Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2023, 13:20
Static task: static1
Behavioral task: behavioral1
- Sample: 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
- Resource: win10v2004-20231215-en
General
- Target: 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
- Size: 170KB
- MD5: 9fa5d0f5f63752a2e62954eb2b8f5ea3
- SHA1: f38117aea0530a32c5de2aa0435ffda78c69e88d
- SHA256: 2d3c6aceecb6a3bcc55c842833bdaf6345148a84c41509c477d6f877ff7798ea
- SHA512: 62b5ea73d7d79171914956edec1a2abfed4e9db6ead906a8615f2fc6e511bbf1a178c47c392b576459665b99960133e171880f5d8e4b72a27c635b602a0576f4
- SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8t:o68i3odBiTl2+TCU/P
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
- Drops file in Windows directory (13 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\winhash_up.exez | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon2.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon5.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon14.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\winhash_up.exe | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon10.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon3.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon7.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\bugMAKER.bat | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\winhash_up.exez | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon6.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon12.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  File created | C:\Windows\SHARE_TEMP\Icon13.ico | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1732 wrote to memory of 2268 | 1732 | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe | 28
  PID 1732 wrote to memory of 2268 | 1732 | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe | 28
  PID 1732 wrote to memory of 2268 | 1732 | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe | 28
  PID 1732 wrote to memory of 2268 | 1732 | 9fa5d0f5f63752a2e62954eb2b8f5ea3.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\9fa5d0f5f63752a2e62954eb2b8f5ea3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fa5d0f5f63752a2e62954eb2b8f5ea3.exe"
  PID: 1732
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\bugMAKER.bat
    PID: 2268
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 76B
  MD5: e54724f108541b6a8e24457080e7a630
  SHA1: ea8fced4a0a76cc32521c66a242d8afb94062f1f
  SHA256: 5db329d00550b621315ce59afbb8f528dfa3d39ea265837348f795f58e4a4e9c
  SHA512: 5c28925c29d292050a85766d209731bb1521a07c538d4c0fab1db96039284d0d6f1703e077b53d5278928e4b919c3d9843d0246610e3ab5d633f9dcd2c45da9e