f5e4a9deaacb6bb09196605a2fbd0cdb69d9362d1265ae8c33348587bddae480

Analysis

max time kernel
120s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a29f0340c311773ca162b6835e001e5.exe
Size

217KB
MD5

0a29f0340c311773ca162b6835e001e5
SHA1

b703c09d960c505b27ea8d85166b01fb2469afa1
SHA256

f5e4a9deaacb6bb09196605a2fbd0cdb69d9362d1265ae8c33348587bddae480
SHA512

7ce6d5c0bdd430544a691dd447b29d1a39e40451e8872fafe0b4bf05190c06251b4c5a3067c0f1beb75785da6dc018aadc922d403bb3724025af122c0a037dd1
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B8dh1thz/Y9:o68i3odBiTl2+TCU/s1thzA

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	0a29f0340c311773ca162b6835e001e5.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winhash_up.exez	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\winhash_up.exez	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\winhash_up.exe	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\bugMAKER.bat	0a29f0340c311773ca162b6835e001e5.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	0a29f0340c311773ca162b6835e001e5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2848	840	0a29f0340c311773ca162b6835e001e5.exe	28
PID 840 wrote to memory of 2848	840	0a29f0340c311773ca162b6835e001e5.exe	28
PID 840 wrote to memory of 2848	840	0a29f0340c311773ca162b6835e001e5.exe	28
PID 840 wrote to memory of 2848	840	0a29f0340c311773ca162b6835e001e5.exe	28

C:\Users\Admin\AppData\Local\Temp\0a29f0340c311773ca162b6835e001e5.exe
"C:\Users\Admin\AppData\Local\Temp\0a29f0340c311773ca162b6835e001e5.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
e223140d95895155bf0054e156b147dc

SHA1
1661455a7938f8077aa6143ad2113897af2c84cf

SHA256
4d6b1f46c17b1e788a2101815a7f78a6220647c5203ef00da6a8d48f8d863039

SHA512
4e936d2688359aedca0f7eaeebe2700a2ab30db8a2f50cce66411e2dc4dc0c2c9e8eaa2da03fb554bdf295c9a66ad72f409e199a0e7d7a466e0503f022a37636

Download Submit
memory/840-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2848-62-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads