d00f2d9c5d36edd77398c50ee4d9614e4776957cf0b2c795030ace01435bd707

Analysis

max time kernel
139s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d22072a96ed4015ba12ff9add930db3.exe
Size

337KB
MD5

1d22072a96ed4015ba12ff9add930db3
SHA1

32f209d696c876ab0b94a4b8e6d2197ab4fd7af8
SHA256

d00f2d9c5d36edd77398c50ee4d9614e4776957cf0b2c795030ace01435bd707
SHA512

571363b6a5ae77073df7ac36530d62fbfcad45be57f6c43b32d81b6ca6a4a111064a55ec443f12e3bd45116a6757aad7e3f6ca1dcf8b021fc0012404a631ff31
SSDEEP

6144:rxrq2m47akuF7wLjYkZ/hGTcIoOJmNF5ujYaWdf:l+2TukuF7wLj3ZJ4cIoOJg3ujXWdf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
2736	windmedias.exe
2416	windmedias.exe
2720	windmedias.exe
3048	windmedias.exe
2540	windmedias.exe
1560	windmedias.exe
1112	windmedias.exe
2100	windmedias.exe
2224	windmedias.exe
2056	windmedias.exe

Loads dropped DLL 20 IoCs

pid	Process
2580	1d22072a96ed4015ba12ff9add930db3.exe
2580	1d22072a96ed4015ba12ff9add930db3.exe
2736	windmedias.exe
2736	windmedias.exe
2416	windmedias.exe
2416	windmedias.exe
2720	windmedias.exe
2720	windmedias.exe
3048	windmedias.exe
3048	windmedias.exe
2540	windmedias.exe
2540	windmedias.exe
1560	windmedias.exe
1560	windmedias.exe
1112	windmedias.exe
1112	windmedias.exe
2100	windmedias.exe
2100	windmedias.exe
2224	windmedias.exe
2224	windmedias.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	1d22072a96ed4015ba12ff9add930db3.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	1d22072a96ed4015ba12ff9add930db3.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2736	2580	1d22072a96ed4015ba12ff9add930db3.exe	28
PID 2580 wrote to memory of 2736	2580	1d22072a96ed4015ba12ff9add930db3.exe	28
PID 2580 wrote to memory of 2736	2580	1d22072a96ed4015ba12ff9add930db3.exe	28
PID 2580 wrote to memory of 2736	2580	1d22072a96ed4015ba12ff9add930db3.exe	28
PID 2736 wrote to memory of 2416	2736	windmedias.exe	29
PID 2736 wrote to memory of 2416	2736	windmedias.exe	29
PID 2736 wrote to memory of 2416	2736	windmedias.exe	29
PID 2736 wrote to memory of 2416	2736	windmedias.exe	29
PID 2416 wrote to memory of 2720	2416	windmedias.exe	30
PID 2416 wrote to memory of 2720	2416	windmedias.exe	30
PID 2416 wrote to memory of 2720	2416	windmedias.exe	30
PID 2416 wrote to memory of 2720	2416	windmedias.exe	30
PID 2720 wrote to memory of 3048	2720	windmedias.exe	33
PID 2720 wrote to memory of 3048	2720	windmedias.exe	33
PID 2720 wrote to memory of 3048	2720	windmedias.exe	33
PID 2720 wrote to memory of 3048	2720	windmedias.exe	33
PID 3048 wrote to memory of 2540	3048	windmedias.exe	34
PID 3048 wrote to memory of 2540	3048	windmedias.exe	34
PID 3048 wrote to memory of 2540	3048	windmedias.exe	34
PID 3048 wrote to memory of 2540	3048	windmedias.exe	34
PID 2540 wrote to memory of 1560	2540	windmedias.exe	35
PID 2540 wrote to memory of 1560	2540	windmedias.exe	35
PID 2540 wrote to memory of 1560	2540	windmedias.exe	35
PID 2540 wrote to memory of 1560	2540	windmedias.exe	35
PID 1560 wrote to memory of 1112	1560	windmedias.exe	36
PID 1560 wrote to memory of 1112	1560	windmedias.exe	36
PID 1560 wrote to memory of 1112	1560	windmedias.exe	36
PID 1560 wrote to memory of 1112	1560	windmedias.exe	36
PID 1112 wrote to memory of 2100	1112	windmedias.exe	37
PID 1112 wrote to memory of 2100	1112	windmedias.exe	37
PID 1112 wrote to memory of 2100	1112	windmedias.exe	37
PID 1112 wrote to memory of 2100	1112	windmedias.exe	37
PID 2100 wrote to memory of 2224	2100	windmedias.exe	38
PID 2100 wrote to memory of 2224	2100	windmedias.exe	38
PID 2100 wrote to memory of 2224	2100	windmedias.exe	38
PID 2100 wrote to memory of 2224	2100	windmedias.exe	38
PID 2224 wrote to memory of 2056	2224	windmedias.exe	39
PID 2224 wrote to memory of 2056	2224	windmedias.exe	39
PID 2224 wrote to memory of 2056	2224	windmedias.exe	39
PID 2224 wrote to memory of 2056	2224	windmedias.exe	39

C:\Users\Admin\AppData\Local\Temp\1d22072a96ed4015ba12ff9add930db3.exe
"C:\Users\Admin\AppData\Local\Temp\1d22072a96ed4015ba12ff9add930db3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\windmedias.exe
  C:\Windows\system32\windmedias.exe 480 "C:\Users\Admin\AppData\Local\Temp\1d22072a96ed4015ba12ff9add930db3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\windmedias.exe
    C:\Windows\system32\windmedias.exe 532 "C:\Windows\SysWOW64\windmedias.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\windmedias.exe
      C:\Windows\system32\windmedias.exe 524 "C:\Windows\SysWOW64\windmedias.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 540 "C:\Windows\SysWOW64\windmedias.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 556 "C:\Windows\SysWOW64\windmedias.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 548 "C:\Windows\SysWOW64\windmedias.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 544 "C:\Windows\SysWOW64\windmedias.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 564 "C:\Windows\SysWOW64\windmedias.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 552 "C:\Windows\SysWOW64\windmedias.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 568 "C:\Windows\SysWOW64\windmedias.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windmedias.exe

Filesize
309KB

MD5
7f1eaaeee5655a889a249ff1f40973de

SHA1
1878de8fe06b5ce5e71f9e7d4a46ae3458af0321

SHA256
10de266119bca6d1d787522e5ba838563de226ff88572a5d5788be73170f3328

SHA512
9551f0267e7d0b1074b9303958f97a277f9cdfb114ecd3644aa3c49e4f5debce8753116a00f4eae6fcc2d2235600b5edda6c2464f2d22847f1a94dc3e3da8fe1

Download Submit
\Windows\SysWOW64\windmedias.exe

Filesize
337KB

MD5
1d22072a96ed4015ba12ff9add930db3

SHA1
32f209d696c876ab0b94a4b8e6d2197ab4fd7af8

SHA256
d00f2d9c5d36edd77398c50ee4d9614e4776957cf0b2c795030ace01435bd707

SHA512
571363b6a5ae77073df7ac36530d62fbfcad45be57f6c43b32d81b6ca6a4a111064a55ec443f12e3bd45116a6757aad7e3f6ca1dcf8b021fc0012404a631ff31

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads