8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89

General

Target

8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
Size

164KB
MD5

c3946505bd4a3bcce107a45a4ffad5d5
SHA1

0fc1e4f3cffa9feb647500041adb118bf999f981
SHA256

8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89
SHA512

dd9878d53967ef6c34946d784c5174e175abd05887e10fd67ec1f7fc3f9513f5bd73e2b07ea92a9965bacf767f9f6e92c783bb6407da35f6750603f5a73caab2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

description	ioc	process
File opened (read-only)	\??\I:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\J:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\M:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\R:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\X:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\H:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\B:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\N:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\O:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\Z:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\A:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\L:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\P:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\V:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\Y:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\F:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\G:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\K:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\Q:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\S:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\T:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\U:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\W:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened (read-only)	\??\E:	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

Drops file in Windows directory 64 IoCs

Processes:

8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_10.0.19041.1_none_3c0e438aa4ca8107.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d2104853b0241561.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_1484daa47b73afab.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_en-us_f67040d980990d3f.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..n-cmdline.resources_31bf3856ad364e35_10.0.19041.1_en-us_858e75016ce6ee41.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_zh-tw_2ee3d4c657bdc65b_comctl32.dll.mui_0da4e682	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_lt-lt_ef598ca8aecfa1ed_bootmgr.exe.mui_c434701f	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directcomposition_31bf3856ad364e35_10.0.19041.1266_none_123a7540f6f47a8e_dcomp.dll_a2e93a7d	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_24b659bf5f7a8d1f_netiougc.exe.mui_ad7a9e4d	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ar-sa_90a6dad6f86cae6b_msimsg.dll.mui_72e8994f	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_uk-ua_8b4dd277974fc3d7.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_8514oem.fon_c20e1190	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.985_none_9acd392c5a6ac8a8_oleaut32.dll_730e3d41	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-us_1b939d7f8a8ff478_hidserv.dll.mui_561adfc8	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-themeservice_31bf3856ad364e35_10.0.19041.1_none_5ff38e2f67ba1cd1.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_379018f38e600fa9.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winlogon-sysntfy_31bf3856ad364e35_10.0.19041.1_none_0b6400a5af10cbc9_sysntfy.dll_6c0b60ae	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_es-es_12d9c0bd87ce2a84.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_he-il_b203a7874c9318ce.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-h..p-listsvc.resources_31bf3856ad364e35_10.0.19041.1_en-us_20f3d5cee3d27b50_listsvc.dll.mui_27f0fc85	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_10.0.19041.264_none_5c643b8f866d5e2b.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_10.0.19041.1_none_b3552a6f4dc424b4_8514oeme.fon_dbdae0a9	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-winsock-helper-tcpip_31bf3856ad364e35_10.0.19041.546_none_b400f714c4b791cc_wship6.dll_db4127c3	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_10.0.19041.1_it-it_ac991dc48f7da1c1_services.exe.mui_86ea5e71	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-userenv_31bf3856ad364e35_10.0.19041.572_none_6e154087aa2e1290.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_8514fixr.fon_f67069da	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_10.0.19041.1_none_ca60666860ba12d7_app950.fon_e2e577aa	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_zh-tw_88c9261aa201eecd_msimsg.dll.mui_72e8994f	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-f..e-microsoftjhenghei_31bf3856ad364e35_10.0.19041.1_none_1b31c6067f7278ae.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.19041.1266_none_1a0aa046bfbc05b6.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4_vds.exe_cb461c29	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_b40cbfe2afd2c015_wowreg32.exe_94fc2d06	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ndowmanager-effects_31bf3856ad364e35_10.0.19041.546_none_cefcfcd89d8d8a93.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.telemetry.ppkg_8b58160d	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_f9852e0df4948a55_memtest.efi.mui_71e15c22	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-gdi32_31bf3856ad364e35_10.0.19041.1_none_0f6fb77fe8af11e6.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-w..sition-coreservices_31bf3856ad364e35_10.0.19041.264_none_1aca864646957638.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..opactivitymoderator_31bf3856ad364e35_10.0.19041.1_none_bfdba9ed0ba30611.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasserver.resources_31bf3856ad364e35_10.0.19041.1_de-de_88414bd06cbad686_iprtrmgr.dll.mui_eb023b92	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_pt-pt_158c69c9f3caa65a.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_es-es_8f13fec659aa866c.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-winsock-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_01a52ac31deb1307.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c68aa74741937c24.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..erservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_33634d5efb5cf151_umpo.dll.mui_cac12e54	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_en-us_83d24a0903134528_mswsock.dll.mui_d7c2a730	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ng-client-overrides_31bf3856ad364e35_10.0.19041.1266_none_8e5f726ca832e39d_power.settings.idleresiliency.ppkg_de8e690f	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_cs-cz_1dee5804823a393a_comctl32.dll.mui_0da4e682	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-shlwapi_31bf3856ad364e35_10.0.19041.1023_none_6eb1689259d35752.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ole-automation_31bf3856ad364e35_10.0.19041.985_none_a521e37e8ecb8aa3_oleaut32.dll_730e3d41	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.19041.1_none_32a7dab59b322918.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bcrypt-dll_31bf3856ad364e35_10.0.19041.1023_none_636449faa48a1497.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..-usermode.resources_31bf3856ad364e35_10.0.19041.1_es-es_7ca0f0fcf72fec95_wudfplatform.dll.mui_d815d31a	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_10.0.19041.153_none_15f950fa37f594d9.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_85f1257.fon_77baa7cb	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..orkconnectionbroker_31bf3856ad364e35_10.0.19041.1_none_12a05db5643f5444.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-gdi32full_31bf3856ad364e35_10.0.19041.1110_none_d50c487210d0dafe_gdi32full.dll_ffcb16f4	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-advapi32_31bf3856ad364e35_10.0.19041.1_none_a38e09805a400126.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1202_en-us_e2d6f3ca6473453d_dsregtask.dll.mui_5e1b9353	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1202_none_5e2a05871a9a6485.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.19041.1_none_4b7cc143c2832061.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_25a24f5a6fa3eb67_storsvc.dll.mui_2fc7b1d3	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.19041.1_none_84ce53e99093d752.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_en-gb_f58a427402f53bb2.manifest	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_8a83f8a2672d374c_wmiapsrv.exe.mui_b1567840	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

pid	process
4656	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
4656	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe

description	pid	process	target process
PID 4656 wrote to memory of 2184	4656	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe	cmd.exe
PID 4656 wrote to memory of 2184	4656	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe	cmd.exe
PID 4656 wrote to memory of 2184	4656	8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe
"C:\Users\Admin\AppData\Local\Temp\8e5cd93d172b6575914ab1b5f73b139ce7f101cb0a20328d5a55190046a43d89.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:2184

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2184-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads