93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7

General

Target

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
Size

4.5MB
MD5

be059dd5f3442f498bde97f69265ccbd
SHA1

28a8eae3633023961f3bcc3d473b0aa1943676c4
SHA256

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7
SHA512

493de3059a33e9ce8bcf67dfea31af6525764917729aeb7705eec20ab78eae3d216ddc6d9d4bebcbf7fa7748e92aa4efa1f0dbcd4e67c142c8c33a317c7c421d

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe

description	ioc	process
File opened (read-only)	\??\K:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\M:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\Q:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\W:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\Z:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\F:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\J:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\E:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\H:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\I:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\P:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\T:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\U:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\V:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\A:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\B:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\G:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\L:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\N:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\O:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\R:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\S:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\X:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\Y:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe

Drops file in Windows directory 64 IoCs

Processes:

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-halftone-ui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_11659fed3eedfa29.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ced8c5f5522508f7_msxml3r.dll.mui_cd6e1e8f	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.1.7601.17514_none_f59e20ddece8f922.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_2bf2f100dfb34cb2_mpssvc.dll.mui_4b194b5f	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5797a7f9b2be5a11_volmgrx.sys.mui_b0c205d7	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_43a267568efeb4cc.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_compstui.dll_a5f72f50	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..endencies.resources_31bf3856ad364e35_6.1.7600.16385_de-de_01a4b28a61e811ab.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70_31bf3856ad364e35_6.1.7600.16385_none_578b05f45f6e5c68_dui70.dll_5f097b0b	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_en-us_453be6e96bdadb18.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..integrity.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ac389c4f782d818f.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-segoeui_31bf3856ad364e35_6.1.7600.16385_none_2cb0f5602bedb50f_segoeuib.ttf_ea2ef279	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0d09bfa184af61af.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rpc-local_31bf3856ad364e35_6.1.7601.17514_none_1220a4865bb3d9a0_rpcrt4.dll_5aa847dd	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-pcw_31bf3856ad364e35_6.1.7600.16385_none_165b3257a4922fbe_pcwum.dll_d77c78c6	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_es-es_85e455db744936f4.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647_appidpolicyconverter.exe_83972af0	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7601.17514_none_8649674dfda23046_gpapi.dll_868dd225	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0e75d0c5c59459cc_iscsidsc.dll.mui_6acb64a6	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7601.17514_none_a505d556c9de886a.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37_tcpip.sys_3339bd51	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_6.1.7600.16385_en-us_354c8605d3d714f3_wiaservc.dll.mui_54051b53	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_6.1.7600.16385_none_df4bbe8e10903104_hvgasys.fon_9f580ce4	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-htmlhelp-infotech_31bf3856ad364e35_6.1.7601.17514_none_f8ab56ff71fc562a_itss.dll_f5d929eb	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_fc675397c4309dd0_loadperf.dll.mui_f6faeae0	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ntmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_98cd7f54591f01d7_mountmgr.sys.mui_71b54a25	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-nbsmb_31bf3856ad364e35_6.1.7600.16385_none_bb5f82db11a747df.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f148573ead9e671e_mfc42.dll.mui_66106d85	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-core-library_31bf3856ad364e35_6.1.7601.17514_none_b4c7e8f4ae2a1921_efscore.dll_2a98ded7	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7600.16385_none_257c28acbf0ea870_csrsrv.dll_f50da7f9	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bea9fe0db5a8675c_ulib.dll.mui_bb7d4db5	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3946be823da1aac0.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4b67b4e19c005251.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-sens-service_31bf3856ad364e35_6.1.7600.16385_none_17ae1ea8d8a86ab0.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winbio.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4ededf901613f76b_winbio.dll.mui_7a8d17bd	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-xmllite_31bf3856ad364e35_6.1.7600.16385_none_e5307039bcff94de_xmllite.dll_ce078c31	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_sv-se_a3dab79bf7c211cf.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_findnetprinters.dll_d9721533	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-win32k.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0abd8371bd7222cc_win32k.sys.mui_c0d34fe8	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-e..e-library.resources_31bf3856ad364e35_6.1.7600.16385_de-de_694f3c78860517ad.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-spp-main.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ef5bd8db7860b785_sxproxy.dll.mui_f9d8f818	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_de-de_3c9de3a8b639aa1c_firewallapi.dll.mui_43c7a05b	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_en-us_cd970b6106ea9e70_perfhost.exe.mui_2046145e	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_3006d43cee449c00.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-unimodem-config_31bf3856ad364e35_6.1.7600.16385_none_f4d7f7b17ffe522a_modemmigplugin.dll_6b9e1a82	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_23268e5d5ff07ea1.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-filtermanager-core_31bf3856ad364e35_6.1.7601.17514_none_6f2f7861416b9bc6.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_ega40850.fon_5e8f5479	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_a6821d2940c2bcdc.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mprmsg.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0fa510c7a4b9037a.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76_base_altgr.xml_da14b41b	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1c8666cba19c26e1_modemui.dll.mui_a710bc71	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-f..libraries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_33867737402be86b.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-c..ermodepnp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_477d5eb32bbddc05_umpnpmgr.dll.mui_d66aed17	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..rvice_mof.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2507f83c52d906be_iscsidsc.mfl_20ed5374	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.1.7601.17514_none_10145eccb79418a5_samlib.dll_caeebf04	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..onal-codepage-54936_31bf3856ad364e35_6.1.7600.16385_none_36f037fd59607046_c_g18030.dll_b816b81f	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.1.7601.17514_none_0990ff400fc4c431_cscdll.dll_03753295	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..-usermode.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9d396ba2aef41ee0.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-webservices_31bf3856ad364e35_6.1.7601.17514_none_6ca25da84551ca13_webservices.dll_58f50a80	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-hbaapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e783cbd2d6a14396_hbaapi.mfl_4e36195e	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-legacyhwui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f36e4f388e096ead_hdwwiz.cpl.mui_cdafedff	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ro-ro_0577819b021e44a4.manifest	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-u..em-config.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_341a55f41ef1be52_mdminst.dll.mui_19a87063	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exepowershell.exe

pid process

832 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
1680 powershell.exe

pid	process
832	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
1680	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe

description	pid	process	target process
PID 832 wrote to memory of 1680	832	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe	powershell.exe
PID 832 wrote to memory of 1680	832	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe	powershell.exe
PID 832 wrote to memory of 1680	832	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe	powershell.exe
PID 832 wrote to memory of 1680	832	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
"C:\Users\Admin\AppData\Local\Temp\93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1680-55-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/1680-56-0x0000000002850000-0x0000000002852000-memory.dmp

Filesize
8KB

Download
memory/1680-58-0x0000000002852000-0x0000000002854000-memory.dmp

Filesize
8KB

Download
memory/1680-59-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1680-57-0x000007FEF3460000-0x000007FEF3FBD000-memory.dmp

Filesize
11.4MB

Download
memory/1680-60-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads