Analysis
max time kernel: 118s
max time network: 15s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2024 07:15
Static task: static1
Behavioral task: behavioral1
- Sample: 888e7a17ddea532d6614291bda4d65f0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 888e7a17ddea532d6614291bda4d65f0N.exe
- Resource: win10v2004-20240709-en
General
Target: 888e7a17ddea532d6614291bda4d65f0N.exe
Size: 312KB
MD5: 888e7a17ddea532d6614291bda4d65f0
SHA1: c503cd593c73c82fd1723fd8357c00c9f33b10d2
SHA256: 889f0d3cbdfd0f6adee7a872ade7d7bbdf5ad6d531d1481adbe0ff7041de636c
SHA512: d8b4debbab9c968bebcaa0df5ada03d54bf730898d146802c07c5123eee240f05abc7aa24723c44858cc933f373d1a46b8e69134af7cd9d777b0537a1176f0e3
SSDEEP: 6144:nk3YUCNyQnLMlwGjH9PaxjU4Yu+P3hu6b/j7p:nfNHEdp4Yuyh
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid / Process:
  - 2900 wmedia.exe
  - 2972 wmedia.exe
  - 2632 wmedia.exe
  - 1972 wmedia.exe
- Loads dropped DLL (8 IoCs)
  pid / Process:
  - 2120 888e7a17ddea532d6614291bda4d65f0N.exe (2 entries)
  - 2900 wmedia.exe (2 entries)
  - 2972 wmedia.exe (2 entries)
  - 2632 wmedia.exe (2 entries)
- Drops file in System32 directory (6 IoCs)
  description / ioc / Process:
  - File created C:\Windows\SysWOW64\wmedia.exe, by 888e7a17ddea532d6614291bda4d65f0N.exe
  - File opened for modification C:\Windows\SysWOW64\wmedia.exe, by 888e7a17ddea532d6614291bda4d65f0N.exe
  - File created C:\Windows\SysWOW64\wmedia.exe, by wmedia.exe (4 entries)
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid / Process:
  - 2120 888e7a17ddea532d6614291bda4d65f0N.exe (6 entries)
  - 2900 wmedia.exe (6 entries)
  - 2972 wmedia.exe (6 entries)
  - 2632 wmedia.exe (6 entries)
  - 1972 wmedia.exe (6 entries)
- Suspicious use of WriteProcessMemory (16 IoCs)
  description / pid / Process / procid_target:
  - PID 2120 wrote to memory of 2900; pid 2120, 888e7a17ddea532d6614291bda4d65f0N.exe, procid_target 29 (4 entries)
  - PID 2900 wrote to memory of 2972; pid 2900, wmedia.exe, procid_target 30 (4 entries)
  - PID 2972 wrote to memory of 2632; pid 2972, wmedia.exe, procid_target 31 (4 entries)
  - PID 2632 wrote to memory of 1972; pid 2632, wmedia.exe, procid_target 32 (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\888e7a17ddea532d6614291bda4d65f0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\888e7a17ddea532d6614291bda4d65f0N.exe"
  PID: 2120
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\wmedia.exe
    Command line: C:\Windows\system32\wmedia.exe -bai C:\Users\Admin\AppData\Local\Temp\888e7a17ddea532d6614291bda4d65f0N.exe
    PID: 2900
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\wmedia.exe
      Command line: C:\Windows\system32\wmedia.exe -bai C:\Windows\SysWOW64\wmedia.exe
      PID: 2972
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\wmedia.exe
        Command line: C:\Windows\system32\wmedia.exe -bai C:\Windows\SysWOW64\wmedia.exe
        PID: 2632
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\wmedia.exe
          Command line: C:\Windows\system32\wmedia.exe -bai C:\Windows\SysWOW64\wmedia.exe
          PID: 1972
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses