94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
Size

472KB
MD5

17277b2463783f3b7953af33bc7b6b3e
SHA1

8553d26ede23578d2debf60e149316aed45cad68
SHA256

94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa
SHA512

e76710b96620a8028059a5fee46f67e287bcd56a58b515ab10dc42c852e7a856d80df3c4e879b7a916d4a5cbaa2a31a0703d2b7153ee2a913814f7702dc9955e
SSDEEP

3072:WtpC8AwLefk/9+oZSTpdW1UKezpATNX2lmhjsxFZOZ27Z7YV9E6+sWBMV1Skq+A7:0EAF3GdW1vC28Us6+dkLMMqLhSDM5I0

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\F:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\G:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\I:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\L:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\P:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\Y:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\Z:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\B:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\M:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\O:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\S:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\U:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\W:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\J:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\K:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\R:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\T:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\V:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\X:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\A:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\H:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\N:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened (read-only)	\??\Q:	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\iscsi.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\kdnic.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\mdmnis1u.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\netnvm64.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\FileSys.adml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\etfsboot.com	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Boot\Misc\PCAT\bootspaces.dll	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Power\de-DE\RS_Adjustwirelessadaptersettings.psd1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\microsoft_bluetooth_hfp.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\WinInit.adml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\bcastdvr\broadcastpause720.h264	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\en-US\efisys.bin	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Bluetooth\es-ES\DiagPackage.dll.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Video\RS_viddrv_hwdrmcheck.ps1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\.NET CLR Networking\_NetworkingPerfCounters_v2.h	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\errdev.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\SMSvcHost 4.0.0.0\_SMSvcHostPerfCounters.h	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\wvid.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\PeerToPeerCaching.adml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Boot\PCAT\qps-plocm\bootmgr.exe.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\up_m.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Device\en-US\DiagPackage.dll.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Globalization\ELS\Transliteration\cyrl-to-latin.nlt	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\bcmfn2.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\LSM\lagcounterdef.h	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\volsnap.PNF	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\wsynth3dvsc.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Installer	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\aero_busy_l.ani	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\CL_Utility.ps1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Help\mui\0407\odbcjet.chm	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\c_fsantivirus.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\WirelessDisplay.adml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\aero_link_i.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsUpdate\VF_Pendingupdates.ps1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\Windows Workflow Foundation 4.0.0.0\PerfCounters.h	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PLA\Reports\ja-JP\Report.System.Memory.xml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Boot\EFI\pt-BR\bootmgr.efi.mui	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\libeam.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\c_printer.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\ipoib6x.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Keyboard\en-US\CL_LocalizationData.psd1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Video\de-DE\CL_LocalizationData.psd1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Globalization\ELS\Transliteration\decompose-hangul.nlt	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\mdmdcm6.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\mdmtdkj5.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Panther\MainQueueOnline0.que	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\Display.adml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\.NETFramework\0410\corperfmonsymbols_d.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\diagnostics\system\Keyboard\TS_Cicero.ps1	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\adp80xx.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\BITS\040C\bitsctrs.ini	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.Disk.xml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\AppPrivacy.adml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\EnhancedStorage.adml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\MSAPolicy.adml	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\busy_im.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\en-US\charactermap.json	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\mdmatm2k.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\INF\wmiacpi.inf	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Logs\SIH\SIH.20221114.080805.495.1.etl	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Boot\EFI\kd_02_1af4.dll	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
File opened for modification	C:\Windows\Cursors\up_il.cur	94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe

C:\Users\Admin\AppData\Local\Temp\94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe
"C:\Users\Admin\AppData\Local\Temp\94baa43beb62ffaaedef6551770c5c68287fe51e4f35a106efca38190e3e94fa.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:4964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...