44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a

Analysis

max time kernel
41s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
Size

887KB
MD5

6c5e2996e2241d84f6b4b423190dcc9a
SHA1

f5ab483cd9f743a368ae12c1b2d4d669ac6263fb
SHA256

44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a
SHA512

297b37414b6c3fca77c8209cfb285d364078bc4c1f98f5779c72379ee0c5ec2cf3f6f501d787d72145464ef3917744229bc41eb210252ab2e732c8d2a4bfd9c0
SSDEEP

12288:rjS3Yvyn/0TvhifHW8NUnVuCjNHtJsqb6y0q5LD:ru3Y578NUnV9jNHf1Wm

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe

Executes dropped EXE 1 IoCs

pid	Process
1348	42410.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\freizer.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File created	C:\Windows\SysWOW64\smrss.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Windows\SysWOW64\smrss.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPDMC.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Windows Media Player\setup_wm.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpshare.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\svchost.exe	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1348	42410.exe
Token: SeTcbPrivilege	1348	42410.exe
Token: SeSecurityPrivilege	1348	42410.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2004	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	28
PID 1640 wrote to memory of 2004	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	28
PID 1640 wrote to memory of 2004	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	28
PID 1640 wrote to memory of 2004	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	28
PID 1640 wrote to memory of 2008	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	30
PID 1640 wrote to memory of 2008	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	30
PID 1640 wrote to memory of 2008	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	30
PID 1640 wrote to memory of 2008	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	30
PID 2004 wrote to memory of 1724	2004	cmd.exe	32
PID 2004 wrote to memory of 1724	2004	cmd.exe	32
PID 2004 wrote to memory of 1724	2004	cmd.exe	32
PID 2004 wrote to memory of 1724	2004	cmd.exe	32
PID 2008 wrote to memory of 1752	2008	cmd.exe	33
PID 2008 wrote to memory of 1752	2008	cmd.exe	33
PID 2008 wrote to memory of 1752	2008	cmd.exe	33
PID 2008 wrote to memory of 1752	2008	cmd.exe	33
PID 1640 wrote to memory of 1348	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	34
PID 1640 wrote to memory of 1348	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	34
PID 1640 wrote to memory of 1348	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	34
PID 1640 wrote to memory of 1348	1640	44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe	34

C:\Users\Admin\AppData\Local\Temp\44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe
"C:\Users\Admin\AppData\Local\Temp\44a19b000695b25bf74a0d1a627960e390411d8f48d17634299fb718ac24334a.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    3⤵
    - Adds Run key to start application
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    3⤵
    - Adds Run key to start application
    PID:1752
- C:\windows\temp\42410.exe
  "C:\windows\temp\42410.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\42410.exe

Filesize
59KB

MD5
4844fd851088a11e240cfe5b54096209

SHA1
3a25e5d4c11922195a716e4eb86f5f3e961f01ed

SHA256
57c4a326be03a5ddd4d409b21ec6a5372777618b6eec4112029114a0de8bb824

SHA512
c102fad40b730183d2d382c220c2b457bba8e84bcf07926a17ec16b736e2b74fad05f936bc3b3aa34e16e1a86f54125d70cce0b54fe3e69c8b99c8f54be21831

Download Submit
\Windows\Temp\42410.exe

Filesize
59KB

MD5
4844fd851088a11e240cfe5b54096209

SHA1
3a25e5d4c11922195a716e4eb86f5f3e961f01ed

SHA256
57c4a326be03a5ddd4d409b21ec6a5372777618b6eec4112029114a0de8bb824

SHA512
c102fad40b730183d2d382c220c2b457bba8e84bcf07926a17ec16b736e2b74fad05f936bc3b3aa34e16e1a86f54125d70cce0b54fe3e69c8b99c8f54be21831

Download Submit
\Windows\Temp\42410.exe

Filesize
59KB

MD5
4844fd851088a11e240cfe5b54096209

SHA1
3a25e5d4c11922195a716e4eb86f5f3e961f01ed

SHA256
57c4a326be03a5ddd4d409b21ec6a5372777618b6eec4112029114a0de8bb824

SHA512
c102fad40b730183d2d382c220c2b457bba8e84bcf07926a17ec16b736e2b74fad05f936bc3b3aa34e16e1a86f54125d70cce0b54fe3e69c8b99c8f54be21831

Download Submit
memory/1640-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download