e78aec31b25dc624e723224a73d253554e90d10a67aa6e0ffc73dcdb549fc1ff

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b5ea526947993eb04c0a1b877f18f82.exe
Size

210KB
MD5

1b5ea526947993eb04c0a1b877f18f82
SHA1

af25fa546d4016dc8678fbe55f9ac75099737104
SHA256

e78aec31b25dc624e723224a73d253554e90d10a67aa6e0ffc73dcdb549fc1ff
SHA512

19c7a8f9865fefec4a31fffc6cb8082d35d7e1259b18cf568e49641aa0df25d07d9256274a8eb7355c459c3d5ae0dd8ce4f3781fb44ada3748e581c35f9aaff3
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B89OpjNtkaZgb:o68i3odBiTl2+TCU/EENtkqxY

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	1b5ea526947993eb04c0a1b877f18f82.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon3.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\winhash_up.exez	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\winhash_up.exe	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File opened for modification	C:\Windows\winhash_up.exez	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	1b5ea526947993eb04c0a1b877f18f82.exe
File created	C:\Windows\bugMAKER.bat	1b5ea526947993eb04c0a1b877f18f82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2848	2104	1b5ea526947993eb04c0a1b877f18f82.exe	18
PID 2104 wrote to memory of 2848	2104	1b5ea526947993eb04c0a1b877f18f82.exe	18
PID 2104 wrote to memory of 2848	2104	1b5ea526947993eb04c0a1b877f18f82.exe	18
PID 2104 wrote to memory of 2848	2104	1b5ea526947993eb04c0a1b877f18f82.exe	18

C:\Users\Admin\AppData\Local\Temp\1b5ea526947993eb04c0a1b877f18f82.exe
"C:\Users\Admin\AppData\Local\Temp\1b5ea526947993eb04c0a1b877f18f82.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
55c8660a95f6dc99d41aaa5208eb1bd4

SHA1
19c422bd01837f1fa4c30bbb8f003166aca83701

SHA256
e3704c6ac15eb9c5c410542162149ee2fb60a722c7cbdc6820c3ffb4c3fab204

SHA512
b7143af2ec76c1dca4e37f94edc9a59f816f86ffb4ec986c7e5032e717efbbf6012a1b942bf38472d36df87ab79afe2a35de2dea81924225a2d60dbf1f00579f

Download Submit
memory/2104-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2848-62-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads