6f345b9fda1ceb9fe4cf58b33337bb9f820550ba08ae07c782c2e142f7323748

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad.exe
Size

8.9MB
MD5

9120525f9a007e2487301070745af67e
SHA1

2df57c96326d983e2d9f0ab21fad9be9bb2fe4ea
SHA256

6f345b9fda1ceb9fe4cf58b33337bb9f820550ba08ae07c782c2e142f7323748
SHA512

802df1821793e3166b419bf90393455094750d78661a4859ea37a84555b98eb5a70f0c84ff514e97d015fb0bad798fcdf332b58557674e83cfdd3db5a97b68db
SSDEEP

196608:yf0ZfmRqcAOPZBqgpA22NJEP7fxRCO3mCZ:ycZfm5ZYMApETfjC6mo

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

logagent.exe

pid process

924 logagent.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

bad.execmd.exe

description pid process target process

PID 3684 set thread context of 892 3684 bad.exe cmd.exe
PID 892 set thread context of 924 892 cmd.exe logagent.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

bad.execmd.exe

pid process

3684 bad.exe
3684 bad.exe
892 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

bad.execmd.exe

pid process

3684 bad.exe
892 cmd.exe
892 cmd.exe

pid	process
924	logagent.exe

description	pid	process	target process
PID 3684 set thread context of 892	3684	bad.exe	cmd.exe
PID 892 set thread context of 924	892	cmd.exe	logagent.exe

pid	process
3684	bad.exe
3684	bad.exe
892	cmd.exe

pid	process
3684	bad.exe
892	cmd.exe
892	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bad.execmd.exe

description	pid	process	target process
PID 3684 wrote to memory of 892	3684	bad.exe	cmd.exe
PID 3684 wrote to memory of 892	3684	bad.exe	cmd.exe
PID 3684 wrote to memory of 892	3684	bad.exe	cmd.exe
PID 3684 wrote to memory of 892	3684	bad.exe	cmd.exe
PID 892 wrote to memory of 924	892	cmd.exe	logagent.exe
PID 892 wrote to memory of 924	892	cmd.exe	logagent.exe
PID 892 wrote to memory of 924	892	cmd.exe	logagent.exe
PID 892 wrote to memory of 924	892	cmd.exe	logagent.exe
PID 892 wrote to memory of 924	892	cmd.exe	logagent.exe

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\logagent.exe
C:\Users\Admin\AppData\Local\Temp\logagent.exe
3⤵
- Loads dropped DLL
PID:924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c53ea44
Filesize
730KB

MD5
46efabc7ea5996dd21572c684669572e

SHA1
854f19c6e739c1f04d2b434e29acd5f689fb7c76

SHA256
27c4dbf6c22a9c766fc4128ebd70c575561f01a122f03c6411094e13e8ed07a4

SHA512
252d61a5c54094ac1d8e31677cda4dd1a8cabf60930578d2d5fa7e5e4b95975002ba6f979ad2d8fae846438779cadde6f3db0c4640edf59d17f2eaa3b77313ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\logagent.exe
Filesize
301KB

MD5
68cefdfbd2e1a35e8c4f144e37d77a76

SHA1
0a6637d5eb3c958a0136358d0290514c7309af73

SHA256
c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

SHA512
88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\logagent.exe
Filesize
119KB

MD5
ca44dd11038ae0b6ad53e9683a5c417c

SHA1
69d016695560bce891bd162b474a7fb7d01d7f46

SHA256
42ef1909706aba9c326c696ed50d7f0f560c6b02d46ba63a3c6a074b9b040e10

SHA512
a1545ebb47516875aeb500c9018fa1725a9b0d2e66e30e9abb5e664e64fb3aef0622724a9f6818dd3baf2c1e141b55877d71746b97bffe4ebd1b7a1b26b62de2

Download Submit
memory/892-3-0x0000000073B00000-0x0000000074D54000-memory.dmp

Filesize
18.3MB

Download
memory/892-5-0x00007FF9D5190000-0x00007FF9D5385000-memory.dmp

Filesize
2.0MB

Download
memory/892-7-0x0000000073B00000-0x0000000074D54000-memory.dmp

Filesize
18.3MB

Download
memory/892-9-0x0000000073B00000-0x0000000074D54000-memory.dmp

Filesize
18.3MB

Download
memory/892-12-0x0000000073B00000-0x0000000074D54000-memory.dmp

Filesize
18.3MB

Download
memory/924-15-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/924-11-0x0000000073B00000-0x0000000074D54000-memory.dmp

Filesize
18.3MB

Download
memory/924-18-0x00007FF9D5190000-0x00007FF9D5385000-memory.dmp

Filesize
2.0MB

Download
memory/924-19-0x0000000000AC0000-0x0000000000AFB000-memory.dmp

Filesize
236KB

Download
memory/924-20-0x0000000002E00000-0x0000000002E8A000-memory.dmp

Filesize
552KB

Download
memory/924-21-0x00000000046A0000-0x00000000046A2000-memory.dmp

Filesize
8KB

Download
memory/924-22-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3684-1-0x0000000073B00000-0x0000000074D54000-memory.dmp

Filesize
18.3MB

Download