690e898fd01b69ac3eea36ac0bde48295eeb37b85a76ab96368b02dd7ee51615

Analysis

max time kernel
599s
max time network
596s
platform
windows10-2004_x64
resource
win10v2004-20230915-it
resource tags

arch:x64arch:x86image:win10v2004-20230915-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
27-09-2023 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee.exe
Size

3.3MB
MD5

0f188231c29fba40e8b3e76792464cff
SHA1

e231f8e1060915dcb83fcf383ce0c80dbb94b2ea
SHA256

690e898fd01b69ac3eea36ac0bde48295eeb37b85a76ab96368b02dd7ee51615
SHA512

2d430c8bc5d5473bcc41e22bff252f1c09e632a4baaa5da4ac011ba13bf102ccc7a80541293a965a6ff80ca47b3d4271fd1e35c878a2b4ff0123af172f16f803
SSDEEP

98304:sqNAQ6FGtvX6KN5hBAud6kDjGpUefle0GzDKKD:sqN5u06KN5hZnse0GzJ

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 2012	4992	eee.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4992	eee.exe
2012	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4992	eee.exe
2012	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 2012	4992	eee.exe	85
PID 4992 wrote to memory of 2012	4992	eee.exe	85
PID 4992 wrote to memory of 2012	4992	eee.exe	85
PID 4992 wrote to memory of 2012	4992	eee.exe	85
PID 2012 wrote to memory of 2732	2012	cmd.exe	95
PID 2012 wrote to memory of 2732	2012	cmd.exe	95
PID 2012 wrote to memory of 2732	2012	cmd.exe	95
PID 2012 wrote to memory of 2732	2012	cmd.exe	95
PID 2012 wrote to memory of 2732	2012	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\eee.exe
"C:\Users\Admin\AppData\Local\Temp\eee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1bca3fb1

Filesize
1.0MB

MD5
cb277933656bb6f203c8e3ea14da330d

SHA1
036517d02a288cbf2591ec04e934280d22e3d324

SHA256
e722a2a0041db9eeabdadc40f39b59908075dfe3a027520c0df2426e353f283d

SHA512
dc5511c5af235e62fdaa8923945ddf6a5e9000c19e6ed108065ed90aa9e442b7a30f01f085dbf8ec91e2b252262f0ef5df6c18127ec6378a2bec43e8269c8de0

Download Submit
memory/2012-11-0x00000000010B0000-0x000000000116F000-memory.dmp

Filesize
764KB

Download
memory/2012-10-0x00000000010B0000-0x000000000116F000-memory.dmp

Filesize
764KB

Download
memory/2012-8-0x00007FFF14BD0000-0x00007FFF14DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2012-6-0x00000000010B0000-0x000000000116F000-memory.dmp

Filesize
764KB

Download
memory/2732-13-0x0000000001000000-0x000000000107A000-memory.dmp

Filesize
488KB

Download
memory/2732-14-0x00007FFF14BD0000-0x00007FFF14DC5000-memory.dmp

Filesize
2.0MB

Download
memory/2732-15-0x0000000001000000-0x000000000107A000-memory.dmp

Filesize
488KB

Download
memory/2732-18-0x0000000000860000-0x0000000000C93000-memory.dmp

Filesize
4.2MB

Download
memory/2732-19-0x0000000001000000-0x000000000107A000-memory.dmp

Filesize
488KB

Download
memory/2732-20-0x0000000001000000-0x000000000107A000-memory.dmp

Filesize
488KB

Download
memory/4992-4-0x0000000077410000-0x00000000774CF000-memory.dmp

Filesize
764KB

Download
memory/4992-3-0x0000000077410000-0x00000000774CF000-memory.dmp

Filesize
764KB

Download
memory/4992-2-0x0000000077410000-0x00000000774CF000-memory.dmp

Filesize
764KB

Download
memory/4992-0-0x0000000000400000-0x000000000075D000-memory.dmp

Filesize
3.4MB

Download