cf6cb96559fe9af2519e31499ef5b4f8ef732066bb0bd6d162b9b310ff578b6a

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49ad2764a77bc908747c473020197b34.exe
Size

203KB
MD5

49ad2764a77bc908747c473020197b34
SHA1

c2d927551b848355844ed22fd407e14c0cb0fb50
SHA256

cf6cb96559fe9af2519e31499ef5b4f8ef732066bb0bd6d162b9b310ff578b6a
SHA512

c73fd4277ddac7655b44bce818cc9dc27736abd662168695ebb189656a02218ebe33452d8e17a91c2d3ed9b67c2c34ca5abed8f3dcbcad702fe3def31cb6b849
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/k8ZpYpjmtutv:o68i3odBiTl2+TCU/6mtutv

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	49ad2764a77bc908747c473020197b34.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon5.ico	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\bugMAKER.bat	49ad2764a77bc908747c473020197b34.exe
File opened for modification	C:\Windows\winhash_up.exez	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\winhash_up.exez	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\winhash_up.exe	49ad2764a77bc908747c473020197b34.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	49ad2764a77bc908747c473020197b34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2800	1976	49ad2764a77bc908747c473020197b34.exe	20
PID 1976 wrote to memory of 2800	1976	49ad2764a77bc908747c473020197b34.exe	20
PID 1976 wrote to memory of 2800	1976	49ad2764a77bc908747c473020197b34.exe	20
PID 1976 wrote to memory of 2800	1976	49ad2764a77bc908747c473020197b34.exe	20

C:\Users\Admin\AppData\Local\Temp\49ad2764a77bc908747c473020197b34.exe
"C:\Users\Admin\AppData\Local\Temp\49ad2764a77bc908747c473020197b34.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
ba8cc373999299d5374e4e4ef032a124

SHA1
eddf25a2ea5b6ee368add39f5cdc612f879e9f8c

SHA256
7bbf487c4b28e45575ed12ca875e5e9feee7ccd223cdfb7fc093ddf3b76196b1

SHA512
b37850a901d69badc219f3ea0e7a42f0b21a77aab1f43fea299e7283f43f3c906b034dc6fbac2d9e948450813bbe5042f9ab4ea78caa78c178ba9a94c9de912f

Download Submit
memory/1976-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2800-62-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads