fb5af2b5000a75416c83d6c89c0b08a52a440837ce522a9319ce7ada45405334

Analysis

max time kernel
32s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd7ee512314c91cc7651d54471c66fbb.exe
Size

599KB
MD5

cd7ee512314c91cc7651d54471c66fbb
SHA1

68e75d9251c164d4f5d44b37944034979237f85f
SHA256

fb5af2b5000a75416c83d6c89c0b08a52a440837ce522a9319ce7ada45405334
SHA512

44b25a7018d6224ebbbe45348c3fe2da0b415dc3492895f2500cc58d73e76c2ab3e78e9aa763b44e08fc28a76dfa0b6ac2071a3f5659f78e2ff21e56a3a02e70
SSDEEP

12288:l9wr+IG5FPUAMKINVEGfhX0LkHQJfmYS5hd:lk0l4V5hQJjSb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
872	iplog.exe
4172	iplog.exe
2808	iplog.exe
4940	iplog.exe
3444	iplog.exe
2900	iplog.exe
2872	iplog.exe
4388	iplog.exe
3664	iplog.exe
1344	iplog.exe
3484	iplog.exe
1512	iplog.exe
1640	iplog.exe
2428	iplog.exe
2536	iplog.exe
1036	iplog.exe
3636	iplog.exe
4348	iplog.exe
3284	iplog.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	cd7ee512314c91cc7651d54471c66fbb.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	cd7ee512314c91cc7651d54471c66fbb.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\iplog.exe	cd7ee512314c91cc7651d54471c66fbb.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File opened for modification	C:\Windows\SysWOW64\logkey.ini	iplog.exe
File created	C:\Windows\SysWOW64\iplog.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File opened for modification	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe
File created	C:\Windows\SysWOW64\ipsnow.exe	iplog.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File created	C:\Windows\sk.exe	cd7ee512314c91cc7651d54471c66fbb.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe
File opened for modification	C:\Windows\sk.exe	iplog.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 872	3612	cd7ee512314c91cc7651d54471c66fbb.exe	92
PID 3612 wrote to memory of 872	3612	cd7ee512314c91cc7651d54471c66fbb.exe	92
PID 3612 wrote to memory of 872	3612	cd7ee512314c91cc7651d54471c66fbb.exe	92
PID 872 wrote to memory of 4172	872	iplog.exe	98
PID 872 wrote to memory of 4172	872	iplog.exe	98
PID 872 wrote to memory of 4172	872	iplog.exe	98
PID 4172 wrote to memory of 2808	4172	iplog.exe	100
PID 4172 wrote to memory of 2808	4172	iplog.exe	100
PID 4172 wrote to memory of 2808	4172	iplog.exe	100
PID 2808 wrote to memory of 4940	2808	iplog.exe	102
PID 2808 wrote to memory of 4940	2808	iplog.exe	102
PID 2808 wrote to memory of 4940	2808	iplog.exe	102
PID 4940 wrote to memory of 3444	4940	iplog.exe	103
PID 4940 wrote to memory of 3444	4940	iplog.exe	103
PID 4940 wrote to memory of 3444	4940	iplog.exe	103
PID 3444 wrote to memory of 2900	3444	iplog.exe	106
PID 3444 wrote to memory of 2900	3444	iplog.exe	106
PID 3444 wrote to memory of 2900	3444	iplog.exe	106
PID 2900 wrote to memory of 2872	2900	iplog.exe	107
PID 2900 wrote to memory of 2872	2900	iplog.exe	107
PID 2900 wrote to memory of 2872	2900	iplog.exe	107
PID 2872 wrote to memory of 4388	2872	iplog.exe	108
PID 2872 wrote to memory of 4388	2872	iplog.exe	108
PID 2872 wrote to memory of 4388	2872	iplog.exe	108
PID 4388 wrote to memory of 3664	4388	iplog.exe	109
PID 4388 wrote to memory of 3664	4388	iplog.exe	109
PID 4388 wrote to memory of 3664	4388	iplog.exe	109
PID 3664 wrote to memory of 1344	3664	iplog.exe	110
PID 3664 wrote to memory of 1344	3664	iplog.exe	110
PID 3664 wrote to memory of 1344	3664	iplog.exe	110
PID 1344 wrote to memory of 3484	1344	iplog.exe	111
PID 1344 wrote to memory of 3484	1344	iplog.exe	111
PID 1344 wrote to memory of 3484	1344	iplog.exe	111
PID 3484 wrote to memory of 1512	3484	iplog.exe	112
PID 3484 wrote to memory of 1512	3484	iplog.exe	112
PID 3484 wrote to memory of 1512	3484	iplog.exe	112
PID 1512 wrote to memory of 1640	1512	iplog.exe	113
PID 1512 wrote to memory of 1640	1512	iplog.exe	113
PID 1512 wrote to memory of 1640	1512	iplog.exe	113
PID 1640 wrote to memory of 2428	1640	iplog.exe	114
PID 1640 wrote to memory of 2428	1640	iplog.exe	114
PID 1640 wrote to memory of 2428	1640	iplog.exe	114
PID 2428 wrote to memory of 2536	2428	iplog.exe	115
PID 2428 wrote to memory of 2536	2428	iplog.exe	115
PID 2428 wrote to memory of 2536	2428	iplog.exe	115
PID 2536 wrote to memory of 1036	2536	iplog.exe	116
PID 2536 wrote to memory of 1036	2536	iplog.exe	116
PID 2536 wrote to memory of 1036	2536	iplog.exe	116
PID 1036 wrote to memory of 3636	1036	iplog.exe	117
PID 1036 wrote to memory of 3636	1036	iplog.exe	117
PID 1036 wrote to memory of 3636	1036	iplog.exe	117
PID 3636 wrote to memory of 4348	3636	iplog.exe	119
PID 3636 wrote to memory of 4348	3636	iplog.exe	119
PID 3636 wrote to memory of 4348	3636	iplog.exe	119
PID 4348 wrote to memory of 3284	4348	iplog.exe	120
PID 4348 wrote to memory of 3284	4348	iplog.exe	120
PID 4348 wrote to memory of 3284	4348	iplog.exe	120

C:\Users\Admin\AppData\Local\Temp\cd7ee512314c91cc7651d54471c66fbb.exe
"C:\Users\Admin\AppData\Local\Temp\cd7ee512314c91cc7651d54471c66fbb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\iplog.exe
  C:\Windows\system32\iplog.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\iplog.exe
    C:\Windows\system32\iplog.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4172
  - - C:\Windows\SysWOW64\iplog.exe
      C:\Windows\system32\iplog.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\SysWOW64\iplog.exe
        
        C:\Windows\system32\iplog.exe
        20⤵
        Executes dropped EXE
        
        PID:3284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\iplog.exe

Filesize
599KB

MD5
cd7ee512314c91cc7651d54471c66fbb

SHA1
68e75d9251c164d4f5d44b37944034979237f85f

SHA256
fb5af2b5000a75416c83d6c89c0b08a52a440837ce522a9319ce7ada45405334

SHA512
44b25a7018d6224ebbbe45348c3fe2da0b415dc3492895f2500cc58d73e76c2ab3e78e9aa763b44e08fc28a76dfa0b6ac2071a3f5659f78e2ff21e56a3a02e70

Download Submit
C:\Windows\SysWOW64\logkey.ini

Filesize
50B

MD5
798e9d09e53254c0e70dd121cf63419b

SHA1
3b240d9315d03a03d447d7e48038b1d4a17e8167

SHA256
51355a51199fd9af5654338e100c392da2fa7d30e42ed3314be20edaa4969ec3

SHA512
e67804418a45570045cc52507333b6af1904e3b7f415cb1b58fb1af3887d6bc3d199db4aeac8c598d78370edc9a9870e2638475ac702281045923b86871ac5df

Download Submit
C:\Windows\sk.exe

Filesize
599KB

MD5
7d4fe8661340b6e581ec5c6a17767eca

SHA1
47c498bd2862e49138758ffa235de38e67f95041

SHA256
e9b6c8fe24dc20a77aa2db9afb4312302d362d60a73617e4dbac9e424625a7b4

SHA512
411ede34699efa114bc36087af1536b04cfb601059ac1600640187c15dbb842dc0129ac275d7e415c0608ea951af65fd0defc43110a6b0015484c0aabe5c72df

Download Submit
C:\Windows\sk.exe

Filesize
599KB

MD5
7e0d3287a2fcad85c902538fc59435e9

SHA1
d4105fef2229abfd4039f6e4978949519b6510f2

SHA256
0e9ab3b4fd81473852a7cfd6defc513ad5d8a9597d189b5df70d1ff6673f564a

SHA512
2c4888eb5fff01f4c94e2b91ec76eb8aa028bd8defdfa09098064437a1d2fd3489abcd2840d2d7d510fc019dc9294ed1265f3ebcf5c8d6fe2cb61397fb83ec54

Download Submit
memory/872-9-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/872-17-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1036-150-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1036-145-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1344-90-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1344-98-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1512-108-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1512-116-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1640-125-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1640-117-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2428-126-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/2428-133-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2536-136-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2536-143-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2808-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2808-27-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2872-63-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2872-71-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2900-54-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2900-61-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3444-45-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3444-53-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3484-99-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/3484-107-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3612-8-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3612-0-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/3636-155-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3636-151-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3664-89-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3664-81-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4172-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4172-19-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/4348-160-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4348-156-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4388-80-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4388-72-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4940-36-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4940-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads