c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac

Analysis

max time kernel
138s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

369d4078dffc246a568f7580e9070405.exe
Size

122KB
MD5

369d4078dffc246a568f7580e9070405
SHA1

744d88ce6e5909dbc862c8761eaddb317ff64a4e
SHA256

c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac
SHA512

f20a743a84e1b7c8f85a7063dadad3050d2f5bd6b2cd5dbe00fe677f8948d63d798ce356b332e27a392a8d08a3739d067444077517ca94b2b440e8195d143b15
SSDEEP

3072:3D/CAVb0mlP6szyAy25rJ4bj56FjS1myXxa9X2g9Ytn2D:Tb0AP60B3Lgm2xYYtn2D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
1756	winusb.exe
2636	winusb.exe
2916	winusb.exe
2912	winusb.exe
2704	winusb.exe
1048	winusb.exe
1680	winusb.exe
1816	winusb.exe
824	winusb.exe
1524	winusb.exe
1492	winusb.exe
1908	winusb.exe
3008	winusb.exe
584	winusb.exe
2444	winusb.exe
2480	winusb.exe
1004	winusb.exe
788	winusb.exe
1036	winusb.exe

Loads dropped DLL 20 IoCs

pid	Process
3068	369d4078dffc246a568f7580e9070405.exe
3068	369d4078dffc246a568f7580e9070405.exe
1756	winusb.exe
1756	winusb.exe
2636	winusb.exe
2636	winusb.exe
2912	winusb.exe
2912	winusb.exe
1048	winusb.exe
1048	winusb.exe
1816	winusb.exe
1816	winusb.exe
1524	winusb.exe
1524	winusb.exe
1908	winusb.exe
1908	winusb.exe
584	winusb.exe
584	winusb.exe
2480	winusb.exe
2480	winusb.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	369d4078dffc246a568f7580e9070405.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	369d4078dffc246a568f7580e9070405.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1756	3068	369d4078dffc246a568f7580e9070405.exe	20
PID 3068 wrote to memory of 1756	3068	369d4078dffc246a568f7580e9070405.exe	20
PID 3068 wrote to memory of 1756	3068	369d4078dffc246a568f7580e9070405.exe	20
PID 3068 wrote to memory of 1756	3068	369d4078dffc246a568f7580e9070405.exe	20
PID 3068 wrote to memory of 2380	3068	369d4078dffc246a568f7580e9070405.exe	19
PID 3068 wrote to memory of 2380	3068	369d4078dffc246a568f7580e9070405.exe	19
PID 3068 wrote to memory of 2380	3068	369d4078dffc246a568f7580e9070405.exe	19
PID 3068 wrote to memory of 2380	3068	369d4078dffc246a568f7580e9070405.exe	19
PID 3068 wrote to memory of 2380	3068	369d4078dffc246a568f7580e9070405.exe	19
PID 1756 wrote to memory of 2636	1756	winusb.exe	31
PID 1756 wrote to memory of 2636	1756	winusb.exe	31
PID 1756 wrote to memory of 2636	1756	winusb.exe	31
PID 1756 wrote to memory of 2636	1756	winusb.exe	31
PID 1756 wrote to memory of 2916	1756	winusb.exe	30
PID 1756 wrote to memory of 2916	1756	winusb.exe	30
PID 1756 wrote to memory of 2916	1756	winusb.exe	30
PID 1756 wrote to memory of 2916	1756	winusb.exe	30
PID 1756 wrote to memory of 2916	1756	winusb.exe	30
PID 2636 wrote to memory of 2912	2636	winusb.exe	33
PID 2636 wrote to memory of 2912	2636	winusb.exe	33
PID 2636 wrote to memory of 2912	2636	winusb.exe	33
PID 2636 wrote to memory of 2912	2636	winusb.exe	33
PID 2636 wrote to memory of 2704	2636	winusb.exe	32
PID 2636 wrote to memory of 2704	2636	winusb.exe	32
PID 2636 wrote to memory of 2704	2636	winusb.exe	32
PID 2636 wrote to memory of 2704	2636	winusb.exe	32
PID 2636 wrote to memory of 2704	2636	winusb.exe	32
PID 2912 wrote to memory of 1048	2912	winusb.exe	35
PID 2912 wrote to memory of 1048	2912	winusb.exe	35
PID 2912 wrote to memory of 1048	2912	winusb.exe	35
PID 2912 wrote to memory of 1048	2912	winusb.exe	35
PID 2912 wrote to memory of 1680	2912	winusb.exe	34
PID 2912 wrote to memory of 1680	2912	winusb.exe	34
PID 2912 wrote to memory of 1680	2912	winusb.exe	34
PID 2912 wrote to memory of 1680	2912	winusb.exe	34
PID 2912 wrote to memory of 1680	2912	winusb.exe	34
PID 1048 wrote to memory of 1816	1048	winusb.exe	39
PID 1048 wrote to memory of 1816	1048	winusb.exe	39
PID 1048 wrote to memory of 1816	1048	winusb.exe	39
PID 1048 wrote to memory of 1816	1048	winusb.exe	39
PID 1048 wrote to memory of 824	1048	winusb.exe	38
PID 1048 wrote to memory of 824	1048	winusb.exe	38
PID 1048 wrote to memory of 824	1048	winusb.exe	38
PID 1048 wrote to memory of 824	1048	winusb.exe	38
PID 1048 wrote to memory of 824	1048	winusb.exe	38
PID 1816 wrote to memory of 1524	1816	winusb.exe	40
PID 1816 wrote to memory of 1524	1816	winusb.exe	40
PID 1816 wrote to memory of 1524	1816	winusb.exe	40
PID 1816 wrote to memory of 1524	1816	winusb.exe	40
PID 1816 wrote to memory of 1492	1816	winusb.exe	41
PID 1816 wrote to memory of 1492	1816	winusb.exe	41
PID 1816 wrote to memory of 1492	1816	winusb.exe	41
PID 1816 wrote to memory of 1492	1816	winusb.exe	41
PID 1816 wrote to memory of 1492	1816	winusb.exe	41
PID 1524 wrote to memory of 1908	1524	winusb.exe	42
PID 1524 wrote to memory of 1908	1524	winusb.exe	42
PID 1524 wrote to memory of 1908	1524	winusb.exe	42
PID 1524 wrote to memory of 1908	1524	winusb.exe	42
PID 1524 wrote to memory of 3008	1524	winusb.exe	43
PID 1524 wrote to memory of 3008	1524	winusb.exe	43
PID 1524 wrote to memory of 3008	1524	winusb.exe	43
PID 1524 wrote to memory of 3008	1524	winusb.exe	43
PID 1524 wrote to memory of 3008	1524	winusb.exe	43
PID 1908 wrote to memory of 584	1908	winusb.exe	45

C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe
"C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe
  "C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\winusb.exe
  C:\Windows\system32\winusb.exe 532 "C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\winusb.exe
    "C:\Windows\SysWOW64\winusb.exe"
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Windows\SysWOW64\winusb.exe
    C:\Windows\system32\winusb.exe 528 "C:\Windows\SysWOW64\winusb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\winusb.exe
      "C:\Windows\SysWOW64\winusb.exe"
      4⤵
      Executes dropped EXE
      PID:2704
  - - C:\Windows\SysWOW64\winusb.exe
      C:\Windows\system32\winusb.exe 540 "C:\Windows\SysWOW64\winusb.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        5⤵
        Executes dropped EXE
        
        PID:1680
    - - C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 536 "C:\Windows\SysWOW64\winusb.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        6⤵
        Executes dropped EXE
        
        PID:824
      - C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 544 "C:\Windows\SysWOW64\winusb.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 548 "C:\Windows\SysWOW64\winusb.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 556 "C:\Windows\SysWOW64\winusb.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        9⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 564 "C:\Windows\SysWOW64\winusb.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:584
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 552 "C:\Windows\SysWOW64\winusb.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 560 "C:\Windows\SysWOW64\winusb.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        11⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        10⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        8⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        7⤵
        Executes dropped EXE
        
        PID:1492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winusb.exe

Filesize
92KB

MD5
15724b568d329894e977269f752abc67

SHA1
46ad333cb4781bcfecc7f3e9262ba982c7805f25

SHA256
229eca98b0208be7ec58ba0f198e8bdc003bdd7cf9d85f1799aa75692aa17072

SHA512
357a0b5bf8d503d56eaec95722c3e3b2a74ae678b9bd16d302d748dc56bef9e1779ab6c8f2f7f92f192c007d09c5796f8c6b6afbc79ffffdc5a5a3272cca6512

Download Submit
\Windows\SysWOW64\winusb.exe

Filesize
122KB

MD5
369d4078dffc246a568f7580e9070405

SHA1
744d88ce6e5909dbc862c8761eaddb317ff64a4e

SHA256
c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac

SHA512
f20a743a84e1b7c8f85a7063dadad3050d2f5bd6b2cd5dbe00fe677f8948d63d798ce356b332e27a392a8d08a3739d067444077517ca94b2b440e8195d143b15

Download Submit
memory/584-76-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/584-84-0x0000000002630000-0x00000000026A4000-memory.dmp

Filesize
464KB

Download
memory/584-86-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/788-94-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/824-53-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/824-54-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1004-89-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1004-88-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1036-98-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1036-97-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1048-41-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1048-49-0x0000000002000000-0x0000000002074000-memory.dmp

Filesize
464KB

Download
memory/1048-51-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1492-63-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1492-62-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-59-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1524-68-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1680-44-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1680-45-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1756-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1756-22-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1816-60-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1816-58-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1816-50-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1908-75-0x00000000026C0000-0x0000000002734000-memory.dmp

Filesize
464KB

Download
memory/1908-78-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1908-67-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2380-16-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2380-17-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2444-79-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2444-80-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2480-95-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2480-93-0x0000000002720000-0x0000000002794000-memory.dmp

Filesize
464KB

Download
memory/2480-85-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2636-29-0x0000000001E10000-0x0000000001E84000-memory.dmp

Filesize
464KB

Download
memory/2636-30-0x0000000001E10000-0x0000000001E84000-memory.dmp

Filesize
464KB

Download
memory/2636-32-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2636-21-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2704-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2704-35-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2912-40-0x0000000001F10000-0x0000000001F84000-memory.dmp

Filesize
464KB

Download
memory/2912-42-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2912-31-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2912-39-0x0000000001F10000-0x0000000001F84000-memory.dmp

Filesize
464KB

Download
memory/2916-24-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2916-25-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3008-71-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3008-70-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3068-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3068-15-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3068-13-0x0000000001F20000-0x0000000001F94000-memory.dmp

Filesize
464KB

Download
memory/3068-5-0x0000000001F20000-0x0000000001F94000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads