Analysis
- max time kernel: 126s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/06/2024, 20:25
Static task
- static1
Behavioral task
- behavioral1
  Sample: 299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: 299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe
  Resource: win10v2004-20240508-en
General
- Target: 299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe
- Size: 12KB
- MD5: 00092311416e64e5e753335c5d7873fe
- SHA1: 40588d511c09da227ce340e5b11f01ee26817e15
- SHA256: 299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee
- SHA512: f3efffba0c2f210445a6074d8683732a1c6cfca24c1620747436fb17f9c1124a91c12ff06028a56dcd0075de2b380851a05afd5a3110a5d201a399ad16ebbd95
- SSDEEP: 192:klDI1qNwmxiN6d86w0db0x2MbCtmY7rYzPKraARYGc1pqWlJdxqHgrV1x:mhd432ouZnWlJj+K
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (11 IoCs)
  PID   Process
  1816  242606203309525.exe
  3516  242606203318150.exe
  1132  242606203329166.exe
  3056  242606203339760.exe
  1636  242606203350666.exe
  4340  242606203401885.exe
  4260  242606203412478.exe
  408   242606203421760.exe
  3556  242606203433697.exe
  1688  242606203445119.exe
  3400  242606203454916.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  Every parent/child pair below is recorded twice in the report, giving 22 distinct pairs for the 44 IoCs.
  Description                        PID   Process                                                                    procid_target
  PID 4820 wrote to memory of 764    4820  299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe  96
  PID 764 wrote to memory of 1816    764   cmd.exe                                                                    97
  PID 1816 wrote to memory of 3884   1816  242606203309525.exe                                                        100
  PID 3884 wrote to memory of 3516   3884  cmd.exe                                                                    101
  PID 3516 wrote to memory of 1744   3516  242606203318150.exe                                                        103
  PID 1744 wrote to memory of 1132   1744  cmd.exe                                                                    104
  PID 1132 wrote to memory of 2420   1132  242606203329166.exe                                                        106
  PID 2420 wrote to memory of 3056   2420  cmd.exe                                                                    107
  PID 3056 wrote to memory of 1956   3056  242606203339760.exe                                                        108
  PID 1956 wrote to memory of 1636   1956  cmd.exe                                                                    109
  PID 1636 wrote to memory of 2256   1636  242606203350666.exe                                                        110
  PID 2256 wrote to memory of 4340   2256  cmd.exe                                                                    111
  PID 4340 wrote to memory of 3692   4340  242606203401885.exe                                                        113
  PID 3692 wrote to memory of 4260   3692  cmd.exe                                                                    114
  PID 4260 wrote to memory of 3408   4260  242606203412478.exe                                                        115
  PID 3408 wrote to memory of 408    3408  cmd.exe                                                                    116
  PID 408 wrote to memory of 4876    408   242606203421760.exe                                                        117
  PID 4876 wrote to memory of 3556   4876  cmd.exe                                                                    118
  PID 3556 wrote to memory of 60     3556  242606203433697.exe                                                        126
  PID 60 wrote to memory of 1688     60    cmd.exe                                                                    127
  PID 1688 wrote to memory of 3900   1688  242606203445119.exe                                                        128
  PID 3900 wrote to memory of 3400   3900  cmd.exe                                                                    129
Processes
Each entry is a child of the entry above it; the leading number is the nesting level the report assigns. Signatures that fired on a process are listed under it; the last four processes carry none.

- Level 1, PID 4820: "C:\Users\Admin\AppData\Local\Temp\299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe"
  Suspicious use of WriteProcessMemory
- Level 2, PID 764: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203309525.exe 000001
  Suspicious use of WriteProcessMemory
- Level 3, PID 1816: C:\Users\Admin\AppData\Local\Temp\242606203309525.exe 000001
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 4, PID 3884: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203318150.exe 000002
  Suspicious use of WriteProcessMemory
- Level 5, PID 3516: C:\Users\Admin\AppData\Local\Temp\242606203318150.exe 000002
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 6, PID 1744: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203329166.exe 000003
  Suspicious use of WriteProcessMemory
- Level 7, PID 1132: C:\Users\Admin\AppData\Local\Temp\242606203329166.exe 000003
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 8, PID 2420: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203339760.exe 000004
  Suspicious use of WriteProcessMemory
- Level 9, PID 3056: C:\Users\Admin\AppData\Local\Temp\242606203339760.exe 000004
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 10, PID 1956: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203350666.exe 000005
  Suspicious use of WriteProcessMemory
- Level 11, PID 1636: C:\Users\Admin\AppData\Local\Temp\242606203350666.exe 000005
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 12, PID 2256: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203401885.exe 000006
  Suspicious use of WriteProcessMemory
- Level 13, PID 4340: C:\Users\Admin\AppData\Local\Temp\242606203401885.exe 000006
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 14, PID 3692: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203412478.exe 000007
  Suspicious use of WriteProcessMemory
- Level 15, PID 4260: C:\Users\Admin\AppData\Local\Temp\242606203412478.exe 000007
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 16, PID 3408: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203421760.exe 000008
  Suspicious use of WriteProcessMemory
- Level 17, PID 408: C:\Users\Admin\AppData\Local\Temp\242606203421760.exe 000008
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 18, PID 4876: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203433697.exe 000009
  Suspicious use of WriteProcessMemory
- Level 19, PID 3556: C:\Users\Admin\AppData\Local\Temp\242606203433697.exe 000009
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 20, PID 60: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203445119.exe 00000a
  Suspicious use of WriteProcessMemory
- Level 21, PID 1688: C:\Users\Admin\AppData\Local\Temp\242606203445119.exe 00000a
  Executes dropped EXE
  Suspicious use of WriteProcessMemory
- Level 22, PID 3900: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203454916.exe 00000b
  Suspicious use of WriteProcessMemory
- Level 23, PID 3400: C:\Users\Admin\AppData\Local\Temp\242606203454916.exe 00000b
  Executes dropped EXE
- Level 24, PID 1868: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203511619.exe 00000c
- Level 25, PID 2140: C:\Users\Admin\AppData\Local\Temp\242606203511619.exe 00000c
- Level 26, PID 400: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203523197.exe 00000d
- Level 27, PID 1996: C:\Users\Admin\AppData\Local\Temp\242606203523197.exe 00000d
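The tree is a relay: every dropped stage starts cmd.exe /c to launch the next executable from the user's Temp directory, passing an incrementing six-digit hex counter (000001 through 00000d) as the argument, and the WriteProcessMemory pairs trace the same parent/child path. The Python below is an added example, not part of this sandbox report, that rebuilds the chain from process-creation records and flags that relay pattern so it can be reused against real telemetry. The (pid, ppid, command line) record layout is an assumption modelled on a Sysmon Event ID 1 or EDR process-create log; the records themselves are constructed from the PIDs and command lines in the tree above.

```python
r"""Rebuild a cmd.exe /c <Temp>\<stage>.exe <hex counter> relay chain from
process-create records and flag each hop.  Added example, not code from the
sandbox report.  Record layout (pid, ppid, cmdline) is an assumption modelled
on a Sysmon Event ID 1 / EDR process-create log."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\system32\cmd.exe"
ROOT_PID = 4820
ROOT_EXE = "299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe"

# (cmd.exe pid, stage exe pid, stage file, counter argument) per relay hop,
# copied from the report's process tree (constructed test data).
HOPS = [
    (764, 1816, "242606203309525.exe", "000001"),
    (3884, 3516, "242606203318150.exe", "000002"),
    (1744, 1132, "242606203329166.exe", "000003"),
    (2420, 3056, "242606203339760.exe", "000004"),
    (1956, 1636, "242606203350666.exe", "000005"),
    (2256, 4340, "242606203401885.exe", "000006"),
    (3692, 4260, "242606203412478.exe", "000007"),
    (3408, 408, "242606203421760.exe", "000008"),
    (4876, 3556, "242606203433697.exe", "000009"),
    (60, 1688, "242606203445119.exe", "00000a"),
    (3900, 3400, "242606203454916.exe", "00000b"),
    (1868, 2140, "242606203511619.exe", "00000c"),
    (400, 1996, "242606203523197.exe", "00000d"),
]


def build_records():
    """Expand HOPS into flat (pid, ppid, cmdline) process-create records,
    in the same order the sandbox tree lists them."""
    records = [(ROOT_PID, None, f'"{TEMP}\\{ROOT_EXE}"')]
    parent = ROOT_PID
    for cmd_pid, exe_pid, stage, counter in HOPS:
        records.append((cmd_pid, parent, f"{CMD} /c {TEMP}\\{stage} {counter}"))
        records.append((exe_pid, cmd_pid, f"{TEMP}\\{stage} {counter}"))
        parent = exe_pid
    return records


# cmd.exe /c <any user's Temp dir>\<file>.exe <six hex digits>
RELAY_RE = re.compile(
    r'^"?[A-Za-z]:\\Windows\\system32\\cmd\.exe"?\s+/c\s+"?'
    r'(?P<path>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\(?P<file>[^\\\s"]+\.exe))"?'
    r'\s+(?P<counter>[0-9a-fA-F]{6})\s*$',
    re.IGNORECASE,
)
# An image that itself runs from a user's Temp directory.
TEMP_EXE_RE = re.compile(
    r'^"?[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\\s"]+\.exe"?(\s|$)',
    re.IGNORECASE,
)


def find_relay_hops(records):
    """Return (parent exe pid, cmd pid, stage file, counter as int) for every
    cmd.exe /c <Temp exe> <hex> launch whose parent also runs from Temp."""
    cmdline = {pid: cl for pid, _, cl in records}
    hops = []
    for pid, ppid, cl in records:
        m = RELAY_RE.match(cl)
        if not m or ppid is None:
            continue
        if TEMP_EXE_RE.match(cmdline.get(ppid, "")):
            hops.append((ppid, pid, m["file"], int(m["counter"], 16)))
    return hops


def chain_depth(records, root_pid):
    """Number of processes on the longest parent->child path from root_pid."""
    children = defaultdict(list)
    for pid, ppid, _ in records:
        if ppid is not None:
            children[ppid].append(pid)

    def depth(pid):
        return 1 + max((depth(c) for c in children[pid]), default=0)

    return depth(root_pid)


def counter_is_sequential(hops):
    """True when each hop's counter is exactly one more than the previous."""
    counters = [c for _, _, _, c in hops]
    return counters == list(range(counters[0], counters[0] + len(counters)))


if __name__ == "__main__":
    recs = build_records()
    hops = find_relay_hops(recs)
    print(f"{len(hops)} relay hops, tree depth {chain_depth(recs, ROOT_PID)}, "
          f"sequential counter: {counter_is_sequential(hops)}")
    for ppid, cmd_pid, stage, counter in hops:
        print(f"  pid {ppid} -> cmd.exe {cmd_pid} -> {stage} (stage {counter})")
```

The two regexes are deliberately anchored on the user Temp directory and the fixed-width hex argument rather than on the specific file names, since the names here are timestamps that change per run; a single hop with an incrementing counter is already a stronger signal than one dropped executable, and `counter_is_sequential` separates this relay from unrelated cmd.exe /c launches that happen to share a parent.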
Network
MITRE ATT&CK Matrix
Downloads
- 1. Filesize: 13KB
  MD5: 6769c52cd5ff08b25a199fa7cdbd1768
  SHA1: 79b40d8ac95fe4a8a6bf6317341677ea889e548c
  SHA256: c9765a2097b5160a57e89ede620e53c775f3d8a64f5dae233e5823f0ae30b1ec
  SHA512: c442fddfdf7172e93c1309d8903d0b7a2fec535e7f253b952b09159d2e1a05275c531ef82fc18c345c693cecc9f95b1d02457850fa7f929945a489b7e9d94ee6
- 2. Filesize: 13KB
  MD5: 073953a8bc246df27bc22b8024c8316a
  SHA1: b11a2df4846da1996c939d26d92c57f80e1125eb
  SHA256: e8202d16bd459b353b7439187e89f2233546696e716f6544e472cc7cb499d265
  SHA512: 74decfb49c5007a46e80b64afd0a962f70d4e17ab92b50780c2f771c852e5b0042a5d16c2257c9ac1df4ab0d3ca5d408a5c2460492ee3b40581b7b1e2216edf9
- 3. Filesize: 12KB
  MD5: 358e279f96c5326de739e3dcc96b3921
  SHA1: ebe46ea0d3856163dfefa75bc66f404178341bcc
  SHA256: da3d15696317bc7a3afafb8622fbf07bd53c29d46a7ac206b5ec5784b0f3245b
  SHA512: e26fa277758c0684d882e1ed24a3f8518dcc7989840009d90ee9e3c4ab794061919eac06e52e4a1d9b308e533f8c292312f60a11eeb3c3f8e2dc495ca1e811ea
- 4. Filesize: 12KB
  MD5: f548a71606553c7d2687feb1bd261173
  SHA1: 4e36e74bc925e2dfd3f237290703e54cde6183f3
  SHA256: 442a2d0f2dc643547da6d6632ca2ea3beab3f50bd5f452865cb8147366659994
  SHA512: c2deef63c1ac6668276db7592c8ebc4574a04272e6a08b159ebf45cc78c417cbe0cca6e53642a85616cd8909d9bae2f2bfa032dac2d8b026f03d6c2abdaec2cb
- 5. Filesize: 13KB
  MD5: a6d564e6f6c7027c8fc4f3001e3ae818
  SHA1: d8b737c94fba713ea94fb4ba42221894be6ce98b
  SHA256: 6639e6c6cc97ffa886002c51cc0d5b49d1a63646e5194374742941325ce4a6ef
  SHA512: 259a8b617441e94d3e0663b79efabe49f0607c180d38fe0eae8aecb56239ca630302c85cb19e02ecc24f763c58ec22949ae4672fee5b25f73647cb15a8540e15
- 6. Filesize: 14KB
  MD5: 2a482612181404ddb1c670ec9257575b
  SHA1: 41cde184dd9911a92191ff1b8d0da430973cb088
  SHA256: 30c77ea4deb3307079d897d5840b16ce7687f4c3bfb43d8c4d05393300af76e4
  SHA512: 51fe788380dc2fe39944744632b205baafcd068e6e14976f29c645ba95dc0e7acfc62c7409b65b919c39a1664158a98e4d4152a67ddb523227f72ce720012de9
- 7. Filesize: 13KB
  MD5: 14ea85411aee25a41d1ac29761d537b2
  SHA1: f1fd1723781a24c18145d2c9b917fbd8cd28f61e
  SHA256: 5578bc3ddbe61f4473697867a412edd71560f5c56bd4c3881e60507b38b3a296
  SHA512: c4d9109243ff4e7c9560b479565ab1b342e8d874070dd4ecbe5c12675775a3f81e3a076a3f592dbe6dce2c6cd8cfb2122c54fcf8bedff4b5923073e8d160ff5f
- 8. Filesize: 13KB
  MD5: 0192658ff91a4019a6f92265353cd47c
  SHA1: 410f097a6f28002f4c5246e8fdcb0f7a4c9c86bd
  SHA256: fe02488d3548e826c75ec6db8636e3b22a8d2e80fc6b18691e6c015c855c290a
  SHA512: 31b0094b3eda2eb655b70bc13607e1b0e460f3c560570e855076fa0b23bc84018fae0f624475ad2992bdfcb3c53bd6a9871a087eb149bc1abacfbfec4529d338
- 9. Filesize: 13KB
  MD5: f0dbba78657109200efc97c2f18256e2
  SHA1: 9851838e5f7ee0945dd5a27a694687541528abe4
  SHA256: ddee56fa1d41f4aaf4f2bb0d7f2c411cf0f4278e4747c77bf986b81a79dad682
  SHA512: 6d2d06a2ea4d1b57d9f6afaad99bc382754e21cfc416f40e8be722d1e50e288616f6f5bac21005037fe2122a9bcd9e090409701261542c0578b4cd0254b0bfda
- 10. Filesize: 13KB
  MD5: e34bba41a37e9423227c6704f3113e32
  SHA1: 53f0f1c7c6eb943d17fc6dff010dcfc917dab434
  SHA256: c99cbbded3b57cf37fabbcac672affc687b2342f085f592918022bf78a1371ee
  SHA512: 486159e3c81df8bad3eecfe18da6e86827e2c079bac1c31bb084c15f42832c5603daf55463cfffb5bca8ad1307926f80494eae062ac10908221f5c356a4903bd
- 11. Filesize: 13KB
  MD5: 5ad56445b924bf71d7cde1016416be9a
  SHA1: 6874663fa4489fa9a7644b0e346a60d520abc588
  SHA256: c5ba65e0e66a06af2027e9afa431e049f1fe8b3f337c1f3f1bb33c56a678c8f8
  SHA512: 84394107140ce4350a7b54ead71cb1bb1097d55a9910f9b3bdbdc601c5a1948ca7d3fa9b97301e3a7172d1ebea00b707dc6f933c4686656f6793786c8e1901ad
- 12. Filesize: 13KB
  MD5: 9ea31969ef6789ba06b9694b370f37b2
  SHA1: f00ed6c58396fc71089fb796f23585db49a820f8
  SHA256: a0845ca6a437dd78f1b088bc6b909909e00d5a15560a7bf44b69aa2b3eac4a8a
  SHA512: 8c04841d5b8e3d60b01790670561390bc4fa4a3974be0f236af4a0c2ce0b5b4e9b984ae113acb7e8e66f9699721e00e720631212d91b6b60d4d89f0e772726ea
- 13. Filesize: 13KB
  MD5: 2c4da28c22af477ef1f4147a27f2c7f7
  SHA1: 5dee555535641c60b72bbcab806c94bb73a0e329
  SHA256: 6e4860ddda230a965af4dcfc39f442b58441a6d5dccef4f2f2fbb2dca014d8cb
  SHA512: 5e4ca6a760a80187a88bbb12310402153c31b74825bf6a8d01624678a100eabf5476268e85de5d0ff840bc2d17414398debfb748606a847ecabaea71b9ef0cd7