279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f

General

Target

279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
Size

164KB
MD5

51c70865e429c06eceababa1212c5cf8
SHA1

3b9a7f6ec14e36eac04f8f4841dd238e346ef634
SHA256

279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f
SHA512

eccffd88a50588e7345300f600dc1b2f501ee4eec2bc53e8b248103df8067a23d63dcd4abc4d293d1eb760445dd827cc2aeadf342e7deafe30fe2c95dd7ae93d

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

description	ioc	process
File opened (read-only)	\??\N:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\O:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\U:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\X:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\H:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\I:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\J:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\M:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\Y:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\Z:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\F:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\K:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\Q:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\W:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\R:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\S:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\V:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\A:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\E:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\L:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\P:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\B:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\G:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened (read-only)	\??\T:	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

Drops file in Windows directory 64 IoCs

Processes:

279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_uk-ua_8b4dd277974fc3d7.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.1_none_9d1d02bbe396027f.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..e-ws2ifsl.resources_31bf3856ad364e35_10.0.19041.1_it-it_6c512b243847d5d6.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ja-jp_5416c68d7ab537ab.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_lv-lv_354120845477e45d_comctl32.dll.mui_0da4e682	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-system_31bf3856ad364e35_10.0.19041.1_none_3947da6a963cb0d8_8514syst.fon_d6a29820	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_30aa1615db0a20c2.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_et-ee_72df6430111dde0e.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1023_ar-sa_4244e753a064bf19.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_d3af63f17d8b58b9_bootmgfw.efi.mui_a6e78cfa	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_57ddbaad8b8daad0_sens.dll.mui_64739194	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-twinapi_31bf3856ad364e35_10.0.19041.264_none_993ed006c57fc816.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.1288_none_dbd2bd89b002cded_bootuwf.dll_c8bed798	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-basedependencies_31bf3856ad364e35_10.0.19041.546_none_e09b38c4879eb2b7_psapi.dll_e8b5b4d1	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_de-de_ab07071d714e7ecb_wevtsvc.dll.mui_f41bf7b7	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_sr-..-rs_b2c524b47939e030.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_10.0.19041.610_none_a556313cd729d07d_msobjs.dll_052c8a60	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-sens-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_22421b8ad284b186.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1_none_f53b118699fc22cb.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_nb-no_27a70b04b2458f02.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_tr-tr_fb03b1546153a4c3.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_10.0.19041.1_none_60f873a5caaf6704_winmgmt.exe_8f8eb7b1	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_nb-no_cddb09fa0f832b11_comctl32.dll.mui_0da4e682	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-user32_31bf3856ad364e35_10.0.19041.1288_none_4c54bd1d56ecfd46.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ce50872d244d15c5_deviceregistration.dll.mui_5b79527a	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sv-se_19e50489d0787aec_bootmgr.efi.mui_be5d0075	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ui-xaml-controls_31bf3856ad364e35_10.0.19041.1023_none_8ab455d5934af9be_windows.ui.xaml.controls.dll_4c861b99	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_59dedd2b6ac5922c.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.19041.546_none_cefcfcd89d8d8a93_wuceffects.dll_0c15b7d5	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_10.0.19041.1_none_9ab96313e8d638bb_iscsitarget.cdxml_1fec77bc	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-pt_c0ec67041f3e7ed5_comctl32.dll.mui_0da4e682	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_10.0.19041.1_it-it_3ac41f540029466c_sdbinst.exe.mui_258ad624	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_1aebdebe097e4aa4_appidsvc.dll.mui_6717e231	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_th-th_8739216e3790b2ba.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon.resources_31bf3856ad364e35_10.0.19041.1_en-us_80e99f0ea373f8b5.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus.systemcopy_31bf3856ad364e35_10.0.19041.1288_none_5ba23d0eab3d4017_gdiplus.dll_423f7010	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-csrss_31bf3856ad364e35_10.0.19041.546_none_36dd2ad842e4f8c3.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2be345c8bb63eed7.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.systemcompatible_6595b64144ccf1df_6.0.19041.1_none_bcf22701031bcbf3.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_10.0.19041.1_sl-si_1c174079cf03759e.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_pt-br_c00a97981fcf0ef9.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..turalauthentication_31bf3856ad364e35_10.0.19041.746_none_d1b446a5fe3076f1_naturalauth.dll_90858e23	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5b5a0fc040a75c4e_winresume.exe.mui_ff8b5358	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_sl-si_e4613bab44d6f02b.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_1cad2165a3d16b35.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_10.0.19041.1_none_e86919b4bac0ee7b.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4a63e5b647d5f3d8_hidserv.dll.mui_561adfc8	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1_none_9f5ae62104c19365.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodepowerservice_31bf3856ad364e35_10.0.19041.1023_none_d2e23d980197bef4.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1288_qps-ploc_f6c6cc73660e3177_bootmgr.exe.mui_c434701f	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..memanager.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd076cb21a41edb1_volmgrx.sys.mui_b0c205d7	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3_dciman32.dll_a41dd515	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ucrt_31bf3856ad364e35_10.0.19041.789_none_89924141786cea16.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_en-us_8f48a1e2598394c7_wiarpc.dll.mui_0c913b87	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_hu-hu_fd01b7045f001002_comctl32.dll.mui_0da4e682	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..services-publicapis_31bf3856ad364e35_10.0.19041.546_none_a52a325e25248692.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_en-us_83d24a0903134528.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_he-il_b203a7874c9318ce.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-lua-onecore.resources_31bf3856ad364e35_10.0.19041.1_en-us_2d74d8104df16972.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..-configuration-data_31bf3856ad364e35_10.0.19041.546_none_eaba62c4b31f4bbe_bcd.dll_047e2c4d	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_ar-sa_29cebd93ee18877a.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..onal-keyboard-kbdus_31bf3856ad364e35_10.0.19041.1_none_34a329b3b3f01d7b.manifest	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shell32_31bf3856ad364e35_10.0.19041.1266_none_e0eefe63c72d43e8_windowsshell.manifest_ad1cb5ce	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

pid	process
2368	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
2368	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe

description	pid	process	target process
PID 2368 wrote to memory of 4820	2368	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe	cmd.exe
PID 2368 wrote to memory of 4820	2368	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe	cmd.exe
PID 2368 wrote to memory of 4820	2368	279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe
"C:\Users\Admin\AppData\Local\Temp\279c2c28e099fa543dfb77f25cc384ce2d993b785bc6b5241ed736c29d3eaf7f.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:4820

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4820-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads