c4a12b5e082a51113934a386b0bb552d0192d682a4c8dbb9063a347174a36c73

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a12b5e082a51113934a386b0bb552d0192d682a4c8dbb9063a347174a36c73.exe
Size

12KB
MD5

52a5d4b6927c573e7c263977a1b6a504
SHA1

97de038adcb49314159910342c3a821d661ae3b9
SHA256

c4a12b5e082a51113934a386b0bb552d0192d682a4c8dbb9063a347174a36c73
SHA512

717521ec52ca422652ac87c79043804c5b4a186aa1c7446866ba3beccb9352de51a5fb62245ffc78f1ad41eda2e16ed6b47517769dddc5d4a1e352bffd46fdfb
SSDEEP

192:gV4I16j1TAa+HA96on8mBi7kRy3XO2ScGbwxP/blcdcQYGVeWlJdxqHH1x:FAan8D3Yb2HQ5wWlJj+V

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
3868	242604015100446.exe
4696	242604015109759.exe
3728	242604015120462.exe
1920	242604015130540.exe
1084	242604015140571.exe
3636	242604015149884.exe
3184	242604015159618.exe
1548	242604015209962.exe
1028	242604015220087.exe
1160	242604015229321.exe
3552	242604015239259.exe
1036	242604015248493.exe
636	242604015258774.exe
624	242604015308353.exe
2168	242604015317634.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3556	1528	c4a12b5e082a51113934a386b0bb552d0192d682a4c8dbb9063a347174a36c73.exe	93
PID 1528 wrote to memory of 3556	1528	c4a12b5e082a51113934a386b0bb552d0192d682a4c8dbb9063a347174a36c73.exe	93
PID 3556 wrote to memory of 3868	3556	cmd.exe	94
PID 3556 wrote to memory of 3868	3556	cmd.exe	94
PID 3868 wrote to memory of 5028	3868	242604015100446.exe	97
PID 3868 wrote to memory of 5028	3868	242604015100446.exe	97
PID 5028 wrote to memory of 4696	5028	cmd.exe	98
PID 5028 wrote to memory of 4696	5028	cmd.exe	98
PID 4696 wrote to memory of 4116	4696	242604015109759.exe	100
PID 4696 wrote to memory of 4116	4696	242604015109759.exe	100
PID 4116 wrote to memory of 3728	4116	cmd.exe	101
PID 4116 wrote to memory of 3728	4116	cmd.exe	101
PID 3728 wrote to memory of 4056	3728	242604015120462.exe	102
PID 3728 wrote to memory of 4056	3728	242604015120462.exe	102
PID 4056 wrote to memory of 1920	4056	cmd.exe	103
PID 4056 wrote to memory of 1920	4056	cmd.exe	103
PID 1920 wrote to memory of 2644	1920	242604015130540.exe	104
PID 1920 wrote to memory of 2644	1920	242604015130540.exe	104
PID 2644 wrote to memory of 1084	2644	cmd.exe	105
PID 2644 wrote to memory of 1084	2644	cmd.exe	105
PID 1084 wrote to memory of 1368	1084	242604015140571.exe	106
PID 1084 wrote to memory of 1368	1084	242604015140571.exe	106
PID 1368 wrote to memory of 3636	1368	cmd.exe	107
PID 1368 wrote to memory of 3636	1368	cmd.exe	107
PID 3636 wrote to memory of 1868	3636	242604015149884.exe	108
PID 3636 wrote to memory of 1868	3636	242604015149884.exe	108
PID 1868 wrote to memory of 3184	1868	cmd.exe	109
PID 1868 wrote to memory of 3184	1868	cmd.exe	109
PID 3184 wrote to memory of 2012	3184	242604015159618.exe	110
PID 3184 wrote to memory of 2012	3184	242604015159618.exe	110
PID 2012 wrote to memory of 1548	2012	cmd.exe	111
PID 2012 wrote to memory of 1548	2012	cmd.exe	111
PID 1548 wrote to memory of 4992	1548	242604015209962.exe	112
PID 1548 wrote to memory of 4992	1548	242604015209962.exe	112
PID 4992 wrote to memory of 1028	4992	cmd.exe	113
PID 4992 wrote to memory of 1028	4992	cmd.exe	113
PID 1028 wrote to memory of 4528	1028	242604015220087.exe	114
PID 1028 wrote to memory of 4528	1028	242604015220087.exe	114
PID 4528 wrote to memory of 1160	4528	cmd.exe	115
PID 4528 wrote to memory of 1160	4528	cmd.exe	115
PID 1160 wrote to memory of 4708	1160	242604015229321.exe	116
PID 1160 wrote to memory of 4708	1160	242604015229321.exe	116
PID 4708 wrote to memory of 3552	4708	cmd.exe	117
PID 4708 wrote to memory of 3552	4708	cmd.exe	117
PID 3552 wrote to memory of 3924	3552	242604015239259.exe	118
PID 3552 wrote to memory of 3924	3552	242604015239259.exe	118
PID 3924 wrote to memory of 1036	3924	cmd.exe	119
PID 3924 wrote to memory of 1036	3924	cmd.exe	119
PID 1036 wrote to memory of 1628	1036	242604015248493.exe	120
PID 1036 wrote to memory of 1628	1036	242604015248493.exe	120
PID 1628 wrote to memory of 636	1628	cmd.exe	121
PID 1628 wrote to memory of 636	1628	cmd.exe	121
PID 636 wrote to memory of 440	636	242604015258774.exe	122
PID 636 wrote to memory of 440	636	242604015258774.exe	122
PID 440 wrote to memory of 624	440	cmd.exe	123
PID 440 wrote to memory of 624	440	cmd.exe	123
PID 624 wrote to memory of 4064	624	242604015308353.exe	124
PID 624 wrote to memory of 4064	624	242604015308353.exe	124
PID 4064 wrote to memory of 2168	4064	cmd.exe	125
PID 4064 wrote to memory of 2168	4064	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\c4a12b5e082a51113934a386b0bb552d0192d682a4c8dbb9063a347174a36c73.exe
"C:\Users\Admin\AppData\Local\Temp\c4a12b5e082a51113934a386b0bb552d0192d682a4c8dbb9063a347174a36c73.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015100446.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\242604015100446.exe
    C:\Users\Admin\AppData\Local\Temp\242604015100446.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015109759.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Users\Admin\AppData\Local\Temp\242604015109759.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015109759.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015120462.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\242604015120462.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015120462.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015130540.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\242604015130540.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015130540.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015140571.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\242604015140571.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015140571.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015149884.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\242604015149884.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015149884.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015159618.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\242604015159618.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015159618.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015209962.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\242604015209962.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015209962.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015220087.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\242604015220087.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015220087.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015229321.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\242604015229321.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015229321.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015239259.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\242604015239259.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015239259.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015248493.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\242604015248493.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015248493.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015258774.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\242604015258774.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015258774.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015308353.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\242604015308353.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015308353.exe 00000e
        29⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604015317634.exe 00000f
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\242604015317634.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604015317634.exe 00000f
        31⤵
        Executes dropped EXE
        
        PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242604015100446.exe

Filesize
13KB

MD5
b31671578b6ce6ce1b0d8cb8aa171896

SHA1
c0edacafd210df4d974625f06219e8ee8f1786c0

SHA256
e47fccc2071455135633aa57b9d3cea35cf7ad9f8d67c6cede04941ca4f59793

SHA512
0c6a2223e7414fb3a3eb77341f8ba379aa6959095a69385933648f0463779426500ee3d2a5d99642efb28650e155d72aa00de36d6169e305d3e2dd144c77e21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015109759.exe

Filesize
13KB

MD5
d9a0fdf8ee8c9397ecddade4c7230e6e

SHA1
9fcc299cc357524d24a64f0d0a67c9dd40992429

SHA256
8525927098a76c669488dc9fb360b48cbc8078538d028ebf8fcb06c0246fbd96

SHA512
87b79dc705786733daedb612174681d3719bd2ca89ffd9c816b7cfdf42ba754985b0505f0b6efe1cd17efca48a8160a661d380e883d35845298bc6dafc28b292

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015120462.exe

Filesize
13KB

MD5
6212c3f7dbbb5aee8db7a023031f7fce

SHA1
231f2953f51d4554adad872de91b81b372c6ca82

SHA256
0224917e26b1a580153dece40f1fee5e554add56ce81a6064b2d4bdd2ea902ad

SHA512
0127ac0d56e2e111279229c4ea8454fe586ac75222cdc7c5cefcedfb0681baa97c2396b75efbe58d62961e2ed9883b1c9165a1bdf110a0e8901c4c692b578634

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015130540.exe

Filesize
13KB

MD5
fcd4fac25c7540c7c1ed5f76bde134b9

SHA1
4fb2d0cc190a44f9810fccda7e7e5306823400e1

SHA256
6a7e1efd85c2794f567c8438908cc52316e698041cb22d4c6d4281c617fbac54

SHA512
a9ab779a68ca43de8ef4485a26130f8eec6d2412b19c06b65f42543f1b8e74a0efff6db8bbf79a1ca6a436844c7bf81a9ec6f9703fe1c64593efcbaf3681b0be

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015140571.exe

Filesize
13KB

MD5
7ecf614d38727a1747c53c759ff797fd

SHA1
cd1cc5a2b5ccff95c772f29d5c873b3d9715bdbe

SHA256
ae47bbdb4d07724c21a7b7a186c9af66f4cc12725167c0e4e3f846a5bd0de03d

SHA512
9c422f8f3b024f5f7b56e01876b40810b408b8ac7c67dad26b30bba2935f6531209c2a0befa39a1b8d9da94b28d0bae43cf9a81a4344167f9e181f14fac17218

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015149884.exe

Filesize
13KB

MD5
eb68f43e2ca3ac1a41fac370d1bbc965

SHA1
4eae1c61df20a15989c8f6e9a1b0f6271bebfdb2

SHA256
9d111657c84113063102fd1ff244e8f95bcad1f13769f30bc900fb2e63594381

SHA512
c79c8c4636d6779568ebeda9841f7b347bced30e788937ac16d92a58940c1de68a8f30c3599fdb3fca7c35bcb35ecc52ab469f19ad7939abdd85f3cda741ddaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015159618.exe

Filesize
13KB

MD5
1a5e5daa0413e845453ee6524737e5dc

SHA1
cb4f9f77372304a396771a2812e4b8b8a6c15a6c

SHA256
72a4577be4503f2391b4640ecf9f2f11df70946205004249f65ab6b221ec3222

SHA512
4cf5c29bbc0dc6b5a4befce512b74d6094dbc295590e87b5cc035f2f202748cc5098384b0b3eae96d67ca1b66004f4bf3256cad007b9d10da0ce65e904ba829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015209962.exe

Filesize
12KB

MD5
7862bc05f4812ca3698061224b373d58

SHA1
eeafc24386f9d4656a5847b2893746230f22e2f6

SHA256
e1b7b17c1a3995d41258a917dd08427e96c834104bb454df780ab22c68e8fd69

SHA512
8eb7681de713886f5bd35104a17e9ae8897e5713b10b4986c47b861cfc4b4093a0841a8e4a80727efa10cf2563cd762ae3d2c7b59dd6def3fab8abe523686bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015220087.exe

Filesize
12KB

MD5
c1189aed9f98bab3e5a5e8f35ccd0f06

SHA1
6296ff3388c838f28cc93b09781d22bb94a4ae80

SHA256
0206c9113e42ce59c6f4da38c171d6c761e9a02925516ba2100428118438b306

SHA512
f9e4fb787e643dd9b53be36bbcd1bd6be6b7a8d33fee06294c026d4fb61e64de458ea220475f4cf62db20066e95251e1ef9e74d2a2036999ee7f235cb0d234fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015229321.exe

Filesize
13KB

MD5
a1f86eb1d41c819b8b02fcf7b381e80f

SHA1
c21b92f61e85d841a8decb5876ecd380f17d0f41

SHA256
a50eac526310113e1617e32e064d8a29d31230a6f7df0dfda2b7e683c1606b5d

SHA512
83665176be3feb3f9e66e9f08788fae213a124c56ff4b0ff069bfd47d3956ff33262b9d3573dfeb935bb9c4a056f6604f65e3cf94f4b01b64296a9aa7bbc84bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015239259.exe

Filesize
13KB

MD5
b731d501fec50cdd484ddd9efef16210

SHA1
a6a235c7fbb83fe79b0bb55a66e9ec582f648cb5

SHA256
46ee348aed16d8e6ee0aaa6ea7dfbbb1664add027d6431cc55ec16bb6076064a

SHA512
09432564e81459002c9d740ce79ea6f8e9e544bedc94fc07426f2009b8654d82d24f8ff324f98c14e8e342720d5324c89014caa4c8eab28cd47f12443a57d174

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015248493.exe

Filesize
13KB

MD5
de95f3d26605153ff4b47f0ec9663d45

SHA1
a541f4caed813024d223eb44b44008c1d33fb6fe

SHA256
02d2ef94c5071d9e1e0316162888a550c01fbfc5a42e78b7fbea2759fa9a0457

SHA512
4e16a7372ca7ccbd0ef9926ba456749cae8b38b24f3bf8b805e4d6723046de719bedb61422180a237b2d5c6ab5acd72005e2e9bff89cf7623c8361a0ea764973

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015258774.exe

Filesize
12KB

MD5
dd54520fa2c5762fcd9cbffd24c6f4a0

SHA1
7b879baea161fc15df217b9c654b79f0866028ed

SHA256
4013ae55e5f8da27cb373782891dfa9438b7d8576f555c41b70d43e58ea08fb1

SHA512
7b23dcdd00e047c67b121b5b688df1749f0271b6de616c18c68c7309ca79fafb150f769743182e1d1e730a039cf6dbffa04fe25ebcebda519ed4b09cf2c6d0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015308353.exe

Filesize
12KB

MD5
316c3838c763689bf00451dccce11fd4

SHA1
bce34fe51a1fc0c6438c47ba286bc1100a5586ac

SHA256
929031e55c9bc90257bdb42a74a6b31f7ef667bc1b6a5cafca9884c7c7f4e672

SHA512
d57a10a8ef3f9586cd22647c334e85b4bb015e9180bfccc6e44a1efed82a6272318da0f5ab2e0a4ce4a98560afe1c73beb022c40d0d0eb49328b126f33935e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604015317634.exe

Filesize
12KB

MD5
92bb8a57b19ebd21711a064d0831fb86

SHA1
e6abd2fbafea1749fafa8ec8aef0a64f27bf2a59

SHA256
e27dd67714bf9375ea5bb1cdf053fe72c8f63afa2b8c20d53c065176cfe74f24

SHA512
8cebc3423ea02f8723c46f03a2682f1b009b1210c63aa1898b9a58d65d6ea75402b41e05609a3c4f547ad5acd4ee7e0e04a571ef4535d7612fe3c3c0bc97044a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads