f852706d8e5a460a798a26ad4f2113fdf2ff54812916f8adfe1e6bc83328bd03

Analysis

max time kernel
206s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c0a9b257bfade703487e1b3263bf1c.exe
Size

163KB
MD5

28c0a9b257bfade703487e1b3263bf1c
SHA1

1044052eebeac81434c730f8743df92a9ae04474
SHA256

f852706d8e5a460a798a26ad4f2113fdf2ff54812916f8adfe1e6bc83328bd03
SHA512

47ed2745700aa25eb9c12eddfb81cb3a1fa5884a71db5d8f2f45a6da7a49ab5528ec587958a3708883276759e7da6e15e31297d1243aa1ece5f2bbeefef7f739
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8U:o68i3odBiTl2+TCU/e

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	28c0a9b257bfade703487e1b3263bf1c.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon2.ico	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\winhash_up.exez	28c0a9b257bfade703487e1b3263bf1c.exe
File opened for modification	C:\Windows\winhash_up.exez	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\winhash_up.exe	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	28c0a9b257bfade703487e1b3263bf1c.exe
File created	C:\Windows\bugMAKER.bat	28c0a9b257bfade703487e1b3263bf1c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 3440	4672	28c0a9b257bfade703487e1b3263bf1c.exe	91
PID 4672 wrote to memory of 3440	4672	28c0a9b257bfade703487e1b3263bf1c.exe	91
PID 4672 wrote to memory of 3440	4672	28c0a9b257bfade703487e1b3263bf1c.exe	91

C:\Users\Admin\AppData\Local\Temp\28c0a9b257bfade703487e1b3263bf1c.exe
"C:\Users\Admin\AppData\Local\Temp\28c0a9b257bfade703487e1b3263bf1c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
  2⤵
  PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
feb562a95dbd5fa37b8db2294f10e95a

SHA1
47f7dab58f4862d5187ba2f11a6a8e497cb6d5de

SHA256
6c387661d4ada2711fa090402de670cf0852e7e7d99610e8fd4e70c4ce09bf06

SHA512
ce44ae6173cff084defcdfa1ad46702307581010724926404abd45f694bb25a087d3946a48b104ace10310eac484b5d45fb09abe42115bf083d5e426ba151d01

Download Submit
memory/4672-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4672-25-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads