65c264579eb5b211c1a682692a17c8da248e55c12807b465489f7e61e1e57236

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a37c44feaab05baaa45b322c0438146d.exe
Size

203KB
MD5

a37c44feaab05baaa45b322c0438146d
SHA1

6eb9c2c3d6be8e83cf7d84888045edf8a6cd9b41
SHA256

65c264579eb5b211c1a682692a17c8da248e55c12807b465489f7e61e1e57236
SHA512

677eeeb50a05cd6a69c064036d0d4b61b64aa7e1800645c921cdb3b4cd101ee61228fb650b77677ae90e00d008b59975c121f0bc2528d59f655f3f0d404d4768
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8ykgnYu:o68i3odBiTl2+TCU/Uk8L

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	a37c44feaab05baaa45b322c0438146d.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\winhash_up.exez	a37c44feaab05baaa45b322c0438146d.exe
File opened for modification	C:\Windows\winhash_up.exez	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\winhash_up.exe	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	a37c44feaab05baaa45b322c0438146d.exe
File created	C:\Windows\bugMAKER.bat	a37c44feaab05baaa45b322c0438146d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2592	1696	a37c44feaab05baaa45b322c0438146d.exe	28
PID 1696 wrote to memory of 2592	1696	a37c44feaab05baaa45b322c0438146d.exe	28
PID 1696 wrote to memory of 2592	1696	a37c44feaab05baaa45b322c0438146d.exe	28
PID 1696 wrote to memory of 2592	1696	a37c44feaab05baaa45b322c0438146d.exe	28

C:\Users\Admin\AppData\Local\Temp\a37c44feaab05baaa45b322c0438146d.exe
"C:\Users\Admin\AppData\Local\Temp\a37c44feaab05baaa45b322c0438146d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
d1e101fab15136b8a63fdf8caca6f723

SHA1
8f0f047798e335683f3df9b3d0b3a402e2f09f6a

SHA256
03a9e41229ce817657bfed5a885e765d0048860f85d8a62b6429811991f1cc35

SHA512
d3c519fb96126fab9487982fd79f7871962a5b3ec0a172cbf46cc0cf16e4f068a4ea5a307b7a30d8d6997c8eb4fa0fb8e31fd4196a7b2bc8ed84b4184971af40

Download Submit
memory/1696-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2592-62-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads