1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851

General

Target

1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe
Size

992KB
MD5

0c251e16386189d342223e7f511361bb
SHA1

4e81b732cb711b2be91acdb2869baf50380f2315
SHA256

1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851
SHA512

b729d75f29dff30d3cbdfe0f290bd101f880810b50b508474943c9a0ea86fef55046f536381fa8bbd0764602f894e9e1c015b448a00b9934aa7618f1e904e9dc
SSDEEP

12288:rjS3Yvyn/0TQIW5EykhXG5RzXsqoUVOP0q5L7aXih:ru3Y5EE05d1oUVOFayh

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smrss.exe	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe
File opened for modification	C:\Windows\SysWOW64\smrss.exe	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe
File created	C:\WINDOWS\SysWOW64\freizer.exe	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\svchost.exe	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4288	1280	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe	28
PID 1280 wrote to memory of 4288	1280	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe	28
PID 1280 wrote to memory of 4288	1280	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe	28
PID 1280 wrote to memory of 5064	1280	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe	27
PID 1280 wrote to memory of 5064	1280	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe	27
PID 1280 wrote to memory of 5064	1280	1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe	27
PID 4288 wrote to memory of 1472	4288	cmd.exe	26
PID 4288 wrote to memory of 1472	4288	cmd.exe	26
PID 4288 wrote to memory of 1472	4288	cmd.exe	26
PID 5064 wrote to memory of 2228	5064	cmd.exe	25
PID 5064 wrote to memory of 2228	5064	cmd.exe	25
PID 5064 wrote to memory of 2228	5064	cmd.exe	25

C:\Users\Admin\AppData\Local\Temp\1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe
"C:\Users\Admin\AppData\Local\Temp\1b90919d25d7d33edaae435c568c5b19021e1d10e7b4c3a1bed9a93ee5695851.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- C:\windows\temp\42001.exe
  "C:\windows\temp\42001.exe"
  2⤵
  PID:2036

C:\Windows\SysWOW64\reg.exe
reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
1⤵
- Adds Run key to start application
PID:2228

C:\Windows\SysWOW64\reg.exe
reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
1⤵
- Adds Run key to start application
PID:1472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\42001.exe

Filesize
34KB

MD5
96f7c927c22394ed4433f266d8b92e16

SHA1
743398a0d7dc6bdde79a08285baf5cd17c187a08

SHA256
51c23517c73db8abc00944bcc3e3882fce42c06533b9a9c409c4ff6669cc5d22

SHA512
ad36aec01fa6ebb5ff7b196b8084bdf95a3bbb925eb7787b2e00365ee315fae417f7c77a9d46927bdb09d389acc1b4c7949f88d22957dd44cf424a5733550012

Download Submit
C:\windows\temp\42001.exe

Filesize
39KB

MD5
090d5891041e35e18c77f664581c0bd6

SHA1
cf3fdcfe52f5b915c10fd778b5e1dd091f4e847b

SHA256
1d5cae50081a57e7b55bef220788d9065483ff1a8d39c3ca8df39f60cdf231af

SHA512
28daf522db7774d04f2dde7c5edf20c0fb7b1f58956fa1bacd4b417cb129640418aff98ab009d7c454b77031a54a212ceb12b427c564f4c5b00e5a07d8cabaff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads