d67310448c0d94f5709246c1153fcaba9d6f3b1b3b895e463b22b25f1d9ecb13

Analysis

max time kernel
91s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aee95e91a71cf0562808f9527e44e19.exe
Size

226KB
MD5

7aee95e91a71cf0562808f9527e44e19
SHA1

db94729ac77f484aba8a8f1feb6644c36ca7c8b3
SHA256

d67310448c0d94f5709246c1153fcaba9d6f3b1b3b895e463b22b25f1d9ecb13
SHA512

f152d5de4624cf98e4fbe40672c23139fb201c5aa4a97d657304c95329566af227181d4953a86eea0211943618b5ce63ba24d5b65698f1b383997729ff15e761
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8VpjBFy11AwO:o68i3odBiTl2+TCU/1huhuIpRLa

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	7aee95e91a71cf0562808f9527e44e19.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon7.ico	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	7aee95e91a71cf0562808f9527e44e19.exe
File opened for modification	C:\Windows\winhash_up.exez	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\bugMAKER.bat	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\winhash_up.exez	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\winhash_up.exe	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	7aee95e91a71cf0562808f9527e44e19.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	7aee95e91a71cf0562808f9527e44e19.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3076	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3076	3948	7aee95e91a71cf0562808f9527e44e19.exe	86
PID 3948 wrote to memory of 3076	3948	7aee95e91a71cf0562808f9527e44e19.exe	86
PID 3948 wrote to memory of 3076	3948	7aee95e91a71cf0562808f9527e44e19.exe	86

C:\Users\Admin\AppData\Local\Temp\7aee95e91a71cf0562808f9527e44e19.exe
"C:\Users\Admin\AppData\Local\Temp\7aee95e91a71cf0562808f9527e44e19.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
d96ba2fff2eca09c00b45360a3e14c77

SHA1
9e0dcc8417ea566f30a81fb73ff78ff89a9c2e9d

SHA256
b385262b714cbab29933f07e1febab7b5dcd3b90b40a9060b99404ed9afc626a

SHA512
7bb29a2b5d34f217465a2b9eb6a347ec773a2768175aaa82474e6393a6949395c7978f9036309a329b65979bef429e51cf3d11a679347c561b90da6d0f28a39e

Download Submit
memory/3948-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads