a5435aa94081c40345e05fd402e0184d8d9b40357069c6be834738ce7fcbe116

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

affb33ba276092afb065286b88567b94_JC.exe
Size

1.5MB
MD5

affb33ba276092afb065286b88567b94
SHA1

83e56e95408a8fdaf925cefbd6063906f0c426e3
SHA256

a5435aa94081c40345e05fd402e0184d8d9b40357069c6be834738ce7fcbe116
SHA512

a6cdc5fe561637d66604152490b00c4a16b876e56b995b457c61105cf30578d6232d47d2884b0dbff78648e948f4318420f052497117a177af15bec77c0cc0c7
SSDEEP

3072:PQXi3tGXRvjxCb5NgXDY7uSK4aqTBgWrl37oTjCpugmQTe:K9lKgzeYqTWjqxmQS

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\E:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\G:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\I:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\J:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\K:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\H:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\L:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\N:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\O:	affb33ba276092afb065286b88567b94_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\RCX46D1.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX4704.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX482F.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX481E.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\7-Zip\7z.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX4702.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\readme.1xt	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX491F.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX490B.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX4932.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX490E.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX4943.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX490C.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX4930.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\7-Zip\7zFM.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\7-Zip\7z.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX481F.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX4942.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX4944.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\DVD Maker\DVDMaker.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX46D0.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX4703.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\7-Zip\7zFM.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX490D.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX490F.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX4701.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	affb33ba276092afb065286b88567b94_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
660	1560	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 660	1560	affb33ba276092afb065286b88567b94_JC.exe	28
PID 1560 wrote to memory of 660	1560	affb33ba276092afb065286b88567b94_JC.exe	28
PID 1560 wrote to memory of 660	1560	affb33ba276092afb065286b88567b94_JC.exe	28
PID 1560 wrote to memory of 660	1560	affb33ba276092afb065286b88567b94_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\affb33ba276092afb065286b88567b94_JC.exe
"C:\Users\Admin\AppData\Local\Temp\affb33ba276092afb065286b88567b94_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 736
  2⤵
  - Program crash
  PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
0149c435de2bd6536926db8714290e91

SHA1
a618e1879155452271a78d84c043bf383cdf0302

SHA256
708077a58c2c7a333c0aed15205a9eabe68b4d854e7675fcb0098152bbc16b9d

SHA512
b9b290786571ff9e9a72e9c2b45fbe0f92d636432146281f3c2beae434866ae466f881d1cf684273776fa7bc319c6c0a347a2a3d49381246d530e8509bb39b96

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

Filesize
118KB

MD5
f45a7db6aec433fd579774dfdb3eaa89

SHA1
2f8773cc2b720143776a0909d19b98c4954b39cc

SHA256
2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a

SHA512
03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX481E.tmp

Filesize
216KB

MD5
4467caaae548ca354469a932734b5de6

SHA1
ce93d37187f62c67fce44ff1029a038914d52329

SHA256
4e8fcd79b96ece9089dcabeddecc14697595a850b0f1d3027b9040cdb1f6a095

SHA512
2d584cd278f1efe363fa80bccdc7555f95d8efed37b400cd7894dd0f4e783cc4670db8d0e511ed95e9568171f936ee54d95e753f6c1b1885237e12cc7e13b424

Download Submit
C:\Program Files\Google\Chrome\Application\RCX490F.tmp

Filesize
488KB

MD5
7c51a8a11c5ed505e23126d5cbde604b

SHA1
52ba0bf3dc67c22c536ac8019943283f0587cd46

SHA256
887fed961f8daebeceb92dbc573411ccbc03cc583e6364be6c745f8190b08649

SHA512
b36f4c48b8b07f06d207076d8932ba6118372e7fc1cd9cbe66ea15193ded70cdad52a7902b6c5a8e485bbcc4a293d621f62da2808b563da91025e41584c45d86

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.cab

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit