5813ab8cc0fa63d51f67694cd1b3858a7d5950b646096b81fdcb6057746ba667

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19/09/2023, 19:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00094d2221c22770d26f6e6380e6628a_JC.exe
Size

1.5MB
MD5

00094d2221c22770d26f6e6380e6628a
SHA1

fa234d1dca3dbd74acc625d3dda500f7abd9d0fd
SHA256

5813ab8cc0fa63d51f67694cd1b3858a7d5950b646096b81fdcb6057746ba667
SHA512

3bc72ed7c8606858c264c4a4e2a79d156e19f2c3cec5019ee37dc68d7e062def685b079dc562320d1ad9fde64708a6a80f781ee9649fd82c2343ae5d2903264f
SSDEEP

3072:GCOPi3tGoUa7kYQTcqW2NdQQGH/UDhSCUc4aqTBdfkvb0AXj5iNyPpT4bG2k:EFINQSBQGH/CSpWqT4oAXjiU4bz

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\I:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\J:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\N:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\E:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\K:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\L:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\M:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\O:	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened (read-only)	\??\G:	00094d2221c22770d26f6e6380e6628a_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\RCX682A.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX6D0A.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX67F7.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX6A8E.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX6D6C.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX6CD1.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\7-Zip\7zFM.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX6828.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX6CF8.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX6D09.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX6CE4.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX6CE7.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX6CF7.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\7-Zip\7z.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX6827.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX6CD3.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\7-Zip\7z.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX6D6B.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\7-Zip\7zFM.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\readme.1xt	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX6807.tmp	00094d2221c22770d26f6e6380e6628a_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	00094d2221c22770d26f6e6380e6628a_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	00094d2221c22770d26f6e6380e6628a_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	2296	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2352	2296	00094d2221c22770d26f6e6380e6628a_JC.exe	28
PID 2296 wrote to memory of 2352	2296	00094d2221c22770d26f6e6380e6628a_JC.exe	28
PID 2296 wrote to memory of 2352	2296	00094d2221c22770d26f6e6380e6628a_JC.exe	28
PID 2296 wrote to memory of 2352	2296	00094d2221c22770d26f6e6380e6628a_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\00094d2221c22770d26f6e6380e6628a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\00094d2221c22770d26f6e6380e6628a_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 744
  2⤵
  - Program crash
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
cc4ae8d5bf8febb118fade517bbd84a7

SHA1
0827101e52f08aa47298887582d211ce703776d4

SHA256
d7edd828c131c29dd67c735a7a873b9d15f65373f013373dab6d775c8b46ddf5

SHA512
1721975524516158ed423c3216e96d5f7765efaee3e972c63e6c6fc02def477f1c631a3c52012580887d4c7846131a8e250455444cae6648b3e179250229e6da

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

Filesize
118KB

MD5
f45a7db6aec433fd579774dfdb3eaa89

SHA1
2f8773cc2b720143776a0909d19b98c4954b39cc

SHA256
2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a

SHA512
03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX6A6D.tmp

Filesize
284KB

MD5
04ff51951d2b8b1573187231c516468a

SHA1
2a0093b0dc7220fe27fb3022dd049c405b203481

SHA256
660ddfc1232a709acd4624f2b20b733abf0ff234d966007046af163c59e40c3d

SHA512
8a516f41523166377bffd8413de385a2c3b84f823f5a1f15c7732632f1a4ed41bc5d3429cf44097dbab2546693f9f6a575b1ea6c86b3a13dae57e03191669024

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab

Filesize
1.6MB

MD5
527e039ba9add8a7fac3a6bc30a6d476

SHA1
729a329265eda72cada039c1941e7c672addfc19

SHA256
4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94

SHA512
9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

Download Submit
C:\Program Files\Google\Chrome\Application\RCX6CE4.tmp

Filesize
284KB

MD5
5d3d333b498d7e520fdc1ca75b10167f

SHA1
e6443bba32b8b74e7caf3e0c40fd0bb6763b0f3c

SHA256
206abb8544a646c6ae9e7ee59983cf77a1ed8265e4718f3b247569ffaa5b7676

SHA512
cf0b2fc5af23ca6ccbce5915cfa4e2df0e676e6af5f87001c5007eeb07d084f9a6e61115f4f83fb13507b9fa5e2aadc512aad1e088f617cc74836363b2690ebd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.cab

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.cab

Filesize
1020KB

MD5
b65d7344b0a7faa207d2e1a7adaafb60

SHA1
755ad15b1745b0e730d658d4a92e2b754425b7db

SHA256
f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92

SHA512
f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

Download Submit