8d8bc92b282cca14b8ea675f13ca29ab431a68a75a0a48f0f86b97c0af1aac4a

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d3b5c19554b5b572cfbcf26b43552a.exe
Size

163KB
MD5

25d3b5c19554b5b572cfbcf26b43552a
SHA1

c03c0337fa31dc8c98d16a17a421f3c59c1802aa
SHA256

8d8bc92b282cca14b8ea675f13ca29ab431a68a75a0a48f0f86b97c0af1aac4a
SHA512

dffb57c17ee2376e2ffc876e976534ddc1c70358271b331b2cc393ac03865feb53aa0caec260c6c7481bfa7fea7b47554df1103c4fc1b6897f75e6f1f1ca743b
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e89:o68i3odBiTl2+TCU/f

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	25d3b5c19554b5b572cfbcf26b43552a.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winhash_up.exez	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\winhash_up.exe	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\winhash_up.exez	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	25d3b5c19554b5b572cfbcf26b43552a.exe
File created	C:\Windows\bugMAKER.bat	25d3b5c19554b5b572cfbcf26b43552a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2692	1684	25d3b5c19554b5b572cfbcf26b43552a.exe	27
PID 1684 wrote to memory of 2692	1684	25d3b5c19554b5b572cfbcf26b43552a.exe	27
PID 1684 wrote to memory of 2692	1684	25d3b5c19554b5b572cfbcf26b43552a.exe	27
PID 1684 wrote to memory of 2692	1684	25d3b5c19554b5b572cfbcf26b43552a.exe	27

C:\Users\Admin\AppData\Local\Temp\25d3b5c19554b5b572cfbcf26b43552a.exe
"C:\Users\Admin\AppData\Local\Temp\25d3b5c19554b5b572cfbcf26b43552a.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
975f99c2481824741894e11cbb6261e1

SHA1
17279796f96055d79110b063d517e2f2015456ad

SHA256
f0a5bf434505cadacd08d5cde58a5ce92a7d9642fa667471ff774136cde184a1

SHA512
8c0047d08c5ec11655383ffffc0a3b6512591aa81f0d54f1d4460be73dbcc31e86fdee97dca360a5d8dbf37867e1bd6c8a49046ed9db1d1a36f31dc73ad2d318

Download Submit
memory/1684-62-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2692-63-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads