Analysis
max time kernel: 96s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 20:25
Static task: static1
Behavioral task: behavioral1
  Sample: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
  Resource: win10v2004-20220812-en
General
Target: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
Size: 971KB
MD5: 72611f4dcf19f7acaaa94370ef1d459d
SHA1: dc951218427ed469d37a5b69663048a4a0980617
SHA256: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a
SHA512: 300a3129b3905416be43e0248c8d9ade8c63ddf8bc58d14fedecb30de70ac4e821b28d8762b7801baf4cb4f35c0bca4fd3ec9c03bb06c6fbb54a203209ebd62c
SSDEEP: 12288:rjS3Yvyn/0TkLFU64gLF5LFjxIZhKp1NpLC:ru3Y54x4kXlIZha7LC
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"
  Note: the default Shell value is the bare "explorer.exe"; anything appended to it is started alongside the desktop at every logon. The write landed under WOW6432Node because the sample is a 32-bit process subject to registry redirection, so check both the 32-bit and 64-bit views of this key on a 64-bit host.

Executes dropped EXE (1 IoC)
  PID 1652: 04204.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 4 IoCs)
  Process: reg.exe
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\WINDOWS\system32\freizer.exe"
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\WINDOWS\system32\svchost.exe"
  Note: the value name "svchost" and the target path reuse the name of a Windows system process; Windows itself never registers svchost.exe under a Run key, so this entry is a reliable hunting indicator on its own.

Drops file in System32 directory (3 IoCs)
  Process: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
  File created: C:\Windows\SysWOW64\smrss.exe
  File opened for modification: C:\Windows\SysWOW64\smrss.exe
  File created: C:\WINDOWS\SysWOW64\freizer.exe
  Note: "smrss.exe" is a look-alike of the legitimate smss.exe; the Run key above references system32\freizer.exe, but the 32-bit sample's write was redirected to SysWOW64, so both directories need checking.

Drops file in Program Files directory (64 IoCs)
  Process: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
  Every one of the 64 events is "File opened for modification" on an existing executable, not the creation of a new file. Treat the binaries below as possibly tampered and verify their hashes and Authenticode signatures before trusting the host.
  Files opened for modification:
    C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe
    C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe
    C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe
    C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe
    C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
    C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe
    C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe
    C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe
    C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
    C:\Program Files\Common Files\microsoft shared\ink\mip.exe
    C:\Program Files\7-Zip\Uninstall.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
    C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
    C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
    C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
    C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe
    C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
    C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe
    C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE
    C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe
    C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe
    C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
    C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe
    C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe
    C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe
    C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe
    C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
    C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe
    C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe
    C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe
    C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Drops file in Windows directory (1 IoC)
  Process: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe
  File created: C:\WINDOWS\svchost.exe
  Note: the legitimate svchost.exe lives in System32; a copy directly under C:\WINDOWS is not a Windows component.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4636: ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe (the same process, recorded 64 times)

Suspicious use of WriteProcessMemory (15 IoCs)
  Each parent/child pair was recorded three times; procid_target is the sandbox's internal process index.
  PID 4636 (ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe) wrote to memory of PID 1516 (cmd.exe), procid_target 81
  PID 4636 (ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe) wrote to memory of PID 4988 (cmd.exe), procid_target 82
  PID 4988 (cmd.exe) wrote to memory of PID 4856 (reg.exe), procid_target 85
  PID 1516 (cmd.exe) wrote to memory of PID 4968 (reg.exe), procid_target 86
  PID 4636 (ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe) wrote to memory of PID 1652 (04204.exe), procid_target 87
Processes

1. C:\Users\Admin\AppData\Local\Temp\ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe (PID 4636)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ed056225871cdbb01d3c0481d4363d7ea261ec89f999d9399c049d665fda057a.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 1516)
      Command line: cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe (PID 4968)
         Command line: reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
         - Adds Run key to start application

   2. C:\Windows\SysWOW64\cmd.exe (PID 4988)
      Command line: cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe (PID 4856)
         Command line: reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
         - Adds Run key to start application

   2. C:\windows\temp\04204.exe (PID 1652)
      Command line: "C:\windows\temp\04204.exe"
      - Executes dropped EXE
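The two persistence mechanisms above (the Winlogon Shell edit and the two reg.exe Run entries) are easy to hunt for once registry values are exported. The following is an added example written for this page, not code from the tria.ge report or from the sample. It takes registry values in the sandbox's own \REGISTRY\MACHINE notation, folds the WOW6432Node redirection (the 32-bit sample asked reg.exe for HKLM\Software\... and the write was redirected, which is why the report shows WOW6432Node), and flags a Shell value that launches anything besides explorer.exe and Run entries that either reuse a system process name such as svchost.exe or point into the Windows directory without matching a known-good baseline. The sample values are constructed from this report's IoCs, the SecurityHealth control entry and the BASELINE set are hypothetical stand-ins for a gold-image export, and the C:\WINDOWS system drive is an assumption.

```python
"""Hunt for the Winlogon Shell and Run-key persistence recorded in this report.

Added example (not the report's or the sample's code). Registry values are
supplied in tria.ge's \\REGISTRY\\MACHINE notation or plain HKLM notation.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Windows system process names; Windows never registers these under a Run key.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "smss.exe", "csrss.exe", "winlogon.exe",
    "lsass.exe", "services.exe", "explorer.exe",
}
WINDOWS_DIR = r"C:\WINDOWS"  # assumption: default system drive


@dataclass(frozen=True)
class RegValue:
    key: str   # key path, sandbox (\REGISTRY\MACHINE\...) or HKLM\... notation
    name: str  # value name
    data: str  # REG_SZ data


# Constructed from the IoCs in this report, plus one hypothetical benign entry.
REPORT_VALUES = [
    RegValue(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
             "shell", "Explorer.exe smrss.exe"),
    RegValue(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "freizer", r"C:\WINDOWS\system32\freizer.exe"),
    RegValue(r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
             "svchost", r"C:\WINDOWS\system32\svchost.exe"),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",  # hypothetical benign control
             "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]
# Hypothetical gold-image baseline: (value name, normalized target) pairs known to be legitimate.
BASELINE = {("securityhealth", ntpath.normcase(r"C:\Windows\system32\SecurityHealthSystray.exe"))}


def normalize_key(key: str) -> str:
    """Map sandbox root names to hive abbreviations and drop the WOW6432Node
    redirection component, so 32-bit and 64-bit writers compare alike."""
    k = key.replace("\\REGISTRY\\MACHINE", "HKLM").replace("\\REGISTRY\\USER", "HKU")
    k = re.sub(r"\\WOW6432Node(?=\\)", "", k, flags=re.IGNORECASE)
    return k.upper()


def shell_extra_programs(shell_data: str) -> list[str]:
    """Return every program named in a Winlogon Shell value other than explorer.exe.
    Shell is a comma-separated list; this sample used a space, so split on both."""
    tokens = [t for t in re.split(r"[,\s]+", shell_data.strip()) if t]
    return [t for t in tokens if ntpath.basename(t).lower() != "explorer.exe"]


def suspicious_run_entries(values: list[RegValue], baseline: set) -> list[tuple[RegValue, str]]:
    """Flag Run entries that reuse a system binary name, or that live under the
    Windows directory without a matching baseline entry."""
    findings = []
    win_prefix = ntpath.normcase(WINDOWS_DIR) + "\\"
    for v in values:
        if not normalize_key(v.key).endswith(r"\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"):
            continue
        target = v.data.strip().strip('"')
        base = ntpath.basename(target).lower()
        if base in SYSTEM_BINARY_NAMES:
            findings.append((v, f"{base} is a Windows system process name, never a Run entry"))
        elif ntpath.normcase(target).startswith(win_prefix) and \
                (v.name.lower(), ntpath.normcase(target)) not in baseline:
            findings.append((v, "unbaselined executable under the Windows directory"))
    return findings


def analyze(values: list[RegValue], baseline: set) -> dict:
    """Run both checks and return the findings keyed by technique."""
    shell_hits = []
    for v in values:
        if normalize_key(v.key).endswith(r"\WINDOWS NT\CURRENTVERSION\WINLOGON") and v.name.lower() == "shell":
            extras = shell_extra_programs(v.data)
            if extras:
                shell_hits.append((v, extras))
    return {"winlogon_shell": shell_hits, "run": suspicious_run_entries(values, baseline)}


if __name__ == "__main__":
    result = analyze(REPORT_VALUES, BASELINE)
    for v, extras in result["winlogon_shell"]:
        print(f"[Winlogon Shell] {normalize_key(v.key)}\\{v.name} also starts: {', '.join(extras)}")
    for v, why in result["run"]:
        print(f"[Run] {v.name} = {v.data}: {why}")
```

On this report's values the script reports smrss.exe as an extra Shell program and both the freizer and svchost Run entries; the baselined SecurityHealth entry is not flagged, which is the point of the baseline: legitimate Windows Run entries do point into System32, so the directory check alone would be noisy.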
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists two entries with identical hashes, so one 11KB file content was captured twice.
Filesize: 11KB
MD5: 5ff1667abbd26132c3e2784f3c16878e
SHA1: 3e9db39bddb6abad25193633e206c57046e8524e
SHA256: 8663e8ee4644dfd0fcfac08218092fcc5eeea4a2d55a55bccaca0ab2e70bc65c
SHA512: 5745a57ae14f3a27db41066895d137418ded8291fd5d33e819ac6cb865c80c2947bb52bec41305bf375606ded11a4d7ad9397cb7fc177b8fdba09d0b8818e60e