3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188

Analysis

max time kernel
191s
max time network
231s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
Size

719KB
MD5

56b7763f266f47efcf4514f5e57b7ab3
SHA1

ab0b0a32da00805d393fe0f2ef8d9156c4600b3e
SHA256

3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188
SHA512

f4ef452892b3cd5cc585738339a1522bb505ee047bde0f208a0a09312f4cd8ddfcf9387e956391baebfcbef272f940bde177d6655e63fdec886b172891fd5c02
SSDEEP

12288:rj9l69ZU++3jUOIcr1MFNXJKsg1V5aXiaH8:rDsOIcrMXosg1V5ayaH8

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe

Executes dropped EXE 1 IoCs

pid	Process
4420	12241.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smrss.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Windows\SysWOW64\smrss.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File created	C:\WINDOWS\SysWOW64\freizer.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\svchost.exe	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1984	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	81
PID 4952 wrote to memory of 1984	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	81
PID 4952 wrote to memory of 1984	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	81
PID 4952 wrote to memory of 4300	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	82
PID 4952 wrote to memory of 4300	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	82
PID 4952 wrote to memory of 4300	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	82
PID 1984 wrote to memory of 4316	1984	cmd.exe	85
PID 1984 wrote to memory of 4316	1984	cmd.exe	85
PID 1984 wrote to memory of 4316	1984	cmd.exe	85
PID 4300 wrote to memory of 4272	4300	cmd.exe	86
PID 4300 wrote to memory of 4272	4300	cmd.exe	86
PID 4300 wrote to memory of 4272	4300	cmd.exe	86
PID 4952 wrote to memory of 4420	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	87
PID 4952 wrote to memory of 4420	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	87
PID 4952 wrote to memory of 4420	4952	3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe	87

C:\Users\Admin\AppData\Local\Temp\3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe
"C:\Users\Admin\AppData\Local\Temp\3aa168e2a12fe6ed8ff20f837810ff7b474a60cfe88e582bc98d122472e99188.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    3⤵
    - Adds Run key to start application
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    3⤵
    - Adds Run key to start application
    PID:4272
- C:\windows\temp\12241.exe
  "C:\windows\temp\12241.exe"
  2⤵
  - Executes dropped EXE
  PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\12241.exe

Filesize
11KB

MD5
5ff1667abbd26132c3e2784f3c16878e

SHA1
3e9db39bddb6abad25193633e206c57046e8524e

SHA256
8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c

SHA512
5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e

Download Submit
C:\windows\temp\12241.exe

Filesize
11KB

MD5
5ff1667abbd26132c3e2784f3c16878e

SHA1
3e9db39bddb6abad25193633e206c57046e8524e

SHA256
8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c

SHA512
5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e

Download Submit