d4b5f4e8ae64cb34b0d42f4281d5c93be92aaf1f649ea71f3508acbf5cd6112f

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4b5f4e8ae64cb34b0d42f4281d5c93be92aaf1f649ea71f3508acbf5cd6112f.exe
Size

12KB
MD5

5e595eba51330caeadcacba1ad2e6888
SHA1

7c4d34f1ff4dd8f77eca8537fb6a4c6ea02776e9
SHA256

d4b5f4e8ae64cb34b0d42f4281d5c93be92aaf1f649ea71f3508acbf5cd6112f
SHA512

a68e529a908304b1403fed7630dc1011b1a81eb60c92a4989eaa780dfbdf75554def7810ff02919d594e37f8c925de492e1017d90f2b14af2ccd1e425ea5bb37
SSDEEP

192:WlrT5QnE0ukSz6PkhYkT5jCUIBP8UR2n+YHuG1617gWlJdxqHgrN:w10u39uBUb1NWlJj+

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
424	240604020005294.exe
212	242604020015825.exe
4732	242604020025669.exe
2972	242604020035388.exe
1268	242604020046372.exe
3940	242604020056888.exe
3820	242604020107200.exe
1536	242604020117825.exe
4920	242604020127450.exe
1248	242604020136966.exe
4124	242604020146825.exe
4448	242604020156231.exe
3588	242604020207935.exe
4472	242604020218138.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 1772	5024	d4b5f4e8ae64cb34b0d42f4281d5c93be92aaf1f649ea71f3508acbf5cd6112f.exe	93
PID 5024 wrote to memory of 1772	5024	d4b5f4e8ae64cb34b0d42f4281d5c93be92aaf1f649ea71f3508acbf5cd6112f.exe	93
PID 1772 wrote to memory of 424	1772	cmd.exe	94
PID 1772 wrote to memory of 424	1772	cmd.exe	94
PID 424 wrote to memory of 4244	424	240604020005294.exe	95
PID 424 wrote to memory of 4244	424	240604020005294.exe	95
PID 4244 wrote to memory of 212	4244	cmd.exe	96
PID 4244 wrote to memory of 212	4244	cmd.exe	96
PID 212 wrote to memory of 4180	212	242604020015825.exe	98
PID 212 wrote to memory of 4180	212	242604020015825.exe	98
PID 4180 wrote to memory of 4732	4180	cmd.exe	99
PID 4180 wrote to memory of 4732	4180	cmd.exe	99
PID 4732 wrote to memory of 4500	4732	242604020025669.exe	100
PID 4732 wrote to memory of 4500	4732	242604020025669.exe	100
PID 4500 wrote to memory of 2972	4500	cmd.exe	101
PID 4500 wrote to memory of 2972	4500	cmd.exe	101
PID 2972 wrote to memory of 4800	2972	242604020035388.exe	102
PID 2972 wrote to memory of 4800	2972	242604020035388.exe	102
PID 4800 wrote to memory of 1268	4800	cmd.exe	103
PID 4800 wrote to memory of 1268	4800	cmd.exe	103
PID 1268 wrote to memory of 2324	1268	242604020046372.exe	104
PID 1268 wrote to memory of 2324	1268	242604020046372.exe	104
PID 2324 wrote to memory of 3940	2324	cmd.exe	105
PID 2324 wrote to memory of 3940	2324	cmd.exe	105
PID 3940 wrote to memory of 2468	3940	242604020056888.exe	106
PID 3940 wrote to memory of 2468	3940	242604020056888.exe	106
PID 2468 wrote to memory of 3820	2468	cmd.exe	107
PID 2468 wrote to memory of 3820	2468	cmd.exe	107
PID 3820 wrote to memory of 3740	3820	242604020107200.exe	108
PID 3820 wrote to memory of 3740	3820	242604020107200.exe	108
PID 3740 wrote to memory of 1536	3740	cmd.exe	109
PID 3740 wrote to memory of 1536	3740	cmd.exe	109
PID 1536 wrote to memory of 4104	1536	242604020117825.exe	110
PID 1536 wrote to memory of 4104	1536	242604020117825.exe	110
PID 4104 wrote to memory of 4920	4104	cmd.exe	111
PID 4104 wrote to memory of 4920	4104	cmd.exe	111
PID 4920 wrote to memory of 3928	4920	242604020127450.exe	112
PID 4920 wrote to memory of 3928	4920	242604020127450.exe	112
PID 3928 wrote to memory of 1248	3928	cmd.exe	113
PID 3928 wrote to memory of 1248	3928	cmd.exe	113
PID 1248 wrote to memory of 2864	1248	242604020136966.exe	114
PID 1248 wrote to memory of 2864	1248	242604020136966.exe	114
PID 2864 wrote to memory of 4124	2864	cmd.exe	115
PID 2864 wrote to memory of 4124	2864	cmd.exe	115
PID 4124 wrote to memory of 1440	4124	242604020146825.exe	116
PID 4124 wrote to memory of 1440	4124	242604020146825.exe	116
PID 1440 wrote to memory of 4448	1440	cmd.exe	117
PID 1440 wrote to memory of 4448	1440	cmd.exe	117
PID 4448 wrote to memory of 5020	4448	242604020156231.exe	118
PID 4448 wrote to memory of 5020	4448	242604020156231.exe	118
PID 5020 wrote to memory of 3588	5020	cmd.exe	119
PID 5020 wrote to memory of 3588	5020	cmd.exe	119
PID 3588 wrote to memory of 4788	3588	242604020207935.exe	120
PID 3588 wrote to memory of 4788	3588	242604020207935.exe	120
PID 4788 wrote to memory of 4472	4788	cmd.exe	121
PID 4788 wrote to memory of 4472	4788	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\d4b5f4e8ae64cb34b0d42f4281d5c93be92aaf1f649ea71f3508acbf5cd6112f.exe
"C:\Users\Admin\AppData\Local\Temp\d4b5f4e8ae64cb34b0d42f4281d5c93be92aaf1f649ea71f3508acbf5cd6112f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240604020005294.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\240604020005294.exe
    C:\Users\Admin\AppData\Local\Temp\240604020005294.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020015825.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\242604020015825.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020015825.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020025669.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\242604020025669.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020025669.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020035388.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\242604020035388.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020035388.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020046372.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\242604020046372.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020046372.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020056888.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\242604020056888.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020056888.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020107200.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\242604020107200.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020107200.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020117825.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\242604020117825.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020117825.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020127450.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\242604020127450.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020127450.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020136966.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\242604020136966.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020136966.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020146825.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\242604020146825.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020146825.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020156231.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\242604020156231.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020156231.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020207935.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\242604020207935.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020207935.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604020218138.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\242604020218138.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604020218138.exe 00000e
        29⤵
        Executes dropped EXE
        
        PID:4472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240604020005294.exe

Filesize
13KB

MD5
e05dd7894e4c663c35e8ecfc32aafc5c

SHA1
5103a6adbced6965f7ff59d137aa963275f5f819

SHA256
39600b2b2534de04258081e43c9ff05ff9152091479bf35db891d7d0fdb56b1e

SHA512
f067769d40d726dbc97a9e908d75db80eb2b654cdca89a25cd6a818f1749c0608163ba5a93e331ada1ed909d0eaad785bd246b3dca00d219717c641270c3c4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020015825.exe

Filesize
12KB

MD5
0e22d372f46f87cb1608d5ac93c92954

SHA1
cae48de9fd8c5ebb226c5d160b0ff9475c565365

SHA256
93771fa65b25806d83cc8ab5e77fb0f002874e49b8b3fa337c45d1c0e45b0087

SHA512
63048959d4e17935be8b893283063659b8cb0792264c80925a6101cd031cdeb44ad9aa07b12c45ec2de77dd7e2cc24da84657af04ec326df3b2ed8f53dba4efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020025669.exe

Filesize
13KB

MD5
caceb1ac529f0b98a035cd0fb09cceee

SHA1
0afa3b5decbd6935514fa4e3f5bf8765757d90a0

SHA256
f7a3276cabd38d5a772962bdce8876f4f1f14747d9ce84a7f9ca7af9209f31ef

SHA512
9f3f8d3bb8f86772c30d272f96fcfcb93d75c5163cbe569caabd0cce76360cd2d3262295d17c033ff89fa26fe2da0630d4fe2d635aad6643b3c10e032c771fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020035388.exe

Filesize
13KB

MD5
e1b15b84e8b5493e4ddc49cacc87a64d

SHA1
d12d90ab03f1737e616f4845e16b42fc554a0776

SHA256
26155b81c650240a24b88ae9a20918708b730111e5be4a75114b323a2bfcfa56

SHA512
28f658db9fee957342dbe6b5806a45c64832403a5cb960899046436479ce6a165d186292d29278a10501d63c7910574f761b32b780b80319aa73d8fea117a5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020046372.exe

Filesize
13KB

MD5
d927aa849cf68c5e5471aa0ee02f0817

SHA1
f4f876545d2c0bb2680a9a40ee7e94aee34304da

SHA256
103cc585ec23362e12c2d8ba83a23af97ba20dae3b8f15cd7b307bc53cd72571

SHA512
52afa6cd8985e47da4763377e3e6bb587451f44989043537409867cd75a083b1e8e9ae575937760678f68a2e66601b5a2405d3bfc18578c36750dcb6ce5a8568

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020056888.exe

Filesize
13KB

MD5
7874483f7a441d0e875c62b97620c70f

SHA1
3e3957dec453d26581680e2f9adf79ae82bae277

SHA256
63136f429cceb05e31e0bcf91ee9989f07f6de83f891a7bc61b607dffc0add50

SHA512
0cd9d26862ed8a378595118d1508666f4beba29d9dc8a090b012e351753a7c570bb32a1211446ef0e2cc3649635460f07294515191a0f4628616e36920127a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020107200.exe

Filesize
12KB

MD5
fbf2888b0d979299d69933b6561f3a31

SHA1
6060350c9189cba9e6a23fe195619445a68a0f5b

SHA256
29d2c54bd3067c4d7fad008774c916f56918cdfdebf84f0c7d77f44585223b81

SHA512
3865deec082e89b43a851ceca7452e95cfb7b56beb45de84bd2b52b27a48f54ac27c37a843899e63b786c3bd4a84c685c58ecf2429a90bc5aee469e2b1f0900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020117825.exe

Filesize
13KB

MD5
6fcd974f8a24b3a4a3b33b723afd7ed0

SHA1
6621d9269cae3c874fb5f979789910e674334e97

SHA256
5be3ae09fa3bc852c100847979cc65ae982faf8b1a95a6977804d7adee111acb

SHA512
a42572c7cfe60272354f187d4ea73b2cfa3a7ef4f558c53f3037498c04899f3f620620503ceb249953eb7b5249adeca1782ad19ff544c5553ad466274bc1074f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020127450.exe

Filesize
13KB

MD5
fc2c35ad5e109de5db9e7d6fa522e5e8

SHA1
6fb121af439c539d15a66c389da49db67d9e7357

SHA256
2bb456312406255f81ea95b4517ccd0661d51cae9e7ba31f20fa64854ed05a69

SHA512
d82254b4d154a3495ddd0305d2bdc696897d1fdb2dbeb88686ec7186b0c3e97d6f623d05a90fef739855dcdd0f943121bc689f9a474beb7b4be6d2702cd44fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020136966.exe

Filesize
13KB

MD5
cb81adde2a48287723d5339a14365f72

SHA1
29b75d19d4100029fd03fde83d1914d4bf8c9fa9

SHA256
15d32ca185463c0f2d9af57578dd2fab776886c0b801cefa10dadc4abe823716

SHA512
072dbc6a19ac4e369d2d659e437b2ffe19695da03e48cc6aa2b79c36bcdc909ea381555a1b7ef574e0b3f47d76390743c14408b31f181c0246e1accfccf4425e

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020146825.exe

Filesize
13KB

MD5
3126a6a378dba887453c0af66ff63a72

SHA1
47157f7042819e6a8093a34336e72cafa5ab6662

SHA256
fa1729f7cc3866fb6d4050e7e0a8349c891cba0fc22db691820008f2231416a2

SHA512
529f7c2d9348fc559b6d1c9c5cbe68780690eeaf9455076c8c8c5853549a1b86836c3af67a2de47be1c2e8d68f24192a2292f0497d2e028b005274673aa49fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020156231.exe

Filesize
13KB

MD5
a779761a4d878b28667b314baaed7c78

SHA1
93e8f65e9296c7d6cacc16422f1e62615f866017

SHA256
520615d4c4c904e679c54884cfc5ae2e485ade3c0d591057faf1a13cd9545a64

SHA512
249a43956c240435ce0f328ce0eb62f1dd27327fcc374cc486810dabadf665c8ba57220ca88b7a9e4db6bd86e56d8fcefcf6449545f0b01d8ad391db9326b232

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020207935.exe

Filesize
13KB

MD5
04b8040764606fbf282b2fd23c7f6e2c

SHA1
16afd1fb8c1059b17f5812da7b48018e0fedf0ec

SHA256
e7247102ba827a76c268d0ca00a63b45208c57a7f6b2904f3b94bad1c66e0e9c

SHA512
3bbd6abc07302b4803219b232e918a045444eba6dfdd9d765de3a3a8f7e9e0e1a5066aca3c50fe02bd653241ebb49d8e73d7a0e8db6f1d2efe96c97ad09bf9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604020218138.exe

Filesize
13KB

MD5
b0caa49025e1d3abbbc498e93e4d255f

SHA1
c1e16be749c9c63389c0a36f2f936f6c43d554f3

SHA256
7acac89f2bab0aaea09ff8c2a5a4dc316d56440442e080c143c8b70ed98adb70

SHA512
7e05ff6937c8716729c8ba2229363f3da11bbd6c8d8c6ca23b0edae9666e7fc484a99465f540fa792eb47405c427f09a5f384e8f5bce63bd80b2bc38d8524a19

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads