Malware Analysis Report

2025-03-14 22:30

Sample ID 240304-q6dkksch35
Target b249c3b71582873b624c95ca35749e4c
SHA256 c47f904de040740820b09c3790e111189266a14875ac4422ae1002be5f4eab5d
Tags: persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

c47f904de040740820b09c3790e111189266a14875ac4422ae1002be5f4eab5d

Threat Level: Shows suspicious behavior

The file b249c3b71582873b624c95ca35749e4c was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 13:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 13:52

Reported

2024-03-04 13:54

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SHARE_TEMP\Icon13.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon14.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon2.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon7.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon3.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon10.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon12.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\winhash_up.exez C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\winhash_up.exe C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon5.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\bugMAKER.bat C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File opened for modification C:\Windows\winhash_up.exez C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon6.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe

"C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\bugMAKER.bat

Network

N/A

Files

C:\Windows\bugMAKER.bat

MD5 7e8909952d5e1817201f31584fc4cc06
SHA1 833558bdebdee2b412d9e6941c89c2607fb2b574
SHA256 a2e4a0f4067c5d5be575bb078cba5670744a84b06ddf7a6cf48ed5dd5f138a9b
SHA512 10997ef6181227f51aaa2fbe25aab84ddeebf0ac113795149834c1b8297c2244fec9b60ef9ed5b4e993100652d1731070592c68e1366796bc810786571cb6e7a

memory/2604-62-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/2272-67-0x0000000000400000-0x000000000042D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 13:52

Reported

2024-03-04 13:54

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart" C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winhash_up.exez C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon5.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon7.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon12.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\winhash_up.exez C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon2.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon3.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon6.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon10.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\SHARE_TEMP\Icon14.ico C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\bugMAKER.bat C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A
File created C:\Windows\winhash_up.exe C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe

"C:\Users\Admin\AppData\Local\Temp\b249c3b71582873b624c95ca35749e4c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 170.191.110.104.in-addr.arpa udp

Files

C:\Windows\bugMAKER.bat

MD5 7e8909952d5e1817201f31584fc4cc06
SHA1 833558bdebdee2b412d9e6941c89c2607fb2b574
SHA256 a2e4a0f4067c5d5be575bb078cba5670744a84b06ddf7a6cf48ed5dd5f138a9b
SHA512 10997ef6181227f51aaa2fbe25aab84ddeebf0ac113795149834c1b8297c2244fec9b60ef9ed5b4e993100652d1731070592c68e1366796bc810786571cb6e7a

memory/3384-24-0x0000000000400000-0x000000000042D000-memory.dmp