35a0c249246ce7566e4d26135fd620f6b9f236af61a5b29ada248aeb644e68e0

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35a0c249246ce7566e4d26135fd620f6b9f236af61a5b29ada248aeb644e68e0.exe
Size

13KB
MD5

3d49a58a133030771a4a784a5b811925
SHA1

859bea3bfa90818a36d6598f2750b0fbbe092a3e
SHA256

35a0c249246ce7566e4d26135fd620f6b9f236af61a5b29ada248aeb644e68e0
SHA512

2b2cae88d644ac5b7d00b515a5087fb4e28e99c1304552f8cd277b8c1ce8295cdefd13826855368304e73b45f4f5ee98369c0d79fd148203ec1508343a16a932
SSDEEP

192:WOOpT55VOi+ir6LN5Vy7IktNBo87q9BOjiUVnLknBmBA0mYWlJdxqHeYrnV4r:opYi1yqX3q4Ve1YWlJj+

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
408	240603141212394.exe
1152	242603141218160.exe
1436	242603141228035.exe
4500	242603141236988.exe
3328	242603141247378.exe
3784	242603141256519.exe
3648	242603141305519.exe
632	242603141314472.exe
4372	242603141324363.exe
1140	242603141334300.exe
4308	242603141344035.exe
3224	242603141354597.exe
756	242603141403972.exe
1112	242603141412785.exe
2684	242603141422644.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 4604	1324	35a0c249246ce7566e4d26135fd620f6b9f236af61a5b29ada248aeb644e68e0.exe	90
PID 1324 wrote to memory of 4604	1324	35a0c249246ce7566e4d26135fd620f6b9f236af61a5b29ada248aeb644e68e0.exe	90
PID 4604 wrote to memory of 408	4604	cmd.exe	91
PID 4604 wrote to memory of 408	4604	cmd.exe	91
PID 408 wrote to memory of 1796	408	240603141212394.exe	96
PID 408 wrote to memory of 1796	408	240603141212394.exe	96
PID 1796 wrote to memory of 1152	1796	cmd.exe	97
PID 1796 wrote to memory of 1152	1796	cmd.exe	97
PID 1152 wrote to memory of 4052	1152	242603141218160.exe	98
PID 1152 wrote to memory of 4052	1152	242603141218160.exe	98
PID 4052 wrote to memory of 1436	4052	cmd.exe	99
PID 4052 wrote to memory of 1436	4052	cmd.exe	99
PID 1436 wrote to memory of 1332	1436	242603141228035.exe	101
PID 1436 wrote to memory of 1332	1436	242603141228035.exe	101
PID 1332 wrote to memory of 4500	1332	cmd.exe	102
PID 1332 wrote to memory of 4500	1332	cmd.exe	102
PID 4500 wrote to memory of 2356	4500	242603141236988.exe	103
PID 4500 wrote to memory of 2356	4500	242603141236988.exe	103
PID 2356 wrote to memory of 3328	2356	cmd.exe	104
PID 2356 wrote to memory of 3328	2356	cmd.exe	104
PID 3328 wrote to memory of 976	3328	242603141247378.exe	105
PID 3328 wrote to memory of 976	3328	242603141247378.exe	105
PID 976 wrote to memory of 3784	976	cmd.exe	106
PID 976 wrote to memory of 3784	976	cmd.exe	106
PID 3784 wrote to memory of 1064	3784	242603141256519.exe	107
PID 3784 wrote to memory of 1064	3784	242603141256519.exe	107
PID 1064 wrote to memory of 3648	1064	cmd.exe	108
PID 1064 wrote to memory of 3648	1064	cmd.exe	108
PID 3648 wrote to memory of 3904	3648	242603141305519.exe	109
PID 3648 wrote to memory of 3904	3648	242603141305519.exe	109
PID 3904 wrote to memory of 632	3904	cmd.exe	110
PID 3904 wrote to memory of 632	3904	cmd.exe	110
PID 632 wrote to memory of 2432	632	242603141314472.exe	111
PID 632 wrote to memory of 2432	632	242603141314472.exe	111
PID 2432 wrote to memory of 4372	2432	cmd.exe	112
PID 2432 wrote to memory of 4372	2432	cmd.exe	112
PID 4372 wrote to memory of 316	4372	242603141324363.exe	113
PID 4372 wrote to memory of 316	4372	242603141324363.exe	113
PID 316 wrote to memory of 1140	316	cmd.exe	114
PID 316 wrote to memory of 1140	316	cmd.exe	114
PID 1140 wrote to memory of 3496	1140	242603141334300.exe	115
PID 1140 wrote to memory of 3496	1140	242603141334300.exe	115
PID 3496 wrote to memory of 4308	3496	cmd.exe	116
PID 3496 wrote to memory of 4308	3496	cmd.exe	116
PID 4308 wrote to memory of 948	4308	242603141344035.exe	117
PID 4308 wrote to memory of 948	4308	242603141344035.exe	117
PID 948 wrote to memory of 3224	948	cmd.exe	118
PID 948 wrote to memory of 3224	948	cmd.exe	118
PID 3224 wrote to memory of 3208	3224	242603141354597.exe	119
PID 3224 wrote to memory of 3208	3224	242603141354597.exe	119
PID 3208 wrote to memory of 756	3208	cmd.exe	120
PID 3208 wrote to memory of 756	3208	cmd.exe	120
PID 756 wrote to memory of 2864	756	242603141403972.exe	121
PID 756 wrote to memory of 2864	756	242603141403972.exe	121
PID 2864 wrote to memory of 1112	2864	cmd.exe	122
PID 2864 wrote to memory of 1112	2864	cmd.exe	122
PID 1112 wrote to memory of 1300	1112	242603141412785.exe	123
PID 1112 wrote to memory of 1300	1112	242603141412785.exe	123
PID 1300 wrote to memory of 2684	1300	cmd.exe	124
PID 1300 wrote to memory of 2684	1300	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\35a0c249246ce7566e4d26135fd620f6b9f236af61a5b29ada248aeb644e68e0.exe
"C:\Users\Admin\AppData\Local\Temp\35a0c249246ce7566e4d26135fd620f6b9f236af61a5b29ada248aeb644e68e0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240603141212394.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Users\Admin\AppData\Local\Temp\240603141212394.exe
    C:\Users\Admin\AppData\Local\Temp\240603141212394.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141218160.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\242603141218160.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141218160.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141228035.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\242603141228035.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141228035.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141236988.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\242603141236988.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141236988.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141247378.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\242603141247378.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141247378.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141256519.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\242603141256519.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141256519.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141305519.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\242603141305519.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141305519.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141314472.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\242603141314472.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141314472.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141324363.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\242603141324363.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141324363.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141334300.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\242603141334300.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141334300.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141344035.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\242603141344035.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141344035.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141354597.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\242603141354597.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141354597.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141403972.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\242603141403972.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141403972.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141412785.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\242603141412785.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141412785.exe 00000e
        29⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242603141422644.exe 00000f
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\242603141422644.exe
        
        C:\Users\Admin\AppData\Local\Temp\242603141422644.exe 00000f
        31⤵
        Executes dropped EXE
        
        PID:2684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240603141212394.exe

Filesize
13KB

MD5
bd5da5508043809294ca230a79096f90

SHA1
ba8e2f36ea188df8c8ffa92983d7f2ebd7fd89c1

SHA256
9243c0de741e25fdfe1577c306336b8b2bfe36e1a08a5b9581c0a1b4978f0536

SHA512
0613af95e9ad5ca95b0f4221d48b43611ae5122f18c145e01d47787cd11c1af272fc9397c82eab4691d049537cadd7035c9d750c269bd50c5c58008606aba054

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141218160.exe

Filesize
12KB

MD5
aa5396224618f848065071358337969b

SHA1
42fe19366cb7b7106e8c1c9496d2851a5529f594

SHA256
4b02ced076c054db2282185ded88c1ccd4a39b28c05b0a92041af3d0c6a6ec86

SHA512
12578dd151e6e939473042ae35bf1aef9ec1a8408fd1a25695d045f146f5957519ee855a57adf1e56456d6be8db7a15427a42cb586737194f1cb7bdf16f209c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141228035.exe

Filesize
13KB

MD5
9262fdc52dccb03b01782880d7ad4354

SHA1
fd99422ea3780c3d80c3558a80e02caa100243c0

SHA256
d0d1cf73107a5f48ffb8f6bd85a9023639be6c047a074271eb543d9389e37ba1

SHA512
34be7d354e0d57db976709aa16a7388473ada33ed833966a501b15ff2a327beda833a76ff97c0f4164b7368a3896fed00fbf57859304d8af0ebeefee1e28b500

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141236988.exe

Filesize
13KB

MD5
cf417f29d0d7a8dceff79cc1fda0a36a

SHA1
bf7bd7aefd052a0e9b52822fdb49185a8a4b8806

SHA256
88359cab0d77dafd26bb12c9ca9de15ac39f828073ceeeac3b6da78ed4704886

SHA512
7581c560bfe428349434465b76455cbd889e371817dade5d367da27f14d7df73b760fd8683247a2423a393c04c84e547d2c3e7b1bd2196a0b28db921103fdf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141247378.exe

Filesize
13KB

MD5
c64e9f5df8f0a466760c31fa870f8914

SHA1
e49b8b76fbd41e7ed0256beb40c7fd5b1fa352e2

SHA256
2ff02d3c834b024d37baf4f13b82bca5d6cf7ed753a9991f573a89d0a852e7df

SHA512
639e42ad853d31d1e3deef11d2e3c61bd5a466f0d5838566a41ebd8a3e4e63ae037d4d8188015129841a63e597ebc6cf7ca1c81e0b713d10043720d099a9dd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141256519.exe

Filesize
12KB

MD5
0fe38875d47b6d787026732bbeff731a

SHA1
34037e106a5d731d0dd590e03aa61f2c567151e9

SHA256
5c0ff6f25312f8f7afa25c70231c3a72a4135ac7ef80ee35963f349468661d54

SHA512
a1ab17386b1020a44943b3dbdce763f9415a63b2413e33dfccafd442c6747a6a24ecaada0309772b59e1ab97aff7e9b14520927e0eab72e85f414ee07fc46db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141305519.exe

Filesize
13KB

MD5
37dbc3d3b2f66ae18fc8d647b255743b

SHA1
084d545fdf7b781391f6e632525b261c2bb6e5d7

SHA256
1e0e69bcff772982399fd60da7d1015fa2850284a068e622d2244278727f1c34

SHA512
34effaa7d55a4145942d67b529331f5d7d91b6416a9b1a10689b66840f315d8c0e5e53df9df91669dc52ed6e0e8a2faabceb5100b4e4fdbfe5aea1fda0a17cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141314472.exe

Filesize
12KB

MD5
11639f641f5c532d317274e30df37da4

SHA1
9fb21f67d8944645acabcef09ca02dd870ee5df9

SHA256
d5b68e43fa9742adf5c8013eabe88bb33828731e7df40d7eaebb36e14caa8e5e

SHA512
a1d82e44bfa8c4d31b9bd9ab003bb73653cecca19501b3c4249709e023c6fffb634853efad505c0d461b1e1917f7d61f0f9552795a3d4a1bb8b09fd879575cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141324363.exe

Filesize
13KB

MD5
e08a4b1b91fea9da02fc7e80ee105485

SHA1
7c60dcd2e1b5177a05f318b3998a76a7892db296

SHA256
01725b338fb548d4a8b9a24cd821257a07afc0f68eeb5bab70541c26c6eae8b6

SHA512
08e68e0ae0f2a1c7833ad5d142f7a11eea1d0bb168a647a6ea0529927d699bcd5b68251784ecf9217d124f60e11b73e9f64483b9532a285dd4a657e6b4b6e2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141334300.exe

Filesize
13KB

MD5
fcb496fc73fb96979f7907abe76e3a8c

SHA1
f0efcff0a04e3cb7cc2720c41475bfe6b3977ed0

SHA256
2d21f48913a6387109a0e8cdcea52a34fa65a45f2247c621bf6e48c6df587d85

SHA512
5e232531a4a452d047465950a46531fc8b4769082560b3c368507789e0124a3aee3651a881991df7acf1b03ad3d061882a206a2c148b163052a4ae7a0f61cfd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141344035.exe

Filesize
12KB

MD5
002512958902bc89542b6ac594a19462

SHA1
7de048db079c290e29f87c1647f10a748ef0d73e

SHA256
96d8d033fcbae362d50601c3c961233da7a5d90ef3cbeed01717dfeb637da5c5

SHA512
d467b9997ee96ed3e0239b3227686b23bc14e37c762d35b102986457e98af2fca77deb50ac4e954ca16089d3df30cbf6d988d7ca32932cbc1eafda20ccc32e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141354597.exe

Filesize
13KB

MD5
a660c1e0c57e73a4a26cb7d0e9d9661f

SHA1
93dd67f6b125ee5a6f3233a84b217762b5d01fc7

SHA256
76e56de95b1c3aa14c804cd9a00ddb38632c1275cb92e68afa532e3f7685eaae

SHA512
06944feea859d19a8d6130bd12b38961d636a7024e1910491331742666ea548292f76fafb42572ae6758d6dec873409d3b37072fcfd48ab18354930a152adc15

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141403972.exe

Filesize
12KB

MD5
53fbd02db68a4283f8f50d6ca1e7e75c

SHA1
dec16ab509698d63749567a4498db6efebdde3bd

SHA256
abe2577063911a0ed575d4b0b2d470e87645396fb769c89bbe1e42880ba6c800

SHA512
445e4de3f8530477f0125f4b70ab36247ec653bbc70ed4b6bec781ee80120fa9bc6116c70925bec9087849fb66ac1c46bc4dfa8bdc48fedd1b96348e665d5959

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141412785.exe

Filesize
12KB

MD5
aa6dac91dc6e19cfb3e0f559121febeb

SHA1
7463ca8ece18ba51e5d17d1b41b4fc6c26dc4018

SHA256
48fc3a10149990069fd7613289d0e2c2267b13650a4507744348daef75b86a83

SHA512
6c594f55fd8617da75ce2718c986031f79818c58ed45487fee02a2d931c9af4dc81c0f39c921fe8c74b73807f1004f405af24d3b378e4e0f1e38f8fe53d1e6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\242603141422644.exe

Filesize
13KB

MD5
b991bed3c5cb80ea06475a53eae59899

SHA1
6d39f2d8c43ebfb3a6bafa55a0ecbca44f3542ac

SHA256
77b07d25f0cf36e4e973916a733e99ae064b0cf7f5f86793089a0d3f8406737c

SHA512
04ef36d8d17e2fc3584738bf189bbea98b0d1557309ac6a4a7b0811ba29da9ab247429f250bb729f80ba651a317de3ba742d33ee447e102cbb87ab2f37758955

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads