476c393c90eeb922d1d8e33ca0027948cd78b2faac5d1c1747f88a98ee7160a8

General

Target

45dcb22196560c2c3c95d71405c5e10a_JC.exe
Size

1.5MB
MD5

45dcb22196560c2c3c95d71405c5e10a
SHA1

881dd3488eb93b923ab6a1e90dd7ec1df5e4b339
SHA256

476c393c90eeb922d1d8e33ca0027948cd78b2faac5d1c1747f88a98ee7160a8
SHA512

c3d22a27641f659013c171d05ec21c9378f2af745c28e4e1c5f340e6da7b80bfb9b045fd78ccd8adcd48320d6a8e8a2c5a540dfc680af18d647186f3b27c8683
SSDEEP

3072:ZaHSp3tGXRvjxCb5NgXDY7uSlkJcUa7kYQTcqW2NdQQGH/UDhSCUc4aqTBZ9:QHHlKgzelZNQSBQGH/CSpWqT

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\J:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\N:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\O:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\E:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\I:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\K:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\L:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\M:	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened (read-only)	\??\H:	45dcb22196560c2c3c95d71405c5e10a_JC.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXDEAE.tmp	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File created	C:\Program Files\7-Zip\7z.exe	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File created	C:\Program Files\7-Zip\7zFM.cab	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File created	C:\Program Files\7-Zip\7z.cab	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXDE8D.tmp	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXDE8E.tmp	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXB611.tmp	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXB622.tmp	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File created	C:\Program Files\7-Zip\7zFM.exe	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File created	C:\Program Files\readme.1xt	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXDC39.tmp	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCXDE7C.tmp	45dcb22196560c2c3c95d71405c5e10a_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXDEBE.tmp	45dcb22196560c2c3c95d71405c5e10a_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1440	3828	WerFault.exe	83

C:\Users\Admin\AppData\Local\Temp\45dcb22196560c2c3c95d71405c5e10a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\45dcb22196560c2c3c95d71405c5e10a_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
PID:3828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 692
  2⤵
  - Program crash
  PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3828 -ip 3828
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
9d1a300b5db300b62cc3f3c0a3dceafe

SHA1
c0acc57e0da2b164e05757c2c6654b8f1b5e9e47

SHA256
a401fe4a24a7f1b45b7f15c25eb0cfdd3fafe23b4f334272ca7a06e2d6db747f

SHA512
cabd352ff3f2bebdd6b7bbd8f32138680f836f20d23b4b8490dc852cf64bc6169748ad08636122a2bcfc988439278c331be0bbcae38d9ecadad5df7bd19f1ba3

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\RCXDEAE.tmp

Filesize
216KB

MD5
3149702cb338aed2aa937e4c0e1a149f

SHA1
ea74bf6fabde23d6176ea7bdd81ec7688ba0a45b

SHA256
219ccb6c565ce24ebfcd102eddabcdf0106428df5b8ef9bc7911f90b0c00f228

SHA512
59cc2ca5e6170e33597bea7583c27936bfe5842f40d5c22338ab23a870879ab4f7871eccf7aa8e8e6ef60424f3d896fc5e3e38c26430645c5894e181c4afa3dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit

Analysis

Sharing