Analysis
max time kernel: 88s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2022, 20:25
Static task: static1
Behavioral task: behavioral1
Sample: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
Resource: win10v2004-20220812-en
General
Target: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
Size: 971KB
MD5: 72611f4dcf19f7acaaa94370ef1d459d
SHA1: dc951218427ed469d37a5b69663048a4a0980617
SHA256: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a
SHA512: 300a3129b3905416be43e0248c8d9ade8c63ddf8bc58d14fedecb30de70ac4e821b28d8762b7801baf4cb4f35c0bca4fd3ec9c03bb06c6fbb54a203209ebd62c
SSDEEP: 12288:rjS3Yvyn/0TkLFU64gLF5LFjxIZhKp1NpLC:ru3Y54x4kXlIZha7LC
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe" | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
Executes dropped EXE (1 IoC)
pid | Process
1644 | 04204.exe
Loads dropped DLL (4 IoCs)
pid | Process
1800 | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
1644 | 04204.exe
1644 | 04204.exe
1644 | 04204.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe" | reg.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\setupSNK.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\cttunesvr.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\ddodiag.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\DevicePairingWizard.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\ntoskrnl.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\PushPrinterConnections.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\winrs.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\CertEnrollCtrl.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\compact.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\IME\IMESC5\IMSCPROP.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\TCPSVCS.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\WerFault.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\PresentationHost.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\raserver.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\schtasks.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\dllhost.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\efsui.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\ktmutil.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\mtstocom.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\netbtugc.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\sort.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WinMgmt.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\tcmsetup.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\bootcfg.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\fontview.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\PostMig.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\openfiles.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\prevhost.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\dccw.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\diskperf.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\RMActivate_isv.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\setx.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\timeout.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\TsWpfWrp.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\DpiScaling.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\extrac32.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\hh.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\mfpmp.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\regedt32.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\pcaui.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\perfmon.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\whoami.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\xwizard.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\ssText3d.scr | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\wlanext.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\com\MigRegDB.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\diskpart.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\mcbuilder.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\mighost.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\rasdial.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\NAPSTAT.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\sethc.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\SetIEInstalledDate.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\autofmt.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\cmmon32.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\dcomcnfg.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_e54666f6a3e5af91\fsquirt.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\ftp.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\colorcpl.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\diskraid.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\find.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\SysWOW64\fsutil.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpconfig.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Windows Mail\wab.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Windows Sidebar\sidebar.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jre7\bin\ssvagent.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\WMPDMC.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jre7\bin\tnameserv.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\BackupAssert.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpshare.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_6.1.7600.16385_none_94861149bb66249c\powershell_ise.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\ieUnatt.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_6.1.7601.17514_none_f8852afc12f84e8e\nltest.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.1.7601.17514_none_4f18faed6aae2509\bitsadmin.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-regini_31bf3856ad364e35_6.1.7600.16385_none_0c2c92921b2478ef\regini.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\SvcIni.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_11.2.9600.16428_none_3bb1024f1e6bc086\mshta.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..essagingcoreservice_31bf3856ad364e35_6.1.7601.17514_none_412fcd2afecdc412\mqsvc.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tscon.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_6.1.7601.17514_none_e1cb175aef3b13bb\UserAccountControlSettings.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.2.9600.16428_none_8cae83b0cdeb7a9b\ielowutil.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_3a2a6a811d2b5065\PresentationHost.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_7551b4792ac9630d\csc.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\ehome\mcupdate.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_4cc4738d82efdf85\makecab.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.1.7601.17514_none_0c19cef0ed2a642e\setup_wm.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\ndadmin.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_6.1.7601.17514_none_28c78887678afbb1\mip.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-a..-experience-apphelp_31bf3856ad364e35_6.1.7600.16385_none_81d82fe9c216eb89\pcaui.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-bootconfig_31bf3856ad364e35_6.1.7600.16385_none_0becd32d7b9ba9e5\bootcfg.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-i..eoptionalcomponents_31bf3856ad364e35_8.0.7601.17514_none_1e7b93842c84c912\ConfigureIEOptionalComponents.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\write.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_6.1.7600.16385_none_975df0a6f5a54628\gpupdate.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.7600.16385_none_a61138e7aab17fed\ieUnatt.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..-management-console_31bf3856ad364e35_6.1.7600.16385_none_6b683cb78f534561\mmc.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-snmp-agent-service_31bf3856ad364e35_6.1.7601.17514_none_555ae6d66ee2630d\snmp.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\ARP.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-tpm-adminsnapin_31bf3856ad364e35_6.1.7600.16385_none_77536d124094b997\TpmInit.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-efs-ui_31bf3856ad364e35_6.1.7600.16385_none_f64b1e25e8ea1172\efsui.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..llercommandlinetool_31bf3856ad364e35_6.1.7600.16385_none_7444913c36004801\sc.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-atbroker_31bf3856ad364e35_6.1.7600.16385_none_2b95a17838063e9b\AtBroker.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-nbtstat_31bf3856ad364e35_6.1.7600.16385_none_fa057619380ff901\nbtstat.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_bfa748753634ba48\SystemPropertiesProtection.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_6.1.7600.16385_none_5e9e78a6dd413413\sapisvr.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_6.1.7600.16385_none_6bcef05d7f04260a\rasautou.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7601.17514_none_a54b31331066c8e2\Dxpserver.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_6.1.7601.17514_none_dfe02de35bf41e0b\PrintBrmEngine.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_6.1.7601.17514_none_935e5e07aa28aa00\rdpsign.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\wsmprovhost.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_netfx-clrgc_b03f5f7f11d50a3a_6.1.7601.17514_none_ad7a390fa131c970\clrgc.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-c..mplus-admin-comrepl_31bf3856ad364e35_6.1.7600.16385_none_e9dfd464f0c2ad1f\comrepl.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-credwiz_31bf3856ad364e35_6.1.7600.16385_none_9fb106cecd28b3f9\credwiz.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_6388acf17dd74912\SystemPropertiesProtection.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_44b0c76c35d4b76d\wab.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\oobeldr.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5ab\cmd.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_37575b7e71a86712\sidebar.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\twunk_16.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-e..ortingcompatibility_31bf3856ad364e35_6.1.7600.16385_none_5a9496fc0f35b80b\DWWIN.EXE | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-iediag_31bf3856ad364e35_11.2.9600.16428_none_f937400aa65f97cc\iediagcmd.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.7601.17514_none_e292664733bd5af6\ie4uinit.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File created | C:\WINDOWS\svchost.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_ca4e9bcdcac7feed\ntoskrnl.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7601.17514_none_da00ad1949e715ad\unlodctr.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-tapisetup_31bf3856ad364e35_6.1.7600.16385_none_d03cc6bce93bce83\TapiUnattend.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-wtvconverter_31bf3856ad364e35_6.1.7600.16385_none_a8464accb5a91f59\WTVConverter.exe | ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
(the same pid/process pair, 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe, is listed 64 times in this section, one line per IoC)
-
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target
PID 1800 wrote to memory of 1572 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 28
PID 1800 wrote to memory of 1572 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 28
PID 1800 wrote to memory of 1572 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 28
PID 1800 wrote to memory of 1572 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 28
PID 1800 wrote to memory of 908 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 29
PID 1800 wrote to memory of 908 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 29
PID 1800 wrote to memory of 908 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 29
PID 1800 wrote to memory of 908 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 29
PID 908 wrote to memory of 1704 908 cmd.exe 33
PID 908 wrote to memory of 1704 908 cmd.exe 33
PID 908 wrote to memory of 1704 908 cmd.exe 33
PID 908 wrote to memory of 1704 908 cmd.exe 33
PID 1572 wrote to memory of 624 1572 cmd.exe 32
PID 1572 wrote to memory of 624 1572 cmd.exe 32
PID 1572 wrote to memory of 624 1572 cmd.exe 32
PID 1572 wrote to memory of 624 1572 cmd.exe 32
PID 1800 wrote to memory of 1644 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 34
PID 1800 wrote to memory of 1644 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 34
PID 1800 wrote to memory of 1644 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 34
PID 1800 wrote to memory of 1644 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 34
PID 1800 wrote to memory of 1644 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 34
PID 1800 wrote to memory of 1644 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 34
PID 1800 wrote to memory of 1644 1800 ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe 34
Processes
- C:\Users\Admin\AppData\Local\Temp\ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe (PID 1800, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1572, level 2)
    Command line: cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 624, level 3)
      Command line: reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
      - Adds Run key to start application
  - C:\Windows\SysWOW64\cmd.exe (PID 908, level 2)
    Command line: cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1704, level 3)
      Command line: reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
      - Adds Run key to start application
  - C:\windows\temp\04204.exe (PID 1644, level 2)
    Command line: "C:\windows\temp\04204.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
11KB
MD5 5ff1667abbd26132c3e2784f3c16878e
SHA1 3e9db39bddb6abad25193633e206c57046e8524e
SHA256 8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c
SHA512 5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e