34cc62fe66ddc94f4276d4b672faac10bc6d114b5487fa4815e9bdc219ef9cd9

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e0d9525e4dd035a7384735ef34c3490745fc4159bcd29039d1ba329fe20c8ad.exe
Size

12KB
MD5

fb29b5f45927696d65f2051aa6039957
SHA1

dfdcca3d5903c5d013658078f36e490c25908559
SHA256

7e0d9525e4dd035a7384735ef34c3490745fc4159bcd29039d1ba329fe20c8ad
SHA512

c3dadd55ca593fadd8399887a62fdc0a51c28e6c5ac7d7b2cffa94348bfde5376cac5c187dd4c2b3a494b3d421c0e83520af73cc22c3e07ab43ed99cb4607a84
SSDEEP

192:WYGT5JGfPk8i6J2xaAgnV02EeslfbLpPHtdA3CL7C63WlJdxqHeYrrB:uSfNPKsEFb1G63WlJj+

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
2992	240604034219336.exe
3416	242604034223399.exe
3180	242604034235868.exe
2852	242604034246649.exe
4520	242604034257789.exe
3336	242604034311711.exe
2432	242604034322118.exe
3052	242604034333446.exe
3680	242604034343664.exe
3404	242604034354289.exe
1020	242604034405383.exe
1980	242604034415743.exe
5076	242604034429868.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 948	3900	7e0d9525e4dd035a7384735ef34c3490745fc4159bcd29039d1ba329fe20c8ad.exe	89
PID 3900 wrote to memory of 948	3900	7e0d9525e4dd035a7384735ef34c3490745fc4159bcd29039d1ba329fe20c8ad.exe	89
PID 948 wrote to memory of 2992	948	cmd.exe	90
PID 948 wrote to memory of 2992	948	cmd.exe	90
PID 2992 wrote to memory of 2424	2992	240604034219336.exe	94
PID 2992 wrote to memory of 2424	2992	240604034219336.exe	94
PID 2424 wrote to memory of 3416	2424	cmd.exe	95
PID 2424 wrote to memory of 3416	2424	cmd.exe	95
PID 3416 wrote to memory of 4684	3416	242604034223399.exe	96
PID 3416 wrote to memory of 4684	3416	242604034223399.exe	96
PID 4684 wrote to memory of 3180	4684	cmd.exe	97
PID 4684 wrote to memory of 3180	4684	cmd.exe	97
PID 3180 wrote to memory of 3212	3180	242604034235868.exe	99
PID 3180 wrote to memory of 3212	3180	242604034235868.exe	99
PID 3212 wrote to memory of 2852	3212	cmd.exe	100
PID 3212 wrote to memory of 2852	3212	cmd.exe	100
PID 2852 wrote to memory of 3724	2852	242604034246649.exe	101
PID 2852 wrote to memory of 3724	2852	242604034246649.exe	101
PID 3724 wrote to memory of 4520	3724	cmd.exe	102
PID 3724 wrote to memory of 4520	3724	cmd.exe	102
PID 4520 wrote to memory of 3016	4520	242604034257789.exe	103
PID 4520 wrote to memory of 3016	4520	242604034257789.exe	103
PID 3016 wrote to memory of 3336	3016	cmd.exe	104
PID 3016 wrote to memory of 3336	3016	cmd.exe	104
PID 3336 wrote to memory of 940	3336	242604034311711.exe	105
PID 3336 wrote to memory of 940	3336	242604034311711.exe	105
PID 940 wrote to memory of 2432	940	cmd.exe	106
PID 940 wrote to memory of 2432	940	cmd.exe	106
PID 2432 wrote to memory of 2044	2432	242604034322118.exe	107
PID 2432 wrote to memory of 2044	2432	242604034322118.exe	107
PID 2044 wrote to memory of 3052	2044	cmd.exe	108
PID 2044 wrote to memory of 3052	2044	cmd.exe	108
PID 3052 wrote to memory of 5088	3052	242604034333446.exe	109
PID 3052 wrote to memory of 5088	3052	242604034333446.exe	109
PID 5088 wrote to memory of 3680	5088	cmd.exe	110
PID 5088 wrote to memory of 3680	5088	cmd.exe	110
PID 3680 wrote to memory of 3308	3680	242604034343664.exe	111
PID 3680 wrote to memory of 3308	3680	242604034343664.exe	111
PID 3308 wrote to memory of 3404	3308	cmd.exe	112
PID 3308 wrote to memory of 3404	3308	cmd.exe	112
PID 3404 wrote to memory of 1832	3404	242604034354289.exe	113
PID 3404 wrote to memory of 1832	3404	242604034354289.exe	113
PID 1832 wrote to memory of 1020	1832	cmd.exe	114
PID 1832 wrote to memory of 1020	1832	cmd.exe	114
PID 1020 wrote to memory of 4420	1020	242604034405383.exe	115
PID 1020 wrote to memory of 4420	1020	242604034405383.exe	115
PID 4420 wrote to memory of 1980	4420	cmd.exe	116
PID 4420 wrote to memory of 1980	4420	cmd.exe	116
PID 1980 wrote to memory of 860	1980	242604034415743.exe	117
PID 1980 wrote to memory of 860	1980	242604034415743.exe	117
PID 860 wrote to memory of 5076	860	cmd.exe	118
PID 860 wrote to memory of 5076	860	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\7e0d9525e4dd035a7384735ef34c3490745fc4159bcd29039d1ba329fe20c8ad.exe
"C:\Users\Admin\AppData\Local\Temp\7e0d9525e4dd035a7384735ef34c3490745fc4159bcd29039d1ba329fe20c8ad.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240604034219336.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\240604034219336.exe
    C:\Users\Admin\AppData\Local\Temp\240604034219336.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034223399.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\242604034223399.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034223399.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034235868.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\242604034235868.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034235868.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034246649.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\242604034246649.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034246649.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034257789.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\242604034257789.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034257789.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034311711.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\242604034311711.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034311711.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034322118.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\242604034322118.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034322118.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034333446.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\242604034333446.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034333446.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034343664.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\242604034343664.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034343664.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034354289.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\242604034354289.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034354289.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034405383.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\242604034405383.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034405383.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034415743.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\242604034415743.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034415743.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604034429868.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\242604034429868.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604034429868.exe 00000d
        27⤵
        Executes dropped EXE
        
        PID:5076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240604034219336.exe

Filesize
13KB

MD5
08a6b7263c4a9915c89552ee8c3cb645

SHA1
dd89ec90e704af74aa3606efd51e229768ce890b

SHA256
3b91f8ef030b9837bcf052ca1a0cd78c0b4a885c45fb679ccc920720886198f5

SHA512
f00149171b359a05a42bc6854e1564072eef48502b0d2cc5a79d065da4d4177c36b0aea25bd74ae86bab5838d3a324eef7ffb75446590898e43128e5925a8983

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034223399.exe

Filesize
12KB

MD5
f462a1a15e01853085bce89662732f99

SHA1
1ad16aadb73e8f9b5dc1cfe3b6e3abfc815f80fb

SHA256
57bc2c425f85cccff5a073d466f0cbb006f5959277a6002c714deb7eb28a56d4

SHA512
09ba9b6ef0c1bce4258ead5730063d389a1e7d4f214ccbdab05269ba24ae980806922dc75dc6788e61170ea8d0f7b885112ff13cba7514d6f174239f0fa0e01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034235868.exe

Filesize
12KB

MD5
d279c83d3b6f999aed9de842cd7f24e7

SHA1
4e8f91a904dab2c7055880c9189c842f37e18e58

SHA256
fefaeefb1e1801f3ba2ff6736dd16117b81479bd78d15708ab15c596a877a09f

SHA512
732514b6259fcf4c67f4b918744b48cc6ba2f23ead3927b74e12db1150582397c92a66dd98128ebd51d4d704fbb6182e4381676c534a6c4eca13078825ba55dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034246649.exe

Filesize
13KB

MD5
850f6bbe2d011391243202a6cc71db1b

SHA1
4b7975e5c23e3350a344332b5be0417b78935b4d

SHA256
828e13b2397a2e1840389cd210d9ac6e1ec7731b85a056463be13f5e5b5c679b

SHA512
c2f28f002ddfa1c0af9b9f0de84a3826b6f15b782d3fef714e72010dd9fd24ea9ea6f7540de59523e4f949fd40511acfb12e8ff245708e9454cd36a0d50ec5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034257789.exe

Filesize
12KB

MD5
038b6e27e18065e5496bf683461ddeb7

SHA1
20ed99cc10ced82b24917f13d2f232fb70bce2f3

SHA256
f49d9c2809f4cb084be215f53628e6fe3acaef9d6a9d5d30de4cba6384a2baa5

SHA512
0a3b230c83631bb075c4677c6f1a1f620e679acdcad14da302f1b4636f51fa63849489f931af4bcfa1c35889975aaba30cc0ffbed6d47846e0220d84d74e1580

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034311711.exe

Filesize
13KB

MD5
6d78f92473264ac5ab0153cb8406c430

SHA1
b59f0ea2dfd524cd4168e5ea797136929443f795

SHA256
bc93e68b8ffb77805e3e6c62d09d16b5a97c9c4c418cf5a7af2dd5891ef2cec7

SHA512
3e93294d0fcf86287ecf62daf980d350dc05603a53e293ef9e4ed343cb19e210a0c95297870020b826444e91f33b15561e60b6e65eb66238f4476db9ff9355c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034322118.exe

Filesize
13KB

MD5
5602a46fd10edc9b94d693b95b0f6f29

SHA1
836ba0ca789f4a28be3c4da47654445c00fbf934

SHA256
91b5f92b9cce5fbfc7918246b07d597c586067061f1ee986e3b3799c7b93a0b6

SHA512
9e203f57993545e8ee1d2e23ea6e5284f22cb258aac57fde8df47c9be8251c0f55e6da08771030f0dd6ae07e35c4dfd0067e51747405a01a93fabdf38d292d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034333446.exe

Filesize
13KB

MD5
1eb45503665de03efa70ebddb9479006

SHA1
e59df8be3118eb9bd25adca1908c7d39ed53de0c

SHA256
2740bd6532dd8c9861cf2d8d125cddef45c6383ffc69a0f187533465b166710b

SHA512
4cbdb4634cd2fad15b26155a75ad6c1d4d42359b84f01bf099207113706528b13f8411d272b591065e766082d72a03da1b738a04fa613eb495d00acae52849e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034343664.exe

Filesize
13KB

MD5
512e7c6ce22dd2dcc0967bae645320b7

SHA1
71ecb21b7629a3352849218e93beebe40e2c8d4e

SHA256
3080c032834904f1276e75fad3c35ff3adfa0ec86a1297b0e80576ff14f2ea1e

SHA512
286949c83dd9c17e94f3a2be899c63b18f5b7c9f1944974f83e708426b8329e4fb23490049a12c441bdf2fb8b78528cf1fcf9c6ff75f4144d4ce52dfdef1473d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034354289.exe

Filesize
12KB

MD5
b87dee520bb561955ce64a3a41f1a2de

SHA1
ec7bea4df25cc2260ad1068cade1bc37a935e649

SHA256
588237eea77c677ff53662195a93fa71c754cfc7f3d3ccce10b9a1fc17ebb945

SHA512
aace7e09aa83045d90920e98ad8c72ddcc934e171bbcbd2a721cf7b87d035295651f3ac7749427dbe2e4a73ac6f252d4d57e1f5ae8bb6ac9b7bf4104c8b4561f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034405383.exe

Filesize
12KB

MD5
55d336235af550c48678abd328f03608

SHA1
2a5791807f7d3dcf9f5d9e387c29d1bf0bf1f628

SHA256
1d8dc1fc62aa6ffd858b69fa5a1b0fcb9aa1b464a97e0b9b2515f7e1e324bd43

SHA512
aa4acf2918cf4d15051d6234b436c2e30010a9fc581d7107442adad5e75fa89f435d3623082dce84dba459dbbd54d78be2943606a6d4083fec3b021fd549e3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034415743.exe

Filesize
13KB

MD5
9cf85eee73021220762406497a3991d7

SHA1
0590ba75fe34e6e90fde7dd956e6f6056884d180

SHA256
38cb55dd28a74ad1aea2a782ae71640397622f9992bfe58ca7f3a10a6651236b

SHA512
834f5f8d07a6102821fef8a8348b856fa267dbf70f06515c2584d043fa0fc099857d94b4992cadd8b07daab2d17cb098ffece97feb046813e12df5d2d7393843

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604034429868.exe

Filesize
13KB

MD5
98e9fa1d40dad478d3d1e1f3861ea03b

SHA1
2f835e3eb208d2fe9ded39af65da639ee4b1d2c5

SHA256
393692b4bd7f11ae3363fba148489829a82a6765435fdf9ffefb8200c739fed3

SHA512
23a495bc9103e74f6c926023c561eb7c013cf1a5e04fd518e1c569fb76ce32698877fe17f437cda05a080f8e10a1431a1f7025df21785875b09e27dcbc8d10c7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads