3782c33858c038458823ae31e67e59a206dd4286fc65d17aa440c64be2dfc230

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6b9e3b804d187a3a0051051f10d22e8_JC.exe
Size

1.5MB
MD5

a6b9e3b804d187a3a0051051f10d22e8
SHA1

bac6dfb58bc5369ca75f29e14123223f4e87771c
SHA256

3782c33858c038458823ae31e67e59a206dd4286fc65d17aa440c64be2dfc230
SHA512

bb1e644a00b080a8f89662ed90ff701ea93ea6f4f4dc7a5ac6140a6c2316aa66d585f846770cd8cd70d2b6d4c0f105bc2b5a8cdc6713e8543f37a25804ebb142
SSDEEP

3072:1xv/y9LJ3tGXRvjxCb5NgXDY7uSK4aqTBwfuDUcMgmQD:PamlKgzeYqTLmQ

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\I:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\K:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\M:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\N:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\E:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\G:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\O:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\J:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened (read-only)	\??\L:	a6b9e3b804d187a3a0051051f10d22e8_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX813E.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX814F.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\7-Zip\7zFM.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7DCC.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\7-Zip\7zFM.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX83B8.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX813C.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX813D.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7DA8.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7DA9.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX818F.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX8191.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX812A.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX812B.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\7-Zip\7z.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\DVD Maker\DVDMaker.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX83E8.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\7-Zip\7z.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7DCB.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX7ED8.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\readme.1xt	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX83E9.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX7ED9.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\7-Zip\RCX7DBA.tmp	a6b9e3b804d187a3a0051051f10d22e8_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	a6b9e3b804d187a3a0051051f10d22e8_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1624	3004	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1624	3004	a6b9e3b804d187a3a0051051f10d22e8_JC.exe	28
PID 3004 wrote to memory of 1624	3004	a6b9e3b804d187a3a0051051f10d22e8_JC.exe	28
PID 3004 wrote to memory of 1624	3004	a6b9e3b804d187a3a0051051f10d22e8_JC.exe	28
PID 3004 wrote to memory of 1624	3004	a6b9e3b804d187a3a0051051f10d22e8_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\a6b9e3b804d187a3a0051051f10d22e8_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a6b9e3b804d187a3a0051051f10d22e8_JC.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 744
  2⤵
  - Program crash
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
52dd1550a2847a811fffb7a3ad6b0437

SHA1
6f939affec36ed83ad43d51b097df578b00efebc

SHA256
94bcdfa8a26a120223ef9a07573c3567ebe22a01e6cc51c4f030dc0aee024fc7

SHA512
f82f0828762c85b285c25b945c2a8595a13c8468b05e6c38ac55f0b84b5fdd51c85b9fe7a908b99e96d5065e3dcd3e2e2cb2aef0b0574d0bde571974ab8a62a5

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
847KB

MD5
c8f40f25f783a52262bdaedeb5555427

SHA1
e45e198607c8d7398745baa71780e3e7a2f6deca

SHA256
e81b44ee7381ae3b630488b6fb7e3d9ffbdd9ac3032181d4ccaaff3409b57316

SHA512
f5944743f54028eb1dd0f2d68468726b177d33185324da0da96cdd20768bab4ca2e507ae9157b2733fd6240c920b7e15a5f5b9f284ee09d0fd385fc895b97191

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

Filesize
118KB

MD5
f45a7db6aec433fd579774dfdb3eaa89

SHA1
2f8773cc2b720143776a0909d19b98c4954b39cc

SHA256
2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a

SHA512
03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX7EC7.tmp

Filesize
224KB

MD5
b69c1cb444aceb16fe7164a73858aef5

SHA1
6d5818f953731d7f52ec95dd7affc865c0ce4ad2

SHA256
a0f772692c9704250a8d88351438a6e6eb546bfa035747f19b9598136104517b

SHA512
ebf4160cdc2d6da31587e2d809d423bb29346117e4a1c5e33d9e7568aad6ed60e64ce109a40898b3e8a1205fb2727806e8fb5dfa67a0cebe956e8e9e982efe9f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab

Filesize
1.6MB

MD5
527e039ba9add8a7fac3a6bc30a6d476

SHA1
729a329265eda72cada039c1941e7c672addfc19

SHA256
4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94

SHA512
9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

Download Submit
C:\Program Files\Google\Chrome\Application\RCX813E.tmp

Filesize
224KB

MD5
e88b4bb1ce196187a12fda5f02797c1a

SHA1
c1ba2583315cc0903a5d2a5c0748cc4739f42553

SHA256
ec4c6209c28d81aa3f7dce2714a87423fbaae9dfa07ee465b2f085bbcf1623aa

SHA512
ab5f26ed0ece22bccb6be5ce3ff0380df76262565cc42473a8455e256f96bfaf56f53a8c135d43e36902f25e8ec1d1d54192cf1818fb8da94f5957ca4fc3030d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.cab

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
1.5MB

MD5
da8e191316cfe3f986cea35729108aa0

SHA1
a5b001328834ce6148ec24aacaac77203cba7e69

SHA256
ce194a99db13ff28fae4d5c339c0cc8e4414787b7c33352f9686901c04de155b

SHA512
5d22a2f4a69cc422ef751f377012128fbad4c9a69f8bf9730305aee3f2e5fcd1562e72d15ca7134000e87f275805e5737816ad6cf4eb2b482ecf93218f9da30f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.cab

Filesize
1020KB

MD5
b65d7344b0a7faa207d2e1a7adaafb60

SHA1
755ad15b1745b0e730d658d4a92e2b754425b7db

SHA256
f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92

SHA512
f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
261KB

MD5
36cdedc717e70f561ecebb5b7292d6b0

SHA1
be73d06fac9f5c56f540535a3667a3b8d5032980

SHA256
519073e8315dffa9d4518cbb4b840648f14695f4c5075415c4ea6fe094230957

SHA512
56e201f19a32037fda8ba40107e0bd26ceeb0ecbbdaa8ee23a14044e207b5d015bd7d548043bf046915d05c66af9308846a4251e493f6afbf9477acf6d0941c8

Download Submit