e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440

Analysis

max time kernel
122s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
Size

945KB
MD5

3820c268bf09b0462e1ab11bae1f2ce1
SHA1

c4d235d9b3e07d231ec1270e07c1c7cb3b0ffc47
SHA256

e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440
SHA512

7ee1aae451f2cc20b21a2b8513f1cb8c935381bf81ffc46376b3e3995b601e5996d4b0c27c3b40b056b7c83a415390133e26b85c70cff5d67af5e3d516477386
SSDEEP

6144:a+nglw9ayQv3ahvyn/PU7O0KXgTTSjyEN2ERBOzlgV+/F5HMinY2gzoEfyIiSW/Q:rjS3Yvyn/0TvgV+/nHqoVjmBG0Ko

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe

Executes dropped EXE 1 IoCs

pid	Process
4676	02133.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smrss.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Windows\SysWOW64\smrss.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File created	C:\WINDOWS\SysWOW64\freizer.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\svchost.exe	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4676	02133.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2980	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	84
PID 4476 wrote to memory of 2980	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	84
PID 4476 wrote to memory of 2980	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	84
PID 4476 wrote to memory of 3896	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	85
PID 4476 wrote to memory of 3896	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	85
PID 4476 wrote to memory of 3896	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	85
PID 3896 wrote to memory of 4536	3896	cmd.exe	88
PID 3896 wrote to memory of 4536	3896	cmd.exe	88
PID 3896 wrote to memory of 4536	3896	cmd.exe	88
PID 2980 wrote to memory of 4068	2980	cmd.exe	89
PID 2980 wrote to memory of 4068	2980	cmd.exe	89
PID 2980 wrote to memory of 4068	2980	cmd.exe	89
PID 4476 wrote to memory of 4676	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	90
PID 4476 wrote to memory of 4676	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	90
PID 4476 wrote to memory of 4676	4476	e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe	90

C:\Users\Admin\AppData\Local\Temp\e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe
"C:\Users\Admin\AppData\Local\Temp\e80dddebd13a630ecfb66cfc4efc3181da671c5453adf17734dd5d8f6ccd1440.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    3⤵
    - Adds Run key to start application
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    3⤵
    - Adds Run key to start application
    PID:4536
- C:\windows\temp\02133.exe
  "C:\windows\temp\02133.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\02133.exe

Filesize
337KB

MD5
760faf0f6fb5b15c6045f5f15116b499

SHA1
6d4807e03e59b5711d017180fbd91fe2db45cdf4

SHA256
8168fc205f199d8179ec2d76a4d0a90d01e4d4f526bfb78ae450639af136fd4e

SHA512
2bf3b53a3fe9ac439a7bd379a69f51e0acb45a81259199ea037ad099985d0ffe073c3dc7cc4dff626159ae706d98e276e463d32e540f7532fced1c274f7fd850

Download Submit
C:\windows\temp\02133.exe

Filesize
337KB

MD5
760faf0f6fb5b15c6045f5f15116b499

SHA1
6d4807e03e59b5711d017180fbd91fe2db45cdf4

SHA256
8168fc205f199d8179ec2d76a4d0a90d01e4d4f526bfb78ae450639af136fd4e

SHA512
2bf3b53a3fe9ac439a7bd379a69f51e0acb45a81259199ea037ad099985d0ffe073c3dc7cc4dff626159ae706d98e276e463d32e540f7532fced1c274f7fd850

Download Submit