Analysis
max time kernel: 118s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/07/2024, 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: 888e7a17ddea532d6614291bda4d65f0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2 (the run shown on this page; its resource matches the Analysis block above)
  Sample: 888e7a17ddea532d6614291bda4d65f0N.exe
  Resource: win10v2004-20240709-en
General
Target: 888e7a17ddea532d6614291bda4d65f0N.exe
Size: 312KB
MD5: 888e7a17ddea532d6614291bda4d65f0
SHA1: c503cd593c73c82fd1723fd8357c00c9f33b10d2
SHA256: 889f0d3cbdfd0f6adee7a872ade7d7bbdf5ad6d531d1481adbe0ff7041de636c
SHA512: d8b4debbab9c968bebcaa0df5ada03d54bf730898d146802c07c5123eee240f05abc7aa24723c44858cc933f373d1a46b8e69134af7cd9d777b0537a1176f0e3
SSDEEP: 6144:nk3YUCNyQnLMlwGjH9PaxjU4Yu+P3hu6b/j7p:nfNHEdp4Yuyh
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid   Process
  4512  wmedia.exe
  648   wmedia.exe
  4696  wmedia.exe
  4080  wmedia.exe

Drops file in System32 directory (6 IoCs)
  description                   ioc                              Process
  File created                  C:\Windows\SysWOW64\wmedia.exe   888e7a17ddea532d6614291bda4d65f0N.exe
  File opened for modification  C:\Windows\SysWOW64\wmedia.exe   888e7a17ddea532d6614291bda4d65f0N.exe
  File created                  C:\Windows\SysWOW64\wmedia.exe   wmedia.exe (4 entries, one per wmedia.exe instance)

Suspicious behavior: EnumeratesProcesses (60 IoCs; 12 entries per process)
  pid   Process
  1468  888e7a17ddea532d6614291bda4d65f0N.exe
  4512  wmedia.exe
  648   wmedia.exe
  4696  wmedia.exe
  4080  wmedia.exe

Suspicious use of WriteProcessMemory (12 IoCs; each row is reported 3 times)
  description                     pid   Process                                procid_target
  PID 1468 wrote to memory of 4512  1468  888e7a17ddea532d6614291bda4d65f0N.exe  86
  PID 4512 wrote to memory of 648   4512  wmedia.exe                             89
  PID 648 wrote to memory of 4696   648   wmedia.exe                             91
  PID 4696 wrote to memory of 4080  4696  wmedia.exe                             92
  (procid_target is the sandbox's own process index, not the child's PID; the child PIDs are the 4512/648/4696/4080 in the description column.)
Processes (nesting number = depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\888e7a17ddea532d6614291bda4d65f0N.exe (PID 1468)
   Command line: "C:\Users\Admin\AppData\Local\Temp\888e7a17ddea532d6614291bda4d65f0N.exe"
   Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\wmedia.exe (PID 4512)
      Command line: C:\Windows\system32\wmedia.exe -bai C:\Users\Admin\AppData\Local\Temp\888e7a17ddea532d6614291bda4d65f0N.exe
      Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\wmedia.exe (PID 648)
         Command line: C:\Windows\system32\wmedia.exe -bai C:\Windows\SysWOW64\wmedia.exe
         Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\wmedia.exe (PID 4696)
            Command line: C:\Windows\system32\wmedia.exe -bai C:\Windows\SysWOW64\wmedia.exe
            Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\wmedia.exe (PID 4080)
               Command line: C:\Windows\system32\wmedia.exe -bai C:\Windows\SysWOW64\wmedia.exe
               Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses

Reading the tree: every command line asks for C:\Windows\system32\wmedia.exe, but the image that actually runs (and the file that gets written) is C:\Windows\SysWOW64\wmedia.exe. That is WOW64 file-system redirection, which a 32-bit process gets on an x64 host, so detections keyed on the literal System32 path would miss both the drop and the launches. The original executable drops the copy and starts it with -bai followed by its own path; each copy then writes the same path again and starts another copy with -bai followed by the copy's path. The last instance (PID 4080) has no WriteProcessMemory entry and no child in the report, so the chain ends at four wmedia.exe instances within the 118s kernel time of this run.
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 312KB
MD5: 888e7a17ddea532d6614291bda4d65f0
SHA1: c503cd593c73c82fd1723fd8357c00c9f33b10d2
SHA256: 889f0d3cbdfd0f6adee7a872ade7d7bbdf5ad6d531d1481adbe0ff7041de636c
SHA512: d8b4debbab9c968bebcaa0df5ada03d54bf730898d146802c07c5123eee240f05abc7aa24723c44858cc933f373d1a46b8e69134af7cd9d777b0537a1176f0e3
These hashes and the size are identical to the submitted sample in the General section, so the downloadable file is a byte-for-byte copy of the original; the only file the report records as dropped is C:\Windows\SysWOW64\wmedia.exe.