d00f2d9c5d36edd77398c50ee4d9614e4776957cf0b2c795030ace01435bd707

Analysis

max time kernel
62s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d22072a96ed4015ba12ff9add930db3.exe
Size

337KB
MD5

1d22072a96ed4015ba12ff9add930db3
SHA1

32f209d696c876ab0b94a4b8e6d2197ab4fd7af8
SHA256

d00f2d9c5d36edd77398c50ee4d9614e4776957cf0b2c795030ace01435bd707
SHA512

571363b6a5ae77073df7ac36530d62fbfcad45be57f6c43b32d81b6ca6a4a111064a55ec443f12e3bd45116a6757aad7e3f6ca1dcf8b021fc0012404a631ff31
SSDEEP

6144:rxrq2m47akuF7wLjYkZ/hGTcIoOJmNF5ujYaWdf:l+2TukuF7wLj3ZJ4cIoOJg3ujXWdf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4288	windmedias.exe
3560	windmedias.exe
4584	windmedias.exe
4628	windmedias.exe
1216	windmedias.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	1d22072a96ed4015ba12ff9add930db3.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	1d22072a96ed4015ba12ff9add930db3.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File created	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe
File opened for modification	C:\Windows\SysWOW64\windmedias.exe	windmedias.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 4288	2236	1d22072a96ed4015ba12ff9add930db3.exe	64
PID 2236 wrote to memory of 4288	2236	1d22072a96ed4015ba12ff9add930db3.exe	64
PID 2236 wrote to memory of 4288	2236	1d22072a96ed4015ba12ff9add930db3.exe	64
PID 4288 wrote to memory of 3560	4288	windmedias.exe	99
PID 4288 wrote to memory of 3560	4288	windmedias.exe	99
PID 4288 wrote to memory of 3560	4288	windmedias.exe	99
PID 3560 wrote to memory of 4584	3560	windmedias.exe	101
PID 3560 wrote to memory of 4584	3560	windmedias.exe	101
PID 3560 wrote to memory of 4584	3560	windmedias.exe	101
PID 4584 wrote to memory of 4628	4584	windmedias.exe	103
PID 4584 wrote to memory of 4628	4584	windmedias.exe	103
PID 4584 wrote to memory of 4628	4584	windmedias.exe	103
PID 4628 wrote to memory of 1216	4628	windmedias.exe	106
PID 4628 wrote to memory of 1216	4628	windmedias.exe	106
PID 4628 wrote to memory of 1216	4628	windmedias.exe	106

C:\Users\Admin\AppData\Local\Temp\1d22072a96ed4015ba12ff9add930db3.exe
"C:\Users\Admin\AppData\Local\Temp\1d22072a96ed4015ba12ff9add930db3.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\windmedias.exe
  C:\Windows\system32\windmedias.exe 1140 "C:\Users\Admin\AppData\Local\Temp\1d22072a96ed4015ba12ff9add930db3.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\windmedias.exe
    C:\Windows\system32\windmedias.exe 1144 "C:\Windows\SysWOW64\windmedias.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\SysWOW64\windmedias.exe
      C:\Windows\system32\windmedias.exe 1112 "C:\Windows\SysWOW64\windmedias.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4584
    - - C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 1116 "C:\Windows\SysWOW64\windmedias.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 1104 "C:\Windows\SysWOW64\windmedias.exe"
        6⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 1124 "C:\Windows\SysWOW64\windmedias.exe"
        7⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 1092 "C:\Windows\SysWOW64\windmedias.exe"
        8⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 1136 "C:\Windows\SysWOW64\windmedias.exe"
        9⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 1148 "C:\Windows\SysWOW64\windmedias.exe"
        10⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\windmedias.exe
        
        C:\Windows\system32\windmedias.exe 1152 "C:\Windows\SysWOW64\windmedias.exe"
        11⤵
        
        PID:1844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\windmedias.exe

Filesize
69KB

MD5
973eb487c35ec4d27b28968d6e6a9e1a

SHA1
fdfe239a56ab6225b568858f0f74eee06ada6cb2

SHA256
99168d81eb721f779795e11c370d60d9f61eec3cf8bd8aedd0058fdca1fa251b

SHA512
9f94ccb4ba4d8d228a03a670e960078e1ea64840fcf485117d83cb614d13e7f3f8a2b4ea8ec452ae556a85c429c447a2f8802b3d0ab7b330807bd027eeb80e76

Download Submit
C:\Windows\SysWOW64\windmedias.exe

Filesize
20KB

MD5
17761be147cd7cbabd3f03b9f1d0e88b

SHA1
6befc89283927b8e81c082041db9ae30450a0269

SHA256
4ae5f32d14e8d109986fb60f1aa1d9f0ec81fd9f27f646aa9bd45939b5103772

SHA512
2bacfb6870063481cd8031a00907ce4097104ffb998cafb9bcf2322fc11a97a19aab83c75ce6fbf7df241dd21e5fff142439fb6adc2f92bb9f0b0e546f5e4f30

Download Submit
C:\Windows\SysWOW64\windmedias.exe

Filesize
130KB

MD5
3d70acfcb869f046133da819116f66d9

SHA1
89b562c231e88546a3eb6d8e3071e1ea00a93763

SHA256
1c636fae5cc40d5a379d0ac42a760819af6c1b52121df950b8a29e34b8b6e4ce

SHA512
54fd16c693efee721379b2839b239791c0d0cd8c849a75e8aa09463aa6dcb8c6984f38037d5d2fe0ee776411ba09929f0858ec025506a4d49240e85087d1fc0e

Download Submit
C:\Windows\SysWOW64\windmedias.exe

Filesize
20KB

MD5
5b8910fa2eeeeb710fb02e591cbff052

SHA1
54b64e6a9c8ead8c3fab2ce1eaa707d7d0d7b650

SHA256
059f121fca23ddd16294e5c28c229384cb651b5ce01e1e57b7a8a3a94c99b35f

SHA512
5f32b901f0aa78e5801f60e0ee991d8c32c01f0ac4b48059b868eac75f47ed8d6bc49073d6896db54472be11a873accda6417cb179ae0c01f7cee9bfffc55d05

Download Submit
C:\Windows\SysWOW64\windmedias.exe

Filesize
337KB

MD5
1d22072a96ed4015ba12ff9add930db3

SHA1
32f209d696c876ab0b94a4b8e6d2197ab4fd7af8

SHA256
d00f2d9c5d36edd77398c50ee4d9614e4776957cf0b2c795030ace01435bd707

SHA512
571363b6a5ae77073df7ac36530d62fbfcad45be57f6c43b32d81b6ca6a4a111064a55ec443f12e3bd45116a6757aad7e3f6ca1dcf8b021fc0012404a631ff31

Download Submit
C:\Windows\SysWOW64\windmedias.exe

Filesize
169KB

MD5
f26b2addc9744f940480e016244bf170

SHA1
15ed9b982ca4dc5e9640450dc6050465b3dfaff2

SHA256
892bd4a71e54018984a83e18ea44eff535730af34e60d0b6d09e31c916c0f273

SHA512
3f73cc748759b1155ce388d2493730945dfe722c1a88b6bcf602fae9e65e797be8f8e419e6255862cbe6955facb388b5f4d17b4b98805e69fb39606753a0f954

Download Submit
C:\Windows\SysWOW64\windmedias.exe

Filesize
78KB

MD5
1a02ade275cbda92d4cc4ebdc5b19b7d

SHA1
828e1866187f77fa0a5e39cef653c200150fb3bb

SHA256
faee8425685c55c76779c3107161c205c718d4439b17cc62ddb1de9cd8ff2487

SHA512
1f9d56611ae29c725adb414e9aae3d935a333274f8fec0e8b546517ad569c3777ce38fb1894ee5877d685a7b69f4dfc5c3b40f552e061780c41f20dc932c99bb

Download Submit
C:\Windows\SysWOW64\windmedias.exe

Filesize
53KB

MD5
31bc984e1b2ab58a35b153b4177d9873

SHA1
6d4752b4c95cca712ebf6e6bfa37b73d09bc548b

SHA256
1a76b10835b864327bf8b31ba9f6f2269625795d5328819483c9eb641a265b2c

SHA512
e5b1307ecde197029ec49092f41ed4b1679c74814727008fdde5742ca162d47e51e41f5050c3a6a132adc0de2506919a92fb94bc48ccba10f9f1ddea299de9a1

Download Submit
C:\Windows\SysWOW64\windmedias.exe

Filesize
37KB

MD5
1cf55ad2f0c9bd27b99dcecc5d0fb3fd

SHA1
f4dbaf57a3145f2011937f204f0c209877188f69

SHA256
e024f648c467d540c20dadaf6960d2e3a2acba03e0e5cc5cd71c0da8d7b78f1f

SHA512
4355c627095fea48dd0a9dc48fd1babc60d2a77fb5f8625e50e17292a75f5d8aa8f329a1e0fa5dd5298944345e49efa39127e442c6c98e69d28e295828a96aef

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads