Analysis
max time kernel: 151s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02/10/2022, 20:25
Static task
static1
Behavioral task
behavioral1
Sample
bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe
Resource
win10v2004-20220901-en
General
Target: bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe
Size: 725KB
MD5: 33909b737637efe050dfc8083630ed66
SHA1: 21a699845ad17fc3db3608b3c1fd4002ef057145
SHA256: bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1
SHA512: 9d51cd97a6616358fdc8ffe93f249936b1ed9062ca9ecd47abceae1c852bd3334ee2b88536007dfc8b86b947a8dce1171e0f741136a031940953026ffc5d5dd7
SSDEEP: 6144:a+nglw9ayQv3ahvyn/PU7O0KXgTTSjiZ7ifckWEN4+Ugh+VuSfCpJipyfCpJipb:rjS3Yvyn/0TvhifHW8NUnVuSaXiQaXix
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe" | bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe
Executes dropped EXE 1 IoCs
pid | Process
1204 | 00043.exe
Loads dropped DLL 2 IoCs
pid | Process
1688 | bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe
1688 | bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe" | reg.exe
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe (the same pid/process pair accounts for all 64 IoCs)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1204 00043.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target
PID 1688 wrote to memory of 692 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 27
PID 1688 wrote to memory of 692 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 27
PID 1688 wrote to memory of 692 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 27
PID 1688 wrote to memory of 692 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 27
PID 1688 wrote to memory of 1668 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 28
PID 1688 wrote to memory of 1668 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 28
PID 1688 wrote to memory of 1668 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 28
PID 1688 wrote to memory of 1668 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 28
PID 692 wrote to memory of 2000 692 cmd.exe 32
PID 692 wrote to memory of 2000 692 cmd.exe 32
PID 692 wrote to memory of 2000 692 cmd.exe 32
PID 692 wrote to memory of 2000 692 cmd.exe 32
PID 1668 wrote to memory of 1768 1668 cmd.exe 31
PID 1668 wrote to memory of 1768 1668 cmd.exe 31
PID 1668 wrote to memory of 1768 1668 cmd.exe 31
PID 1668 wrote to memory of 1768 1668 cmd.exe 31
PID 1688 wrote to memory of 1204 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 33
PID 1688 wrote to memory of 1204 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 33
PID 1688 wrote to memory of 1204 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 33
PID 1688 wrote to memory of 1204 1688 bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe
"C:\Users\Admin\AppData\Local\Temp\bc6f984016385610c7f81fb5697724f55f9286b6b86e485a7419114c8906ebf1.exe" (depth 1)
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
    C:\Windows\SysWOW64\cmd.exe
    cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f (depth 2)
    - Suspicious use of WriteProcessMemory
    PID:692
        C:\Windows\SysWOW64\reg.exe
        reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f (depth 3)
        - Adds Run key to start application
        PID:2000
    C:\Windows\SysWOW64\cmd.exe
    cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f (depth 2)
    - Suspicious use of WriteProcessMemory
    PID:1668
        C:\Windows\SysWOW64\reg.exe
        reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f (depth 3)
        - Adds Run key to start application
        PID:1768
    C:\windows\temp\00043.exe
    "C:\windows\temp\00043.exe" (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1204
-
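The process tree shows the two autostart writes being made through the 32-bit reg.exe under C:\Windows\SysWOW64, plus a Winlogon change by the sample itself. The script below is an added triage example, not tria.ge's code and not derived from the sample. It parses reg ADD command lines exactly as they appear in the tree, works out that an HKLM Run entry written by a 32-bit process lands under Wow6432Node on 64-bit Windows (so a responder who only checks the native Run key misses it), and flags value names borrowed from core processes: a Run value named svchost that launches svchost.exe is never legitimate, because svchost is started by the Service Control Manager, not from Run. The Winlogon Shell value in the sample input is a constructed placeholder with a hypothetical name, not the value recorded for this run.

```python
"""Autostart triage for the persistence recorded in this run.

Added example: not tria.ge's code and not derived from the sample. Parses the
reg ADD command lines from the process tree, resolves where a 32-bit writer's
HKLM Run entry lands under WOW64 redirection, and flags masquerading entries.
"""
import re
import shlex

# Logon autostart keys; the optional Wow6432Node segment is where 32-bit writers land.
RUN_KEY_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU)\\Software\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
# Core Windows process names; none of them is ever a legitimate Run value name.
SYSTEM_PROCESS_NAMES = {"svchost", "explorer", "smss", "csrss", "winlogon",
                        "lsass", "services", "wininit"}


def parse_reg_add(cmdline):
    r"""Parse `[cmd /c] reg ADD <key> /v <name> /t <type> /d <data> [/f]`.

    Returns a dict, or None when the line is not a reg ADD. shlex in non-POSIX
    mode keeps Windows backslashes and quoted paths intact.
    """
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) >= 2 and toks[0].lower() in ("cmd", "cmd.exe") and toks[1].lower() == "/c":
        toks = toks[2:]                      # unwrap the cmd /c launcher
    if len(toks) < 3 or toks[0].lower() not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    entry = {"key": toks[2], "name": None, "type": "REG_SZ", "data": None}
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if flag == "/v":
            entry["name"] = arg
        elif flag == "/t":
            entry["type"] = (arg or "").upper()
        elif flag == "/d":
            entry["data"] = arg
        else:                                # /f, /reg:32, /reg:64 take no operand
            i += 1
            continue
        i += 2
    return entry


def effective_key(key, writer_is_32bit):
    r"""Key an HKLM Run write really lands on.

    On 64-bit Windows a 32-bit process (here C:\Windows\SysWOW64\reg.exe) writing
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run is redirected to
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run. HKCU Run keys
    are not redirected, so they are returned unchanged.
    """
    m = RUN_KEY_RE.match(key)
    if not (m and writer_is_32bit) or m.group(2) or m.group(1).upper() not in ("HKEY_LOCAL_MACHINE", "HKLM"):
        return key
    hive, _, rest = key.partition("\\")
    return hive + "\\SOFTWARE\\Wow6432Node\\" + rest[len("Software\\"):]


def assess_run_entry(entry, writer_is_32bit=True):
    """Findings for one parsed reg ADD; an empty list means it is not an autostart write."""
    if entry is None or not RUN_KEY_RE.match(entry["key"]):
        return []
    name = (entry["name"] or "").lower()
    stem = name[:-4] if name.endswith(".exe") else name
    exe = (entry["data"] or "").strip('"').rsplit("\\", 1)[-1].lower()
    findings = [f"autostart: {effective_key(entry['key'], writer_is_32bit)}\\{entry['name']} = {entry['data']}"]
    if stem in SYSTEM_PROCESS_NAMES:
        findings.append(f"value name {entry['name']!r} masquerades as a core Windows process")
    if exe == "svchost.exe":
        findings.append("svchost.exe is started by the Service Control Manager, never from a Run key")
    return findings


def assess_winlogon_shell(value):
    """Entries in Winlogon Shell other than explorer.exe, the only expected one."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p and p.lower() != "explorer.exe"]


def triage(cmdlines, shell_value, writer_is_32bit=True):
    """Run every check over the given command lines and Shell value; returns findings."""
    out = []
    for line in cmdlines:
        out.extend(assess_run_entry(parse_reg_add(line), writer_is_32bit))
    for extra in assess_winlogon_shell(shell_value):
        out.append(f"Winlogon\\Shell chains an extra program: {extra}")
    return out


# The two reg ADD command lines from this report's process tree, plus one
# non-reg process from the same tree that the parser must ignore.
SAMPLE_CMDLINES = [
    r"cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f",
    r"cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f",
    r'"C:\windows\temp\00043.exe"',
]
# Constructed Winlogon Shell value with a placeholder name; not the value from this run.
SAMPLE_SHELL = "Explorer.exe dropped.exe"

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES, SAMPLE_SHELL):
        print(finding)
```

On a live host, feed it the process command lines from Sysmon process-creation events (or from a report like this one) together with the current HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell value, and inspect both the native and the Wow6432Node Run keys: a SysWOW64 reg.exe writes only to the latter, which is where entries from this tree go.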
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 39KB
MD5 090d5891041e35e18c77f664581c0bd6
SHA1 cf3fdcfe52f5b915c10fd778b5e1dd091f4e847b
SHA256 1d5cae50081a57e7b55bef220788d9065483ff1a8d39c3ca8df39f60cdf231af
SHA512 28daf522db7774d04f2dde7c5edf20c0fb7b1f58956fa1bacd4b417cb129640418aff98ab009d7c454b77031a54a212ceb12b427c564f4c5b00e5a07d8cabaff
-
Filesize 39KB
MD5 090d5891041e35e18c77f664581c0bd6
SHA1 cf3fdcfe52f5b915c10fd778b5e1dd091f4e847b
SHA256 1d5cae50081a57e7b55bef220788d9065483ff1a8d39c3ca8df39f60cdf231af
SHA512 28daf522db7774d04f2dde7c5edf20c0fb7b1f58956fa1bacd4b417cb129640418aff98ab009d7c454b77031a54a212ceb12b427c564f4c5b00e5a07d8cabaff
-
Filesize 39KB
MD5 090d5891041e35e18c77f664581c0bd6
SHA1 cf3fdcfe52f5b915c10fd778b5e1dd091f4e847b
SHA256 1d5cae50081a57e7b55bef220788d9065483ff1a8d39c3ca8df39f60cdf231af
SHA512 28daf522db7774d04f2dde7c5edf20c0fb7b1f58956fa1bacd4b417cb129640418aff98ab009d7c454b77031a54a212ceb12b427c564f4c5b00e5a07d8cabaff