26a71e966a89811a6b13d9808647ca6682f67c98f42297aaa7dd2b295eee3466

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e26bb007f9b772cbb973818502d2857.exe
Size

226KB
MD5

8e26bb007f9b772cbb973818502d2857
SHA1

9246b37346b6fe839f5d49686e52022221f144a0
SHA256

26a71e966a89811a6b13d9808647ca6682f67c98f42297aaa7dd2b295eee3466
SHA512

4254287f358b8b1be4d2039d4ac3ad9cd068d80bcb33a5c9c5a7751eb07fadc97ff12c744fcf04dd780c084eab805c931de416ee9f90a2e3fc83fcc16212cbba
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/B89OpjBFy11Ax:o68i3odBiTl2+TCU/EEhuhuQtkq+

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	8e26bb007f9b772cbb973818502d2857.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon6.ico	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\bugMAKER.bat	8e26bb007f9b772cbb973818502d2857.exe
File opened for modification	C:\Windows\winhash_up.exez	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\winhash_up.exe	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\winhash_up.exez	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	8e26bb007f9b772cbb973818502d2857.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	8e26bb007f9b772cbb973818502d2857.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2732	1992	8e26bb007f9b772cbb973818502d2857.exe	28
PID 1992 wrote to memory of 2732	1992	8e26bb007f9b772cbb973818502d2857.exe	28
PID 1992 wrote to memory of 2732	1992	8e26bb007f9b772cbb973818502d2857.exe	28
PID 1992 wrote to memory of 2732	1992	8e26bb007f9b772cbb973818502d2857.exe	28

C:\Users\Admin\AppData\Local\Temp\8e26bb007f9b772cbb973818502d2857.exe
"C:\Users\Admin\AppData\Local\Temp\8e26bb007f9b772cbb973818502d2857.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
2733b916075c992dc58012cb3f90d175

SHA1
9b1394c0f076ddfbd4e0c9048e82ae20ff3b28e7

SHA256
69bb449335745ccfdca3c85810a4c9a47b47bad67df1b0c80f859b11bb9a98b5

SHA512
1ecb239ea24b47a6b176546a9fd0a95fe92c051ca5a8f2cc5cd51ef1e3dad65c7445cd028dd78617c6d31a9dde85beb5ed85aec16e1352d5c84170d7f46cca07

Download Submit
memory/1992-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2732-62-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads