d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5

General

Target

d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
Size

326KB
MD5

ae99ad5db5b6bbceebc7f54dfeac487e
SHA1

5251c9ce4db8b81c2f4c13564de9c1e734f4cc9d
SHA256

d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5
SHA512

b9b940453070b0ce329a40ede2853440c3fc397ec6ed452e2e2f12cb6e5b00c8991749a86f376f7e4b65f9d30f47300adfdb9ed7aed9eeb2fe94390417b42ce6
SSDEEP

3072:ymyvMnbtGXRvjxCb5NgXDY7uSlkJcUa7kYQTcqW2NdQQGH/UDhSCUc4aqTB3RtCE:ozlKgzelZNQSBQGH/CSpWqTfmQ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 11 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe

description	ioc	process
File opened (read-only)	\??\F:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\H:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\I:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\J:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\K:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\L:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\N:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\E:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\O:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\M:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened (read-only)	\??\G:	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe

Drops file in Program Files directory 64 IoCs

Processes:

d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Internet Explorer\ielowutil.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\7-Zip\7z.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\RCXFDF2.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXE204.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows Media Player\wmplayer.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXE234.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\7-Zip\RCXE551.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXE6FD.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXE71D.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\RCXF4A4.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCXAE58.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\7-Zip\RCXE591.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\RCXED67.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\RCXFABF.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\7-Zip\RCXE407.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\7-Zip\RCXE5D1.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\RCXED37.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXE8ED.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\RCXFD45.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXDA4C.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.cab	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
File opened for modification	C:\Program Files\7-Zip\RCXE571.tmp	d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe

C:\Users\Admin\AppData\Local\Temp\d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe
"C:\Users\Admin\AppData\Local\Temp\d7fa748fc75094b0273bb893a23bedf1b831df9f942e12a445e5805ae135abe5.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
PID:4820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4820-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing