12a8d5eefabfd922f518bc2a84b6fa9212fa9b5394ee04d84d2caba8fcb4d989

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 11:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ce00f9692e2621d84b65f4dc3195d320.exe
Size

181KB
MD5

ce00f9692e2621d84b65f4dc3195d320
SHA1

580d7caf236cd28be89fd5223f2c12ab469a8d88
SHA256

12a8d5eefabfd922f518bc2a84b6fa9212fa9b5394ee04d84d2caba8fcb4d989
SHA512

1962b63964582e65a82d000f8f508203d8030a5ec6cc4a1479ff1c0115c7d1cd1a0b00186a5b27a98b1079fdb7d6347d2babc593f35ab03aa4219b6037e49aba
SSDEEP

3072:ViTgLAPpNEBRuB1lSSrjne1vq4iVXA3rbFYyxLDYjlSI56oNO9:ViMsELYlSSrjnmvqftK2yxf9sO9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

pid	Process
3960	wins.exe
5016	wins.exe
2484	wins.exe
2380	wins.exe
4624	wins.exe
2904	wins.exe
4264	wins.exe
2064	wins.exe
3300	wins.exe
2496	wins.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	ce00f9692e2621d84b65f4dc3195d320.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	ce00f9692e2621d84b65f4dc3195d320.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File created	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe
File opened for modification	C:\Windows\SysWOW64\wins.exe	wins.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 3960	3496	ce00f9692e2621d84b65f4dc3195d320.exe	96
PID 3496 wrote to memory of 3960	3496	ce00f9692e2621d84b65f4dc3195d320.exe	96
PID 3496 wrote to memory of 3960	3496	ce00f9692e2621d84b65f4dc3195d320.exe	96
PID 3960 wrote to memory of 5016	3960	wins.exe	107
PID 3960 wrote to memory of 5016	3960	wins.exe	107
PID 3960 wrote to memory of 5016	3960	wins.exe	107
PID 5016 wrote to memory of 2484	5016	wins.exe	111
PID 5016 wrote to memory of 2484	5016	wins.exe	111
PID 5016 wrote to memory of 2484	5016	wins.exe	111
PID 2484 wrote to memory of 2380	2484	wins.exe	114
PID 2484 wrote to memory of 2380	2484	wins.exe	114
PID 2484 wrote to memory of 2380	2484	wins.exe	114
PID 2380 wrote to memory of 4624	2380	wins.exe	115
PID 2380 wrote to memory of 4624	2380	wins.exe	115
PID 2380 wrote to memory of 4624	2380	wins.exe	115
PID 4624 wrote to memory of 2904	4624	wins.exe	117
PID 4624 wrote to memory of 2904	4624	wins.exe	117
PID 4624 wrote to memory of 2904	4624	wins.exe	117
PID 2904 wrote to memory of 4264	2904	wins.exe	118
PID 2904 wrote to memory of 4264	2904	wins.exe	118
PID 2904 wrote to memory of 4264	2904	wins.exe	118
PID 4264 wrote to memory of 2064	4264	wins.exe	123
PID 4264 wrote to memory of 2064	4264	wins.exe	123
PID 4264 wrote to memory of 2064	4264	wins.exe	123
PID 2064 wrote to memory of 3300	2064	wins.exe	128
PID 2064 wrote to memory of 3300	2064	wins.exe	128
PID 2064 wrote to memory of 3300	2064	wins.exe	128
PID 3300 wrote to memory of 2496	3300	wins.exe	129
PID 3300 wrote to memory of 2496	3300	wins.exe	129
PID 3300 wrote to memory of 2496	3300	wins.exe	129

C:\Users\Admin\AppData\Local\Temp\ce00f9692e2621d84b65f4dc3195d320.exe
"C:\Users\Admin\AppData\Local\Temp\ce00f9692e2621d84b65f4dc3195d320.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\SysWOW64\wins.exe
  C:\Windows\system32\wins.exe 1188 "C:\Users\Admin\AppData\Local\Temp\ce00f9692e2621d84b65f4dc3195d320.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\SysWOW64\wins.exe
    C:\Windows\system32\wins.exe 1152 "C:\Windows\SysWOW64\wins.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\wins.exe
      C:\Windows\system32\wins.exe 1124 "C:\Windows\SysWOW64\wins.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\SysWOW64\wins.exe
        
        C:\Windows\system32\wins.exe 1120 "C:\Windows\SysWOW64\wins.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\SysWOW64\wins.exe
        
        C:\Windows\system32\wins.exe 1128 "C:\Windows\SysWOW64\wins.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\wins.exe
        
        C:\Windows\system32\wins.exe 1132 "C:\Windows\SysWOW64\wins.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\wins.exe
        
        C:\Windows\system32\wins.exe 1136 "C:\Windows\SysWOW64\wins.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\wins.exe
        
        C:\Windows\system32\wins.exe 1140 "C:\Windows\SysWOW64\wins.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\wins.exe
        
        C:\Windows\system32\wins.exe 1144 "C:\Windows\SysWOW64\wins.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\wins.exe
        
        C:\Windows\system32\wins.exe 1160 "C:\Windows\SysWOW64\wins.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wins.exe

Filesize
181KB

MD5
ce00f9692e2621d84b65f4dc3195d320

SHA1
580d7caf236cd28be89fd5223f2c12ab469a8d88

SHA256
12a8d5eefabfd922f518bc2a84b6fa9212fa9b5394ee04d84d2caba8fcb4d989

SHA512
1962b63964582e65a82d000f8f508203d8030a5ec6cc4a1479ff1c0115c7d1cd1a0b00186a5b27a98b1079fdb7d6347d2babc593f35ab03aa4219b6037e49aba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads