bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d

General

Target

bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
Size

168KB
MD5

7cf0ec8e986c475de7732e29171994b5
SHA1

30d7cc5efde2772389afcfb8061aaff726fbe1e7
SHA256

bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d
SHA512

4f35d16c746618ed52143693827d014e00b2b0550a9d5f70a1fd5a6c0fb2cdd324837e23a4fc90268c4e5fd3bee55bbb727d6ea2cddc146bea0eb21467909cd0

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe

description	ioc	process
File opened (read-only)	\??\E:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\F:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\O:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\S:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\T:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\U:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\W:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\X:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\B:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\L:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\N:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\P:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\Q:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\Y:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\A:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\H:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\J:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\M:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\V:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\G:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\I:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\K:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\R:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened (read-only)	\??\Z:	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe

Drops file in Windows directory 64 IoCs

Processes:

bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-htmlhelp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_72a70ca7e03b9b86.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cryptui-dll.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_3439e058b9e16165_cryptui.dll.mui_9728c1dd	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2e336fbd1d49b11b_winscard.dll.mui_4a82d97e	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..ty-cng-keyisolation_31bf3856ad364e35_6.1.7600.16385_none_20318e130fcade6a.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c75890c739f1b00.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_keypadbase.xml_be056c50	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-themeservice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ec2d87cac9a713a6_themeservice.dll.mui_9e71f1ab	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..assdriver.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_886e569d9951dc2a.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_121d0d73cc0b7c92_pautoenr.dll.mui_9667d15f	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_es-es_014c5fb597133b29_webio.dll.mui_e805c4b7	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_es-es_91ead78ec6b2bd15_appidapi.dll.mui_b6af37bb	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_372c37e840df1158_wldap32.dll.mui_065dbd9c	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ef3f3b3b9e7e8bff_umpo.dll.mui_cac12e54	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_de-de_f333274052deb889_user32.dll.mui_14652dbb	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c9241b147178dc55.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0cb9f658cbaed504.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_el-gr_be640d0cafcb6896_comctl32.dll.mui_0da4e682	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_b35e5a8cb554f3c8.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f7c9fbadf81b5982_apphelp.dll.mui_59096153	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1a2f0b6630a66a2f_drvinst.exe.mui_e88f4c73	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0a1287b745a0addd.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cc18cf7c2e77940e_netiougc.exe.mui_ad7a9e4d	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f3317575c0f924ac.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_ac18c667d7c3743b_iprtrmgr.dll.mui_eb023b92	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b40d05c5d0aff0b4_dhcpcsvc.dll.mui_186571e1	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.1.7601.17514_none_500a4c5042ab494a_esent.dll_35f49bdd	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_f212a9458fcfdbd5_perfi.dat_e3a35ecf	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-themeservice_31bf3856ad364e35_6.1.7600.16385_none_05f77252e20d9cfd_themeservice.dll_223a3220	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-unimodem-config_31bf3856ad364e35_6.1.7600.16385_none_50f69335385bc360_uicom.dll_d72e5b75	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..oradapter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0b0ea14b1ebdba53.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_91cbec40d69be922_sendmail.dll.mui_cbac108c	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c3c89a0484c588c8.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_c622c1b2dbc95119.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-riched32_31bf3856ad364e35_6.1.7601.17514_none_9f081dc1e0ddbddb_riched20.dll_fb578f95	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_vgaf874.fon_577765e0	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-symbol_31bf3856ad364e35_6.1.7600.16385_none_2b1957ff6a01d63e.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-h..p-provsvc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fe3eecc5f0d634fc.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3760db0440b81fb3.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-partitionmanager_31bf3856ad364e35_6.1.7601.17514_none_3fc218fad10f1ad4.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_354c8605d3d714f3_wiaservc.dll.mui_54051b53	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6e0c114cf82ecf59_netmsg.dll.mui_ab0f7c73	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_18bebc54f8bc1876_dnsapi.dll.mui_97465f8a	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_sk-sk_ca73b0dc729ea456.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ba88bec7f5c72fd7_netlogon.dll.mui_ecbeb9bd	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_pt-br_ee99ceab3ae3ff86_comdlg32.dll.mui_ac8e62f4	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bad94050bb1079fc.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_27bdda6ccd542631_acledit.dll.mui_5f932ccb	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_365b53d91b3ce4ff.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e0ac3a3491076c7a_dhcpcsvc6.dll.mui_b45c7567	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-shruti_31bf3856ad364e35_6.1.7600.16385_none_295c980d6b8c1975_shruti.ttf_c4dbca5d	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-standardvga_31bf3856ad364e35_6.1.7600.16385_none_f881232cf3b0c322_vga.sys_ccdb57c9	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_edf33f857603a056_wship6.dll.mui_1cca9bd8	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_3e4f8e47e730ab98_bootmgr.efi.mui_be5d0075	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f5d83b1064d90ccb_rasauto.dll.mui_12fa2c50	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cbe42c602e9e85b3.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_47c3a7a7b5db2631_dnsrslvr.dll.mui_1e1a1ed1	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ed3d9a150a4801e.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-khmerui_31bf3856ad364e35_6.1.7600.16385_none_a4fa82598434113b.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-irdaircomm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_552ff139ad4f66bd.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a3cb925fbca77833.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bf44ea0282c54ebb_hbaapi.mfl_4e36195e	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_en-us_3d419a3aa700badf_winhttp.dll.mui_f661192f	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_5abc71b3b20b3a94.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_ee690d31c664eee4.manifest	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exepowershell.exe

pid process

1068 bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
700 powershell.exe

pid	process
1068	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
700	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	700	powershell.exe
Token: SeBackupPrivilege	1988	vssvc.exe
Token: SeRestorePrivilege	1988	vssvc.exe
Token: SeAuditPrivilege	1988	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe

description	pid	process	target process
PID 1068 wrote to memory of 700	1068	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe	powershell.exe
PID 1068 wrote to memory of 700	1068	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe	powershell.exe
PID 1068 wrote to memory of 700	1068	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe	powershell.exe
PID 1068 wrote to memory of 700	1068	bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe
"C:\Users\Admin\AppData\Local\Temp\bf4079e3f3de0c27dc621da957f15b866f2211c1cab60d99d43420d3e4623e0d.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-55-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download
memory/700-57-0x0000000002AC0000-0x0000000002AC2000-memory.dmp

Filesize
8KB

Download
memory/700-58-0x0000000002AC2000-0x0000000002AC4000-memory.dmp

Filesize
8KB

Download
memory/700-59-0x0000000002AC4000-0x0000000002AC7000-memory.dmp

Filesize
12KB

Download
memory/700-56-0x000007FEF2660000-0x000007FEF31BD000-memory.dmp

Filesize
11.4MB

Download
memory/700-60-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/700-61-0x0000000002ACB000-0x0000000002AEA000-memory.dmp

Filesize
124KB

Download
memory/1068-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads