77afaf12ff239213bae212a0e7d4d79e9e645334e96e75524b2e378673c2d127

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77afaf12ff239213bae212a0e7d4d79e9e645334e96e75524b2e378673c2d127.exe
Size

12KB
MD5

5e9fcc2dc20ebc2da3a412af37dd0fd5
SHA1

b81e1a892ed990e6edf6aba01be9d2b9d6b93c8b
SHA256

77afaf12ff239213bae212a0e7d4d79e9e645334e96e75524b2e378673c2d127
SHA512

7984fc3ec3ac3fe97cdd5b29d46e6a670285b4b4fa2f5c2dbaba30545fef2adc5f3d6d729ebe520c72fee362f430c1d4a152a931ed201b2708fec33d0de7d717
SSDEEP

192:zabI16JNGIT8N6BORFKvftUs8bf3PALPl5GjQ8WXftGZlLGm2AMWlJdxqHgrM91x:E9NGIIXsKAyimIm6WlJj+n

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
3332	242605014338323.exe
2004	242605014349276.exe
3224	242605014359261.exe
5016	242605014408745.exe
4348	242605014417776.exe
4440	242605014427042.exe
4052	242605014436839.exe
1268	242605014448511.exe
4888	242605014500245.exe
2296	242605014511058.exe
1992	242605014521417.exe
808	242605014530933.exe
228	242605014545479.exe
3900	242605014555214.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2396	4280	77afaf12ff239213bae212a0e7d4d79e9e645334e96e75524b2e378673c2d127.exe	105
PID 4280 wrote to memory of 2396	4280	77afaf12ff239213bae212a0e7d4d79e9e645334e96e75524b2e378673c2d127.exe	105
PID 2396 wrote to memory of 3332	2396	cmd.exe	106
PID 2396 wrote to memory of 3332	2396	cmd.exe	106
PID 3332 wrote to memory of 4292	3332	242605014338323.exe	107
PID 3332 wrote to memory of 4292	3332	242605014338323.exe	107
PID 4292 wrote to memory of 2004	4292	cmd.exe	108
PID 4292 wrote to memory of 2004	4292	cmd.exe	108
PID 2004 wrote to memory of 2776	2004	242605014349276.exe	110
PID 2004 wrote to memory of 2776	2004	242605014349276.exe	110
PID 2776 wrote to memory of 3224	2776	cmd.exe	111
PID 2776 wrote to memory of 3224	2776	cmd.exe	111
PID 3224 wrote to memory of 1396	3224	242605014359261.exe	113
PID 3224 wrote to memory of 1396	3224	242605014359261.exe	113
PID 1396 wrote to memory of 5016	1396	cmd.exe	114
PID 1396 wrote to memory of 5016	1396	cmd.exe	114
PID 5016 wrote to memory of 2096	5016	242605014408745.exe	115
PID 5016 wrote to memory of 2096	5016	242605014408745.exe	115
PID 2096 wrote to memory of 4348	2096	cmd.exe	116
PID 2096 wrote to memory of 4348	2096	cmd.exe	116
PID 4348 wrote to memory of 4540	4348	242605014417776.exe	117
PID 4348 wrote to memory of 4540	4348	242605014417776.exe	117
PID 4540 wrote to memory of 4440	4540	cmd.exe	118
PID 4540 wrote to memory of 4440	4540	cmd.exe	118
PID 4440 wrote to memory of 1624	4440	242605014427042.exe	120
PID 4440 wrote to memory of 1624	4440	242605014427042.exe	120
PID 1624 wrote to memory of 4052	1624	cmd.exe	121
PID 1624 wrote to memory of 4052	1624	cmd.exe	121
PID 4052 wrote to memory of 4480	4052	242605014436839.exe	122
PID 4052 wrote to memory of 4480	4052	242605014436839.exe	122
PID 4480 wrote to memory of 1268	4480	cmd.exe	123
PID 4480 wrote to memory of 1268	4480	cmd.exe	123
PID 1268 wrote to memory of 216	1268	242605014448511.exe	124
PID 1268 wrote to memory of 216	1268	242605014448511.exe	124
PID 216 wrote to memory of 4888	216	cmd.exe	125
PID 216 wrote to memory of 4888	216	cmd.exe	125
PID 4888 wrote to memory of 4864	4888	242605014500245.exe	133
PID 4888 wrote to memory of 4864	4888	242605014500245.exe	133
PID 4864 wrote to memory of 2296	4864	cmd.exe	134
PID 4864 wrote to memory of 2296	4864	cmd.exe	134
PID 2296 wrote to memory of 3804	2296	242605014511058.exe	135
PID 2296 wrote to memory of 3804	2296	242605014511058.exe	135
PID 3804 wrote to memory of 1992	3804	cmd.exe	136
PID 3804 wrote to memory of 1992	3804	cmd.exe	136
PID 1992 wrote to memory of 1324	1992	242605014521417.exe	137
PID 1992 wrote to memory of 1324	1992	242605014521417.exe	137
PID 1324 wrote to memory of 808	1324	cmd.exe	138
PID 1324 wrote to memory of 808	1324	cmd.exe	138
PID 808 wrote to memory of 2424	808	242605014530933.exe	141
PID 808 wrote to memory of 2424	808	242605014530933.exe	141
PID 2424 wrote to memory of 228	2424	cmd.exe	142
PID 2424 wrote to memory of 228	2424	cmd.exe	142
PID 228 wrote to memory of 1460	228	242605014545479.exe	143
PID 228 wrote to memory of 1460	228	242605014545479.exe	143
PID 1460 wrote to memory of 3900	1460	cmd.exe	144
PID 1460 wrote to memory of 3900	1460	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\77afaf12ff239213bae212a0e7d4d79e9e645334e96e75524b2e378673c2d127.exe
"C:\Users\Admin\AppData\Local\Temp\77afaf12ff239213bae212a0e7d4d79e9e645334e96e75524b2e378673c2d127.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014338323.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\242605014338323.exe
    C:\Users\Admin\AppData\Local\Temp\242605014338323.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014349276.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Users\Admin\AppData\Local\Temp\242605014349276.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014349276.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014359261.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\242605014359261.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014359261.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014408745.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\242605014408745.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014408745.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014417776.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\242605014417776.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014417776.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014427042.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\242605014427042.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014427042.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014436839.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\242605014436839.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014436839.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014448511.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\242605014448511.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014448511.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014500245.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\242605014500245.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014500245.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014511058.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\242605014511058.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014511058.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014521417.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\242605014521417.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014521417.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014530933.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\242605014530933.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014530933.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014545479.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\242605014545479.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014545479.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242605014555214.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\242605014555214.exe
        
        C:\Users\Admin\AppData\Local\Temp\242605014555214.exe 00000e
        29⤵
        Executes dropped EXE
        
        PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4744,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:2424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242605014338323.exe

Filesize
13KB

MD5
9287555ded69390e38dcd85e4bc47c6e

SHA1
27966f7efc3ffba227020976dc5461fc865d4fed

SHA256
57309db5af94a19c38c001cc3f45a23e2487409867fc76a888d08601bdcb3a39

SHA512
661ff1eb2dd18a08f8d1de601540940c42f2a88cd684e4ddffc68f7852ba8329dfde03f85004b670150712ecf8ad5b8b0fd448741ca7648e5c38c5eebed7d4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014349276.exe

Filesize
13KB

MD5
fcc0e3d8fc2566bad6bcc96ea6a0b091

SHA1
5d84d523a0beef4110e6ead317f470051f9a4438

SHA256
3f2bdb748e50c631cf3a0bee848d1b09fb35e40212ab269064b7d4be31ed80b5

SHA512
0f85466ce0b8f0a8d51d61d03d9ef26c9555988d3a3a2f9ea2b5d3cc0223e2eebf1279e839f05d93bc7c249f5079b74a3f93a89ace0659148922cc9c219f22e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014359261.exe

Filesize
12KB

MD5
f7a1d53ff07cb1b17219ca3f6f6079ee

SHA1
6e5c9937fef6c7fe0f5d4176ea21e0472ed2ce17

SHA256
e3e59824ce81612914639754afe69b49db1c84277e413aa52d9b447497849f89

SHA512
1f3d0438d7f762b68bc2157f9843e2b23c2191d2fc2852ad36d1635fd3412fd0f4daa87ee5b2ce847017004e00e7dcb5fb1ac96d5e3c7e20a2ec4c20415737b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014408745.exe

Filesize
13KB

MD5
5e02c8921f31a93248c93562f238dcd2

SHA1
138e3627a447d2667087dd2675d01d9a8e9307f1

SHA256
17bd8bccb5c69062d649436cbdd65da85490f21e393ced4a89d0a3ca5de57961

SHA512
44317c677217c9a280d2493a5a51d37af9209a6d791770431ed7a6d1c05e973beda73fadc0aa3cc1b82cf0bd92115a385ac96165ee149cf1d400b0f323f4d8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014417776.exe

Filesize
13KB

MD5
d25e2793f5cce67c4c6232d6a62fa3dc

SHA1
d70b3b8dde10009a25142c26635bef94c62924c5

SHA256
4c33ad6640ab736b12dd8b6182cc657a1e242d575126e90978214291be80a0f3

SHA512
2973487769e87b034063df5036f3f67a4503804d1e3546098ad23c035202d24679631efdff216f40173d2e8cbafa9d532d41f8dac2f0ca21032d754007ec0877

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014427042.exe

Filesize
13KB

MD5
b1b48ef129175d71c6b8cb43afe37976

SHA1
bb6946430831047a62c76525d4c1c25efb06bf28

SHA256
6b771c1d206aebfc470ab584b3e3b228d07496f5cfa171c9365f09b0381fc61e

SHA512
a4085e82edfff03f25e20d27cc12b46e7d8737ee498ba103a750536f8689cb49a8e25b46277ca697ff7c46936e8c3e8984f24b2b86ef42caf63f5e0bc5af7efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014436839.exe

Filesize
12KB

MD5
9b1722cb87ad27e7959d14db6edd7a03

SHA1
3624feea52943b80a90dacbd514097255dbc18a6

SHA256
7394360866cbac6167223ac8de539ede41081000e8ac70765e2ea175c4b822a9

SHA512
4ea984a25aac057e6f0b1385a19614d97d1d1c9915f4afa5292e91d17adf8dc146d596c6334408dd38b69c9118b9aff793a645a6e3c76914dd5c1c5acab8ec4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014448511.exe

Filesize
12KB

MD5
ce5d9e13fc617f1734f023d1b1a5b034

SHA1
db3b243adc3b4a00249e8a4980cae90748ca5f12

SHA256
c6edea3df3d44778a64b2d66ac43d8ba1dbf889e20560791624c69d97953820d

SHA512
9e0d67e1ce6c05e36b7b59146206254bd5c3e1a683c35b07c8a8ada34a17bdb5d5169330e07c462225e3e1796b2159063a5d4bb06dbf3240eeccc9bcd04e3a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014500245.exe

Filesize
12KB

MD5
98ed5058f907fffa898c568875e20a69

SHA1
405f42e60de8ed58f483fcfee310824f20462cb5

SHA256
ba94938359ecfc5de41125b4d802200b6df06bca75e451d33da41d789b5f2b55

SHA512
56fca27b0460165a61b2d6de68c0efae328fcc47e85e15dc8935dd55b2411e59778cf5e6b43884dc03caec6a4f2c46c1df88ee9d18126f6d572edda0919cb642

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014511058.exe

Filesize
13KB

MD5
14ccea6a8c32b1e54e49c15418ffb83a

SHA1
dad92fa4a99342558d649029976cd8634c866a42

SHA256
8091738a190d804a49f74fd13169bbcbfac72b595796a458595aae95ac795138

SHA512
cc4d05807da36c347bf67b6f0456442ccf10980a74f481d0cd52cbcde4467d86545c2670f7370ec649126308baf93d00d7e03dfe314b32747017e7dbf26024ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014521417.exe

Filesize
12KB

MD5
8ecb5ca121905ec4a9392da3bfca8798

SHA1
0eea2f852bf993becf3edbf8bcb0a64ab4ecfcd8

SHA256
794747d9149e906cacaf2dbe194525e58dd9905f610867afc9a46c66b67a02ab

SHA512
be2a20161f53f9b76f93b22229376c3ed86848be3f315563c67a2c0ff22ad5b91f1c29f57ce66fb9f31c809fd2f8d78d3ad6e15be9386e8ea283bcc4efa666cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014530933.exe

Filesize
12KB

MD5
b805dbc7cdfe645d5d7bce8ca02b7e4f

SHA1
66551646d70d1c5a44792852515707c8147d4362

SHA256
a9197fcd5eef8ef9e4149c6f576793288ee2cfb94f83a7f723c2a10d73c2bf6e

SHA512
4a9ac6af2caeb0e9c19b35bf80f5c7c6936cd9c864253e98a3028104e4c2abf1fc0b66aeefe979c6bc9b5da5c00209a661ee7cc826b631090e439c0e2cda7b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014545479.exe

Filesize
12KB

MD5
a841afdab2d434ae976dde3fb5363dd6

SHA1
ebdb124a0a1632890477eaa74c821e9a6ce57a1b

SHA256
541db11c9abd0566588c94ee774ab59812ae9ef1635e1f47c1bdd9312dbf059a

SHA512
0032ac3746e52347e584d7d303712ed287adab49a26540f16025129c684f551a4bf128fceffa2839dab8cb5c62281e70017b5a428e2b7c9872736c19479ed926

Download Submit
C:\Users\Admin\AppData\Local\Temp\242605014555214.exe

Filesize
12KB

MD5
2d3d570bcdcc08f849806a3e4edd1fe6

SHA1
f2099306028fa6501a85e43a91a61b58b01b097d

SHA256
7bfd4b254c15a8f27dc6d4de57a8b4eaa2190f0650700fccd0a9d5afa2005c7e

SHA512
9e4c3813beb72024742b074fedc04e036c64c1f608fb9028ea0ad2f4824ffef6e6801438ae6bd8494df59078645afe170635990f2dde0ef65b7281b00a1c2fe4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads