142cef1fe383cec4860458f512d303aa54607fee163b11ecce7bc9175806a56d

Analysis

max time kernel
118s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66426dddef87f01dfaa3dc9a7ae1324b.exe
Size

182KB
MD5

66426dddef87f01dfaa3dc9a7ae1324b
SHA1

9c4b4d1e056667b6599084ed6afc1fed07b1299f
SHA256

142cef1fe383cec4860458f512d303aa54607fee163b11ecce7bc9175806a56d
SHA512

3c9908d9f910f5a039d358b566242c24e7b3f6d37756feb613e906c449c738f8596b002bfdc3c1921d8e05ff92f1440355636d509e1c913f66e38ed6b34a8d7b
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8ltkaZgxk+:o68i3odBiTl2+TCU/Ltkq+

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	66426dddef87f01dfaa3dc9a7ae1324b.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\bugMAKER.bat	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\winhash_up.exez	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe
File opened for modification	C:\Windows\winhash_up.exez	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\winhash_up.exe	66426dddef87f01dfaa3dc9a7ae1324b.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	66426dddef87f01dfaa3dc9a7ae1324b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2752	2172	66426dddef87f01dfaa3dc9a7ae1324b.exe	18
PID 2172 wrote to memory of 2752	2172	66426dddef87f01dfaa3dc9a7ae1324b.exe	18
PID 2172 wrote to memory of 2752	2172	66426dddef87f01dfaa3dc9a7ae1324b.exe	18
PID 2172 wrote to memory of 2752	2172	66426dddef87f01dfaa3dc9a7ae1324b.exe	18

C:\Users\Admin\AppData\Local\Temp\66426dddef87f01dfaa3dc9a7ae1324b.exe
"C:\Users\Admin\AppData\Local\Temp\66426dddef87f01dfaa3dc9a7ae1324b.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
3547e6dfdf6ad9a80e3c6a936b26e6bc

SHA1
bebbd548eb89cf3fc1e148cacaa0482c4f17d3ce

SHA256
8ad820181fd507cda1bb7cab517219758c0a4629bcce92cb587854aa276a39a0

SHA512
2d3eaa878475ae762c5f412728824184e821c098352d2ce0166d2b7fd9b33f7991dd7ba6c8a5c5799b521bcaa87ff38f05af40a2cd17fa41a082010e06a11873

Download Submit
memory/2172-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2752-62-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads