ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353

General

Target

ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
Size

1.5MB
MD5

5a963b31ea10f1e3d1affe5d66003835
SHA1

c683fa187d9eaa83a7d59da9042942984de7345c
SHA256

ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353
SHA512

29ccf5bb0a6781ebf464f014e06cd8e4cab87dac7d146f42d12bac1ead2de25470ad87729681f39a7b9f55eca566f86dae88922a0a35bf5435c1b21ab920a428
SSDEEP

6144:sZSE8UGJwiYwUfWeR7oHYnOW111mFW+3:03GFY/jWHYt1yW+

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 4 IoCs

resource	yara_rule
behavioral2/memory/4504-0-0x0000000000400000-0x000000000044E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0002000000022aa8-13.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023457-57.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4504-67-0x0000000000400000-0x000000000044E000-memory.dmp	INDICATOR_EXE_Packed_MPress

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\H:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\I:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\J:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\L:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\N:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\G:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\K:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\M:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened (read-only)	\??\O:	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\RCX3A16.tmp	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\RCX3A17.tmp	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File created	C:\Program Files\7-Zip\7zFM.cab	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File created	C:\Program Files\7-Zip\7zFM.exe	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\RCX3A39.tmp	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File created	C:\Program Files\7-Zip\7z.exe	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX3A9A.tmp	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\RCX3A3A.tmp	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File created	C:\Program Files\readme.1xt	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File created	C:\Program Files\7-Zip\7z.cab	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\RCX3A28.tmp	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\7-Zip\RCX3A38.tmp	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX3A99.tmp	ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1404	4504	WerFault.exe	83

C:\Users\Admin\AppData\Local\Temp\ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe
"C:\Users\Admin\AppData\Local\Temp\ad264ef2b11e2350d2343a4d242a6a6b6f42fa8c7d848728bb27f25b256cc353.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 724
  2⤵
  - Program crash
  PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4504 -ip 4504
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
cd9929057952f46fae8bc1d5461cd092

SHA1
77d0aa02ded4a790ff1d9e892b30be05ee2d6e75

SHA256
40ce03722600f55269139f776c7716a97bbcc6572ba59c67531dc9098e867e27

SHA512
9e205d45a0674fd2980dc0d4e47fba3415308332805b10ebe6bcfe5ccee8443efedd8bb5307c6c720651f9a370efd9d5364ef703c0880961f5dea59c68b3a4e5

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\RCX3A99.tmp

Filesize
170KB

MD5
32e2cae7e76918b070f8c32616ab6bd5

SHA1
0aa207dea9e3cf5669b6f486cf9c660825b4f4b9

SHA256
58f07057ad332b7ce92d297fccb1636e5c6a1bd5b7b770adaee6b5a09a0b2e79

SHA512
7d2f860072871e603d389bb81222168050819d25c5de1176beb8520159aae0a40526aec7c40cf9f26e09a85bfa3f72e6426887bd9f927c1756261a52acc09845

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.cab

Filesize
2.1MB

MD5
b8d69fa2755c3ab1f12f8866a8e2a4f7

SHA1
8e3cdfb20e158c2906323ba0094a18c7dd2aaf2d

SHA256
7e0976036431640ae1d9f1c0b52bcea5dd37ef86cd3f5304dc8a96459d9483cd

SHA512
5acac46068b331216978500f67a7fa5257bc5b05133fab6d88280b670ae4885ef2d5d1f531169b66bf1952e082f56b1ad2bc3901479b740f96c53ea405adda18

Download Submit
memory/4504-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4504-67-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing