c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

369d4078dffc246a568f7580e9070405.exe
Size

122KB
MD5

369d4078dffc246a568f7580e9070405
SHA1

744d88ce6e5909dbc862c8761eaddb317ff64a4e
SHA256

c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac
SHA512

f20a743a84e1b7c8f85a7063dadad3050d2f5bd6b2cd5dbe00fe677f8948d63d798ce356b332e27a392a8d08a3739d067444077517ca94b2b440e8195d143b15
SSDEEP

3072:3D/CAVb0mlP6szyAy25rJ4bj56FjS1myXxa9X2g9Ytn2D:Tb0AP60B3Lgm2xYYtn2D

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
3640	winusb.exe
2164	winusb.exe
2068	winusb.exe
2548	winusb.exe
4920	winusb.exe
1964	winusb.exe
3732	winusb.exe
940	winusb.exe
4248	winusb.exe
568	winusb.exe
4184	winusb.exe
1436	winusb.exe
632	winusb.exe
3452	winusb.exe
2824	winusb.exe
4840	winusb.exe
2276	winusb.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	369d4078dffc246a568f7580e9070405.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	369d4078dffc246a568f7580e9070405.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File opened for modification	C:\Windows\SysWOW64\winusb.exe	winusb.exe
File created	C:\Windows\SysWOW64\winusb.exe	winusb.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 3640	4252	369d4078dffc246a568f7580e9070405.exe	92
PID 4252 wrote to memory of 3640	4252	369d4078dffc246a568f7580e9070405.exe	92
PID 4252 wrote to memory of 3640	4252	369d4078dffc246a568f7580e9070405.exe	92
PID 4252 wrote to memory of 1368	4252	369d4078dffc246a568f7580e9070405.exe	93
PID 4252 wrote to memory of 1368	4252	369d4078dffc246a568f7580e9070405.exe	93
PID 4252 wrote to memory of 1368	4252	369d4078dffc246a568f7580e9070405.exe	93
PID 4252 wrote to memory of 1368	4252	369d4078dffc246a568f7580e9070405.exe	93
PID 3640 wrote to memory of 2164	3640	winusb.exe	94
PID 3640 wrote to memory of 2164	3640	winusb.exe	94
PID 3640 wrote to memory of 2164	3640	winusb.exe	94
PID 3640 wrote to memory of 2068	3640	winusb.exe	95
PID 3640 wrote to memory of 2068	3640	winusb.exe	95
PID 3640 wrote to memory of 2068	3640	winusb.exe	95
PID 3640 wrote to memory of 2068	3640	winusb.exe	95
PID 2164 wrote to memory of 2548	2164	winusb.exe	99
PID 2164 wrote to memory of 2548	2164	winusb.exe	99
PID 2164 wrote to memory of 2548	2164	winusb.exe	99
PID 2164 wrote to memory of 4920	2164	winusb.exe	100
PID 2164 wrote to memory of 4920	2164	winusb.exe	100
PID 2164 wrote to memory of 4920	2164	winusb.exe	100
PID 2164 wrote to memory of 4920	2164	winusb.exe	100
PID 2548 wrote to memory of 1964	2548	winusb.exe	111
PID 2548 wrote to memory of 1964	2548	winusb.exe	111
PID 2548 wrote to memory of 1964	2548	winusb.exe	111
PID 2548 wrote to memory of 3732	2548	winusb.exe	112
PID 2548 wrote to memory of 3732	2548	winusb.exe	112
PID 2548 wrote to memory of 3732	2548	winusb.exe	112
PID 2548 wrote to memory of 3732	2548	winusb.exe	112
PID 1964 wrote to memory of 940	1964	winusb.exe	113
PID 1964 wrote to memory of 940	1964	winusb.exe	113
PID 1964 wrote to memory of 940	1964	winusb.exe	113
PID 1964 wrote to memory of 4248	1964	winusb.exe	114
PID 1964 wrote to memory of 4248	1964	winusb.exe	114
PID 1964 wrote to memory of 4248	1964	winusb.exe	114
PID 1964 wrote to memory of 4248	1964	winusb.exe	114
PID 940 wrote to memory of 568	940	winusb.exe	115
PID 940 wrote to memory of 568	940	winusb.exe	115
PID 940 wrote to memory of 568	940	winusb.exe	115
PID 940 wrote to memory of 4184	940	winusb.exe	116
PID 940 wrote to memory of 4184	940	winusb.exe	116
PID 940 wrote to memory of 4184	940	winusb.exe	116
PID 940 wrote to memory of 4184	940	winusb.exe	116
PID 568 wrote to memory of 1436	568	winusb.exe	118
PID 568 wrote to memory of 1436	568	winusb.exe	118
PID 568 wrote to memory of 1436	568	winusb.exe	118
PID 568 wrote to memory of 632	568	winusb.exe	119
PID 568 wrote to memory of 632	568	winusb.exe	119
PID 568 wrote to memory of 632	568	winusb.exe	119
PID 568 wrote to memory of 632	568	winusb.exe	119
PID 1436 wrote to memory of 3452	1436	winusb.exe	120
PID 1436 wrote to memory of 3452	1436	winusb.exe	120
PID 1436 wrote to memory of 3452	1436	winusb.exe	120
PID 1436 wrote to memory of 2824	1436	winusb.exe	121
PID 1436 wrote to memory of 2824	1436	winusb.exe	121
PID 1436 wrote to memory of 2824	1436	winusb.exe	121
PID 1436 wrote to memory of 2824	1436	winusb.exe	121
PID 3452 wrote to memory of 4840	3452	winusb.exe	122
PID 3452 wrote to memory of 4840	3452	winusb.exe	122
PID 3452 wrote to memory of 4840	3452	winusb.exe	122
PID 3452 wrote to memory of 2276	3452	winusb.exe	123
PID 3452 wrote to memory of 2276	3452	winusb.exe	123
PID 3452 wrote to memory of 2276	3452	winusb.exe	123
PID 3452 wrote to memory of 2276	3452	winusb.exe	123

C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe
"C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\winusb.exe
  C:\Windows\system32\winusb.exe 1192 "C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\winusb.exe
    C:\Windows\system32\winusb.exe 1140 "C:\Windows\SysWOW64\winusb.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\winusb.exe
      C:\Windows\system32\winusb.exe 1104 "C:\Windows\SysWOW64\winusb.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1124 "C:\Windows\SysWOW64\winusb.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1088 "C:\Windows\SysWOW64\winusb.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1132 "C:\Windows\SysWOW64\winusb.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1136 "C:\Windows\SysWOW64\winusb.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1144 "C:\Windows\SysWOW64\winusb.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\winusb.exe
        
        C:\Windows\system32\winusb.exe 1148 "C:\Windows\SysWOW64\winusb.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        10⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        9⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        8⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        7⤵
        Executes dropped EXE
        
        PID:4184
      - C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        6⤵
        Executes dropped EXE
        
        PID:4248
    - - C:\Windows\SysWOW64\winusb.exe
        
        "C:\Windows\SysWOW64\winusb.exe"
        5⤵
        Executes dropped EXE
        
        PID:3732
  - - C:\Windows\SysWOW64\winusb.exe
      "C:\Windows\SysWOW64\winusb.exe"
      4⤵
      Executes dropped EXE
      PID:4920
- - C:\Windows\SysWOW64\winusb.exe
    "C:\Windows\SysWOW64\winusb.exe"
    3⤵
    - Executes dropped EXE
    PID:2068
- C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe
  "C:\Users\Admin\AppData\Local\Temp\369d4078dffc246a568f7580e9070405.exe"
  2⤵
  PID:1368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winusb.exe

Filesize
122KB

MD5
369d4078dffc246a568f7580e9070405

SHA1
744d88ce6e5909dbc862c8761eaddb317ff64a4e

SHA256
c6e4528479cabadd9e15e3c0e9ea819a0f766a1b051c14d5e5a979534d954aac

SHA512
f20a743a84e1b7c8f85a7063dadad3050d2f5bd6b2cd5dbe00fe677f8948d63d798ce356b332e27a392a8d08a3739d067444077517ca94b2b440e8195d143b15

Download Submit
memory/568-37-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/632-40-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/632-39-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/940-32-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1368-8-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1368-9-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1436-43-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1436-36-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1964-27-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2068-13-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2068-14-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2164-17-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2276-50-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2276-49-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2548-22-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2824-44-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2824-45-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3452-48-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3640-11-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3732-23-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/3732-24-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4184-34-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4184-33-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4248-28-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4248-29-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4252-7-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4252-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4920-18-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4920-19-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads