94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa

Analysis

max time kernel
229s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
Size

472KB
MD5

17277b2463783f3b7953af33bc7b6b3e
SHA1

8553d26ede23578d2debf60e149316aed45cad68
SHA256

94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa
SHA512

e76710b96620a8028059a5fee46f67e287bcd56a58b515ab10dc42c852e7a856d80df3c4e879b7a916d4a5cbaa2a31a0703d2b7153ee2a913814f7702dc9955e
SSDEEP

3072:WtpC8AwLefk/9+oZSTpdW1UKezpATNX2lmhjsxFZOZ27Z7YV9E6+sWBMV1Skq+A7:0EAF3GdW1vC28Us6+dkLMMqLhSDM5I0

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\H:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\R:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\S:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\V:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\T:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\B:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\F:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\L:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\M:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\N:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\O:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\Q:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\E:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\G:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\J:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\K:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\W:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\Y:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\I:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\P:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\U:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\X:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\Z:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\diagnostics\system\Networking\UtilitySetConstants.ps1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\ehome\es-ES\mcplayer.dll.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\ehome\Microsoft.MediaCenter.Bml.dll	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\ESENT\0409\esentprf.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\prnbr007.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Boot\EFI\ru-RU\bootmgr.efi.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\ehome\es-ES\ehvid.exe.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\PerfCounters_D.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\busy_i.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\no_il.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\PCW\de-DE\DiagPackage.dll.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Power\es-ES\RS_ChangeProcessorState.psd1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\mdmirmdm.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\.NETFramework\0411\corperfmonsymbols_D.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\prngt004.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\bootstat.dat	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\hmeshare.H1S	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\mf.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Performance\TS_VisualEffects.ps1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Windows\de-DE\hmeshare.H1S	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\bitlock.h1s	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\mdmrock3.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\prnok302.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\es-ES\DiagPackage.dll.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\netefe3e.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\prnfx002.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Windows\en-US\Recopack.h1s	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for Oracle\0407\_DataOracleClientPerfCounters_shared12_neutral_D.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\megasr.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\prnky005.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\setupapi.ev3	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\dshowext.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\mdmntt1.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\speech.h1s	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\prnky008.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\prnrc007.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\tsprint.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\busy_r.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Power\RS_ResetIdleDiskTimeout.ps1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_IdleDiskTimeout.ps1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\ehome\ehiTVMSMusic.dll	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\ehome\es-ES\WTVConverter.exe.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Windows\es-ES\browser.h1s	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\PERFLIB\0410\perfd.dat	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\prncs302.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\UpdatePrinterDriver.dll	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsUpdate\DiagPackage.diagpkg	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\ehome\mcplayerinterop.dll	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\mui\040C\iscsi_init.CHM	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\pen_im.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Help\fr-FR\Help_AssetId.H1K	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Windows\fr-FR\domain.h1s	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\IME\de-DE\SpTip.dll.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\mstape.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\rdvgwddm.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\no_rl.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\ehome\wow\ehuihlp.dll	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\mui\0409\authm.CHM	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\mui\040C\applocker_help.CHM	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Device\de-DE\DiagPackage.dll.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\network.h1s	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\ASP.NET\0015\aspnet_perf2.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\aspnet_state\0011\aspnet_state_perf.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\inf\usbhub\0000\usbperf.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe

C:\Users\Admin\AppData\Local\Temp\94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
"C:\Users\Admin\AppData\Local\Temp\94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...