b16bd69f06263e3

SHA1
d447739251408f8e8490a9d307927bfbe41737ce

SHA256
738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076

SHA512
d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mprA6B.tmp

Filesize
24KB

MD5
7cda353434725a4a3712954fd3ded290

SHA1
d8348e79d6bcee527743b126026367d700ddb436

SHA256
7e781837fa89a8ead0a14c14a7f2125a89bb7b33d2ccc358f6b8ad22924b5e86

SHA512
4ac257fe8e0772adc8aa1a2626153c473554c341c025959dd994100c43e2cec274e8a532e0c1b5c0ecdf463733d25a63767b995b731ce272b1c7a3ad0820b95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.dll

Filesize
700KB

MD5
3c9568b0d86a865f9f73d9c0967cfdad

SHA1
3270df3e0e600f4df2c3cbc384837693a8a3a83e

SHA256
c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6

SHA512
bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
479KB

MD5
c5a8500728c92091086545cace9138c7

SHA1
ed94b1a8576711efebf96bcc7d4a28ce88674d1c

SHA256
854d790b0dbaf76e02576b86e7b2200f834c58c1daca2d7cac1bf0ceca139852

SHA512
c94c6da8595471d02b4c97df9bc3f1ad1a9af365f211c9db9345111aa340fa0b74df4c60350faa2d04cd124c9d6dfe642e4aa3e30e72f4e3e14ba62ef5316aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
446KB

MD5
47c0e223476c9dd9d64a270f2636eeab

SHA1
c83fcef7dbf625ee7007cad4c8a0dcd4317f5a75

SHA256
4c77ecb6a5650756de2911413ff745b6589194e142aa63d10529df74b3221029

SHA512
39a8adf1d61d743bb49c20006a97e5e136585be0a42b21e50881b2c7a23e595c7029a3a8210435e3a8992df383622d8e52bf1be86e2aaeee80cc0f2aefa0998c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.dll

Filesize
64KB

MD5
960ed4ed404aaa84f491a6dbd0954263

SHA1
1a9d9c09e97eff39fcea870b3fe6e6fe1a220726

SHA256
9e727f8a4a13982c915a6527619a077166fb36eacdda912581c1808a620d519e

SHA512
49c5c9099cb7b9440338b7569c2f1bb960bef8363cb2785cc6c0d64b424827f92c01bb50a223c3cabdc6b40061886bcf43e52cd35320a3a7ea4dd2334e521ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vir.bat

Filesize
1KB

MD5
dd2755b2fdbd8fe4e420ed1fe8afd168

SHA1
3c4f7d3f6ea9c68d6835c2b1d2c407bddc8971eb

SHA256
56c40636e34b42e9ef6fb7626c5653b185ca3d8ef555e094bba6665b2b7cb2ac

SHA512
508362fe168b5a6c46799b475a14365e0fbb0c8668532be7fec1ce0c9a88db693edc5585d47756c86b3096634f96bec97f602fc6b4c5b19c2fc6c57d7f665da1

Download Submit
memory/2716-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4136-0-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4136-1-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/4136-71-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads