Analysis

  • max time kernel: 126s
  • max time network: 159s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/06/2024, 20:25

General

  • Target: 299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe
  • Size: 12KB
  • MD5: 00092311416e64e5e753335c5d7873fe
  • SHA1: 40588d511c09da227ce340e5b11f01ee26817e15
  • SHA256: 299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee
  • SHA512: f3efffba0c2f210445a6074d8683732a1c6cfca24c1620747436fb17f9c1124a91c12ff06028a56dcd0075de2b380851a05afd5a3110a5d201a399ad16ebbd95
  • SSDEEP: 192:klDI1qNwmxiN6d86w0db0x2MbCtmY7rYzPKraARYGc1pqWlJdxqHgrV1x:mhd432ouZnWlJj+K

Score: 8/10

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (11 IoCs)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes (tree depth in brackets; each process is a child of the one listed above it)

  • [1] C:\Users\Admin\AppData\Local\Temp\299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe (PID:4820)
    "C:\Users\Admin\AppData\Local\Temp\299afa0d4eb6aee26835f649723d41684c55a1d302a051479c4736d77e3a15ee.exe"
    Signatures: Suspicious use of WriteProcessMemory
  • [2] C:\Windows\system32\cmd.exe (PID:764)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203309525.exe 000001
    Signatures: Suspicious use of WriteProcessMemory
  • [3] C:\Users\Admin\AppData\Local\Temp\242606203309525.exe (PID:1816)
    C:\Users\Admin\AppData\Local\Temp\242606203309525.exe 000001
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [4] C:\Windows\system32\cmd.exe (PID:3884)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203318150.exe 000002
    Signatures: Suspicious use of WriteProcessMemory
  • [5] C:\Users\Admin\AppData\Local\Temp\242606203318150.exe (PID:3516)
    C:\Users\Admin\AppData\Local\Temp\242606203318150.exe 000002
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [6] C:\Windows\system32\cmd.exe (PID:1744)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203329166.exe 000003
    Signatures: Suspicious use of WriteProcessMemory
  • [7] C:\Users\Admin\AppData\Local\Temp\242606203329166.exe (PID:1132)
    C:\Users\Admin\AppData\Local\Temp\242606203329166.exe 000003
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [8] C:\Windows\system32\cmd.exe (PID:2420)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203339760.exe 000004
    Signatures: Suspicious use of WriteProcessMemory
  • [9] C:\Users\Admin\AppData\Local\Temp\242606203339760.exe (PID:3056)
    C:\Users\Admin\AppData\Local\Temp\242606203339760.exe 000004
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [10] C:\Windows\system32\cmd.exe (PID:1956)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203350666.exe 000005
    Signatures: Suspicious use of WriteProcessMemory
  • [11] C:\Users\Admin\AppData\Local\Temp\242606203350666.exe (PID:1636)
    C:\Users\Admin\AppData\Local\Temp\242606203350666.exe 000005
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [12] C:\Windows\system32\cmd.exe (PID:2256)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203401885.exe 000006
    Signatures: Suspicious use of WriteProcessMemory
  • [13] C:\Users\Admin\AppData\Local\Temp\242606203401885.exe (PID:4340)
    C:\Users\Admin\AppData\Local\Temp\242606203401885.exe 000006
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [14] C:\Windows\system32\cmd.exe (PID:3692)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203412478.exe 000007
    Signatures: Suspicious use of WriteProcessMemory
  • [15] C:\Users\Admin\AppData\Local\Temp\242606203412478.exe (PID:4260)
    C:\Users\Admin\AppData\Local\Temp\242606203412478.exe 000007
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [16] C:\Windows\system32\cmd.exe (PID:3408)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203421760.exe 000008
    Signatures: Suspicious use of WriteProcessMemory
  • [17] C:\Users\Admin\AppData\Local\Temp\242606203421760.exe (PID:408)
    C:\Users\Admin\AppData\Local\Temp\242606203421760.exe 000008
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [18] C:\Windows\system32\cmd.exe (PID:4876)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203433697.exe 000009
    Signatures: Suspicious use of WriteProcessMemory
  • [19] C:\Users\Admin\AppData\Local\Temp\242606203433697.exe (PID:3556)
    C:\Users\Admin\AppData\Local\Temp\242606203433697.exe 000009
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [20] C:\Windows\system32\cmd.exe (PID:60)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203445119.exe 00000a
    Signatures: Suspicious use of WriteProcessMemory
  • [21] C:\Users\Admin\AppData\Local\Temp\242606203445119.exe (PID:1688)
    C:\Users\Admin\AppData\Local\Temp\242606203445119.exe 00000a
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  • [22] C:\Windows\system32\cmd.exe (PID:3900)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203454916.exe 00000b
    Signatures: Suspicious use of WriteProcessMemory
  • [23] C:\Users\Admin\AppData\Local\Temp\242606203454916.exe (PID:3400)
    C:\Users\Admin\AppData\Local\Temp\242606203454916.exe 00000b
    Signatures: Executes dropped EXE
  • [24] C:\Windows\system32\cmd.exe (PID:1868)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203511619.exe 00000c
  • [25] C:\Users\Admin\AppData\Local\Temp\242606203511619.exe (PID:2140)
    C:\Users\Admin\AppData\Local\Temp\242606203511619.exe 00000c
  • [26] C:\Windows\system32\cmd.exe (PID:400)
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\242606203523197.exe 00000d
  • [27] C:\Users\Admin\AppData\Local\Temp\242606203523197.exe (PID:1996)
    C:\Users\Admin\AppData\Local\Temp\242606203523197.exe 00000d

Downloads

  • C:\Users\Admin\AppData\Local\Temp\242606203309525.exe
    Filesize: 13KB
    MD5: 6769c52cd5ff08b25a199fa7cdbd1768
    SHA1: 79b40d8ac95fe4a8a6bf6317341677ea889e548c
    SHA256: c9765a2097b5160a57e89ede620e53c775f3d8a64f5dae233e5823f0ae30b1ec
    SHA512: c442fddfdf7172e93c1309d8903d0b7a2fec535e7f253b952b09159d2e1a05275c531ef82fc18c345c693cecc9f95b1d02457850fa7f929945a489b7e9d94ee6

  • C:\Users\Admin\AppData\Local\Temp\242606203318150.exe
    Filesize: 13KB
    MD5: 073953a8bc246df27bc22b8024c8316a
    SHA1: b11a2df4846da1996c939d26d92c57f80e1125eb
    SHA256: e8202d16bd459b353b7439187e89f2233546696e716f6544e472cc7cb499d265
    SHA512: 74decfb49c5007a46e80b64afd0a962f70d4e17ab92b50780c2f771c852e5b0042a5d16c2257c9ac1df4ab0d3ca5d408a5c2460492ee3b40581b7b1e2216edf9

  • C:\Users\Admin\AppData\Local\Temp\242606203329166.exe
    Filesize: 12KB
    MD5: 358e279f96c5326de739e3dcc96b3921
    SHA1: ebe46ea0d3856163dfefa75bc66f404178341bcc
    SHA256: da3d15696317bc7a3afafb8622fbf07bd53c29d46a7ac206b5ec5784b0f3245b
    SHA512: e26fa277758c0684d882e1ed24a3f8518dcc7989840009d90ee9e3c4ab794061919eac06e52e4a1d9b308e533f8c292312f60a11eeb3c3f8e2dc495ca1e811ea

  • C:\Users\Admin\AppData\Local\Temp\242606203339760.exe
    Filesize: 12KB
    MD5: f548a71606553c7d2687feb1bd261173
    SHA1: 4e36e74bc925e2dfd3f237290703e54cde6183f3
    SHA256: 442a2d0f2dc643547da6d6632ca2ea3beab3f50bd5f452865cb8147366659994
    SHA512: c2deef63c1ac6668276db7592c8ebc4574a04272e6a08b159ebf45cc78c417cbe0cca6e53642a85616cd8909d9bae2f2bfa032dac2d8b026f03d6c2abdaec2cb

  • C:\Users\Admin\AppData\Local\Temp\242606203350666.exe
    Filesize: 13KB
    MD5: a6d564e6f6c7027c8fc4f3001e3ae818
    SHA1: d8b737c94fba713ea94fb4ba42221894be6ce98b
    SHA256: 6639e6c6cc97ffa886002c51cc0d5b49d1a63646e5194374742941325ce4a6ef
    SHA512: 259a8b617441e94d3e0663b79efabe49f0607c180d38fe0eae8aecb56239ca630302c85cb19e02ecc24f763c58ec22949ae4672fee5b25f73647cb15a8540e15

  • C:\Users\Admin\AppData\Local\Temp\242606203401885.exe
    Filesize: 14KB
    MD5: 2a482612181404ddb1c670ec9257575b
    SHA1: 41cde184dd9911a92191ff1b8d0da430973cb088
    SHA256: 30c77ea4deb3307079d897d5840b16ce7687f4c3bfb43d8c4d05393300af76e4
    SHA512: 51fe788380dc2fe39944744632b205baafcd068e6e14976f29c645ba95dc0e7acfc62c7409b65b919c39a1664158a98e4d4152a67ddb523227f72ce720012de9

  • C:\Users\Admin\AppData\Local\Temp\242606203412478.exe
    Filesize: 13KB
    MD5: 14ea85411aee25a41d1ac29761d537b2
    SHA1: f1fd1723781a24c18145d2c9b917fbd8cd28f61e
    SHA256: 5578bc3ddbe61f4473697867a412edd71560f5c56bd4c3881e60507b38b3a296
    SHA512: c4d9109243ff4e7c9560b479565ab1b342e8d874070dd4ecbe5c12675775a3f81e3a076a3f592dbe6dce2c6cd8cfb2122c54fcf8bedff4b5923073e8d160ff5f

  • C:\Users\Admin\AppData\Local\Temp\242606203421760.exe
    Filesize: 13KB
    MD5: 0192658ff91a4019a6f92265353cd47c
    SHA1: 410f097a6f28002f4c5246e8fdcb0f7a4c9c86bd
    SHA256: fe02488d3548e826c75ec6db8636e3b22a8d2e80fc6b18691e6c015c855c290a
    SHA512: 31b0094b3eda2eb655b70bc13607e1b0e460f3c560570e855076fa0b23bc84018fae0f624475ad2992bdfcb3c53bd6a9871a087eb149bc1abacfbfec4529d338

  • C:\Users\Admin\AppData\Local\Temp\242606203433697.exe
    Filesize: 13KB
    MD5: f0dbba78657109200efc97c2f18256e2
    SHA1: 9851838e5f7ee0945dd5a27a694687541528abe4
    SHA256: ddee56fa1d41f4aaf4f2bb0d7f2c411cf0f4278e4747c77bf986b81a79dad682
    SHA512: 6d2d06a2ea4d1b57d9f6afaad99bc382754e21cfc416f40e8be722d1e50e288616f6f5bac21005037fe2122a9bcd9e090409701261542c0578b4cd0254b0bfda

  • C:\Users\Admin\AppData\Local\Temp\242606203445119.exe
    Filesize: 13KB
    MD5: e34bba41a37e9423227c6704f3113e32
    SHA1: 53f0f1c7c6eb943d17fc6dff010dcfc917dab434
    SHA256: c99cbbded3b57cf37fabbcac672affc687b2342f085f592918022bf78a1371ee
    SHA512: 486159e3c81df8bad3eecfe18da6e86827e2c079bac1c31bb084c15f42832c5603daf55463cfffb5bca8ad1307926f80494eae062ac10908221f5c356a4903bd

  • C:\Users\Admin\AppData\Local\Temp\242606203454916.exe
    Filesize: 13KB
    MD5: 5ad56445b924bf71d7cde1016416be9a
    SHA1: 6874663fa4489fa9a7644b0e346a60d520abc588
    SHA256: c5ba65e0e66a06af2027e9afa431e049f1fe8b3f337c1f3f1bb33c56a678c8f8
    SHA512: 84394107140ce4350a7b54ead71cb1bb1097d55a9910f9b3bdbdc601c5a1948ca7d3fa9b97301e3a7172d1ebea00b707dc6f933c4686656f6793786c8e1901ad

  • C:\Users\Admin\AppData\Local\Temp\242606203511619.exe
    Filesize: 13KB
    MD5: 9ea31969ef6789ba06b9694b370f37b2
    SHA1: f00ed6c58396fc71089fb796f23585db49a820f8
    SHA256: a0845ca6a437dd78f1b088bc6b909909e00d5a15560a7bf44b69aa2b3eac4a8a
    SHA512: 8c04841d5b8e3d60b01790670561390bc4fa4a3974be0f236af4a0c2ce0b5b4e9b984ae113acb7e8e66f9699721e00e720631212d91b6b60d4d89f0e772726ea

  • C:\Users\Admin\AppData\Local\Temp\242606203523197.exe
    Filesize: 13KB
    MD5: 2c4da28c22af477ef1f4147a27f2c7f7
    SHA1: 5dee555535641c60b72bbcab806c94bb73a0e329
    SHA256: 6e4860ddda230a965af4dcfc39f442b58441a6d5dccef4f2f2fbb2dca014d8cb
    SHA512: 5e4ca6a760a80187a88bbb12310402153c31b74825bf6a8d01624678a100eabf5476268e85de5d0ff840bc2d17414398debfb748606a847ecabaea71b9ef0cd7