c70900329c557c0fb8f6a8ec2d6987d29a73dd0bc12cb43eee51c54a946c03e4

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b469f17734cca213f4d0500ded15e41.exe
Size

211KB
MD5

0b469f17734cca213f4d0500ded15e41
SHA1

5dd80170764c3d88bd25bf1dbdbf69fe8cbc3faf
SHA256

c70900329c557c0fb8f6a8ec2d6987d29a73dd0bc12cb43eee51c54a946c03e4
SHA512

1ae91d80902ac01938afaa0ccdcda45777254368d6eaa981e6dc88462ce1c868b5c2229a4e2a605e5252679360eedff6ee2db53492f632085976f7f034322888
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8EpjBFy11AwH:o68i3odBiTl2+TCU/chuhuIp9

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	0b469f17734cca213f4d0500ded15e41.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon7.ico	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\winhash_up.exe	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	0b469f17734cca213f4d0500ded15e41.exe
File opened for modification	C:\Windows\winhash_up.exez	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\bugMAKER.bat	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\winhash_up.exez	0b469f17734cca213f4d0500ded15e41.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	0b469f17734cca213f4d0500ded15e41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2824	2212	0b469f17734cca213f4d0500ded15e41.exe	28
PID 2212 wrote to memory of 2824	2212	0b469f17734cca213f4d0500ded15e41.exe	28
PID 2212 wrote to memory of 2824	2212	0b469f17734cca213f4d0500ded15e41.exe	28
PID 2212 wrote to memory of 2824	2212	0b469f17734cca213f4d0500ded15e41.exe	28

C:\Users\Admin\AppData\Local\Temp\0b469f17734cca213f4d0500ded15e41.exe
"C:\Users\Admin\AppData\Local\Temp\0b469f17734cca213f4d0500ded15e41.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
6f53dd0d78038203f6d7153c0a56a7b6

SHA1
de5f5911b9b2bc3ad8fddbb815dee4c7ef6179dd

SHA256
26fb7087e6e2a989889ad2c2940b238052db0f31bca0872fa04dd6a4cf9e11c8

SHA512
cd2c745cfe2d92f846c1a807cafab8f02cc5b87ccf72b2a2c1ab8c80b789b18c13f61b4065e67b6d4635aeec254d35cbcf91e085224ae0c6f5d43accaba7070b

Download Submit
memory/2212-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2824-62-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads