1e970d2ec62fb88c8554e3056db4c3a58299484e64a5e6cb0c963eb163045fa9

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e970d2ec62fb88c8554e3056db4c3a58299484e64a5e6cb0c963eb163045fa9.exe
Size

13KB
MD5

5e5a4562f344876eaeb1f54431136019
SHA1

364948e9c79b03478dc49e77d9e0dcd950eedc8e
SHA256

1e970d2ec62fb88c8554e3056db4c3a58299484e64a5e6cb0c963eb163045fa9
SHA512

40dab106f2858cb42995d5fc5afff5ec0dc851392dea8c6f0f4aa950f06420d19c30085f8333521751d0ddd5866d0f747629eb02b04b08df6bba01e59343e514
SSDEEP

192:rrDT5Rr7LbMD62IliB3BjZs0Fr7e6U3+tiEcYucWwFGPDl5DlLWlJdxqH7YrdV4:bnbAhVcYfHIPh5hLWlJj+

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
4260	240604192533315.exe
5012	242604192542409.exe
4228	242604192557800.exe
3052	242604192611300.exe
2108	242604192621518.exe
2996	242604192633487.exe
2476	242604192644268.exe
4580	242604192701253.exe
2068	242604192710534.exe
3964	242604192720159.exe
748	242604192731378.exe
912	242604192743768.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4292	3636	1e970d2ec62fb88c8554e3056db4c3a58299484e64a5e6cb0c963eb163045fa9.exe	90
PID 3636 wrote to memory of 4292	3636	1e970d2ec62fb88c8554e3056db4c3a58299484e64a5e6cb0c963eb163045fa9.exe	90
PID 4292 wrote to memory of 4260	4292	cmd.exe	91
PID 4292 wrote to memory of 4260	4292	cmd.exe	91
PID 4260 wrote to memory of 1972	4260	240604192533315.exe	94
PID 4260 wrote to memory of 1972	4260	240604192533315.exe	94
PID 1972 wrote to memory of 5012	1972	cmd.exe	95
PID 1972 wrote to memory of 5012	1972	cmd.exe	95
PID 5012 wrote to memory of 1912	5012	242604192542409.exe	97
PID 5012 wrote to memory of 1912	5012	242604192542409.exe	97
PID 1912 wrote to memory of 4228	1912	cmd.exe	98
PID 1912 wrote to memory of 4228	1912	cmd.exe	98
PID 4228 wrote to memory of 1164	4228	242604192557800.exe	99
PID 4228 wrote to memory of 1164	4228	242604192557800.exe	99
PID 1164 wrote to memory of 3052	1164	cmd.exe	100
PID 1164 wrote to memory of 3052	1164	cmd.exe	100
PID 3052 wrote to memory of 4952	3052	242604192611300.exe	101
PID 3052 wrote to memory of 4952	3052	242604192611300.exe	101
PID 4952 wrote to memory of 2108	4952	cmd.exe	102
PID 4952 wrote to memory of 2108	4952	cmd.exe	102
PID 2108 wrote to memory of 3488	2108	242604192621518.exe	103
PID 2108 wrote to memory of 3488	2108	242604192621518.exe	103
PID 3488 wrote to memory of 2996	3488	cmd.exe	104
PID 3488 wrote to memory of 2996	3488	cmd.exe	104
PID 2996 wrote to memory of 808	2996	242604192633487.exe	105
PID 2996 wrote to memory of 808	2996	242604192633487.exe	105
PID 808 wrote to memory of 2476	808	cmd.exe	106
PID 808 wrote to memory of 2476	808	cmd.exe	106
PID 2476 wrote to memory of 4408	2476	242604192644268.exe	107
PID 2476 wrote to memory of 4408	2476	242604192644268.exe	107
PID 4408 wrote to memory of 4580	4408	cmd.exe	108
PID 4408 wrote to memory of 4580	4408	cmd.exe	108
PID 4580 wrote to memory of 1224	4580	242604192701253.exe	109
PID 4580 wrote to memory of 1224	4580	242604192701253.exe	109
PID 1224 wrote to memory of 2068	1224	cmd.exe	110
PID 1224 wrote to memory of 2068	1224	cmd.exe	110
PID 2068 wrote to memory of 512	2068	242604192710534.exe	111
PID 2068 wrote to memory of 512	2068	242604192710534.exe	111
PID 512 wrote to memory of 3964	512	cmd.exe	112
PID 512 wrote to memory of 3964	512	cmd.exe	112
PID 3964 wrote to memory of 1488	3964	242604192720159.exe	113
PID 3964 wrote to memory of 1488	3964	242604192720159.exe	113
PID 1488 wrote to memory of 748	1488	cmd.exe	114
PID 1488 wrote to memory of 748	1488	cmd.exe	114
PID 748 wrote to memory of 876	748	242604192731378.exe	115
PID 748 wrote to memory of 876	748	242604192731378.exe	115
PID 876 wrote to memory of 912	876	cmd.exe	116
PID 876 wrote to memory of 912	876	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\1e970d2ec62fb88c8554e3056db4c3a58299484e64a5e6cb0c963eb163045fa9.exe
"C:\Users\Admin\AppData\Local\Temp\1e970d2ec62fb88c8554e3056db4c3a58299484e64a5e6cb0c963eb163045fa9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\240604192533315.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\240604192533315.exe
    C:\Users\Admin\AppData\Local\Temp\240604192533315.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192542409.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\242604192542409.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192542409.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192557800.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\242604192557800.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192557800.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192611300.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\242604192611300.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192611300.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192621518.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\242604192621518.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192621518.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192633487.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\242604192633487.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192633487.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192644268.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\242604192644268.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192644268.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192701253.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\242604192701253.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192701253.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192710534.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\242604192710534.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192710534.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192720159.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\242604192720159.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192720159.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192731378.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\242604192731378.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192731378.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242604192743768.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\242604192743768.exe
        
        C:\Users\Admin\AppData\Local\Temp\242604192743768.exe 00000c
        25⤵
        Executes dropped EXE
        
        PID:912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240604192533315.exe

Filesize
13KB

MD5
713a4c00352147a1741a43c5bedc7807

SHA1
ab4582550f21dd928ffe58d8f3e3159b9d2f23ef

SHA256
45f5bbb1952b47e6cfbf70a737c4108158ca47373a7a51031d2e39f8acf38d0c

SHA512
0b7514bc6f3797995da70617200ac5f54dc1db7d909ddabb3171161c5d13926c52caaff716e4afc3606797ea926e0cc23fbfcb717ea2fb3cfb37f6c9a03994f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192542409.exe

Filesize
12KB

MD5
856e3923fc557b261dec2acc5e7a7e90

SHA1
4e79b2b5035baee964c0c2c8202c6d03f9f56e27

SHA256
31fbf92cbaa5569de9b0f429c6293d31a0a9446daae77965da596aa526132f01

SHA512
ec6456bc3632181901d4ba7088c8d8640bf9e6542577e24870f844f38587099a213790859b5d2edd4ba19f993ca904d7bbfea79e558f34c4509881a104c7efd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192557800.exe

Filesize
13KB

MD5
44724e7fab06f3fb042f2575c7c22573

SHA1
da24fa4ebeadc73413d8c00c3b76ddbd068b8f40

SHA256
6a22468135f39d39fc2ce97382f73c66af15a925ac31676f2b824247e9230529

SHA512
4b9be7bc9908e23ef7505c452d36a3e9970bba9627c460a34e0455b4cff1fa53ecc6771dc370877d7ca9b55f8e7b52bf558bce8f2fc7c707b494c2dd80f8c052

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192611300.exe

Filesize
13KB

MD5
9a4204c124a51cf3ec8ad511bc1c30a6

SHA1
f9a0fd3de186d49499c79f5e77509524e90c4080

SHA256
07ac93e4c738d7e1ac0a485604befe04e211e8d39837479dd815e56e68959117

SHA512
3f7b3f6408989259e8a62487fd384c9cb344b9291e88a5d5082ffdc56097f52d793d13d12c788e339217c035c2437bdc83558eb6bf934d0caa07758db23764e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192621518.exe

Filesize
13KB

MD5
3adddf0f561dd5fc4c692a511253d963

SHA1
da6f8973c08161178cce8246171fded2278138b4

SHA256
b62b53316a0c5b52a48e669f5da00b596d60d4c14bb021169b72b9039a20d43f

SHA512
9693cfb1faff75fcb8e0dffddd21c68d762c62ea30cac4d30e7e5ca0a2bc2e93226ddcca6994918230e3744f2013ba823d98c2b74012283ff37f198fc8cd4edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192633487.exe

Filesize
13KB

MD5
930871b085aa2784ea4a476d94001528

SHA1
61c41ac97c8d7c6729d96929c328df6af47749f7

SHA256
81f3da37da0e8c71bfc7f990e7ffe8d96c7bd3bdf0d4894a24e021d9ec90dd84

SHA512
bf934128e9bab9cbb8e1c0d1b9a6d0787b9ec89cddfe29543713c18572c807957923b90521837cd11b916a059005e7c947b99a2e2581bd1e5064a3f7ced6329c

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192644268.exe

Filesize
12KB

MD5
a2748d4f1391012a43674b754f877199

SHA1
7c16ad801ae4405b0f37bc0093f453b51cad3e3a

SHA256
6861b5875fce646d7556dfe9ceac42495d513942ee8cf1a4c880940c85dd9a27

SHA512
f454ff5cbf6826e23b59b025e2890174cca52c79bac9c9ed6bec6e4ce925fa05baeaf8325baca4e298e48d149140950efe72b5705610bcfe52b7754f5890103d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192701253.exe

Filesize
12KB

MD5
a350a0f72f818819351894be82c55325

SHA1
3971d4ade5dbb09162a6ea10f1f12154ca8bae8c

SHA256
0742355ae68107291d07ec821d317aa7398f8c48d986152f1ec84ca8dff30f9d

SHA512
0a0ada6f08184b70b93458f05926e39c4f7ffc67d1e9aca27572aaa5f6a8d5c8f569e3338f44ff60e2e1a6233ef998b0349ff65da0bf7b03fc8869ed142c84bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192710534.exe

Filesize
13KB

MD5
e9df7aec1f6aa3d1b4b132ce20d607cf

SHA1
db9e9756537a841d572e415793432aeefd828f29

SHA256
a4c5fe74942e4bbd575edac413d1d240b6b64c7d2cb1e8aa2a3d08e272e46528

SHA512
5bad2fa1b67f69f5a5acb4f795ed3248d64450b37d2b30f5fbdde79297cbae2d845255eac3e8407f2df7c27bc6ffc0ebf5533c614cb53126ed4ae425dc7a970a

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192720159.exe

Filesize
13KB

MD5
932157d31f63af399e0291c9c2049af3

SHA1
280c92854a7c6d9d092c7250ea9db67131471143

SHA256
7366649b8283feb224ba71c6d00df1cd97e713a1387eba0aa6b4c30c9cc52079

SHA512
ce37c27daa1e14d0afdb3d6115ccef4457451f6b3e4a39aa35cfd0e1fc5e68f3b8fc40410a0af588c04ef7682a7e6cb049c43838ae90889391448e502826e2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192731378.exe

Filesize
12KB

MD5
2f8b1fc261a156714295e3087cf6bcae

SHA1
40a5d479ff77fda219ab9ab4428d9f44166f7a48

SHA256
cf1e9914571c1f20c3803c494154449a211c97961b8293807a8624b0dcad3192

SHA512
f31f1fa58f08193f93ee81a62504d703ec1464b4c37b325fb1623ec9d7432fa9f27dd46b0404fd7db99f5fd7a3a665018418c88e48c523de11ef566db5146c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\242604192743768.exe

Filesize
12KB

MD5
14612edbf78ffcbdcddee504f7857be2

SHA1
0b66c377b2cb2c9ed4a90bd6e83e75eb2a6e225e

SHA256
a92ad1a2ab888aa4ce7198756eaaf1ef1f99919efeeda40128247a6de8cef66e

SHA512
d2d9a8838ccba40f83eb6d3d217d453dca5ac8a41df00df4031abe879fcfede79c001a3a36d0e69fc6e5976580dd086c7fdc2a41791857556671fbb0eb10a416

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads