2f0c397eaa8ea5cfb225648954f4e9e0278876846f2d8d67f983be0f19c71a82

Analysis

max time kernel
112s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba7e7f269cce0a3f0224c28371dd54c0N.exe
Size

1.5MB
MD5

ba7e7f269cce0a3f0224c28371dd54c0
SHA1

c4f7d9bea19e6614e07d499aef0ee85726a7dfe3
SHA256

2f0c397eaa8ea5cfb225648954f4e9e0278876846f2d8d67f983be0f19c71a82
SHA512

401a9fd9aba801d6864be40ae8f4c399b48c7c8334d3e890dada151ebe2c24c4ec6a9634a58fa7cdb4d774fdf838c08431d16f9be6d7fbed44ff838edaf924d6
SSDEEP

6144:zJuXtXxog5E+FWPNfrf6yGEssQxNpbMceWdbjMMqcXmr8MMtjyhX9+FL:98XNE+FuNfrSyGEssQJy03MMq/r8MMP

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\H:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\K:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\O:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\M:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\N:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\G:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\I:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\J:	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened (read-only)	\??\L:	ba7e7f269cce0a3f0224c28371dd54c0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\readme.1xt	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX1E9D.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX21E4.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX2312.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX1E7D.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX217E.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2217.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\7-Zip\7z.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\7-Zip\7zFM.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\7-Zip\7zFM.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX20A1.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2190.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX1E4A.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX20C1.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2206.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX21D3.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX21F5.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX20D2.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\DVD Maker\DVDMaker.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX21D2.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX1E6B.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX218F.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX2218.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX2324.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX21A0.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX1E6C.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX21C2.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX21F4.tmp	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	ba7e7f269cce0a3f0224c28371dd54c0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2244	2292	WerFault.exe	29

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2244	2292	ba7e7f269cce0a3f0224c28371dd54c0N.exe	30
PID 2292 wrote to memory of 2244	2292	ba7e7f269cce0a3f0224c28371dd54c0N.exe	30
PID 2292 wrote to memory of 2244	2292	ba7e7f269cce0a3f0224c28371dd54c0N.exe	30
PID 2292 wrote to memory of 2244	2292	ba7e7f269cce0a3f0224c28371dd54c0N.exe	30

C:\Users\Admin\AppData\Local\Temp\ba7e7f269cce0a3f0224c28371dd54c0N.exe
"C:\Users\Admin\AppData\Local\Temp\ba7e7f269cce0a3f0224c28371dd54c0N.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 744
  2⤵
  - Program crash
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.5MB

MD5
ddbd956c911910f2b3ea1d400a854478

SHA1
0ccc29de20b5fa62d0fff7354bc27b75136b8711

SHA256
8c10d39f36365254f243f78fb324f9fde656f1eea47d25f5db79ed6a4b85c0f9

SHA512
4f10be2fc73b8aec07a1ea768da38ea936376d64594613b831c9bdb5d3c40a1508d094a9ef30ce9532391027ff1326f9f568a166911bec90165b1162e2b3a9a3

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

Filesize
365KB

MD5
f8608cca15def12340b1721e20c35d4c

SHA1
75fc7cf51006a2d8a78ba9e65ed1496e1b9ac7b4

SHA256
ee22bd97391b4f390b6e14d8de4fd4b54c466acf29253e74678d228e01ffd943

SHA512
af911eac749e400d85827318fca7bfda076361328b2d924744b4334610ba53d64a2751ef4ff51b3c73d0f8ee903dd207e4535146c8533c8106f884302a9abba2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

Filesize
118KB

MD5
f45a7db6aec433fd579774dfdb3eaa89

SHA1
2f8773cc2b720143776a0909d19b98c4954b39cc

SHA256
2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a

SHA512
03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX20A1.tmp

Filesize
174KB

MD5
a98298a86c5458481de58e9fd0b8eb53

SHA1
191a6b30a91748bc4d8c8d537d0bbd7407bec5e9

SHA256
e9eb1bcbb9fafd08d555ef4df2ea3a9dc846d15c2ac719e9d203d81d459729ec

SHA512
5210b465cae90236320fce93c0de599cd62632875714907ddcbc45b5196e36e0c2499f4d4461595f23b6899031a1ddce858a80f8511d5c294e0bbcdc48fa8018

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.cab

Filesize
1.6MB

MD5
527e039ba9add8a7fac3a6bc30a6d476

SHA1
729a329265eda72cada039c1941e7c672addfc19

SHA256
4b8a72fc81b733ed2e6e70d4c5401f954002783dbf14927849ad579860780b94

SHA512
9e73e14e33a5f07a87e9c1fecfdaee09d1408471052aacfde3d1e877dad4d253b525ebefca6bddabc23cf81d8dcce0785aedcc2f135d171ecbb1feaeb922c449

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.cab

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
399KB

MD5
543be01a7923661f942dc4a82df56f70

SHA1
ba40ae4e11e7aa33ca768b28ea2c8735ec53af3f

SHA256
760eeefadcb5b72eb4c8c6faecab89475d2ea004f33813cd018b75c772782922

SHA512
9c60e5fad08910ff47323dcdb49ed690c2ce7c9d9336d5e49489df665159ddeb64810e036d298bac0ac18c66269d971d83e447d3f38b4597d89eca50902394b3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.cab

Filesize
1020KB

MD5
b65d7344b0a7faa207d2e1a7adaafb60

SHA1
755ad15b1745b0e730d658d4a92e2b754425b7db

SHA256
f4b91fbbcba8a46eefe4965e4a24c6ede3decbd1fec96e141a1953173efd1c92

SHA512
f17ac73c2df7c73a31b11ce0f533d6db91bdb0cdeea653dcd52ac72c3cf28da0c236b79586ddc7a6c825fdd171290722f888465e776f12ac2cae75be82726b22

Download Submit
memory/2292-0-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2292-212-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download