Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 17:30
Static task: static1
Behavioral task: behavioral1
- Sample: 75198acf24bd3666da2e237a607989e9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 75198acf24bd3666da2e237a607989e9.exe
- Resource: win10v2004-20231215-en
General
- Target: 75198acf24bd3666da2e237a607989e9.exe
- Size: 196KB
- MD5: 75198acf24bd3666da2e237a607989e9
- SHA1: cccd75a3cd8616b3dd16964b8536942b67010611
- SHA256: d8d1fd42f99a1fe1622bbc19d36bf59eff5f06eed6033a53c2640b71bc74a350
- SHA512: 5583a37cce860b789a25f75a4c90ae53e567f8b264bd74002bf333bee16083c6e42ac8d38047a935e6b4c16c4bf1af2414ea9909fdc3c71d2122f9d812b890fd
- SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8FpS:o68i3odBiTl2+TCU/4
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 75198acf24bd3666da2e237a607989e9.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | 75198acf24bd3666da2e237a607989e9.exe
- Drops file in Windows directory (13 IoCs)
  Processes: 75198acf24bd3666da2e237a607989e9.exe
  description | ioc | process
  File created | C:\Windows\SHARE_TEMP\Icon13.ico | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\SHARE_TEMP\Icon7.ico | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\SHARE_TEMP\Icon3.ico | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\SHARE_TEMP\Icon10.ico | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\SHARE_TEMP\Icon14.ico | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\SHARE_TEMP\Icon2.ico | 75198acf24bd3666da2e237a607989e9.exe
  File opened for modification | C:\Windows\winhash_up.exez | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\winhash_up.exe | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\SHARE_TEMP\Icon5.ico | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\SHARE_TEMP\Icon6.ico | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\SHARE_TEMP\Icon12.ico | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\bugMAKER.bat | 75198acf24bd3666da2e237a607989e9.exe
  File created | C:\Windows\winhash_up.exez | 75198acf24bd3666da2e237a607989e9.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 75198acf24bd3666da2e237a607989e9.exe
  description | pid | process | target process
  PID 1152 wrote to memory of 2436 | 1152 | 75198acf24bd3666da2e237a607989e9.exe | cmd.exe
  PID 1152 wrote to memory of 2436 | 1152 | 75198acf24bd3666da2e237a607989e9.exe | cmd.exe
  PID 1152 wrote to memory of 2436 | 1152 | 75198acf24bd3666da2e237a607989e9.exe | cmd.exe
  PID 1152 wrote to memory of 2436 | 1152 | 75198acf24bd3666da2e237a607989e9.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\75198acf24bd3666da2e237a607989e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75198acf24bd3666da2e237a607989e9.exe"
  PID: 1152
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child of PID 1152)
    Command line: cmd /c C:\Windows\bugMAKER.bat
    PID: 2436
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\bugMAKER.bat
  Filesize: 76B
  MD5: e2cc402b2eb6ce98c3643238b1d0439f
  SHA1: cad9e74cc8d8c96985e60669b0ffb78797759149
  SHA256: cb4533fd72a428cd6b740b836a35cb8635fa52d6d99c28172faefb2e9efa3f90
  SHA512: c5bd226a9169e172414444242886dba3ac8df9e666a78f90721cb3d5e83217e068f2c809ff8d881230ed8c1ba20087f51d9443021305a1c5b8976f4669f0cc7d
- memory/1152-67-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/2436-62-0x0000000002320000-0x0000000002321000-memory.dmp
  Filesize: 4KB