9bf936c5581ea04d9979a6c223342f6067b18ceb810fd6f3060a0287ab3edcee

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
Size

209KB
MD5

8b2dae0ca4fcaa27a4ee6993c6d925bc
SHA1

4150ff0af606c65846df49dbb4daa5a813e4947a
SHA256

9bf936c5581ea04d9979a6c223342f6067b18ceb810fd6f3060a0287ab3edcee
SHA512

943d24ccda52984a43a51fb1ca4643c3422ca0516f1a9a4ef3a48dc4c17a8ed8990e58aef381375da851004fd924c195d6035c70f102874f6bf1b707c259a8b9
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B8dpjBFy11Awi:o68i3odBiTl2+TCU/ihuhuIp4

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\winhash_up.exez	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File opened for modification	C:\Windows\winhash_up.exez	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\winhash_up.exe	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
File created	C:\Windows\bugMAKER.bat	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1020	1284	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe	84
PID 1284 wrote to memory of 1020	1284	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe	84
PID 1284 wrote to memory of 1020	1284	8b2dae0ca4fcaa27a4ee6993c6d925bc.exe	84

C:\Users\Admin\AppData\Local\Temp\8b2dae0ca4fcaa27a4ee6993c6d925bc.exe
"C:\Users\Admin\AppData\Local\Temp\8b2dae0ca4fcaa27a4ee6993c6d925bc.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
  2⤵
  PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
1a24f0d49e8ca89bcba1ef514d752470

SHA1
271e22b448b5806a1304ea43b528af7d69478200

SHA256
bc15d0797df9d2339737ab441be03d96f108a740aaae90bb8de6b053f14365f1

SHA512
50535598e67f4dd7198ff555624ac52901714cc12d506e3ae21c46f1a2e02345353a92b15fe849a3f6e54a36bd7267d6654701c5939d1090076bfc89df909b8b

Download Submit
memory/1284-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads