Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 17:02
Static task: static1
Behavioral task: behavioral1
- Sample: 7509c6db76dc1290950464d0a235c41f.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7509c6db76dc1290950464d0a235c41f.exe
- Resource: win10v2004-20231222-en
General
- Target: 7509c6db76dc1290950464d0a235c41f.exe
- Size: 196KB
- MD5: 7509c6db76dc1290950464d0a235c41f
- SHA1: 6cf611c5a1cb65a2bfff30918d9fd7db67a27061
- SHA256: 9b29a05ee7b258c6d63243041b20a8321b453d300b402b4206d925cfe0fa2e2c
- SHA512: d5ac76d9a55787f32f7ab4cc34aa0daf501c770ac2325e4db3fc9e5eefbfe51c8ed8152f469ffaa462821d85f48b476b8b4d7226ca500d591a50405b5854b5b4
- SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8Mh1thz/Q:o68i3odBiTl2+TCU/61thzQ
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | 7509c6db76dc1290950464d0a235c41f.exe
- Drops file in Windows directory (13 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\winhash_up.exe | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\winhash_up.exez | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon5.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon6.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon7.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon10.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon3.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon14.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon13.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon2.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\SHARE_TEMP\Icon12.ico | 7509c6db76dc1290950464d0a235c41f.exe
  File created | C:\Windows\bugMAKER.bat | 7509c6db76dc1290950464d0a235c41f.exe
  File opened for modification | C:\Windows\winhash_up.exez | 7509c6db76dc1290950464d0a235c41f.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 760 wrote to memory of 2792 | 760 | 7509c6db76dc1290950464d0a235c41f.exe | cmd.exe
  PID 760 wrote to memory of 2792 | 760 | 7509c6db76dc1290950464d0a235c41f.exe | cmd.exe
  PID 760 wrote to memory of 2792 | 760 | 7509c6db76dc1290950464d0a235c41f.exe | cmd.exe
  PID 760 wrote to memory of 2792 | 760 | 7509c6db76dc1290950464d0a235c41f.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7509c6db76dc1290950464d0a235c41f.exe (PID 760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7509c6db76dc1290950464d0a235c41f.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2792)
    Command line: cmd /c C:\Windows\bugMAKER.bat
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\bugMAKER.bat
  Filesize: 76B
  MD5: 0fc5f84acc5f6db6e85e2fbb854dff47
  SHA1: d49ae134a7303fd823f8953af36e9d8413d7ad82
  SHA256: 81b45385f877ce1b08e99333bf166b119ac6a3c037bdab6e20f769a1345b005f
  SHA512: 276eed7856beb74120433eefa89e15dbbc1ddbaa2ef177846635d21f3b2129fd148cd345f54e3220d9b948c49a4e19686fa800698af659481e193c6daf53a373
- memory/760-67-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/2792-62-0x0000000000730000-0x0000000000731000-memory.dmp
  Filesize: 4KB