438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f

General

Target

438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
Size

7.8MB
MD5

3dd0d5754f94d3af673c56e4e22ed214
SHA1

659c586dd99ce37c96b7c22ae5da055679aa69a2
SHA256

438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f
SHA512

6979408a3ebfd9bb185934af7fcbc283a25f4641cf503b7db11ec92fcf3b8d912544e4420174ae160a5dfc95d022084e48f70bcf4fd24b364d6d52f2ce5eac58
SSDEEP

196608:JNQUf3px7m0dYrVnVc5dNj0sg5zA/gEL9mBxMpn:JT37Wcx2AV9m

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\R:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\S:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\Y:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\H:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\O:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\G:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\P:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\V:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\W:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\Z:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\A:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\B:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\L:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\X:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\J:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\K:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\M:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\N:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\T:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\U:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\E:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
File opened (read-only)	\??\I:	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84
PID 4540 wrote to memory of 2372	4540	438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe	84

C:\Users\Admin\AppData\Local\Temp\438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
"C:\Users\Admin\AppData\Local\Temp\438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Users\Admin\AppData\Local\Temp\438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe
  "C:\Users\Admin\AppData\Local\Temp\438fe0008eeda1aec9e6a2835880d96d93125ba1ee99e7c7fb3a482ddf89ca6f.exe"
  2⤵
  - Enumerates connected drives
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2372-154-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2372-162-0x0000000000D50000-0x0000000000FF5000-memory.dmp

Filesize
2.6MB

Download
memory/2372-169-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/2372-168-0x0000000004320000-0x0000000004323000-memory.dmp

Filesize
12KB

Download
memory/2372-140-0x0000000000D50000-0x0000000000FF5000-memory.dmp

Filesize
2.6MB

Download
memory/2372-166-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2372-146-0x0000000000D50000-0x0000000000FF5000-memory.dmp

Filesize
2.6MB

Download
memory/2372-147-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/2372-165-0x0000000000400000-0x0000000000A49000-memory.dmp

Filesize
6.3MB

Download
memory/2372-149-0x0000000000D50000-0x0000000000FF5000-memory.dmp

Filesize
2.6MB

Download
memory/2372-144-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2372-139-0x0000000000400000-0x0000000000A49000-memory.dmp

Filesize
6.3MB

Download
memory/2372-151-0x0000000000D50000-0x0000000000FF5000-memory.dmp

Filesize
2.6MB

Download
memory/2372-152-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/2372-164-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/2372-158-0x0000000000400000-0x0000000000A49000-memory.dmp

Filesize
6.3MB

Download
memory/2372-163-0x0000000000D50000-0x0000000000FF5000-memory.dmp

Filesize
2.6MB

Download
memory/2372-155-0x0000000004320000-0x0000000004323000-memory.dmp

Filesize
12KB

Download
memory/2372-156-0x0000000000400000-0x0000000000A49000-memory.dmp

Filesize
6.3MB

Download
memory/2372-153-0x0000000000D50000-0x0000000000FF5000-memory.dmp

Filesize
2.6MB

Download
memory/2372-159-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/2372-160-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2372-150-0x0000000000400000-0x0000000000A49000-memory.dmp

Filesize
6.3MB

Download
memory/4540-133-0x0000000000400000-0x0000000000D50000-memory.dmp

Filesize
9.3MB

Download
memory/4540-134-0x0000000002AB0000-0x0000000002AB3000-memory.dmp

Filesize
12KB

Download
memory/4540-148-0x0000000000400000-0x0000000000D50000-memory.dmp

Filesize
9.3MB

Download
memory/4540-142-0x0000000010000000-0x00000000107B3000-memory.dmp

Filesize
7.7MB

Download
memory/4540-136-0x0000000010000000-0x00000000107B3000-memory.dmp

Filesize
7.7MB

Download
memory/4540-135-0x0000000010000000-0x00000000107B3000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing