Malware Analysis Report

2025-08-05 17:00

Sample ID: 240108-d89pksaebn
Target: 4a58343be43aabd8208f96368dd71d4a
SHA256: 31eacd3117d660daf79e221ac449d77b7bb8f216871cc749ade733361b307c04
Tags: persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 31eacd3117d660daf79e221ac449d77b7bb8f216871cc749ade733361b307c04

Threat Level: Shows suspicious behavior

The file 4a58343be43aabd8208f96368dd71d4a was found to show suspicious behavior.

Malicious Activity Summary

persistence

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-08 03:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-08 03:41

Reported: 2024-01-08 03:44

Platform: win10v2004-20231215-en

Max time kernel: 139s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SHARE_TEMP\Icon7.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon12.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon14.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\winhash_up.exez C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon3.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon5.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon6.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\bugMAKER.bat C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File opened for modification C:\Windows\winhash_up.exez C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\winhash_up.exe C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon2.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon10.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe

"C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 N/A udp
US 52.111.229.43:443 N/A tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Windows\bugMAKER.bat

MD5 624c0b02fc3786bc1fe11308fa5c4b9d
SHA1 aeeef34030f30a6363b3e6669fb2a78214329fda
SHA256 9cdd23f204c83a989bd8ff8c3b6db08e1da0d9cd759ca0b69147d03aa8ca634c
SHA512 724db6ded73c24b015330f1ce44778eaecebac235ac13db4fd99a43c841cfe57b5e4f2839418929def4236c6996e63f91126b0f54b52c4f1dd54be54a2c9379c

memory/4380-24-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-08 03:41

Reported: 2024-01-08 03:44

Platform: win7-20231215-en

Max time kernel: 122s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winhash_up.exez C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File opened for modification C:\Windows\winhash_up.exez C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\winhash_up.exe C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon3.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon6.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon14.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon10.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon12.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\bugMAKER.bat C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon2.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon5.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon7.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A
File created C:\Windows\SHARE_TEMP\Icon13.ico C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe

"C:\Users\Admin\AppData\Local\Temp\4a58343be43aabd8208f96368dd71d4a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\bugMAKER.bat

Network

N/A

Files

C:\Windows\bugMAKER.bat

MD5 624c0b02fc3786bc1fe11308fa5c4b9d
SHA1 aeeef34030f30a6363b3e6669fb2a78214329fda
SHA256 9cdd23f204c83a989bd8ff8c3b6db08e1da0d9cd759ca0b69147d03aa8ca634c
SHA512 724db6ded73c24b015330f1ce44778eaecebac235ac13db4fd99a43c841cfe57b5e4f2839418929def4236c6996e63f91126b0f54b52c4f1dd54be54a2c9379c

memory/3052-62-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/2960-67-0x0000000000400000-0x000000000042D000-memory.dmp