4369a95103acb4f393f2919b3fdd080b14a2559988d4c1ba7eb208184f345895

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 14:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4369a95103acb4f393f2919b3fdd080b14a2559988d4c1ba7eb208184f345895.exe
Size

13KB
MD5

d48f829311ec4aa1b496b655f6f2df95
SHA1

06f935ad0a85ede9479ef1824d27e7be95ca8bd1
SHA256

4369a95103acb4f393f2919b3fdd080b14a2559988d4c1ba7eb208184f345895
SHA512

5d64d5d4d5fae72fa82e87eb3c81f374df0b8ae478cb7e34493c8c63452f778d9642e1b370503f8df2305564ac9cd79008bd8efc8cedb03b0cc5005c0f7cb0ec
SSDEEP

192:f30I1NIChRAVZ+6dGHeubkn4iWZG/hP9V2D+y8l7EAYKyMWlJdxqHiYrQVf1x3U:cIhSP5F/I+py7MWlJj+GxU

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
4332	242606141158415.exe
1016	242606141208384.exe
5032	242606141218353.exe
3344	242606141228571.exe
3088	242606141237478.exe
2752	242606141247587.exe
3812	242606141256602.exe
2688	242606141306321.exe
4900	242606141315634.exe
1776	242606141325149.exe
1392	242606141335165.exe
2732	242606141344837.exe
1504	242606141354306.exe
4404	242606141403227.exe
3544	242606141413321.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 3728	1880	4369a95103acb4f393f2919b3fdd080b14a2559988d4c1ba7eb208184f345895.exe	97
PID 1880 wrote to memory of 3728	1880	4369a95103acb4f393f2919b3fdd080b14a2559988d4c1ba7eb208184f345895.exe	97
PID 3728 wrote to memory of 4332	3728	cmd.exe	98
PID 3728 wrote to memory of 4332	3728	cmd.exe	98
PID 4332 wrote to memory of 632	4332	242606141158415.exe	99
PID 4332 wrote to memory of 632	4332	242606141158415.exe	99
PID 632 wrote to memory of 1016	632	cmd.exe	100
PID 632 wrote to memory of 1016	632	cmd.exe	100
PID 1016 wrote to memory of 3712	1016	242606141208384.exe	102
PID 1016 wrote to memory of 3712	1016	242606141208384.exe	102
PID 3712 wrote to memory of 5032	3712	cmd.exe	103
PID 3712 wrote to memory of 5032	3712	cmd.exe	103
PID 5032 wrote to memory of 1900	5032	242606141218353.exe	105
PID 5032 wrote to memory of 1900	5032	242606141218353.exe	105
PID 1900 wrote to memory of 3344	1900	cmd.exe	106
PID 1900 wrote to memory of 3344	1900	cmd.exe	106
PID 3344 wrote to memory of 1412	3344	242606141228571.exe	107
PID 3344 wrote to memory of 1412	3344	242606141228571.exe	107
PID 1412 wrote to memory of 3088	1412	cmd.exe	108
PID 1412 wrote to memory of 3088	1412	cmd.exe	108
PID 3088 wrote to memory of 4036	3088	242606141237478.exe	109
PID 3088 wrote to memory of 4036	3088	242606141237478.exe	109
PID 4036 wrote to memory of 2752	4036	cmd.exe	110
PID 4036 wrote to memory of 2752	4036	cmd.exe	110
PID 2752 wrote to memory of 1536	2752	242606141247587.exe	112
PID 2752 wrote to memory of 1536	2752	242606141247587.exe	112
PID 1536 wrote to memory of 3812	1536	cmd.exe	113
PID 1536 wrote to memory of 3812	1536	cmd.exe	113
PID 3812 wrote to memory of 4444	3812	242606141256602.exe	114
PID 3812 wrote to memory of 4444	3812	242606141256602.exe	114
PID 4444 wrote to memory of 2688	4444	cmd.exe	115
PID 4444 wrote to memory of 2688	4444	cmd.exe	115
PID 2688 wrote to memory of 1568	2688	242606141306321.exe	116
PID 2688 wrote to memory of 1568	2688	242606141306321.exe	116
PID 1568 wrote to memory of 4900	1568	cmd.exe	117
PID 1568 wrote to memory of 4900	1568	cmd.exe	117
PID 4900 wrote to memory of 1732	4900	242606141315634.exe	118
PID 4900 wrote to memory of 1732	4900	242606141315634.exe	118
PID 1732 wrote to memory of 1776	1732	cmd.exe	119
PID 1732 wrote to memory of 1776	1732	cmd.exe	119
PID 1776 wrote to memory of 4360	1776	242606141325149.exe	127
PID 1776 wrote to memory of 4360	1776	242606141325149.exe	127
PID 4360 wrote to memory of 1392	4360	cmd.exe	128
PID 4360 wrote to memory of 1392	4360	cmd.exe	128
PID 1392 wrote to memory of 2692	1392	242606141335165.exe	129
PID 1392 wrote to memory of 2692	1392	242606141335165.exe	129
PID 2692 wrote to memory of 2732	2692	cmd.exe	130
PID 2692 wrote to memory of 2732	2692	cmd.exe	130
PID 2732 wrote to memory of 2944	2732	242606141344837.exe	131
PID 2732 wrote to memory of 2944	2732	242606141344837.exe	131
PID 2944 wrote to memory of 1504	2944	cmd.exe	132
PID 2944 wrote to memory of 1504	2944	cmd.exe	132
PID 1504 wrote to memory of 4512	1504	242606141354306.exe	133
PID 1504 wrote to memory of 4512	1504	242606141354306.exe	133
PID 4512 wrote to memory of 4404	4512	cmd.exe	134
PID 4512 wrote to memory of 4404	4512	cmd.exe	134
PID 4404 wrote to memory of 2192	4404	242606141403227.exe	137
PID 4404 wrote to memory of 2192	4404	242606141403227.exe	137
PID 2192 wrote to memory of 3544	2192	cmd.exe	138
PID 2192 wrote to memory of 3544	2192	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\4369a95103acb4f393f2919b3fdd080b14a2559988d4c1ba7eb208184f345895.exe
"C:\Users\Admin\AppData\Local\Temp\4369a95103acb4f393f2919b3fdd080b14a2559988d4c1ba7eb208184f345895.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141158415.exe 000001
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Users\Admin\AppData\Local\Temp\242606141158415.exe
    C:\Users\Admin\AppData\Local\Temp\242606141158415.exe 000001
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141208384.exe 000002
      4⤵
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Users\Admin\AppData\Local\Temp\242606141208384.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141208384.exe 000002
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141218353.exe 000003
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\242606141218353.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141218353.exe 000003
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141228571.exe 000004
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\242606141228571.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141228571.exe 000004
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141237478.exe 000005
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\242606141237478.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141237478.exe 000005
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141247587.exe 000006
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\242606141247587.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141247587.exe 000006
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141256602.exe 000007
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\242606141256602.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141256602.exe 000007
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141306321.exe 000008
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\242606141306321.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141306321.exe 000008
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141315634.exe 000009
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\242606141315634.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141315634.exe 000009
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141325149.exe 00000a
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\242606141325149.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141325149.exe 00000a
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141335165.exe 00000b
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\242606141335165.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141335165.exe 00000b
        23⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141344837.exe 00000c
        24⤵
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\242606141344837.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141344837.exe 00000c
        25⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141354306.exe 00000d
        26⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\242606141354306.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141354306.exe 00000d
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141403227.exe 00000e
        28⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\242606141403227.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141403227.exe 00000e
        29⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606141413321.exe 00000f
        30⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\242606141413321.exe
        
        C:\Users\Admin\AppData\Local\Temp\242606141413321.exe 00000f
        31⤵
        Executes dropped EXE
        
        PID:3544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\242606141158415.exe

Filesize
12KB

MD5
126584a835fcbb9f9327d695b1f38807

SHA1
6b5354a75cc6f4f77437e81a2fce166cd94f38eb

SHA256
4bd48b91710daec14cfcb101ce3b287e29ff880cb37219b19461ed88e5128fb6

SHA512
e77d4aa408404a4ee392003ae6231a4e391fd0bf5b56860716b7da1e2566d44262f2e2107df828dc2cef3d23e8f294d383586e8785f998fb8a7967e89050674f

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141208384.exe

Filesize
13KB

MD5
5c1ad4be1105af4093b8463a95892cf5

SHA1
c10423d1b2c788ab2e73f0624cd52272e875091c

SHA256
fbb7e590f7d7dc50aa06674e57dfb39fb694102268dda0db716f8c3d9f7a6d50

SHA512
6cc8bc1668fbb7d77b6fdd069b59b7f8379dcce550ad3d9f340f3934283433631dda12de665cff3620034bba3e00ad493c937c57fa474fd196dfe40e2f52e8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141218353.exe

Filesize
12KB

MD5
d55cbc07edbbd0bcac49c488b8718944

SHA1
2de47ee69d001b6192dd1d06ce23528e0871dc04

SHA256
0deb70e238630ec3c0562ed43e33edc995e9aa5252407974551513f07e6bccad

SHA512
a6937fab12be226b2aeb129fc1af6b89187907f4ca2995dbe5f400cca27cf18672b45235de46344b741287495ce196c7386dfdf7d319b57e4b812d5bf81444f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141228571.exe

Filesize
13KB

MD5
011a3790a7b610d66e14e8b1dd30a295

SHA1
72861f8d0c09d9ddba00e76a186631facce7e1bb

SHA256
de71a6c6a004ba03c05b8a646d15f9fb2191866ff7a494679640054ed597632b

SHA512
d8784a258b82f583e3b8abe9ae5da31166d2f5bf1ebb01ec570d1cfae43740492f60153345a01f43cb43db12575b507c08704df0fdfe9fae82fb936e9dd3d66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141237478.exe

Filesize
14KB

MD5
11e9392647260418453978440bbbfb41

SHA1
835f404534f8470172b50775caa944b7565d049b

SHA256
46768b8c6ee661eff51bbb19af77cbb3bb48b5a6b03544a022d1686e9aa30342

SHA512
026a6caaf2b03ccbc94ec34087ce1605860d65b94f75274ae59428abc1c65f31ce1fb52906eb6c9460c3efbf1294595dd32d81fb172b4d10339f622f352eb512

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141247587.exe

Filesize
13KB

MD5
424feab2984e9540c772b339fcf2cf6d

SHA1
a4cc7eb432e03829f4f5af09642a8af59de2e5a0

SHA256
4eee12a2c1dd880bba3b1201c8a2c87c8b4358b949f46c39b6147f8e414e5837

SHA512
6cb145b7c2e68490484ce82b0af76fd9a5b4e13ce8dbb75a6e0cfc10873cea3bdfbad5888d4173007b12096532e89e50042f833fb1d97d5193659b9925ad9fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141256602.exe

Filesize
12KB

MD5
ee3f27074d226e692e746c158da3bb9d

SHA1
3d4b5eeefe38a3167422038e95c6652a3740cf96

SHA256
9bd7c29544700644e3b7ab894bc8a151eda1272564e73099a4a1803953b9798d

SHA512
677997f937146b259218826796d151f17eed963c9cd72cfa72b5313fe3ea1e21ec6caccec171b21a89fa0a0aafb620564b89820353d22e7ced083d5790518da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141306321.exe

Filesize
13KB

MD5
5e10d126a6009bb135f868992710374e

SHA1
16da20299c131065a66f65767d6a63f427c42139

SHA256
58b320e74afea03613c203019a1c5a9ab844a7ea5110a535a593b3c7a1bf8317

SHA512
10627f68bde8ffa1a28f4413f9396291fefd7a5446ef0c3494a5eaf223609dcaca09fceb26081c75e56d1abe0313711200ffb84a1c1efbbbc266f7d2793c78c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141315634.exe

Filesize
13KB

MD5
72ac63820b4e9fb0a3db88c01c9a7df5

SHA1
5162ba5194a2ca1da41d2020b6a5356ad7c463e4

SHA256
4eecdd72e69f921fa26da6c8554869f7e893ef3f47377a41afb906d59cceac8c

SHA512
1a808a6d915daf21e44741c88fce8a36c00a6ef1e83590cbe213a486275e3c98290d21bf4dc631e6319cc6a719f33607f44e332da93a19b32d34dc660e66a39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141325149.exe

Filesize
13KB

MD5
66e536c0ccbc47c2fec3a5dcddff16b3

SHA1
489892761238282e532834b3636b39e0bf865d6b

SHA256
d35b4b8acf9393332f04a9bff067471cde2ec459198e224f296ada2c4a477ea0

SHA512
786267051f20485112fe00ecfb1ea8273ceeed0bc607f13fe02b6cd715cc76c9340af57fba5d4f1fbb62212f3c57855ce30188125e30b47da1ef7112fd777ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141335165.exe

Filesize
12KB

MD5
058778e9c6a23c3eac34d706d0dc94f0

SHA1
e76d31263b84eec7003914e90dcfb387cdd9960d

SHA256
6d1e5ef9e9b8a6a0056995402b2ffbd702bb3fc575081761a0f89883e7103e0b

SHA512
42c308efbf814915f930134bff8133d1c288bd98634609082f5e4e965d3ada328a654c6271151d0817510758bd221330446fc9b114b5f8d595303282d2c1cb4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141344837.exe

Filesize
13KB

MD5
f351867a21f09ef9cc2b98a2f231e2c7

SHA1
2750a9429d97ea68d70cdad6248b7338ee4f64e7

SHA256
7c07b31665d13c64404a7a4cea0e47da60e68b582c9ace5adfe3e57ee4ac54f1

SHA512
302c29391995c19992e360d2f09039dc065336708b3b1e26329a15270834e496ee3ae2effa62184809e2788cfb04923eacd146df8715e2db8f9c0bcbf87d7409

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141354306.exe

Filesize
13KB

MD5
8ca0613676ae4109a98c851ba39a5bcf

SHA1
f89708df8f9e923df8e90e914e7c1450049decbf

SHA256
829d9170908816fd6de82a7f3701bf1437fa9ea609d6ab3d440b0628832f89fd

SHA512
3bcd76c603868337a5abbeb778f0b12f38a1ee9a72b7026979a6ae127a352eea9cddae5824c9ba35d51df4636cb3ae9101a09cc8bd2b794c2719d10820c5c463

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141403227.exe

Filesize
12KB

MD5
be428e9547b2ac840b978abda7acb02e

SHA1
bda4c3307cd84b6c3bc8913d50efbecd2b09b807

SHA256
0320da3a99c66d743f3f59e73c0ba90b934ba2f118fa67495e90ddf1b81a8d19

SHA512
ecd30f76fa32d594f28d3b99fe3c2abe4ddc9c2b338ecbe8278ed0c2c0cfd234740b44159ad5a9b6bdf1b82b0b96fb29bd60e29286c690ccb62b3d1609444a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\242606141413321.exe

Filesize
13KB

MD5
eb631778709018d88ce27afd64e8d62c

SHA1
221cc7b83fae43887ae4beb0ccc6be64c6e99cd4

SHA256
3fbd823c82bdad1a19dde754a38a211792150b301d56bbae75bb59b3bb61d96d

SHA512
a42b76a1fb7a04b40cf5092e499dff003ae43a140c9c4b52af08a54ef5d810dcb3ba5571899473a0af84d7d875a3a7ac669fe89c290e62d26d7a2d8d8e9a3622

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads