97c4dc97b02054162091ba2cfe35ad0118a996153a685e61c63f876d5fd5db2b

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97c4dc97b02054162091ba2cfe35ad0118a996153a685e61c63f876d5fd5db2b.exe
Size

12KB
MD5

f6610c44ddb14f057e51eb7e6eccc9b6
SHA1

f9ddcd7abe31fedb0d4bf7c49e763ae2a3e1bcbf
SHA256

97c4dc97b02054162091ba2cfe35ad0118a996153a685e61c63f876d5fd5db2b
SHA512

d440aa5498f3a2d22bc06718fa39591d88d89d973df8031f20140a3ea4492e7570dc247d0024081828651a38b109a0a83b69953d8a9cab4303382ef74e831354
SSDEEP

192:olIT53So0tSV96ZuknYhcgfLaP8UVBN5kO18kGGGWlJdxqHivo:FZ7nVE3tjCITGWlJj+

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
4976	240603140658318.exe
3608	242603140708505.exe
448	242603140719443.exe
1188	242603140729896.exe
3432	242603140739208.exe
3400	242603140749411.exe
2092	242603140759193.exe
1804	242603140809818.exe
5016	242603140819943.exe
2900	242603140830927.exe
2392	242603140840630.exe
2988	242603140850739.exe
3084	242603140900193.exe
4448	242603140909052.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2320	4280	97c4dc97b02054162091ba2cfe35ad0118a996153a685e61c63f876d5fd5db2b.exe	92
PID 4280 wrote to memory of 2320	4280	97c4dc97b02054162091ba2cfe35ad0118a996153a685e61c63f876d5fd5db2b.exe	92
PID 2320 wrote to memory of 4976	2320	cmd.exe	93
PID 2320 wrote to memory of 4976	2320	cmd.exe	93
PID 4976 wrote to memory of 2880	4976	240603140658318.exe	94
PID 4976 wrote to memory of 2880	4976	240603140658318.exe	94
PID 2880 wrote to memory of 3608	2880	cmd.exe	95
PID 2880 wrote to memory of 3608	2880	cmd.exe	95
PID 3608 wrote to memory of 4692	3608	242603140708505.exe	97
PID 3608 wrote to memory of 4692	3608	242603140708505.exe	97
PID 4692 wrote to memory of 448	4692	cmd.exe	98
PID 4692 wrote to memory of 448	4692	cmd.exe	98
PID 448 wrote to memory of 2044	448	242603140719443.exe	99
PID 448 wrote to memory of 2044	448	242603140719443.exe	99
PID 2044 wrote to memory of 1188	2044	cmd.exe	100
PID 2044 wrote to memory of 1188	2044	cmd.exe	100
PID 1188 wrote to memory of 3824	1188	242603140729896.exe	101
PID 1188 wrote to memory of 3824	1188	242603140729896.exe	101
PID 3824 wrote to memory of 3432	3824	cmd.exe	102
PID 3824 wrote to memory of 3432	3824	cmd.exe	102
PID 3432 wrote to memory of 2264	3432	242603140739208.exe	103
PID 3432 wrote to memory of 2264	3432	242603140739208.exe	103
PID 2264 wrote to memory of 3400	2264	cmd.exe	104
PID 2264 wrote to memory of 3400	2264	cmd.exe	104
PID 3400 wrote to memory of 3652	3400	242603140749411.exe	105
PID 3400 wrote to memory of 3652	3400	242603140749411.exe	105
PID 3652 wrote to memory of 2092	3652	cmd.exe	106
PID 3652 wrote to memory of 2092	3652	cmd.exe	106
PID 2092 wrote to memory of 1492	2092	242603140759193.exe	107
PID 2092 wrote to memory of 1492	2092	242603140759193.exe	107
PID 1492 wrote to memory of 1804	1492	cmd.exe	108
PID 1492 wrote to memory of 1804	1492	cmd.exe	108
PID 1804 wrote to memory of 1500	1804	242603140809818.exe	109
PID 1804 wrote to memory of 1500	1804	242603140809818.exe	109
PID 1500 wrote to memory of 5016	1500	cmd.exe	110
PID 1500 wrote to memory of 5016	1500	cmd.exe	110
PID 5016 wrote to memory of 2616	5016	242603140819943.exe	111
PID 5016 wrote to memory of 2616	5016	242603140819943.exe	111
PID 2616 wrote to memory of 2900	2616	cmd.exe	112
PID 2616 wrote to memory of 2900	2616	cmd.exe	112
PID 2900 wrote to memory of 1952	2900	242603140830927.exe	113
PID 2900 wrote to memory of 1952	2900	242603140830927.exe	113
PID 1952 wrote to memory of 2392	1952	cmd.exe	114
PID 1952 wrote to memory of 2392	1952	cmd.exe	114
PID 2392 wrote to memory of 808	2392	242603140840630.exe	115
PID 2392 wrote to memory of 808	2392	242603140840630.exe	115
PID 808 wrote to memory of 2988	808	cmd.exe	116
PID 808 wrote to memory of 2988	808	cmd.exe	116
PID 2988 wrote to memory of 4312	2988	242603140850739.exe	117
PID 2988 wrote to memory of 4312	2988	242603140850739.exe	117
PID 4312 wrote to memory of 3084	4312	cmd.exe	118
PID 4312 wrote to memory of 3084	4312	cmd.exe	118
PID 3084 wrote to memory of 2540	3084	242603140900193.exe	119
PID 3084 wrote to memory of 2540	3084	242603140900193.exe	119
PID 2540 wrote to memory of 4448	2540	cmd.exe	120
PID 2540 wrote to memory of 4448	2540	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\97c4dc97b02054162091ba2cfe35ad0118a996153a685e61c63f876d5fd5db2b.exe
"C:\Users\Admin\AppData\Local\Temp\97c4dc97b02054162091ba2cfe35ad0118a996153a685e61c63f876d5fd5db2b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240603140658318.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\240603140658318.exe
    C:\Users\Admin\AppData\Local\Temp\240603140658318.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140708505.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\242603140708505.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140708505.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140719443.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\242603140719443.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140719443.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140729896.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\242603140729896.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140729896.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140739208.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\242603140739208.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140739208.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140749411.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\242603140749411.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140749411.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140759193.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\242603140759193.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140759193.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140809818.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\242603140809818.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140809818.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140819943.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\242603140819943.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140819943.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140830927.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\242603140830927.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140830927.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140840630.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\242603140840630.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140840630.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140850739.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\242603140850739.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140850739.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140900193.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\242603140900193.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140900193.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603140909052.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\242603140909052.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603140909052.exe 00000e
        29⤵
        Executes dropped EXE
        
        PID:4448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240603140658318.exe

Filesize
12KB

MD5
0be5ef8a7e51e359fb60e1fcfb76d366

SHA1
836ae8bd1eeeab0b5f0b91a3a9e1a1f61aadcfd4

SHA256
ca14651db1252c0253761d4fa8819c05c966aafc04c1ecf77ab31c6e26e3f72f

SHA512
76b55f65e1b74d33965c1778d8c4a9a076eee855eccda8eda9707de5bda97baefb76288ed09c07f3a8c9c616207e6a07edcd0f0c6f3847f03a4e45852d52dee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140708505.exe

Filesize
12KB

MD5
70cabe2f4290dc453e9a867bad5613e8

SHA1
1917ac4ca9ea4cd23b42dac5cfcbb7002b4f643e

SHA256
a6c89a383c367a965faf31c68940eae7a9c6227fb3023c5923dab89fa0d214b0

SHA512
0d0dbc8906f7ceb7abdcf194bd8c9677c269d5a12e99cb2dc92213f3972439810e5a13b289ec7b056cf2286bf4dfb9a2b99625b138dda0d031de79c457759246

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140719443.exe

Filesize
12KB

MD5
7c53978459856a6abe2c8c049500d312

SHA1
a4a7b062d23c35ca3ce17ecdb4a668d5f218f215

SHA256
01ce3fd4f1c1d79f4365cdfb49654f52529bacca3fb4edb3b0aed198353dec3a

SHA512
1f95a619f3da553d088b455ccc3235fc1b7b65717b48b7d6819cb52ace41aca835f5c54e069a101a92c0a695440a1283d628527bb11358845537d14d6e316b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140729896.exe

Filesize
12KB

MD5
1eb92ab58af499c9ae349a20b9762de9

SHA1
396269dd29faa22218ebc13493456908f7947a0f

SHA256
789ce890d340c1a842c0a542ef18e4c6641086a60f7523acb4ae46e002d2ee8e

SHA512
ff8e3dd2e45b035587813c653d7d6b0f7b01c4fcbb9a3cd58b11f8bb615e9266053fda2157040c853b9b99449fadd8afdfa5a181ae338b01ab34a9ddfbda190f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140739208.exe

Filesize
13KB

MD5
b5f55e9e0c4808c3818b11977b606daa

SHA1
da0cf32040c36753d60e551a38afb03e799842db

SHA256
c648df1b684d59eacad2d3ed22137b3d96a33b85fcd63a67b4969d866207ff4f

SHA512
af51b9d35757480acde6d7f716f4413d0c0f9b6647950fdbec779ca7a064d1fc204d419984e825f77adeaaf14286a514ec7bb2eda2f508a454e99c433bffb3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140749411.exe

Filesize
12KB

MD5
3894ec6104f38b8f0a2819e473c6487c

SHA1
592e67010275c9782a3b9c9e0491ec814a3e2b5b

SHA256
61b70e60796ac6adb7a4f5c7dd2e698d9e2f57df7c2fab5c28adef678492e6bd

SHA512
0d7fb2137264d2d00b72ec83270fce6726b9df2987b553436f8cf370840569287dd33bd02b48997cb38ad7531b510fbf1b7a18d1d682a7b7f1ed489c33b2fd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140759193.exe

Filesize
12KB

MD5
50b81763058102968c1ff7ca32efbdba

SHA1
877046ebd93f1ed52714e7dd06889b077660fba9

SHA256
ea4d7d7cecc4f1633c37c62137c150c45a3251866a0808e1bd577d9ce08b4fb9

SHA512
7a896bfbafa6932e7dcc326d4a717d43439c6a935ee2f9f39c9806259eb0a93b86b13cf41f53409d5cdad59a170e88b6e64472993869300d689b640b1fe5478d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140809818.exe

Filesize
12KB

MD5
0dfe4ff7aae61e842b952e6c4e36f51f

SHA1
8359a2bfc944d400255c84eb626bf2873b09f70f

SHA256
94f17da7325921e22775f11f8edf3dea635ea98bf42937707ad4dab10cedf076

SHA512
054dd5333fe21e33f1742a4f5f9109cbdda1dc45dab0a919080f8b39fe138b9c987c028ea833b9a316cbc2d3d7e5c2d2637556085301ff3c2836ca54cd8194b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140819943.exe

Filesize
12KB

MD5
f53aa9de1facc0c88986de3b24f8c225

SHA1
5eb4fcfb58368947815cb88a85443f868c1f8811

SHA256
9f09821c780f95089f490f671da03ea95c7e7d8f25e8b78c779b5289114333eb

SHA512
2927927aa84c85c9571c3d1dcceb19a9c0e0afe833ec71efde080e17944c6871810bcf8257a3c931efb4586eb00fa8395cdd13b55a58a226468600daad579833

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140830927.exe

Filesize
12KB

MD5
6cc86fe7f61568185bda9b6c5f4c013a

SHA1
3b913836cdbee392b62636ce3cd8b999d4742f6f

SHA256
f1196859939983fb1898d278e8ec9cbe2dc95495cc92bb427082f3b2705fbc1f

SHA512
8edd525715a52685942e08effcbe0e90e13b1ea98bea0f87a7826a290c74b3e927a386ed19e0d6f391fff5fb882540180ca9d7c18eec78c19008f57b23a2c75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140840630.exe

Filesize
13KB

MD5
322326e4de04ef1b8b4b076cdf3abe17

SHA1
84c392c714f999b2dc670dbba4a6b3b9ebf9db0b

SHA256
9ab68472c899e3e18e61ed01c80ef80f97b1f388d1c1df573e1ec1aaf0ff6118

SHA512
eeda64d0f66f652922702332ebca517a1a34ed0b65f73fec97a9e2fc4ba013dd9bdcb1cbd153422cae9d538fad69603773f8d0287b87d2d220122c89f83b6fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140850739.exe

Filesize
12KB

MD5
e9f18fe57fb6e7badcaecfdcd86d4d30

SHA1
4a2b6330689d8c6174fa8678658d7ce77371ab10

SHA256
9aa02aeeb49237e6fea87d3b36712e2a3973d2a391cbcfff83e530cfa12e4610

SHA512
f82ac0223d6a9c352c3df908a7f6ab3f2c71219efe0a161d3b4c22443cb9a5f61af4ec94c7d15b1145361e28113ed204b3ca7e187f0fbafec46b6ed9846679cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140900193.exe

Filesize
12KB

MD5
cabe2ba57e9b59c757054dc74449abea

SHA1
a3ea1e35c1680c702f27b7304f2f12d61abc2ca1

SHA256
b77b247799501ef21e9968123f756934a074df55f6df6d128360bd2f0c9dc3d3

SHA512
40da1ad279112bbfe1687a2150b45ca2e28862d253a93f5394f4c3313f6c5d0e5ab6ab5f4507c56394f2b64112b0757cd26631157f6202ed0d0044137dc8d06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603140909052.exe

Filesize
12KB

MD5
896c07352f991799483bba1e1f895016

SHA1
7a4ca260f5b4f48887d0158d472cf7c2351f8645

SHA256
d279c9a905bb7a86bcf4663707294ad46688fc5352b7897b68fbca6cb4a74de3

SHA512
3fc7695441517dbaadbc331aa36c302dca22c0075e8d6324f9934e7bb2b5e302300d40edd74951a0b4b7cc836609850d488d79587a0b86755281ea22de17a7ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads