a5c5acd97eb3e3ef5797715539ca1d158304b2c53d88526f69fcb8be570841c7

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

299a728676ae049325c2fb9124e2101c.exe
Size

152KB
MD5

299a728676ae049325c2fb9124e2101c
SHA1

c7ef26619e8c2b63dffceff4208e023fd178d520
SHA256

a5c5acd97eb3e3ef5797715539ca1d158304b2c53d88526f69fcb8be570841c7
SHA512

4e8deea33f908942c67373eb11809106b7e316c7c9f5b5966a4415568ef45857d9714c2b565d5fbcf621a7cdf43b6745f74dfdbe0acad216e0b8de0ed2304de5
SSDEEP

1536:JGgTooz31U5X9N7uhrV0/xyS+DUvwQzV1Pq:JCa3et9N6tV0ppJvxvPq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1588	mez.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe	299a728676ae049325c2fb9124e2101c.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File opened for modification	C:\Windows\SysWOW64\mez.exe	299a728676ae049325c2fb9124e2101c.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe	mez.exe
File created	C:\Windows\SysWOW64\mez.exe\mez.exe	mez.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1940	299a728676ae049325c2fb9124e2101c.exe
1940	299a728676ae049325c2fb9124e2101c.exe
1588	mez.exe
1588	mez.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1588	1940	299a728676ae049325c2fb9124e2101c.exe	71
PID 1940 wrote to memory of 1588	1940	299a728676ae049325c2fb9124e2101c.exe	71
PID 1940 wrote to memory of 1588	1940	299a728676ae049325c2fb9124e2101c.exe	71

C:\Users\Admin\AppData\Local\Temp\299a728676ae049325c2fb9124e2101c.exe
"C:\Users\Admin\AppData\Local\Temp\299a728676ae049325c2fb9124e2101c.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\mez.exe
  C:\Windows\system32\mez.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mez.exe

Filesize
152KB

MD5
299a728676ae049325c2fb9124e2101c

SHA1
c7ef26619e8c2b63dffceff4208e023fd178d520

SHA256
a5c5acd97eb3e3ef5797715539ca1d158304b2c53d88526f69fcb8be570841c7

SHA512
4e8deea33f908942c67373eb11809106b7e316c7c9f5b5966a4415568ef45857d9714c2b565d5fbcf621a7cdf43b6745f74dfdbe0acad216e0b8de0ed2304de5

Download Submit
memory/1588-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1940-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download