152925837420d51eb900eef23dbce276233b9d4a5b1612dc299fd4e51e9889ff

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dec3a0c145298b014e1cf94b9b3a2742.exe
Size

175KB
MD5

dec3a0c145298b014e1cf94b9b3a2742
SHA1

64973740e28511849fafdb5ed307653ba051f673
SHA256

152925837420d51eb900eef23dbce276233b9d4a5b1612dc299fd4e51e9889ff
SHA512

60d17ec44520abc272de91a3aec95ab50438304f07357ef0642d60029125fef14eb9490e05e478f8e13237fdae944dffb3706713756c0d971bd06dce3e793c65
SSDEEP

3072:/cT9g8immW6Pozkk2eKs/CSr2nQ/E2S5ny+bF2u1I+ddDK7Hlq/e8Jd:o68i3odBiTl2+TCU//d

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft I Service = "C:\\Windows\\winhash_up.exe /REGstart"	dec3a0c145298b014e1cf94b9b3a2742.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SHARE_TEMP\Icon2.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon3.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon5.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon12.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon14.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\bugMAKER.bat	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\winhash_up.exez	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\winhash_up.exe	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon6.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon7.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File created	C:\Windows\SHARE_TEMP\Icon10.ico	dec3a0c145298b014e1cf94b9b3a2742.exe
File opened for modification	C:\Windows\winhash_up.exez	dec3a0c145298b014e1cf94b9b3a2742.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1912	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1912	2752	dec3a0c145298b014e1cf94b9b3a2742.exe	87
PID 2752 wrote to memory of 1912	2752	dec3a0c145298b014e1cf94b9b3a2742.exe	87
PID 2752 wrote to memory of 1912	2752	dec3a0c145298b014e1cf94b9b3a2742.exe	87

C:\Users\Admin\AppData\Local\Temp\dec3a0c145298b014e1cf94b9b3a2742.exe
"C:\Users\Admin\AppData\Local\Temp\dec3a0c145298b014e1cf94b9b3a2742.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\bugMAKER.bat
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\bugMAKER.bat

Filesize
76B

MD5
de357f21c6ab8aebeb217b37cf650b79

SHA1
bc5a183c361a6407acbcf7b19bacf11798fd34cd

SHA256
a11fe339183ead12ca842ac34d9ddf098a79c1daf736fea7aa6163b15bc33b7c

SHA512
7122743d74ad12f3d3b0f3453e471e0f707572a19b8f68a36838d15f48b23ac957d6bcbfc71c684d31fa4d810d36d633952a9b1a551d711693e8328f44bcb246

Download Submit
memory/2752-24-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads