63b9e01e885d01fc3783497ade1a93115f4094d1c89fcc8b52d2e4e9917599be

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b9e01e885d01fc3783497ade1a93115f4094d1c89fcc8b52d2e4e9917599be.exe
Size

12KB
MD5

abcf5e54d1d891188e37d063b61fcd12
SHA1

b5c0c4c764aa2ebec1a6ed8951326999ade3753a
SHA256

63b9e01e885d01fc3783497ade1a93115f4094d1c89fcc8b52d2e4e9917599be
SHA512

0dc94b8170d28293d9271594590e1060275b5d5dd7950ceca2d5ef22b30742200c65f7d9d55c1492b576e5754dce6b45a75f48eb309f647545bc877241bcd9b7
SSDEEP

192:k584I1yn8k6BEF6s5Mi1KVtwxjgMOO6kboPtRDLE1BUFxs5mpWlJdxqHiYrc1xN:kJok6WB8fkbj1uxpWlJj+mj

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
2180	242604012752513.exe
1420	242604012802388.exe
4880	242604012812231.exe
408	242604012822263.exe
2212	242604012832638.exe
2464	242604012842200.exe
2248	242604012851560.exe
4604	242604012900966.exe
4352	242604012909841.exe
2332	242604012919497.exe
3384	242604012929528.exe
2888	242604012938888.exe
4272	242604012947810.exe
3244	242604012957185.exe
3704	242604013007544.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 404	3552	63b9e01e885d01fc3783497ade1a93115f4094d1c89fcc8b52d2e4e9917599be.exe	93
PID 3552 wrote to memory of 404	3552	63b9e01e885d01fc3783497ade1a93115f4094d1c89fcc8b52d2e4e9917599be.exe	93
PID 404 wrote to memory of 2180	404	cmd.exe	94
PID 404 wrote to memory of 2180	404	cmd.exe	94
PID 2180 wrote to memory of 3948	2180	242604012752513.exe	95
PID 2180 wrote to memory of 3948	2180	242604012752513.exe	95
PID 3948 wrote to memory of 1420	3948	cmd.exe	96
PID 3948 wrote to memory of 1420	3948	cmd.exe	96
PID 1420 wrote to memory of 1720	1420	242604012802388.exe	98
PID 1420 wrote to memory of 1720	1420	242604012802388.exe	98
PID 1720 wrote to memory of 4880	1720	cmd.exe	99
PID 1720 wrote to memory of 4880	1720	cmd.exe	99
PID 4880 wrote to memory of 2704	4880	242604012812231.exe	100
PID 4880 wrote to memory of 2704	4880	242604012812231.exe	100
PID 2704 wrote to memory of 408	2704	cmd.exe	101
PID 2704 wrote to memory of 408	2704	cmd.exe	101
PID 408 wrote to memory of 264	408	242604012822263.exe	102
PID 408 wrote to memory of 264	408	242604012822263.exe	102
PID 264 wrote to memory of 2212	264	cmd.exe	103
PID 264 wrote to memory of 2212	264	cmd.exe	103
PID 2212 wrote to memory of 4284	2212	242604012832638.exe	104
PID 2212 wrote to memory of 4284	2212	242604012832638.exe	104
PID 4284 wrote to memory of 2464	4284	cmd.exe	105
PID 4284 wrote to memory of 2464	4284	cmd.exe	105
PID 2464 wrote to memory of 1916	2464	242604012842200.exe	106
PID 2464 wrote to memory of 1916	2464	242604012842200.exe	106
PID 1916 wrote to memory of 2248	1916	cmd.exe	107
PID 1916 wrote to memory of 2248	1916	cmd.exe	107
PID 2248 wrote to memory of 1340	2248	242604012851560.exe	108
PID 2248 wrote to memory of 1340	2248	242604012851560.exe	108
PID 1340 wrote to memory of 4604	1340	cmd.exe	109
PID 1340 wrote to memory of 4604	1340	cmd.exe	109
PID 4604 wrote to memory of 4980	4604	242604012900966.exe	110
PID 4604 wrote to memory of 4980	4604	242604012900966.exe	110
PID 4980 wrote to memory of 4352	4980	cmd.exe	111
PID 4980 wrote to memory of 4352	4980	cmd.exe	111
PID 4352 wrote to memory of 1248	4352	242604012909841.exe	112
PID 4352 wrote to memory of 1248	4352	242604012909841.exe	112
PID 1248 wrote to memory of 2332	1248	cmd.exe	113
PID 1248 wrote to memory of 2332	1248	cmd.exe	113
PID 2332 wrote to memory of 3320	2332	242604012919497.exe	114
PID 2332 wrote to memory of 3320	2332	242604012919497.exe	114
PID 3320 wrote to memory of 3384	3320	cmd.exe	115
PID 3320 wrote to memory of 3384	3320	cmd.exe	115
PID 3384 wrote to memory of 4384	3384	242604012929528.exe	116
PID 3384 wrote to memory of 4384	3384	242604012929528.exe	116
PID 4384 wrote to memory of 2888	4384	cmd.exe	117
PID 4384 wrote to memory of 2888	4384	cmd.exe	117
PID 2888 wrote to memory of 3688	2888	242604012938888.exe	118
PID 2888 wrote to memory of 3688	2888	242604012938888.exe	118
PID 3688 wrote to memory of 4272	3688	cmd.exe	119
PID 3688 wrote to memory of 4272	3688	cmd.exe	119
PID 4272 wrote to memory of 4948	4272	242604012947810.exe	120
PID 4272 wrote to memory of 4948	4272	242604012947810.exe	120
PID 4948 wrote to memory of 3244	4948	cmd.exe	121
PID 4948 wrote to memory of 3244	4948	cmd.exe	121
PID 3244 wrote to memory of 1968	3244	242604012957185.exe	122
PID 3244 wrote to memory of 1968	3244	242604012957185.exe	122
PID 1968 wrote to memory of 3704	1968	cmd.exe	123
PID 1968 wrote to memory of 3704	1968	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\63b9e01e885d01fc3783497ade1a93115f4094d1c89fcc8b52d2e4e9917599be.exe
"C:\Users\Admin\AppData\Local\Temp\63b9e01e885d01fc3783497ade1a93115f4094d1c89fcc8b52d2e4e9917599be.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012752513.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\242604012752513.exe
    C:\Users\Admin\AppData\Local\Temp\242604012752513.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012802388.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\242604012802388.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012802388.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1420
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012812231.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\242604012812231.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012812231.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012822263.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\242604012822263.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012822263.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012832638.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\242604012832638.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012832638.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012842200.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\242604012842200.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012842200.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012851560.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\242604012851560.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012851560.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012900966.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\242604012900966.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012900966.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012909841.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\242604012909841.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012909841.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012919497.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\242604012919497.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012919497.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012929528.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\242604012929528.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012929528.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012938888.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\242604012938888.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012938888.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012947810.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\242604012947810.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012947810.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604012957185.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\242604012957185.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604012957185.exe 00000e
        29⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604013007544.exe 00000f
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\242604013007544.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604013007544.exe 00000f
        31⤵
        Executes dropped EXE
        
        PID:3704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242604012752513.exe

Filesize
12KB

MD5
b5b62eff264c950ffa08fb15cba606b4

SHA1
ec3b053ddcf272306324bacfce547a469c600250

SHA256
ae4eeb9a7beafa09eb7c50f5cf7689b803204dafc7df1e3c9e319bd2ecb337e1

SHA512
3e8b4091278cf08901fbada3284b1186143a0a49f6055a107978d5da5a8138ec62676bb0cf0d01b478217040bf76b0cf57a79ce7ba71ab0a84ce07705bceca47

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012802388.exe

Filesize
12KB

MD5
316d46abcc3b361c6324ecaaf44ac4f0

SHA1
12a12c03e4d692afffdd1081b5a96c5f7f75d57c

SHA256
258b5bc5c8b5f0bb7b0612d463b8108e17a6577c62a3cdc504573154eb889662

SHA512
80cf1bdd016746f521bfb759564a554ff9960e076bfe9a18d9105203fcea52c4ed8f29d57a3e785b3c45a526bda03aa14684fbb41bead6e4839f46459085442a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012812231.exe

Filesize
13KB

MD5
3413c6de26af36dad02afdaa455ee448

SHA1
b4bccb13f73f70fd40bf3bf8d850cf4ac4b9b8e3

SHA256
e72dc4b5d9657a1b4a5d409688b5233ee5bfcab03d0aa6fe740b16f9a8b9eb7a

SHA512
8db00889d6da58a979edfe27b1c750ea09a1215a48a4b319b6abacb3f995ce2a07452b518c0df04698cd8f456894f6e8329f275a781a382550a807c3edb649c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012822263.exe

Filesize
13KB

MD5
1818959f1996d798b610c71a3db23edb

SHA1
0e23208c69fc1ce36bc84d9c8a434dd8b6066f9c

SHA256
2c90ded2a38dea446c4b553641dec341410980a8d8dd21f75ca807f0456d9319

SHA512
31924cff31316e00806902a9aa72b9e084cc63ff37e5d33c3cf2d8f251d4999ba55d2f292a9670750074bf82cca439e3c7d9a518d47cb56fb8a665ccc0a180e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012832638.exe

Filesize
13KB

MD5
8208c7ee91237e5b056a0c251f596c14

SHA1
b1f9b444e170008a7b0bfe4d58c41f7bb5484cbf

SHA256
8b5becd1f37b53614b03bbd99d103e720d260d3ced1f5d320d6c9e05bc24c2b5

SHA512
55dd291153b78217a5f4097cf19926d8223c7458e96209b36057349dcdc8b37fad1d7d0b1fb3e4393156953b93e182c73fb53461dedc4770d17e6e185c39068f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012842200.exe

Filesize
13KB

MD5
3135a97753e4ff326d983b22346568e8

SHA1
9379fff1e720c35b8c33ce420bd060a5b4238be2

SHA256
0d716c3b6a15ed3d1109574eaf94dd902b10081296e3a27972947569e9fb34d4

SHA512
544024e5da512e345ef3e2a9cfc31dc83c53e4f44b365682d2f422ea8ea6d4a241a306d6d2bef13139693a047eb715a4ced59cbdf16d246e6e433eeacb8d2f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012851560.exe

Filesize
12KB

MD5
451e8e3ac8c69321a1a68fa581b652ca

SHA1
a6e9158a63bbf6c61a72e5a248772da62e2b1313

SHA256
e176f13e044b6f9e8da724a857cb117b676f24b1bc6711aa0e6cad0fa43d6fe8

SHA512
f74cfb66c58ed97c883f75042431eb71fc1b584b311ea7c2b8440da722550b1adf513938578d2305d261742bd8768db0b3f5fced02157a156a06189c02162bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012900966.exe

Filesize
13KB

MD5
bcf7c392d77321d94cfae2357945e775

SHA1
c0f8c0a650ee7d0af329ce4215018c7db6003250

SHA256
13927d5bd326b5a7f1d48fd10e367e0b5f4f7173142f29e7c70e0197bff6467c

SHA512
2609cb5943ee19d848e2cafcecbd7882021a2db6c517fe7e5ece63f98882ded28dcb443feda426d7af72b2b32c04043554e06e8ece8c47b98e33f13bb0dff661

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012909841.exe

Filesize
12KB

MD5
ad8cc772ba982ecbdf26c48542c8bee8

SHA1
b1f37c16958eddbbe2d4bb1b3da1eca52985e28f

SHA256
cfe0ada89f51f1ac2122de18ac3bea251fb21af909f6016326125cadae051ca1

SHA512
e88eda90b40cdf7d9476b8eb650c177026b9ff5e370c43d77ba4f5f8f4432947936efe5c0cafa6cdd3d811bf3ab6966dc36d516c6f4943a7f10c35893abd592a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012919497.exe

Filesize
13KB

MD5
c4fdef170237109c01513605790fcf95

SHA1
8394c73a02f678c64b53efbac2b9a6fa817075ce

SHA256
3b13190285d94c57c655799f6fc36adc6bd792dd3dc7bad44bf9045156686747

SHA512
0df262bc5dcef6d6fd7e79ca4a8f8e16914375bc2b38b71d40b2e203df8da75a17906bdf122788b89da640e9f01e1733b37e190815db97600f88f054969673ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012929528.exe

Filesize
13KB

MD5
37c72ed83e243024c635b18371d7ef0f

SHA1
5224f14bd0263649246f3f71edd0cb64b8487daf

SHA256
2f633aa3827ce837f2d069f3fd3c0631d4d79acdce0241dfb8f23340ed74e9da

SHA512
9f7ce2a60b4d0498f04a06e30569e9afe98415f4e681bc5fa48eee1e8d7f2807dc9057e6a4eb66a91faa2e329b3c5b9a92101ef195ba5ea97c759d22f7dfb004

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012938888.exe

Filesize
12KB

MD5
057b44dda7e1f583d9e40f66a609cfe0

SHA1
d8fe4bd5de3e936a86cb6d048c1a2e887d7c198a

SHA256
1a4b79c2028e6ee5b902abad647fbfed842ae2b6cd1677c4554856b390807b53

SHA512
439e8f1c1037f9d61fa2e9e4765d362a36c2121ffd6e944184bb853923e7914e986700e99642f9f8764f663913e29cddcb5cb4584ee26049d59a76d07cda2d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012947810.exe

Filesize
13KB

MD5
0c513b346037b259ed05a9099256ec28

SHA1
6d7cffaa8eb70465713551a5a1291f7f1801534b

SHA256
1193bfde96c5c1547f8f3b44eeb224ce3397880910b78ad1a41fdc3bc796d3c4

SHA512
6ea386086a4e12304acf41ad1008756dc1b25eca3c86767900b1e953c406fad56f3daa05d42501d37ddfdc291b1a0d91516cd04e7cc86026a0a21e428cc80f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604012957185.exe

Filesize
12KB

MD5
1150eb127437c8178f8a9531be7fd198

SHA1
e8001c3b16d386624590dccc95308ed316c6c3bc

SHA256
0e73e8c66e7fee2be67746871ef4b1ee2808559042aa25bd5c949c82f4b2d770

SHA512
1188576076e561e149ef8de57243a14931051bd0afb750d6807e469d4db855ea0fc2a1f3b475c89c3e17171899095552f9309d0f4d15091375364efa04ca0752

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604013007544.exe

Filesize
12KB

MD5
541ee7146ffc70beab917ff409125d32

SHA1
e191a7c082c64811a8199975aa587c15fae8ae9b

SHA256
b870f4b81d99d2203a663e5cb6c9ba6fd79f50ea1a5793f84aeb4d58dc68c9c2

SHA512
afe793bc4b1ac1aa138965f6414d62da889d6ed6f4d934e786d0ad4311c38cd9a1b40232d94e214ac586e54e55f72013f1431f89284ba5008a33061cd88c185d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads