Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 20:25
Static task: static1
Behavioral task: behavioral1
  Sample: 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
  Resource: win10v2004-20220812-en
General
Target: 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
Size: 869KB
MD5: 66156586ec84babbdbd7621960d663ed
SHA1: da357945720084bee3be7f0941c03538a25938bf
SHA256: 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6
SHA512: 4c29cef6a870265b95f31775df58a644380b1b01d1e366c6b9a53a1e40f654faf11cbc85f4c9715bc1a93eee06193bf850fc4e461f1bce9fbb013fcb3dbd31d7
SSDEEP: 6144:a+nglw9ayQv3ahvyn/PU7O0KXgTTSjyEN2ERBOzlgV6ub/OBRRehLgNuOPeHNEbK:rjS3Yvyn/0TvgVbGRettEbqrJftVb
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe" | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
Executes dropped EXE 1 IoCs
pid | Process
1808 | 11231.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe" | reg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe" | reg.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\smrss.exe | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
File opened for modification | C:\Windows\SysWOW64\smrss.exe | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
File created | C:\WINDOWS\SysWOW64\freizer.exe | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\WINDOWS\svchost.exe | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 2020 wrote to memory of 4408 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 81
PID 2020 wrote to memory of 4408 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 81
PID 2020 wrote to memory of 4408 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 81
PID 2020 wrote to memory of 4056 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 82
PID 2020 wrote to memory of 4056 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 82
PID 2020 wrote to memory of 4056 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 82
PID 4408 wrote to memory of 64 | 4408 | cmd.exe | 85
PID 4408 wrote to memory of 64 | 4408 | cmd.exe | 85
PID 4408 wrote to memory of 64 | 4408 | cmd.exe | 85
PID 4056 wrote to memory of 4328 | 4056 | cmd.exe | 86
PID 4056 wrote to memory of 4328 | 4056 | cmd.exe | 86
PID 4056 wrote to memory of 4328 | 4056 | cmd.exe | 86
PID 2020 wrote to memory of 1808 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 87
PID 2020 wrote to memory of 1808 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 87
PID 2020 wrote to memory of 1808 | 2020 | 794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe
  "C:\Users\Admin\AppData\Local\Temp\794adfe27d453913e998004c928272f256bd2267a519e083da86e2fcebb8c1e6.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2020
  C:\Windows\SysWOW64\cmd.exe
    cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    - Suspicious use of WriteProcessMemory
    PID: 4408
    C:\Windows\SysWOW64\reg.exe
      reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
      - Adds Run key to start application
      PID: 64
  C:\Windows\SysWOW64\cmd.exe
    cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    - Suspicious use of WriteProcessMemory
    PID: 4056
    C:\Windows\SysWOW64\reg.exe
      reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
      - Adds Run key to start application
      PID: 4328
  C:\windows\temp\11231.exe
    "C:\windows\temp\11231.exe"
    - Executes dropped EXE
    PID: 1808
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 20KB
MD5: 58078dceb7bcec39cf33319b2a88af7c
SHA1: 4d56a7f03c1f6e8a3fec218c00ce2f83efe2f678
SHA256: ceade08732e58284e328de0f5fba0b9fa5dcb6fca18da209e9951fedfcd5acae
SHA512: efed771e42ed6fc5e1c100ed601b9db3aa61612b79ef35be9fdc809d497ef837d6e6b73e1f0f1dbbdddedfc82a0b62a2d3ed85efeda87ca09d4f2f03f0acbe03