934f6918882ba26b90818f0eeccf389d203ecce5bf6b3f77e21bb362cec02ed3

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 07:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file_recovery.exe
Size

268KB
MD5

acc87c6705f56fbe192b263edb237d1e
SHA1

5b68b8542a3980ce4b4ec9d687546701c4bc2b53
SHA256

694d17ed2b2c44be9d116323c7f595ae82ba33e2257debebc59c81ba33eea70f
SHA512

f15f273e94d6f294268b5f1ce65100e50d4e9680942433e515224e19aaf8143799c0c00c4250fd5e55f9e384af41524a62a0f677803c147b2248aff36f951e04
SSDEEP

6144:4xidTKuNV6cW5kEpZmLQAHi/BdXZX9eweBovQm12KKLx14HfL6f:4xn6hAfzjAo8ovB12L1+L

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	file_recovery.exe
File opened (read-only)	\??\e:	file_recovery.exe
File opened (read-only)	\??\g:	file_recovery.exe
File opened (read-only)	\??\b:	file_recovery.exe
File opened (read-only)	\??\i:	file_recovery.exe
File opened (read-only)	\??\j:	file_recovery.exe
File opened (read-only)	\??\p:	file_recovery.exe
File opened (read-only)	\??\r:	file_recovery.exe
File opened (read-only)	\??\s:	file_recovery.exe
File opened (read-only)	\??\w:	file_recovery.exe
File opened (read-only)	\??\k:	file_recovery.exe
File opened (read-only)	\??\m:	file_recovery.exe
File opened (read-only)	\??\q:	file_recovery.exe
File opened (read-only)	\??\t:	file_recovery.exe
File opened (read-only)	\??\x:	file_recovery.exe
File opened (read-only)	\??\z:	file_recovery.exe
File opened (read-only)	\??\h:	file_recovery.exe
File opened (read-only)	\??\l:	file_recovery.exe
File opened (read-only)	\??\n:	file_recovery.exe
File opened (read-only)	\??\o:	file_recovery.exe
File opened (read-only)	\??\u:	file_recovery.exe
File opened (read-only)	\??\v:	file_recovery.exe
File opened (read-only)	\??\y:	file_recovery.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\file_recovery.exe
"C:\Users\Admin\AppData\Local\Temp\file_recovery.exe"
1⤵
- Enumerates connected drives
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3480-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3480-1-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/3480-2-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3480-4-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download