4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 18:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
Size

709KB
MD5

6d6257cc83173b22b6cf40a8b39ad2e5
SHA1

5abab4978391f123275efbad3c6450602d36d78a
SHA256

4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019
SHA512

8fc9c622165bfc7a47c6ca9cfcd0a5137434854c47d65be8ac6b5333cd158c63ff6c13cd0a1774bdcec44f5eb8c5e99133cea4ab41aaf7ff352926066b96bd02
SSDEEP

6144:a+nglw9ayQv3ahvyn/PU7O0KXgTTSjyEN2ERBOzlSmGzzJFB:rjS3Yvyn/0TvSmwR

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe

Executes dropped EXE 1 IoCs

pid	Process
324	14400.exe

Loads dropped DLL 1 IoCs

pid	Process
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smrss.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Windows\SysWOW64\smrss.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File created	C:\WINDOWS\SysWOW64\freizer.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateSetup.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5FF82FCB-66EC-4D84-9E60-60D03C1CDEBC}\chrome_installer.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMC.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\wordpad.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\svchost.exe	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 620	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	27
PID 1480 wrote to memory of 620	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	27
PID 1480 wrote to memory of 620	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	27
PID 1480 wrote to memory of 620	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	27
PID 1480 wrote to memory of 1128	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	29
PID 1480 wrote to memory of 1128	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	29
PID 1480 wrote to memory of 1128	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	29
PID 1480 wrote to memory of 1128	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	29
PID 1128 wrote to memory of 1244	1128	cmd.exe	31
PID 1128 wrote to memory of 1244	1128	cmd.exe	31
PID 1128 wrote to memory of 1244	1128	cmd.exe	31
PID 1128 wrote to memory of 1244	1128	cmd.exe	31
PID 620 wrote to memory of 1100	620	cmd.exe	32
PID 620 wrote to memory of 1100	620	cmd.exe	32
PID 620 wrote to memory of 1100	620	cmd.exe	32
PID 620 wrote to memory of 1100	620	cmd.exe	32
PID 1480 wrote to memory of 324	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	33
PID 1480 wrote to memory of 324	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	33
PID 1480 wrote to memory of 324	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	33
PID 1480 wrote to memory of 324	1480	4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe	33

C:\Users\Admin\AppData\Local\Temp\4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe
"C:\Users\Admin\AppData\Local\Temp\4ce7124eed014203dcd03bea7ae9ed3fb1928c28a6754cf36d426db39820a019.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    3⤵
    - Adds Run key to start application
    PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    3⤵
    - Adds Run key to start application
    PID:1244
- C:\windows\temp\14400.exe
  "C:\windows\temp\14400.exe"
  2⤵
  - Executes dropped EXE
  PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\14400.exe

Filesize
14KB

MD5
34a0b44796543ce75f0cf99e31c847f6

SHA1
b388c1903611e0ab9df4097a9deff81f05f5275d

SHA256
57416c130191468a1f9f5c2ba044c01a3f8cc9ae6c942370a68cf9da09ea6e7b

SHA512
a2a06d5c58fd2faab784f4fcd03d08e3cd530e1b0cac1ea4d498a6ffe0da9efcc2e9f6e1ff3b50eb171ba885b3d4a547a7a98e1836ff454dc0ee0cec97bce3c0

Download Submit
\Windows\Temp\14400.exe

Filesize
14KB

MD5
34a0b44796543ce75f0cf99e31c847f6

SHA1
b388c1903611e0ab9df4097a9deff81f05f5275d

SHA256
57416c130191468a1f9f5c2ba044c01a3f8cc9ae6c942370a68cf9da09ea6e7b

SHA512
a2a06d5c58fd2faab784f4fcd03d08e3cd530e1b0cac1ea4d498a6ffe0da9efcc2e9f6e1ff3b50eb171ba885b3d4a547a7a98e1836ff454dc0ee0cec97bce3c0

Download Submit
memory/1480-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download