d2f2ef1d181c977cdbbaf7853430062cdba5b14445a533dd63813a4a939aa86d

Analysis

max time kernel
113s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e2e15021cbe792e303d713175bebc40N.exe
Size

241KB
MD5

5e2e15021cbe792e303d713175bebc40
SHA1

c8eb771df2ca8098910952a9efd5a73fb713107c
SHA256

d2f2ef1d181c977cdbbaf7853430062cdba5b14445a533dd63813a4a939aa86d
SHA512

e90a3573f4d0a247d1d344ac33144d9a0542295aad600328bdada230efbcdffba164a8602ad94c5f16e6958980cdee502d58455d3cf97be2a68d9baf9dc932ff
SSDEEP

6144:TfL+oqZk4prAN+O/LE11c7ojuZUvyejrRZ:TfLikBg11GojuHefRZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
1384	doges.exe
3676	angolans.exe
4688	doges.exe
208	angolans.exe
4704	doges.exe
1240	angolans.exe
4784	doges.exe
4612	angolans.exe
832	doges.exe
4740	angolans.exe
3720	doges.exe
4648	angolans.exe
3964	doges.exe
4488	angolans.exe
2660	doges.exe
4364	angolans.exe
4928	doges.exe
220	angolans.exe
628	doges.exe
4940	angolans.exe
4680	doges.exe
4256	angolans.exe
2988	doges.exe
1588	angolans.exe
2088	doges.exe
3204	angolans.exe

Loads dropped DLL 1 IoCs

pid	Process
2724	5e2e15021cbe792e303d713175bebc40N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1384	doges.exe
1384	doges.exe
1384	doges.exe
1384	doges.exe
3676	angolans.exe
3676	angolans.exe
3676	angolans.exe
3676	angolans.exe
4688	doges.exe
4688	doges.exe
4688	doges.exe
4688	doges.exe
208	angolans.exe
208	angolans.exe
208	angolans.exe
208	angolans.exe
4704	doges.exe
4704	doges.exe
4704	doges.exe
4704	doges.exe
1240	angolans.exe
1240	angolans.exe
1240	angolans.exe
1240	angolans.exe
4784	doges.exe
4784	doges.exe
4784	doges.exe
4784	doges.exe
4612	angolans.exe
4612	angolans.exe
4612	angolans.exe
4612	angolans.exe
832	doges.exe
832	doges.exe
832	doges.exe
832	doges.exe
4740	angolans.exe
4740	angolans.exe
4740	angolans.exe
4740	angolans.exe
3720	doges.exe
3720	doges.exe
3720	doges.exe
3720	doges.exe
4648	angolans.exe
4648	angolans.exe
4648	angolans.exe
4648	angolans.exe
3964	doges.exe
3964	doges.exe
3964	doges.exe
3964	doges.exe
4488	angolans.exe
4488	angolans.exe
4488	angolans.exe
4488	angolans.exe
2660	doges.exe
2660	doges.exe
2660	doges.exe
2660	doges.exe
4364	angolans.exe
4364	angolans.exe
4364	angolans.exe
4364	angolans.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 1384	2724	5e2e15021cbe792e303d713175bebc40N.exe	85
PID 2724 wrote to memory of 1384	2724	5e2e15021cbe792e303d713175bebc40N.exe	85
PID 2724 wrote to memory of 3676	2724	5e2e15021cbe792e303d713175bebc40N.exe	87
PID 2724 wrote to memory of 3676	2724	5e2e15021cbe792e303d713175bebc40N.exe	87
PID 2724 wrote to memory of 3676	2724	5e2e15021cbe792e303d713175bebc40N.exe	87
PID 2724 wrote to memory of 4688	2724	5e2e15021cbe792e303d713175bebc40N.exe	89
PID 2724 wrote to memory of 4688	2724	5e2e15021cbe792e303d713175bebc40N.exe	89
PID 2724 wrote to memory of 208	2724	5e2e15021cbe792e303d713175bebc40N.exe	90
PID 2724 wrote to memory of 208	2724	5e2e15021cbe792e303d713175bebc40N.exe	90
PID 2724 wrote to memory of 208	2724	5e2e15021cbe792e303d713175bebc40N.exe	90
PID 2724 wrote to memory of 4704	2724	5e2e15021cbe792e303d713175bebc40N.exe	91
PID 2724 wrote to memory of 4704	2724	5e2e15021cbe792e303d713175bebc40N.exe	91
PID 2724 wrote to memory of 1240	2724	5e2e15021cbe792e303d713175bebc40N.exe	92
PID 2724 wrote to memory of 1240	2724	5e2e15021cbe792e303d713175bebc40N.exe	92
PID 2724 wrote to memory of 1240	2724	5e2e15021cbe792e303d713175bebc40N.exe	92
PID 2724 wrote to memory of 4784	2724	5e2e15021cbe792e303d713175bebc40N.exe	93
PID 2724 wrote to memory of 4784	2724	5e2e15021cbe792e303d713175bebc40N.exe	93
PID 2724 wrote to memory of 4612	2724	5e2e15021cbe792e303d713175bebc40N.exe	94
PID 2724 wrote to memory of 4612	2724	5e2e15021cbe792e303d713175bebc40N.exe	94
PID 2724 wrote to memory of 4612	2724	5e2e15021cbe792e303d713175bebc40N.exe	94
PID 2724 wrote to memory of 832	2724	5e2e15021cbe792e303d713175bebc40N.exe	97
PID 2724 wrote to memory of 832	2724	5e2e15021cbe792e303d713175bebc40N.exe	97
PID 2724 wrote to memory of 4740	2724	5e2e15021cbe792e303d713175bebc40N.exe	98
PID 2724 wrote to memory of 4740	2724	5e2e15021cbe792e303d713175bebc40N.exe	98
PID 2724 wrote to memory of 4740	2724	5e2e15021cbe792e303d713175bebc40N.exe	98
PID 2724 wrote to memory of 3720	2724	5e2e15021cbe792e303d713175bebc40N.exe	100
PID 2724 wrote to memory of 3720	2724	5e2e15021cbe792e303d713175bebc40N.exe	100
PID 2724 wrote to memory of 4648	2724	5e2e15021cbe792e303d713175bebc40N.exe	101
PID 2724 wrote to memory of 4648	2724	5e2e15021cbe792e303d713175bebc40N.exe	101
PID 2724 wrote to memory of 4648	2724	5e2e15021cbe792e303d713175bebc40N.exe	101
PID 2724 wrote to memory of 3964	2724	5e2e15021cbe792e303d713175bebc40N.exe	102
PID 2724 wrote to memory of 3964	2724	5e2e15021cbe792e303d713175bebc40N.exe	102
PID 2724 wrote to memory of 4488	2724	5e2e15021cbe792e303d713175bebc40N.exe	103
PID 2724 wrote to memory of 4488	2724	5e2e15021cbe792e303d713175bebc40N.exe	103
PID 2724 wrote to memory of 4488	2724	5e2e15021cbe792e303d713175bebc40N.exe	103
PID 2724 wrote to memory of 2660	2724	5e2e15021cbe792e303d713175bebc40N.exe	104
PID 2724 wrote to memory of 2660	2724	5e2e15021cbe792e303d713175bebc40N.exe	104
PID 2724 wrote to memory of 4364	2724	5e2e15021cbe792e303d713175bebc40N.exe	105
PID 2724 wrote to memory of 4364	2724	5e2e15021cbe792e303d713175bebc40N.exe	105
PID 2724 wrote to memory of 4364	2724	5e2e15021cbe792e303d713175bebc40N.exe	105
PID 2724 wrote to memory of 4928	2724	5e2e15021cbe792e303d713175bebc40N.exe	106
PID 2724 wrote to memory of 4928	2724	5e2e15021cbe792e303d713175bebc40N.exe	106
PID 2724 wrote to memory of 220	2724	5e2e15021cbe792e303d713175bebc40N.exe	107
PID 2724 wrote to memory of 220	2724	5e2e15021cbe792e303d713175bebc40N.exe	107
PID 2724 wrote to memory of 220	2724	5e2e15021cbe792e303d713175bebc40N.exe	107
PID 2724 wrote to memory of 628	2724	5e2e15021cbe792e303d713175bebc40N.exe	108
PID 2724 wrote to memory of 628	2724	5e2e15021cbe792e303d713175bebc40N.exe	108
PID 2724 wrote to memory of 4940	2724	5e2e15021cbe792e303d713175bebc40N.exe	109
PID 2724 wrote to memory of 4940	2724	5e2e15021cbe792e303d713175bebc40N.exe	109
PID 2724 wrote to memory of 4940	2724	5e2e15021cbe792e303d713175bebc40N.exe	109
PID 2724 wrote to memory of 4680	2724	5e2e15021cbe792e303d713175bebc40N.exe	110
PID 2724 wrote to memory of 4680	2724	5e2e15021cbe792e303d713175bebc40N.exe	110
PID 2724 wrote to memory of 4256	2724	5e2e15021cbe792e303d713175bebc40N.exe	111
PID 2724 wrote to memory of 4256	2724	5e2e15021cbe792e303d713175bebc40N.exe	111
PID 2724 wrote to memory of 4256	2724	5e2e15021cbe792e303d713175bebc40N.exe	111
PID 2724 wrote to memory of 2988	2724	5e2e15021cbe792e303d713175bebc40N.exe	112
PID 2724 wrote to memory of 2988	2724	5e2e15021cbe792e303d713175bebc40N.exe	112
PID 2724 wrote to memory of 1588	2724	5e2e15021cbe792e303d713175bebc40N.exe	113
PID 2724 wrote to memory of 1588	2724	5e2e15021cbe792e303d713175bebc40N.exe	113
PID 2724 wrote to memory of 1588	2724	5e2e15021cbe792e303d713175bebc40N.exe	113
PID 2724 wrote to memory of 2088	2724	5e2e15021cbe792e303d713175bebc40N.exe	114
PID 2724 wrote to memory of 2088	2724	5e2e15021cbe792e303d713175bebc40N.exe	114
PID 2724 wrote to memory of 3204	2724	5e2e15021cbe792e303d713175bebc40N.exe	115
PID 2724 wrote to memory of 3204	2724	5e2e15021cbe792e303d713175bebc40N.exe	115

C:\Users\Admin\AppData\Local\Temp\5e2e15021cbe792e303d713175bebc40N.exe
"C:\Users\Admin\AppData\Local\Temp\5e2e15021cbe792e303d713175bebc40N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:208
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1240
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3720
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe
  "C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3204

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x150
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\angolans.exe

Filesize
139KB

MD5
fda656c75b581d0dce6537d159052bcd

SHA1
a06523896f54e51a1a7269356634cc0bbb069edd

SHA256
4ce66c1b06bab37a85a93c5e7d7c9ba6f79da608fab33a00c44b8b0a9443309d

SHA512
8e7928c0e0439da880b7f2b036aa4f89cabb365bfe83c17184336580101c96d3b1f2c2ddc254a99a73d7cd0e203c40a1b22f68ad803070d2537c82fb95718106

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\doges.exe

Filesize
189KB

MD5
9101a7f1e09281d413ece6d825020d92

SHA1
9df34287601a77e65cec58843474108dd0309f54

SHA256
781c6b118a97dd0301788d1882b18242d2768ad40752cb622f70e80d7e3a0a88

SHA512
8f3e5068f47817593ddd3eeb48848a1a49ffbb62fbc935c3d90757625ab3aec2e19f34d45b583dbe39dbd5cad11e00e0eb888dda6ffa9952b0851d0ada616425

Download Submit