c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac

Analysis

max time kernel
148s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

369d4078dffc246a568f7580e9070405.exe
Size

122KB
MD5

369d4078dffc246a568f7580e9070405
SHA1

744d88ce6e5909dbc862c8761eaddb317ff64a4e
SHA256

c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac
SHA512

f20a743a84e1b7c8f85a7063dadad3050d2f5bd6b2cd5dbe00fe677f8948d63d798ce356b332e27a392a8d08a3739d067444077517ca94b2b440e8195d143b15
SSDEEP

3072:3D/CAVb0mlP6szyAy25rJ4bj56FjS1myXxa9X2g9Ytn2D:Tb0AP60B3Lgm2xYYtn2D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
2360	winusb.exe
828	winusb.exe
2496	winusb.exe
2208	winusb.exe
2636	winusb.exe
2904	winusb.exe
2916	winusb.exe
2044	winusb.exe
1616	winusb.exe
744	winusb.exe
944	winusb.exe
2428	winusb.exe
1008	winusb.exe
2388	winusb.exe
896	winusb.exe
2008	winusb.exe
2432	winusb.exe
2272	winusb.exe
1908	winusb.exe

Loads dropped DLL 20 IoCs

pid	Process
2852	369d4078dffc246a568f7580e9070405.exe
2852	369d4078dffc246a568f7580e9070405.exe
2360	winusb.exe
2360	winusb.exe
828	winusb.exe
828	winusb.exe
2208	winusb.exe
2208	winusb.exe
2904	winusb.exe
2904	winusb.exe
2044	winusb.exe
2044	winusb.exe
744	winusb.exe
744	winusb.exe
2428	winusb.exe
2428	winusb.exe
2388	winusb.exe
2388	winusb.exe
2008	winusb.exe
2008	winusb.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	369d4078dffc246a568f7580e9070405.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	369d4078dffc246a568f7580e9070405.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2360	2852	369d4078dffc246a568f7580e9070405.exe	28
PID 2852 wrote to memory of 2360	2852	369d4078dffc246a568f7580e9070405.exe	28
PID 2852 wrote to memory of 2360	2852	369d4078dffc246a568f7580e9070405.exe	28
PID 2852 wrote to memory of 2360	2852	369d4078dffc246a568f7580e9070405.exe	28
PID 2852 wrote to memory of 2796	2852	369d4078dffc246a568f7580e9070405.exe	29
PID 2852 wrote to memory of 2796	2852	369d4078dffc246a568f7580e9070405.exe	29
PID 2852 wrote to memory of 2796	2852	369d4078dffc246a568f7580e9070405.exe	29
PID 2852 wrote to memory of 2796	2852	369d4078dffc246a568f7580e9070405.exe	29
PID 2852 wrote to memory of 2796	2852	369d4078dffc246a568f7580e9070405.exe	29
PID 2360 wrote to memory of 828	2360	winusb.exe	30
PID 2360 wrote to memory of 828	2360	winusb.exe	30
PID 2360 wrote to memory of 828	2360	winusb.exe	30
PID 2360 wrote to memory of 828	2360	winusb.exe	30
PID 2360 wrote to memory of 2496	2360	winusb.exe	31
PID 2360 wrote to memory of 2496	2360	winusb.exe	31
PID 2360 wrote to memory of 2496	2360	winusb.exe	31
PID 2360 wrote to memory of 2496	2360	winusb.exe	31
PID 2360 wrote to memory of 2496	2360	winusb.exe	31
PID 828 wrote to memory of 2208	828	winusb.exe	34
PID 828 wrote to memory of 2208	828	winusb.exe	34
PID 828 wrote to memory of 2208	828	winusb.exe	34
PID 828 wrote to memory of 2208	828	winusb.exe	34
PID 828 wrote to memory of 2636	828	winusb.exe	35
PID 828 wrote to memory of 2636	828	winusb.exe	35
PID 828 wrote to memory of 2636	828	winusb.exe	35
PID 828 wrote to memory of 2636	828	winusb.exe	35
PID 828 wrote to memory of 2636	828	winusb.exe	35
PID 2208 wrote to memory of 2904	2208	winusb.exe	36
PID 2208 wrote to memory of 2904	2208	winusb.exe	36
PID 2208 wrote to memory of 2904	2208	winusb.exe	36
PID 2208 wrote to memory of 2904	2208	winusb.exe	36
PID 2208 wrote to memory of 2916	2208	winusb.exe	37
PID 2208 wrote to memory of 2916	2208	winusb.exe	37
PID 2208 wrote to memory of 2916	2208	winusb.exe	37
PID 2208 wrote to memory of 2916	2208	winusb.exe	37
PID 2208 wrote to memory of 2916	2208	winusb.exe	37
PID 2904 wrote to memory of 2044	2904	winusb.exe	38
PID 2904 wrote to memory of 2044	2904	winusb.exe	38
PID 2904 wrote to memory of 2044	2904	winusb.exe	38
PID 2904 wrote to memory of 2044	2904	winusb.exe	38
PID 2904 wrote to memory of 1616	2904	winusb.exe	39
PID 2904 wrote to memory of 1616	2904	winusb.exe	39
PID 2904 wrote to memory of 1616	2904	winusb.exe	39
PID 2904 wrote to memory of 1616	2904	winusb.exe	39
PID 2904 wrote to memory of 1616	2904	winusb.exe	39
PID 2044 wrote to memory of 744	2044	winusb.exe	40
PID 2044 wrote to memory of 744	2044	winusb.exe	40
PID 2044 wrote to memory of 744	2044	winusb.exe	40
PID 2044 wrote to memory of 744	2044	winusb.exe	40
PID 2044 wrote to memory of 944	2044	winusb.exe	41
PID 2044 wrote to memory of 944	2044	winusb.exe	41
PID 2044 wrote to memory of 944	2044	winusb.exe	41
PID 2044 wrote to memory of 944	2044	winusb.exe	41
PID 2044 wrote to memory of 944	2044	winusb.exe	41
PID 744 wrote to memory of 2428	744	winusb.exe	42
PID 744 wrote to memory of 2428	744	winusb.exe	42
PID 744 wrote to memory of 2428	744	winusb.exe	42
PID 744 wrote to memory of 2428	744	winusb.exe	42
PID 744 wrote to memory of 1008	744	winusb.exe	43
PID 744 wrote to memory of 1008	744	winusb.exe	43
PID 744 wrote to memory of 1008	744	winusb.exe	43
PID 744 wrote to memory of 1008	744	winusb.exe	43
PID 744 wrote to memory of 1008	744	winusb.exe	43
PID 2428 wrote to memory of 2388	2428	winusb.exe	44

C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe
"C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\winusb.exe
  C:\Windows\system32\winusb.exe 536 "C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\winusb.exe
    C:\Windows\system32\winusb.exe 532 "C:\Windows\SysWOW64\winusb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\SysWOW64\winusb.exe
      C:\Windows\system32\winusb.exe 528 "C:\Windows\SysWOW64\winusb.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 540 "C:\Windows\SysWOW64\winusb.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 544 "C:\Windows\SysWOW64\winusb.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 548 "C:\Windows\SysWOW64\winusb.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 552 "C:\Windows\SysWOW64\winusb.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 556 "C:\Windows\SysWOW64\winusb.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2388
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 560 "C:\Windows\SysWOW64\winusb.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 520 "C:\Windows\SysWOW64\winusb.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        11⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        10⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        9⤵
        Executes dropped EXE
        
        PID:896
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        8⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        7⤵
        Executes dropped EXE
        
        PID:944
      - C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        6⤵
        Executes dropped EXE
        
        PID:1616
    - - C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        5⤵
        Executes dropped EXE
        
        PID:2916
  - - C:\Windows\SysWOW64\winusb.exe
      "C:\Windows\SysWOW64\winusb.exe"
      4⤵
      Executes dropped EXE
      PID:2636
- - C:\Windows\SysWOW64\winusb.exe
    "C:\Windows\SysWOW64\winusb.exe"
    3⤵
    - Executes dropped EXE
    PID:2496
- C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe
  "C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
  2⤵
  PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\winusb.exe

Filesize
122KB

MD5
369d4078dffc246a568f7580e9070405

SHA1
744d88ce6e5909dbc862c8761eaddb317ff64a4e

SHA256
c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac

SHA512
f20a743a84e1b7c8f85a7063dadad3050d2f5bd6b2cd5dbe00fe677f8948d63d798ce356b332e27a392a8d08a3739d067444077517ca94b2b440e8195d143b15

Download Submit
memory/744-57-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/744-66-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/828-21-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/828-31-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/828-29-0x0000000002780000-0x00000000027F4000-memory.dmp

Filesize
464KB

Download
memory/896-76-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/896-75-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/944-61-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/944-60-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1008-67-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1008-68-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1616-51-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1616-52-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1908-93-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1908-92-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2008-88-0x00000000027B0000-0x0000000002824000-memory.dmp

Filesize
464KB

Download
memory/2008-90-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2008-80-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2044-58-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2044-56-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2044-48-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2208-36-0x00000000025F0000-0x0000000002664000-memory.dmp

Filesize
464KB

Download
memory/2208-39-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2208-42-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2208-30-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2272-89-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2360-20-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2360-22-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2360-13-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2388-82-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2388-72-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2428-74-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2432-84-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2432-83-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2496-25-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2496-24-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2636-33-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2636-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2796-16-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2796-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2852-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2852-15-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2852-11-0x0000000002490000-0x0000000002504000-memory.dmp

Filesize
464KB

Download
memory/2904-50-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2904-40-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2916-43-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2916-44-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads