e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2

General

Target

e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe
Size

100KB
MD5

da54fb33318eba3300335a5f5c347b71
SHA1

ad5aefe73b42c026ad64c6ba6336433271fc0c05
SHA256

e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2
SHA512

65064defbba0d1e9f1cce1319cb6da4d1878bac3c11f4be1bfe693fdcbebfe3377726803df74276dd4744a3a56a2234db583bf871ccaaeefc3bb84bcaf1f802f
SSDEEP

1536:7eGnZCYbMtsMxBxVxxo19p0elScbF1/omRd:CXsM3xBxEYelS6F1/oAd

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.execmd.exe

description	pid	process	target process
PID 308 wrote to memory of 336	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 336	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 336	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 336	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1520	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1520	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1520	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1520	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1800	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1800	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1800	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1800	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 1800 wrote to memory of 1716	1800	cmd.exe	attrib.exe
PID 1800 wrote to memory of 1716	1800	cmd.exe	attrib.exe
PID 1800 wrote to memory of 1716	1800	cmd.exe	attrib.exe
PID 1800 wrote to memory of 1716	1800	cmd.exe	attrib.exe
PID 308 wrote to memory of 1440	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1440	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1440	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 1440	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 872	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 872	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 872	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 872	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 316	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 316	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 316	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 316	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 904	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 904	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 904	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 308 wrote to memory of 904	308	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1716 attrib.exe

pid	process
1716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe
"C:\Users\Admin\AppData\Local\Temp\e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
2⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
2⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
3⤵
- Views/modifies file attributes
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:904

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-60-0x0000000000000000-mapping.dmp

Download
memory/336-54-0x0000000000000000-mapping.dmp

Download
memory/872-59-0x0000000000000000-mapping.dmp

Download
memory/904-61-0x0000000000000000-mapping.dmp

Download
memory/1440-58-0x0000000000000000-mapping.dmp

Download
memory/1520-55-0x0000000000000000-mapping.dmp

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download
memory/1800-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing