Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 17:11
Static task: static1
Behavioral task: behavioral1
- Sample: 750ec45944d77c6e8967fd1c3e3bf188.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 750ec45944d77c6e8967fd1c3e3bf188.exe
- Resource: win10v2004-20231215-en
General
- Target: 750ec45944d77c6e8967fd1c3e3bf188.exe
- Size: 197KB
- MD5: 750ec45944d77c6e8967fd1c3e3bf188
- SHA1: eb6afdd3c7236e7ca5d0016c2f51b02f7d4403a2
- SHA256: d77a562b77b147616b6ebe245fe2ca92bee22da4f13d92be731bf5262842738e
- SHA512: 8f435ef2d6a79e6322784591000d96ec9c464d61bc520bc1e5ac216e9ae24d9bc4bd2b4b624f3fe36615ff1ed8696c702fce31830994ceab4adaf8e0da626e43
- SSDEEP: 3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B87pjIkgnq:o68i3odBiTl2+TCU/WIk8q
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 750ec45944d77c6e8967fd1c3e3bf188.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" | 750ec45944d77c6e8967fd1c3e3bf188.exe
- Drops file in Windows directory (13 IoCs)
  Processes: 750ec45944d77c6e8967fd1c3e3bf188.exe
  description | ioc | process
  File created | C:\Windows\SHARE_TEMP\Icon14.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\bugMAKER.bat | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\SHARE_TEMP\Icon5.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\SHARE_TEMP\Icon13.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\winhash_up.exe | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\winhash_up.exez | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File opened for modification | C:\Windows\winhash_up.exez | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\SHARE_TEMP\Icon7.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\SHARE_TEMP\Icon12.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\SHARE_TEMP\Icon6.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\SHARE_TEMP\Icon10.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\SHARE_TEMP\Icon2.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
  File created | C:\Windows\SHARE_TEMP\Icon3.ico | 750ec45944d77c6e8967fd1c3e3bf188.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 750ec45944d77c6e8967fd1c3e3bf188.exe
  description | pid | process | target process
  PID 1392 wrote to memory of 2076 | 1392 | 750ec45944d77c6e8967fd1c3e3bf188.exe | cmd.exe
  PID 1392 wrote to memory of 2076 | 1392 | 750ec45944d77c6e8967fd1c3e3bf188.exe | cmd.exe
  PID 1392 wrote to memory of 2076 | 1392 | 750ec45944d77c6e8967fd1c3e3bf188.exe | cmd.exe
  PID 1392 wrote to memory of 2076 | 1392 | 750ec45944d77c6e8967fd1c3e3bf188.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\750ec45944d77c6e8967fd1c3e3bf188.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\750ec45944d77c6e8967fd1c3e3bf188.exe"
  PID: 1392
  Signatures:
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Windows\bugMAKER.bat
    PID: 2076
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\bugMAKER.bat
  Filesize: 76B
  MD5: 11a3dc9004e11ca2ecbad46cb0ea392d
  SHA1: 24a3ce616e15875cef31ccd2dbc93a5d6c627e26
  SHA256: 69d975bf2b33ac2fe381a8ab25073218d1de7d560e17b4d785930b9efac21a3e
  SHA512: 2ecd2f42e2f0bbcbece17c475db469f65f3a7cb006b916ba7de75508c013611f34b9119aad4db8ddc992857fbd1d0fc76a6aa6162916c67013ce060442891821
- memory/1392-67-0x0000000000400000-0x000000000042D000-memory.dmp
  Filesize: 180KB
- memory/2076-62-0x0000000002420000-0x0000000002421000-memory.dmp
  Filesize: 4KB