c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac

Analysis

max time kernel
140s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

369d4078dffc246a568f7580e9070405.exe
Size

122KB
MD5

369d4078dffc246a568f7580e9070405
SHA1

744d88ce6e5909dbc862c8761eaddb317ff64a4e
SHA256

c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac
SHA512

f20a743a84e1b7c8f85a7063dadad3050d2f5bd6b2cd5dbe00fe677f8948d63d798ce356b332e27a392a8d08a3739d067444077517ca94b2b440e8195d143b15
SSDEEP

3072:3D/CAVb0mlP6szyAy25rJ4bj56FjS1myXxa9X2g9Ytn2D:Tb0AP60B3Lgm2xYYtn2D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
848	winusb.exe
912	winusb.exe
384	winusb.exe
4988	winusb.exe
4812	winusb.exe
1360	winusb.exe
4992	winusb.exe
1552	winusb.exe
2388	winusb.exe
4832	winusb.exe
4052	winusb.exe
1012	winusb.exe
1920	winusb.exe
1796	winusb.exe
224	winusb.exe
4228	winusb.exe
4788	winusb.exe
1740	winusb.exe
3220	winusb.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	369d4078dffc246a568f7580e9070405.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	369d4078dffc246a568f7580e9070405.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 848	4960	369d4078dffc246a568f7580e9070405.exe	93
PID 4960 wrote to memory of 848	4960	369d4078dffc246a568f7580e9070405.exe	93
PID 4960 wrote to memory of 848	4960	369d4078dffc246a568f7580e9070405.exe	93
PID 4960 wrote to memory of 2388	4960	369d4078dffc246a568f7580e9070405.exe	94
PID 4960 wrote to memory of 2388	4960	369d4078dffc246a568f7580e9070405.exe	94
PID 4960 wrote to memory of 2388	4960	369d4078dffc246a568f7580e9070405.exe	94
PID 4960 wrote to memory of 2388	4960	369d4078dffc246a568f7580e9070405.exe	94
PID 848 wrote to memory of 912	848	winusb.exe	97
PID 848 wrote to memory of 912	848	winusb.exe	97
PID 848 wrote to memory of 912	848	winusb.exe	97
PID 848 wrote to memory of 384	848	winusb.exe	98
PID 848 wrote to memory of 384	848	winusb.exe	98
PID 848 wrote to memory of 384	848	winusb.exe	98
PID 848 wrote to memory of 384	848	winusb.exe	98
PID 912 wrote to memory of 4988	912	winusb.exe	104
PID 912 wrote to memory of 4988	912	winusb.exe	104
PID 912 wrote to memory of 4988	912	winusb.exe	104
PID 912 wrote to memory of 4812	912	winusb.exe	105
PID 912 wrote to memory of 4812	912	winusb.exe	105
PID 912 wrote to memory of 4812	912	winusb.exe	105
PID 912 wrote to memory of 4812	912	winusb.exe	105
PID 4988 wrote to memory of 1360	4988	winusb.exe	106
PID 4988 wrote to memory of 1360	4988	winusb.exe	106
PID 4988 wrote to memory of 1360	4988	winusb.exe	106
PID 4988 wrote to memory of 4992	4988	winusb.exe	107
PID 4988 wrote to memory of 4992	4988	winusb.exe	107
PID 4988 wrote to memory of 4992	4988	winusb.exe	107
PID 4988 wrote to memory of 4992	4988	winusb.exe	107
PID 1552 wrote to memory of 4832	1552	winusb.exe	111
PID 1552 wrote to memory of 4832	1552	winusb.exe	111
PID 1552 wrote to memory of 4832	1552	winusb.exe	111
PID 1552 wrote to memory of 4052	1552	winusb.exe	112
PID 1552 wrote to memory of 4052	1552	winusb.exe	112
PID 1552 wrote to memory of 4052	1552	winusb.exe	112
PID 1552 wrote to memory of 4052	1552	winusb.exe	112
PID 4832 wrote to memory of 1012	4832	winusb.exe	113
PID 4832 wrote to memory of 1012	4832	winusb.exe	113
PID 4832 wrote to memory of 1012	4832	winusb.exe	113
PID 4832 wrote to memory of 1920	4832	winusb.exe	114
PID 4832 wrote to memory of 1920	4832	winusb.exe	114
PID 4832 wrote to memory of 1920	4832	winusb.exe	114
PID 4832 wrote to memory of 1920	4832	winusb.exe	114
PID 1012 wrote to memory of 1796	1012	winusb.exe	115
PID 1012 wrote to memory of 1796	1012	winusb.exe	115
PID 1012 wrote to memory of 1796	1012	winusb.exe	115
PID 1012 wrote to memory of 224	1012	winusb.exe	116
PID 1012 wrote to memory of 224	1012	winusb.exe	116
PID 1012 wrote to memory of 224	1012	winusb.exe	116
PID 1012 wrote to memory of 224	1012	winusb.exe	116
PID 1796 wrote to memory of 4228	1796	winusb.exe	117
PID 1796 wrote to memory of 4228	1796	winusb.exe	117
PID 1796 wrote to memory of 4228	1796	winusb.exe	117
PID 1796 wrote to memory of 4788	1796	winusb.exe	118
PID 1796 wrote to memory of 4788	1796	winusb.exe	118
PID 1796 wrote to memory of 4788	1796	winusb.exe	118
PID 1796 wrote to memory of 4788	1796	winusb.exe	118
PID 4228 wrote to memory of 1740	4228	winusb.exe	119
PID 4228 wrote to memory of 1740	4228	winusb.exe	119
PID 4228 wrote to memory of 1740	4228	winusb.exe	119
PID 4228 wrote to memory of 3220	4228	winusb.exe	120
PID 4228 wrote to memory of 3220	4228	winusb.exe	120
PID 4228 wrote to memory of 3220	4228	winusb.exe	120
PID 4228 wrote to memory of 3220	4228	winusb.exe	120

C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe
"C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\winusb.exe
  C:\Windows\system32\winusb.exe 1148 "C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\winusb.exe
    C:\Windows\system32\winusb.exe 1152 "C:\Windows\SysWOW64\winusb.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\winusb.exe
      C:\Windows\system32\winusb.exe 1100 "C:\Windows\SysWOW64\winusb.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1112 "C:\Windows\SysWOW64\winusb.exe"
        5⤵
        Executes dropped EXE
        
        PID:1360
      - C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1132 "C:\Windows\SysWOW64\winusb.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1128 "C:\Windows\SysWOW64\winusb.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1136 "C:\Windows\SysWOW64\winusb.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1140 "C:\Windows\SysWOW64\winusb.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1104 "C:\Windows\SysWOW64\winusb.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1156 "C:\Windows\SysWOW64\winusb.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        11⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        10⤵
        Executes dropped EXE
        
        PID:4788
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        9⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        8⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        7⤵
        Executes dropped EXE
        
        PID:4052
      - C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        6⤵
        Executes dropped EXE
        
        PID:2388
    - - C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        5⤵
        Executes dropped EXE
        
        PID:4992
  - - C:\Windows\SysWOW64\winusb.exe
      "C:\Windows\SysWOW64\winusb.exe"
      4⤵
      Executes dropped EXE
      PID:4812
- - C:\Windows\SysWOW64\winusb.exe
    "C:\Windows\SysWOW64\winusb.exe"
    3⤵
    - Executes dropped EXE
    PID:384
- C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe
  "C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
  2⤵
  PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winusb.exe

Filesize
26KB

MD5
9e91d9f6a531534482ea8afb3f720d36

SHA1
8f7776a7beb48ae7da345d3e76fe3420079b1059

SHA256
3cca8fa74cfbd22ef8817f26afaf0f0d8f60ff76be55c28a2ecf6caff2580b07

SHA512
31f8ef87e96b77d04e3f4ee8ad7c180911b83a569265efc08d87e37dc91a7d21c16579883e1390e67d52bccfb608ac8b36927a7809e4606eeb52f5acaec31f42

Download Submit
C:\Windows\SysWOW64\winusb.exe

Filesize
58KB

MD5
08605671d32690f099d5d3116ba71d00

SHA1
9f79f549d87f7cdd37e251443cf1676b85d6bbe4

SHA256
e86852339d28bd29434b9f3f7667c6eea6f3c3a56bf4c949b43e3fd6db7a4e30

SHA512
6423c9dcd8dffb9447e256739d5b634193ae20380ccf546130abf88b5e5e7533513a3e97ae755a7bf181607db423af8cc276b9e3e7e3cff08323dd4ed61763df

Download Submit
C:\Windows\SysWOW64\winusb.exe

Filesize
22KB

MD5
f3de8465dbe09f62fdc0df212d73ba1e

SHA1
24a5e7ea120b15ef8f4e87e2ca486f2f24f9d80b

SHA256
3dabad731ed82c5e5eebb65df18b2114b6fed9724e90b2210926fb06d04b195d

SHA512
c7552c85a0297d364390a87b83cf10401d6bf7f7114135c757892a08db0fba798bae94367657f17ff37a7c16a6b438ca10328200ef26d2655e679c9924cee4b3

Download Submit
C:\Windows\SysWOW64\winusb.exe

Filesize
122KB

MD5
369d4078dffc246a568f7580e9070405

SHA1
744d88ce6e5909dbc862c8761eaddb317ff64a4e

SHA256
c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac

SHA512
f20a743a84e1b7c8f85a7063dadad3050d2f5bd6b2cd5dbe00fe677f8948d63d798ce356b332e27a392a8d08a3739d067444077517ca94b2b440e8195d143b15

Download Submit
memory/224-52-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/224-51-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/384-15-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/384-16-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/848-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/848-7-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/912-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/912-20-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1012-42-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1012-50-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1360-24-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1360-32-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1552-38-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1552-30-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1796-48-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1796-56-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1920-46-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1920-45-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2388-10-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2388-33-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2388-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2388-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3220-62-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3220-63-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4052-39-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4052-40-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4228-60-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4228-54-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4788-58-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4788-57-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4812-22-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4812-21-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4832-44-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4832-36-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4960-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4960-8-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4988-18-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4988-25-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4992-28-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4992-27-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads