Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 19-03-2024 10:05
Static task: static1
Behavioral task: behavioral1
  Sample: d5d73ef7b54c7028c75a6a2543895683.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d5d73ef7b54c7028c75a6a2543895683.exe
  Resource: win10v2004-20240226-en
General
Target: d5d73ef7b54c7028c75a6a2543895683.exe
Size: 209KB
MD5: d5d73ef7b54c7028c75a6a2543895683
SHA1: da90a0334978dc07bdc5feb0698e01c0d10b9472
SHA256: 5411452626d6233d06eeee147f9aa3d99bc432fbb12b610cfcb2a41e0a1872e3
SHA512: ec29d678ff63574a986116e63609c84713002e8c91e1b9ec300de3c93be6bbf6865ea42b02865945cffd0b0f8296afa2f1d2b0f68bf1c40ca5e3e975a6bb2468
SSDEEP: 6144:wl0n6auHvtAedmhSzGR2kUEsEgunwBzJyBE4+Rw:jn6auHv6l4S2kUEsEjwBVyBE3Rw
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  696   u.dll
  3872  mpress.exe

Modifies registry class (2 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings  calc.exe
  Key created  \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings  calc.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  4868  OpenWith.exe
  432   OpenWith.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                               procid_target
  PID 2252 wrote to memory of 1808  2252  d5d73ef7b54c7028c75a6a2543895683.exe  90
  PID 2252 wrote to memory of 1808  2252  d5d73ef7b54c7028c75a6a2543895683.exe  90
  PID 2252 wrote to memory of 1808  2252  d5d73ef7b54c7028c75a6a2543895683.exe  90
  PID 1808 wrote to memory of 696   1808  cmd.exe                               91
  PID 1808 wrote to memory of 696   1808  cmd.exe                               91
  PID 1808 wrote to memory of 696   1808  cmd.exe                               91
  PID 696 wrote to memory of 3872   696   u.dll                                 92
  PID 696 wrote to memory of 3872   696   u.dll                                 92
  PID 696 wrote to memory of 3872   696   u.dll                                 92
  PID 1808 wrote to memory of 1360  1808  cmd.exe                               96
  PID 1808 wrote to memory of 1360  1808  cmd.exe                               96
  PID 1808 wrote to memory of 1360  1808  cmd.exe                               96
  PID 1808 wrote to memory of 1208  1808  cmd.exe                               98
  PID 1808 wrote to memory of 1208  1808  cmd.exe                               98
  PID 1808 wrote to memory of 1208  1808  cmd.exe                               98
Processes

1. C:\Users\Admin\AppData\Local\Temp\d5d73ef7b54c7028c75a6a2543895683.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d5d73ef7b54c7028c75a6a2543895683.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2252

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\41DB.tmp\vir.bat""
      - Suspicious use of WriteProcessMemory
      PID: 1808

      3. C:\Users\Admin\AppData\Local\Temp\u.dll
         Command line: u.dll -bat vir.bat -save d5d73ef7b54c7028c75a6a2543895683.exe.com -include s.dll -overwrite -nodelete
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 696

         4. C:\Users\Admin\AppData\Local\Temp\4277.tmp\mpress.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\4277.tmp\mpress.exe" "C:\Users\Admin\AppData\Local\Temp\exe4278.tmp"
            - Executes dropped EXE
            PID: 3872

      3. C:\Windows\SysWOW64\calc.exe
         Command line: CALC.EXE
         - Modifies registry class
         PID: 1360

      3. C:\Windows\SysWOW64\calc.exe
         Command line: CALC.EXE
         - Modifies registry class
         PID: 1208

1. C:\Windows\system32\OpenWith.exe
   Command line: C:\Windows\system32\OpenWith.exe -Embedding
   - Suspicious use of SetWindowsHookEx
   PID: 4868

1. C:\Windows\system32\OpenWith.exe
   Command line: C:\Windows\system32\OpenWith.exe -Embedding
   - Suspicious use of SetWindowsHookEx
   PID: 432
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1KB
MD5: 8ca74aa325e8054d6e94d2e4c16d49bc
SHA1: 7934d42f41ecc30115011e51933794326363bc1d
SHA256: 2653f5968b6883d57af922ef80eb44d1d0d8d7b3b1b28e069b9e8b8b5f56a1aa
SHA512: 0abf250eb7073fd3be688ae8e3dd26e45ab39d08b2a5400d27dc8bcf3969ac213a99c00cfc1a0dc84bbf0c1142a9122bfb43ddad3e7c595fbf29d5701a788491

Filesize: 100KB
MD5: e42b81b9636152c78ba480c1c47d3c7f
SHA1: 66a2fca3925428ee91ad9df5b76b90b34d28e0f8
SHA256: 7c24c72439880e502be51da5d991b9b56a1af242b4eef4737f0f43b4a87546d2
SHA512: 4b2986106325c5c3fe11ab460f646d4740eb85252aa191f2b84e29901fac146d7a82e31c72d39c38a70277f78278621ee506d9da2681f5019cd64c7df85cff6e

Filesize: 41KB
MD5: 7aa367dca7be65e07b16bd69f06263e3
SHA1: d447739251408f8e8490a9d307927bfbe41737ce
SHA256: 738bf50547320b0683af727ad6d430f2e7b83c846fe24f91527b7ee263bfa076
SHA512: d7884589d7d12a628c9e07b77b3b793fa91f67fe13563e7b072ca864e053e6b7d711852e30ae1c877576b8ad47f67d2826e8ee711e6b65a329baa57492fe31b3

Filesize: 41KB
MD5: 02715a4b432f3804e8e071e403bc20bb
SHA1: e9f78fec93c6bab25fde6f1e428451c1d72680a4
SHA256: c32141e78c6b89fc670ce80893be58e270a10e37aace8819021468e5415a5aad
SHA512: fbafe6e5226a5b00a0f8531a8f22a3e3aabcaefff9d048721c2efe198ea2f31dc74c8a5cc60e2a67db50059d0ab53244b7c92b8fef898b17a7feaca5ddc7f3f7

Filesize: 24KB
MD5: d4cc8079170c36bc2ed96932abce3ae1
SHA1: a9d6947389e98106859e656da214ae9f53757946
SHA256: 3f25abd11cecf55b92ef59c4d806a5f8d325d01eb63d8520c7fb6f424ff36d7b
SHA512: 0ff6b44d497c56dad1d5fe0df3d9a8cd64c6e1fb4e88d8c0e77aeb67082d6d21a92478c759cb8a03c8b478aec3b9f4d3b7ff6e58c83bb776609e6310f362ae27

Filesize: 700KB
MD5: 3c9568b0d86a865f9f73d9c0967cfdad
SHA1: 3270df3e0e600f4df2c3cbc384837693a8a3a83e
SHA256: c7b97a001b39e17382e929aad924555f3d21886b86aed38cffd660490801d1d6
SHA512: bd423d1d57823b1bf6db42aeec199aa93178a9317ead85b42b60e091aaf4f73ce721bc07fda4750e112c4dccb9d87e21d5793965da9d6e92b0c5bed92c26876f

Filesize: 1KB
MD5: 05b8f0277cb24f2fd5bacd5a300cf764
SHA1: 73e4b020b936680060bfc1e97dedd15c74a7fee3
SHA256: a96263e098a2cd159ecbec307b758a8d7b0a93ae3ccde3793af9ccb1cb88d32d
SHA512: cb73b93ee98abbac9a5c28110ffbf916fc6268910148386420f1c6db4f243a790048d61268687ba2739bf906d76de65f17781fb7efdf234f2b50f1e49d315b88