Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/07/2024, 20:39
Behavioral task: behavioral1
Sample: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe
Resource: win10v2004-20240709-en
General
Target: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe
Size: 608KB
MD5: edd6c5d895f0e31271e0c2715ffd37c0
SHA1: 9194bc41a854f847213cd70b9d1e423b4f7ba738
SHA256: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03
SHA512: 51fed922b30072dd5029185531103b89b4510dc949a38f308494dd1225e5b28df2547cf19e7d014f50ceed037116b5f9d6790ea6f7494f42181cff666e048e9b
SSDEEP: 6144:KVj/9nGx+cUgEcmI5qpYDb1MV+w1ILKcmSsP/vSJBl5nNWHR2Nvqld2CCBhW:6D9nGygEcmIopMbv1OcmSsPWBl5Fqui
Malware Config
Signatures
Drops file in Drivers directory (39 IoCs)
Manipulates Digital Signatures (2 IoCs)
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Executes dropped EXE (4 IoCs)
pid | Process
2304 | winlogon.exe
2756 | AE 0124 BE.exe
4784 | winlogon.exe
1172 | winlogon.exe
Loads dropped DLL (3 IoCs)
pid | Process
2756 | AE 0124 BE.exe
4784 | winlogon.exe
1172 | winlogon.exe
resource | yara_rule
behavioral2/memory/2692-0-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/files/0x000700000002347e-16.dat | upx
behavioral2/memory/2692-62-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/memory/2756-72-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/memory/4784-86-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/memory/1172-93-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/memory/1172-95-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/memory/2304-254-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/memory/2756-255-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral2/memory/2756-499-0x0000000000400000-0x000000000040A000-memory.dmp | upx
Blocklisted process makes network request (1 IoC)
flow | pid | Process
2 | 4668 | msiexec.exe
Drops desktop.ini file(s) (57 IoCs)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file (1 TTP, 26 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
modification C:\Windows\WinSxS\Manifests\amd64_networking-mpssvc-ui-cpl_31bf3856ad364e35_10.0.19041.1_none_c20e40d1225a75b6.manifest AE 0124 BE.exe File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\pdferror.html AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..nailcache.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_32ee795ab5fff887.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-com-complus-admin_31bf3856ad364e35_10.0.19041.746_none_c5b7a9adbffd3a61\r\comrepl.dll AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\msil_system.data.sqlxml.resources_b77a5c561934e089_10.0.19041.1_de-de_c6802d11e9ff8a98.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-r..ility-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_a9d097371bcbf2c6 AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_system.numerics.resources_b77a5c561934e089_4.0.15805.0_it-it_758ed06bedec0686 AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-e..t-onecore.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_36dc8f5ec2a56cd4.manifest AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: vssvc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (process: vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (process: vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (process: vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) (process: vssvc.exe)
-
Modifies registry class 4 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings (process: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: winlogon.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: AE 0124 BE.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 4008: msiexec.exe
- PID 4008: msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
- Token: SeShutdownPrivilege (PID 4668, msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (PID 4668, msiexec.exe)
- Token: SeSecurityPrivilege (PID 4008, msiexec.exe)
- Token: SeCreateTokenPrivilege (PID 4668, msiexec.exe)
- Token: SeAssignPrimaryTokenPrivilege (PID 4668, msiexec.exe)
- Token: SeLockMemoryPrivilege (PID 4668, msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (PID 4668, msiexec.exe)
- Token: SeMachineAccountPrivilege (PID 4668, msiexec.exe)
- Token: SeTcbPrivilege (PID 4668, msiexec.exe)
- Token: SeSecurityPrivilege (PID 4668, msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 4668, msiexec.exe)
- Token: SeLoadDriverPrivilege (PID 4668, msiexec.exe)
- Token: SeSystemProfilePrivilege (PID 4668, msiexec.exe)
- Token: SeSystemtimePrivilege (PID 4668, msiexec.exe)
- Token: SeProfSingleProcessPrivilege (PID 4668, msiexec.exe)
- Token: SeIncBasePriorityPrivilege (PID 4668, msiexec.exe)
- Token: SeCreatePagefilePrivilege (PID 4668, msiexec.exe)
- Token: SeCreatePermanentPrivilege (PID 4668, msiexec.exe)
- Token: SeBackupPrivilege (PID 4668, msiexec.exe)
- Token: SeRestorePrivilege (PID 4668, msiexec.exe)
- Token: SeShutdownPrivilege (PID 4668, msiexec.exe)
- Token: SeDebugPrivilege (PID 4668, msiexec.exe)
- Token: SeAuditPrivilege (PID 4668, msiexec.exe)
- Token: SeSystemEnvironmentPrivilege (PID 4668, msiexec.exe)
- Token: SeChangeNotifyPrivilege (PID 4668, msiexec.exe)
- Token: SeRemoteShutdownPrivilege (PID 4668, msiexec.exe)
- Token: SeUndockPrivilege (PID 4668, msiexec.exe)
- Token: SeSyncAgentPrivilege (PID 4668, msiexec.exe)
- Token: SeEnableDelegationPrivilege (PID 4668, msiexec.exe)
- Token: SeManageVolumePrivilege (PID 4668, msiexec.exe)
- Token: SeImpersonatePrivilege (PID 4668, msiexec.exe)
- Token: SeCreateGlobalPrivilege (PID 4668, msiexec.exe)
- Token: SeBackupPrivilege (PID 4404, vssvc.exe)
- Token: SeRestorePrivilege (PID 4404, vssvc.exe)
- Token: SeAuditPrivilege (PID 4404, vssvc.exe)
- Token: SeBackupPrivilege (PID 4008, msiexec.exe)
- Token: SeRestorePrivilege (PID 4008, msiexec.exe)
- Token: SeRestorePrivilege (PID 4008, msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 4008, msiexec.exe)
- Token: SeRestorePrivilege (PID 4008, msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 4008, msiexec.exe)
- Token: SeBackupPrivilege (PID 4592, srtasks.exe)
- Token: SeRestorePrivilege (PID 4592, srtasks.exe)
- Token: SeSecurityPrivilege (PID 4592, srtasks.exe)
- Token: SeTakeOwnershipPrivilege (PID 4592, srtasks.exe)
- Token: SeBackupPrivilege (PID 4592, srtasks.exe)
- Token: SeRestorePrivilege (PID 4592, srtasks.exe)
- Token: SeSecurityPrivilege (PID 4592, srtasks.exe)
- Token: SeTakeOwnershipPrivilege (PID 4592, srtasks.exe)
-
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 4668: msiexec.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
- PID 2692: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe
- PID 2304: winlogon.exe
- PID 2756: AE 0124 BE.exe
- PID 4784: winlogon.exe
- PID 1172: winlogon.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
- PID 2692 wrote to memory of 4668 (process: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe, procid_target 86)
- PID 2692 wrote to memory of 4668 (process: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe, procid_target 86)
- PID 2692 wrote to memory of 4668 (process: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe, procid_target 86)
- PID 2692 wrote to memory of 2304 (process: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe, procid_target 87)
- PID 2692 wrote to memory of 2304 (process: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe, procid_target 87)
- PID 2692 wrote to memory of 2304 (process: 2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe, procid_target 87)
- PID 2304 wrote to memory of 2756 (process: winlogon.exe, procid_target 90)
- PID 2304 wrote to memory of 2756 (process: winlogon.exe, procid_target 90)
- PID 2304 wrote to memory of 2756 (process: winlogon.exe, procid_target 90)
- PID 2304 wrote to memory of 4784 (process: winlogon.exe, procid_target 92)
- PID 2304 wrote to memory of 4784 (process: winlogon.exe, procid_target 92)
- PID 2304 wrote to memory of 4784 (process: winlogon.exe, procid_target 92)
- PID 2756 wrote to memory of 1172 (process: AE 0124 BE.exe, procid_target 93)
- PID 2756 wrote to memory of 1172 (process: AE 0124 BE.exe, procid_target 93)
- PID 2756 wrote to memory of 1172 (process: AE 0124 BE.exe, procid_target 93)
- PID 4008 wrote to memory of 4592 (process: msiexec.exe, procid_target 98)
- PID 4008 wrote to memory of 4592 (process: msiexec.exe, procid_target 98)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2bd22ad9b740574dc0bc7dbe25b1a307e78db82b1b9dfaee1217eacce82a9b03.exe"
  PID:2692
  Signatures:
    - Drops file in Drivers directory
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    PID:4668
    Signatures:
      - Blocklisted process makes network request
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID:2304
    Signatures:
      - Drops file in Drivers directory
      - Checks computer location settings
      - Executes dropped EXE
      - Drops autorun.inf file
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID:2756
      Signatures:
        - Drops file in Drivers directory
        - Manipulates Digital Signatures
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID:1172
        Signatures:
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID:4784
      Signatures:
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID:4008
  Signatures:
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:4592
    Signatures:
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID:4404
  Signatures:
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads