a5435aa94081c40345e05fd402e0184d8d9b40357069c6be834738ce7fcbe116

General

Target

affb33ba276092afb065286b88567b94_JC.exe
Size

1.5MB
MD5

affb33ba276092afb065286b88567b94
SHA1

83e56e95408a8fdaf925cefbd6063906f0c426e3
SHA256

a5435aa94081c40345e05fd402e0184d8d9b40357069c6be834738ce7fcbe116
SHA512

a6cdc5fe561637d66604152490b00c4a16b876e56b995b457c61105cf30578d6232d47d2884b0dbff78648e948f4318420f052497117a177af15bec77c0cc0c7
SSDEEP

3072:PQXi3tGXRvjxCb5NgXDY7uSK4aqTBgWrl37oTjCpugmQTe:K9lKgzeYqTWjqxmQS

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\M:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\E:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\K:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\I:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\J:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\N:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\O:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\G:	affb33ba276092afb065286b88567b94_JC.exe
File opened (read-only)	\??\H:	affb33ba276092afb065286b88567b94_JC.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXC7CA.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXC777.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\7-Zip\7zFM.exe	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\readme.1xt	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXC788.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXC799.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXC7DB.tmp	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\7-Zip\7z.cab	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\7-Zip\7z.exe	affb33ba276092afb065286b88567b94_JC.exe
File created	C:\Program Files\7-Zip\7zFM.cab	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXC79A.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXC7AA.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXC757.tmp	affb33ba276092afb065286b88567b94_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	affb33ba276092afb065286b88567b94_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3432	4592	WerFault.exe	83

C:\Users\Admin\AppData\Local\Temp\affb33ba276092afb065286b88567b94_JC.exe
"C:\Users\Admin\AppData\Local\Temp\affb33ba276092afb065286b88567b94_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
PID:4592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 712
  2⤵
  - Program crash
  PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
507d5a9854d46179f03b4b39efb39001

SHA1
e0513f520d078963eea0fb9d5cd50b6a20e186d5

SHA256
3867b28f10b9726cc9defbb483d07c7f839149448867a27551ac55b37b85b259

SHA512
724620366a2e97539c7465df50b57a46ec405428e3d3de7c80f44a637e8116028dd337e1b63ee6d171ffa5be7b5afd32e2a36a6546c7607d22f5b4702b48a0b6

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXC7CA.tmp

Filesize
216KB

MD5
4467caaae548ca354469a932734b5de6

SHA1
ce93d37187f62c67fce44ff1029a038914d52329

SHA256
4e8fcd79b96ece9089dcabeddecc14697595a850b0f1d3027b9040cdb1f6a095

SHA512
2d584cd278f1efe363fa80bccdc7555f95d8efed37b400cd7894dd0f4e783cc4670db8d0e511ed95e9568171f936ee54d95e753f6c1b1885237e12cc7e13b424

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit

Analysis

Sharing