92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408a

General

Target

92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
Size

1.5MB
MD5

72b164ed5921204ab340f132cd836a60
SHA1

451ea871fe6af4560433c42465ae2ec4e34fbcb7
SHA256

92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408a
SHA512

308bb0d04f3ef40b1fc7015b91405d76f0786255fbaa602d95ed11514a1d37254e948dd78c306f2192f20440ccf2a77b5a36c981edce872503b81bc1c47d53b4
SSDEEP

24576:2LwAsgGKKlcmSAw2WpG+6oZJoAOM08/85RkptVIJqcVfs:tKKemS3UKOMjUfkptVxcVE

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\V:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\A:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\I:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\K:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\Y:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\G:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\T:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\U:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\O:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\P:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\R:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\L:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\M:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\N:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\J:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\Q:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\W:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\X:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\Z:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\B:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\E:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened (read-only)	\??\H:	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2860	3060	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe	30
PID 3060 wrote to memory of 2860	3060	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe	30
PID 3060 wrote to memory of 2860	3060	92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe	30

C:\Users\Admin\AppData\Local\Temp\92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe
"C:\Users\Admin\AppData\Local\Temp\92ceb573b351536d6b969a049a1f5a682e8b692048386847b520cea27260408aN.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3060 -s 132
  2⤵
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JavaLauncher.log

Filesize
1KB

MD5
f4ca348c2a85fd78fda02d4de8d1ffb8

SHA1
8562a41d678dd1a1de9ef27aa938210b4144b61d

SHA256
edc354a3247968d82f3255275078f5389d14807c4b0af3e304329689b22deb95

SHA512
3e0321d813433d66edef22c0007f893a2a6a3d168f41c955fdf523f0511504718e4432bd3f49e806755f9d2aa0c0ab4d0f0b5b3eb2167015d8497d02a4a1dc00

Download Submit
memory/3060-8-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/3060-11-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/3060-7-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/3060-1-0x00000000000F0000-0x00000000000F5000-memory.dmp

Filesize
20KB

Download
memory/3060-0-0x000000013F760000-0x000000013F8CD000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing