db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b

General

Target

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
Size

164KB
MD5

9a2888ddc389ecde165446d6e3c27f80
SHA1

bf77c02c5a58b5efb29db4191f7e38853dcc3c90
SHA256

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b
SHA512

9473b40f0b50d3960395e59ca23b8809cb982185f684989d1641c9193c8d2325d2d0843e66421bfdedac26e850bb3d4a9abae06741f7dfb11cf402abcfbdf3b7

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

description	ioc	process
File opened (read-only)	\??\A:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\E:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\N:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Q:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\X:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Z:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\B:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\M:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\O:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\S:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\T:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\F:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\H:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\J:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\K:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\R:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\U:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\W:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Y:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\G:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\I:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\L:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\P:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\V:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Drops file in Windows directory 64 IoCs

Processes:

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_1f49ce93103c3e39_comctl32.dll.mui_0da4e682	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_de-de_07c23c1fe40f7920_infdefaultinstall.exe.mui_ea4c5b8c	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-explorerframe_31bf3856ad364e35_6.1.7601.17514_none_20a30ed28a70711b.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_8514fixg.fon_f6656725	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ae8938add7fda7b2.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pl-pl_4871a5da2b2cebc2.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2507f83c52d906be_iscsiprf.mfl_24c6459c	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_de-de_9450c441b822af1a_winhttp.dll.mui_f661192f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pt-br_4ab86a2ef34170bc.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rmcast_31bf3856ad364e35_6.1.7601.17514_none_b2a3d1a09e8a89b1_netpgm.inf_76514a00	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4730168dcf6e8468_advapi32.dll.mui_28c7718f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc_31bf3856ad364e35_6.1.7601.17514_none_f83a40e7de7c47da_mpssvc.dll_662b267c	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_82dac7a36bd74688_bootmgr.exe.mui_c434701f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e2e88a7682b25068.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5ad8e52591f53bae_ole32.dll.mui_5035d60a	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_42b4826dc12f503b.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_747e69daca85f63e_advapi32.dll.mui_28c7718f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_cga80866.fon_2e78de72	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_23268e5d5ff07ea1.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mpr_31bf3856ad364e35_6.1.7600.16385_none_adac1f95b944e712_mpr.dll_e8c35b01	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cd82ef8cc53045c3.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8b52ed91fe5d105f.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9a8171aceaed6fe4_aelupsvc.dll.mui_5d6cb110	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-f..temutilitylibraries_31bf3856ad364e35_6.1.7601.17514_none_eb9dc1c34def72a3.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86_iscsidsc.dll_20ed5065	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c4841ba31dc446fc_msxml3r.dll.mui_cd6e1e8f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-gdi32_31bf3856ad364e35_6.1.7601.17514_none_c1f959bd9451d7a7_gdi32.dll_1f014d57	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c27c626d1e4bdd06.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_79b8d8cfc8e56a7e_mprdim.dll.mui_11b5ef08	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff_apphelp.dll_7ce69c4a	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c3c89a0484c588c8.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ityclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c0b44891b985bfda.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-nbsmb_31bf3856ad364e35_6.1.7600.16385_none_bb5f82db11a747df.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_be8acdd10de3b1a6_netbt.sys_9226f314	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0d09bfa184af61af.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_54e0b44114fa502d.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5ebc31e0daac1f4_winmm.dll.mui_224f6445	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_th-th_48e4d94ee906cf10.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-irdaircomm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7b2c41ca0486ec4.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d3dd093ad06026e1.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_70787288cf854a52_aclui.dll.mui_adadbfb7	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a028059d8dcbea2_setupapi.dll.mui_bcc172a4	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_291c6c0621fdacf4.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_426ded3684825f0a.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b28bd85e0d0ff6f1_iscsicli.exe.mui_64c0a23c	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_402dac258d03220a_scesrv.dll.mui_c6e979b7	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_6.1.7600.16385_none_946e6d209fe56342_bootvid.dll_c188118d	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fe3eecc5f0d634fc_provsvc.dll.mui_3a2926ae	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8f1e1b0781b835e8_msorcl32.chm_650a727b	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_02e1f48d8d7f349c.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1e62076fa8dcca99_mfc42.dll.mui_66106d85	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-pshed.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1e597e7a501b6698.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..ificateenrollmentui_31bf3856ad364e35_6.1.7600.16385_none_86663b85e279cca2.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_1423e918b2cd2d4b_rasbase-rassstp-repl.man_f9e15598	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e8934bff7a284e2f_axinstsv.dll.mui_be092a2d	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_be640d0cafcb6896_comctl32.dll.mui_0da4e682	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6e3ba8f78468edc8_pautoenr.dll.mui_9667d15f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_de-de_86a905149145b37c.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5f8cc8189e9fc533_wmiapsrv.exe.mui_b1567840	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7350090b7b32c466_provsvc.dll.mui_3a2926ae	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.1.7601.17514_none_c9617fb603a37c36.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c3c89a0484c588c8_userenv.dll.mui_e516a7e7	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10d22dcfce04430a_axinstui.exe.mui_aea34130	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20586841c610d801	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exepowershell.exe

pid	process
740	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
740	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
760	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	760	powershell.exe
Token: SeBackupPrivilege	604	vssvc.exe
Token: SeRestorePrivilege	604	vssvc.exe
Token: SeAuditPrivilege	604	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

description	pid	process	target process
PID 740 wrote to memory of 760	740	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	powershell.exe
PID 740 wrote to memory of 760	740	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	powershell.exe
PID 740 wrote to memory of 760	740	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	powershell.exe
PID 740 wrote to memory of 760	740	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
"C:\Users\Admin\AppData\Local\Temp\db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-54-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download
memory/740-56-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/740-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/740-58-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/740-59-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/740-55-0x0000000000C20000-0x0000000000CE9000-memory.dmp

Filesize
804KB

Download
memory/740-61-0x0000000000EB0000-0x0000000000FDD000-memory.dmp

Filesize
1.2MB

Download
memory/740-62-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/740-63-0x00000000026A0000-0x00000000027A9000-memory.dmp

Filesize
1.0MB

Download
memory/740-64-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/760-65-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/760-66-0x000007FEF30A0000-0x000007FEF3BFD000-memory.dmp

Filesize
11.4MB

Download
memory/760-68-0x00000000028F2000-0x00000000028F4000-memory.dmp

Filesize
8KB

Download
memory/760-67-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/760-69-0x00000000028F4000-0x00000000028F7000-memory.dmp

Filesize
12KB

Download
memory/760-70-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/760-71-0x00000000028FB000-0x000000000291A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads