c8775b02623b03aac29b57f01dc81939ee44ac5a59c8f13bf971c6535c589fc3

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3918b3ee29d0db4eb31b9de64e32bfdb.exe
Size

239KB
MD5

3918b3ee29d0db4eb31b9de64e32bfdb
SHA1

f489ed9450cff10f4e75bfe9ff1638a6e192b0a9
SHA256

c8775b02623b03aac29b57f01dc81939ee44ac5a59c8f13bf971c6535c589fc3
SHA512

66ea8659eff1be52d7c1f6f18af8ba85c10fe9a21b89f8c9bf338fd86475456d020592f46b459b98ad02e3f038d60e0903a02bf372dbe9aced24080e708f35ad
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B8ptkaZgxktEB:o68i3odBiTl2+TCU/EtkqxrqLckP+xn8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	3918b3ee29d0db4eb31b9de64e32bfdb.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winhash_up.exez	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\winhash_up.exe	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\bugMAKER.bat	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\winhash_up.exez	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	3918b3ee29d0db4eb31b9de64e32bfdb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2064	2080	3918b3ee29d0db4eb31b9de64e32bfdb.exe	28
PID 2080 wrote to memory of 2064	2080	3918b3ee29d0db4eb31b9de64e32bfdb.exe	28
PID 2080 wrote to memory of 2064	2080	3918b3ee29d0db4eb31b9de64e32bfdb.exe	28
PID 2080 wrote to memory of 2064	2080	3918b3ee29d0db4eb31b9de64e32bfdb.exe	28

C:\Users\Admin\AppData\Local\Temp\3918b3ee29d0db4eb31b9de64e32bfdb.exe
"C:\Users\Admin\AppData\Local\Temp\3918b3ee29d0db4eb31b9de64e32bfdb.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
45737f0127485468e136980673a20800

SHA1
0175f6fd8565ecd4b4e51d514cd9e3cff6e8549a

SHA256
6fbc4a4e75f779102f31abf0fabf3ec63252232206bc73e139a81d844d6fa6e7

SHA512
b17df4d7223d427c3e5f626496b86356fd0f3b0e47853f46e69d0a422d4a5e4f210186b028dead0874a04e50ef946a8d6274e9ad958f2fa3fb89c8e8caa99be5

Download Submit
memory/2064-62-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2080-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads