0637a082f593fdd8dbae7a8b1e901a75f9d0b0691477ec97c3cdef0101d0e28c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05c0f09b3d7a2f2c50771184cf3a7450.exe
Size

74KB
MD5

05c0f09b3d7a2f2c50771184cf3a7450
SHA1

8d21da3772e49716107bdcb5cadb41e226c6380d
SHA256

0637a082f593fdd8dbae7a8b1e901a75f9d0b0691477ec97c3cdef0101d0e28c
SHA512

535a45b911a4b4a54cbf92c15d298d5b5248e3ae91f1359aecd6db79e2ab5c0ba0242e27310085cc0b404a70bc471cd1362f17ab03cec3441d8cc0ee97cafd21
SSDEEP

1536:7FAOTkKitXnOWcnZ+NcpOvjYrRSEPR1Wq35b/w6oQYw:pAAkz9o0NcpOviRSyR1Wi/w7Qz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2336	fixweb.exe
1916	fixweb.exe
2356	fixweb.exe
3580	fixweb.exe
2336	fixweb.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe
File created	C:\Windows\SysWOW64\fixweb.exe	05c0f09b3d7a2f2c50771184cf3a7450.exe
File opened for modification	C:\Windows\SysWOW64\fixweb.exe	05c0f09b3d7a2f2c50771184cf3a7450.exe
File created	C:\Windows\SysWOW64\fixweb.exe	fixweb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
4132	05c0f09b3d7a2f2c50771184cf3a7450.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
1916	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
2356	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
3580	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe
2336	fixweb.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 2336	4132	05c0f09b3d7a2f2c50771184cf3a7450.exe	90
PID 4132 wrote to memory of 2336	4132	05c0f09b3d7a2f2c50771184cf3a7450.exe	90
PID 4132 wrote to memory of 2336	4132	05c0f09b3d7a2f2c50771184cf3a7450.exe	90
PID 2336 wrote to memory of 1916	2336	fixweb.exe	95
PID 2336 wrote to memory of 1916	2336	fixweb.exe	95
PID 2336 wrote to memory of 1916	2336	fixweb.exe	95
PID 1916 wrote to memory of 2356	1916	fixweb.exe	98
PID 1916 wrote to memory of 2356	1916	fixweb.exe	98
PID 1916 wrote to memory of 2356	1916	fixweb.exe	98
PID 2356 wrote to memory of 3580	2356	fixweb.exe	100
PID 2356 wrote to memory of 3580	2356	fixweb.exe	100
PID 2356 wrote to memory of 3580	2356	fixweb.exe	100
PID 3580 wrote to memory of 2336	3580	fixweb.exe	104
PID 3580 wrote to memory of 2336	3580	fixweb.exe	104
PID 3580 wrote to memory of 2336	3580	fixweb.exe	104

C:\Users\Admin\AppData\Local\Temp\05c0f09b3d7a2f2c50771184cf3a7450.exe
"C:\Users\Admin\AppData\Local\Temp\05c0f09b3d7a2f2c50771184cf3a7450.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Windows\SysWOW64\fixweb.exe
  C:\Windows\system32\fixweb.exe -bai C:\Users\Admin\AppData\Local\Temp\05c0f09b3d7a2f2c50771184cf3a7450.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\fixweb.exe
    C:\Windows\system32\fixweb.exe -bai C:\Windows\SysWOW64\fixweb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\SysWOW64\fixweb.exe
      C:\Windows\system32\fixweb.exe -bai C:\Windows\SysWOW64\fixweb.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\SysWOW64\fixweb.exe
        
        C:\Windows\system32\fixweb.exe -bai C:\Windows\SysWOW64\fixweb.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\SysWOW64\fixweb.exe
        
        C:\Windows\system32\fixweb.exe -bai C:\Windows\SysWOW64\fixweb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fixweb.exe

Filesize
74KB

MD5
05c0f09b3d7a2f2c50771184cf3a7450

SHA1
8d21da3772e49716107bdcb5cadb41e226c6380d

SHA256
0637a082f593fdd8dbae7a8b1e901a75f9d0b0691477ec97c3cdef0101d0e28c

SHA512
535a45b911a4b4a54cbf92c15d298d5b5248e3ae91f1359aecd6db79e2ab5c0ba0242e27310085cc0b404a70bc471cd1362f17ab03cec3441d8cc0ee97cafd21

Download Submit
memory/1916-14-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1916-17-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2336-29-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2336-6-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2336-9-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2336-12-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2356-19-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2356-22-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3580-24-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3580-27-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4132-8-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4132-0-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4132-1-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download