152925837420d51eb900eef23dbce276233b9d4a5b1612dc299fd4e51e9889ff

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dec3a0c145298b014e1cf94b9b3a2742.exe
Size

175KB
MD5

dec3a0c145298b014e1cf94b9b3a2742
SHA1

64973740e28511849fafdb5ed307653ba051f673
SHA256

152925837420d51eb900eef23dbce276233b9d4a5b1612dc299fd4e51e9889ff
SHA512

60d17ec44520abc272de91a3aec95ab50438304f07357ef0642d60029125fef14eb9490e05e478f8e13237fdae944dffb3706713756c0d971bd06dce3e793c65
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8Jd:o68i3odBiTl2+TCU//d

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	dec3a0c145298b014e1cf94b9b3a2742.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\winhash_up.exez	dec3a0c145298b014e1cf94b9b3a2742.exe
File opened for modification	C:\Windows\winhash_up.exez	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\bugMAKER.bat	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\winhash_up.exe	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon13.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon2.ico	dec3a0c145298b014e1cf94b9b3a2742.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2980	2492	dec3a0c145298b014e1cf94b9b3a2742.exe	28
PID 2492 wrote to memory of 2980	2492	dec3a0c145298b014e1cf94b9b3a2742.exe	28
PID 2492 wrote to memory of 2980	2492	dec3a0c145298b014e1cf94b9b3a2742.exe	28
PID 2492 wrote to memory of 2980	2492	dec3a0c145298b014e1cf94b9b3a2742.exe	28

C:\Users\Admin\AppData\Local\Temp\dec3a0c145298b014e1cf94b9b3a2742.exe
"C:\Users\Admin\AppData\Local\Temp\dec3a0c145298b014e1cf94b9b3a2742.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\bugMAKER.bat
  2⤵
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
de357f21c6ab8aebeb217b37cf650b79

SHA1
bc5a183c361a6407acbcf7b19bacf11798fd34cd

SHA256
a11fe339183ead12ca842ac34d9ddf098a79c1daf736fea7aa6163b15bc33b7c

SHA512
7122743d74ad12f3d3b0f3453e471e0f707572a19b8f68a36838d15f48b23ac957d6bcbfc71c684d31fa4d810d36d633952a9b1a551d711693e8328f44bcb246

Download Submit
memory/2492-67-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2980-62-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads