d77a562b77b147616b6ebe245fe2ca92bee22da4f13d92be731bf5262842738e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

750ec45944d77c6e8967fd1c3e3bf188.exe
Size

197KB
MD5

750ec45944d77c6e8967fd1c3e3bf188
SHA1

eb6afdd3c7236e7ca5d0016c2f51b02f7d4403a2
SHA256

d77a562b77b147616b6ebe245fe2ca92bee22da4f13d92be731bf5262842738e
SHA512

8f435ef2d6a79e6322784591000d96ec9c464d61bc520bc1e5ac216e9ae24d9bc4bd2b4b624f3fe36615ff1ed8696c702fce31830994ceab4adaf8e0da626e43
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B87pjIkgnq:o68i3odBiTl2+TCU/WIk8q

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

750ec45944d77c6e8967fd1c3e3bf188.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	750ec45944d77c6e8967fd1c3e3bf188.exe

Drops file in Windows directory 13 IoCs

Processes:

750ec45944d77c6e8967fd1c3e3bf188.exe

description	ioc	process
File created	C:\Windows\SHARE_TEMP\Icon14.ico	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\bugMAKER.bat	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\winhash_up.exe	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\winhash_up.exez	750ec45944d77c6e8967fd1c3e3bf188.exe
File opened for modification	C:\Windows\winhash_up.exez	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	750ec45944d77c6e8967fd1c3e3bf188.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	750ec45944d77c6e8967fd1c3e3bf188.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

750ec45944d77c6e8967fd1c3e3bf188.exe

description	pid	process	target process
PID 1392 wrote to memory of 2076	1392	750ec45944d77c6e8967fd1c3e3bf188.exe	cmd.exe
PID 1392 wrote to memory of 2076	1392	750ec45944d77c6e8967fd1c3e3bf188.exe	cmd.exe
PID 1392 wrote to memory of 2076	1392	750ec45944d77c6e8967fd1c3e3bf188.exe	cmd.exe
PID 1392 wrote to memory of 2076	1392	750ec45944d77c6e8967fd1c3e3bf188.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\750ec45944d77c6e8967fd1c3e3bf188.exe
"C:\Users\Admin\AppData\Local\Temp\750ec45944d77c6e8967fd1c3e3bf188.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Windows\bugMAKER.bat
2⤵
PID:2076

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat
Filesize
76B

MD5
11a3dc9004e11ca2ecbad46cb0ea392d

SHA1
24a3ce616e15875cef31ccd2dbc93a5d6c627e26

SHA256
69d975bf2b33ac2fe381a8ab25073218d1de7d560e17b4d785930b9efac21a3e

SHA512
2ecd2f42e2f0bbcbece17c475db469f65f3a7cb006b916ba7de75508c013611f34b9119aad4db8ddc992857fbd1d0fc76a6aa6162916c67013ce060442891821

Download Submit
memory/1392-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2076-62-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads