2f8d8b0e24305467561a82681c6fa541be5865bf12f25f44987d76a946895921

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8679b3896b242fc81caabb89eb0341a0N.exe
Size

1.5MB
MD5

8679b3896b242fc81caabb89eb0341a0
SHA1

913f951c5d3ed04deaf0b7c1a993f7a0b6757eda
SHA256

2f8d8b0e24305467561a82681c6fa541be5865bf12f25f44987d76a946895921
SHA512

ded933372634a5c429d39d09ee650c8596af172c425882267839f90d16c50fb53edfea7b97a42758e0d49e177f6621aa4100affd7dbce2213cc955e421968a86
SSDEEP

3072:CmyvMnbtGXRvjxCb5NgXDY7uSlkJcUa7kYQTcqW2NdQQGH/UDhSCUc4aqTB3RtPW:4zlKgzelZNQSBQGH/CSpWqTemQ

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\G:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\I:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\L:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\O:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\H:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\J:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\K:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\M:	8679b3896b242fc81caabb89eb0341a0N.exe
File opened (read-only)	\??\N:	8679b3896b242fc81caabb89eb0341a0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D4C.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\DVD Maker\DVDMaker.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D34.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX9CB2.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\readme.1xt	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\7z.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX9CE3.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D4D.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX9CE2.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D33.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D4A.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\7-Zip\7z.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX9CA0.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D32.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX9C9D.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX9C9E.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\7-Zip\7zFM.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\7-Zip\7z.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX9C9F.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D45.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D49.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D4B.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX9CE1.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\RCX9CB1.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D46.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D48.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX9D47.tmp	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\7-Zip\7zFM.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	8679b3896b242fc81caabb89eb0341a0N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.cab	8679b3896b242fc81caabb89eb0341a0N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.cab	8679b3896b242fc81caabb89eb0341a0N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1956	2356	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8679b3896b242fc81caabb89eb0341a0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1956	2356	8679b3896b242fc81caabb89eb0341a0N.exe	30
PID 2356 wrote to memory of 1956	2356	8679b3896b242fc81caabb89eb0341a0N.exe	30
PID 2356 wrote to memory of 1956	2356	8679b3896b242fc81caabb89eb0341a0N.exe	30
PID 2356 wrote to memory of 1956	2356	8679b3896b242fc81caabb89eb0341a0N.exe	30

C:\Users\Admin\AppData\Local\Temp\8679b3896b242fc81caabb89eb0341a0N.exe
"C:\Users\Admin\AppData\Local\Temp\8679b3896b242fc81caabb89eb0341a0N.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 736
  2⤵
  - Program crash
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.cab

Filesize
544KB

MD5
9a1dd1d96481d61934dcc2d568971d06

SHA1
f136ef9bf8bd2fc753292fb5b7cf173a22675fb3

SHA256
8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525

SHA512
7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

Download Submit
C:\Program Files\7-Zip\7zFM.cab

Filesize
930KB

MD5
30ac0b832d75598fb3ec37b6f2a8c86a

SHA1
6f47dbfd6ff36df7ba581a4cef024da527dc3046

SHA256
1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74

SHA512
505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Download Submit
C:\Program Files\7-Zip\RCX9C9D.tmp

Filesize
236KB

MD5
8cd2aa0ee0b335031b8e62cb7dc9da1c

SHA1
4e0467fd9bf84aff97d3b28c699adf5dee7026cb

SHA256
a4cc644fae1146aeca0b570e8c8ab67e7d1869662c1c903d6a8ea53337aa9c5d

SHA512
c1397efbec996b47e98369722a4afcf080e6c7e107f062d171367e69ce08c6b585b52381feb894fefea48c511585b5bc65ee34e58083e30a5faa1662e4a108b0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.cab

Filesize
118KB

MD5
f45a7db6aec433fd579774dfdb3eaa89

SHA1
2f8773cc2b720143776a0909d19b98c4954b39cc

SHA256
2bc2372cfabd26933bc4012046e66a5d2efc9554c0835d1a0aa012d3bd1a6f9a

SHA512
03a4b7c53373ff6308a0292bb84981dc1566923e93669bbb11cb03d9f58a8d477a1a2399aac5059f477bbf1cf14b17817d208bc7c496b8675ece83cdabec5662

Download Submit
C:\Program Files\Google\Chrome\Application\RCX9D46.tmp

Filesize
236KB

MD5
2c97ddbf08c1afa9c9c1d17b2d60e3b6

SHA1
8a4873445c3771f99f44ac541578b2a50353b86a

SHA256
5424b6ab6c0aba75e25ce472806e4fe9c3412df3de5dc451d7d63d6e87f5437d

SHA512
6516e971bd317456b185d52848d0119626fbcf57e562853ace7777dd8cc3d9f6c4e68e4405a70515b7cf8013a62f1f6930ad7292700c2348b647c3a0d357b386

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.cab

Filesize
2.8MB

MD5
095092f4e746810c5829038d48afd55a

SHA1
246eb3d41194dddc826049bbafeb6fc522ec044a

SHA256
2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588

SHA512
7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Download Submit
memory/2356-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2356-169-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download