e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2022, 11:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
Size

961KB
MD5

30147f56dde3180582a5b733e109e933
SHA1

30cd26ebd9d8aaa450578763674f4da4e67c12f7
SHA256

e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f
SHA512

7668e27188f581f83561240555cbf9a4dc9fd4a1f2b040d781ef4c0c924d981b94a48effcf2e993a277d2a399422893c252d1ca59feef49288f283dca6b8996e
SSDEEP

12288:rj9l69ZU++3jUOIcr1MFNXJU6uTc5HBX+SfTc5HBX+SN8sqJsqlL:rDsOIcrMXPuTcfTfTcfTe1J1lL

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe

Executes dropped EXE 1 IoCs

pid	Process
4364	31100.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smrss.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Windows\SysWOW64\smrss.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File created	C:\WINDOWS\SysWOW64\freizer.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\svchost.exe	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2220	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	82
PID 1968 wrote to memory of 2220	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	82
PID 1968 wrote to memory of 2220	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	82
PID 1968 wrote to memory of 1552	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	83
PID 1968 wrote to memory of 1552	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	83
PID 1968 wrote to memory of 1552	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	83
PID 1552 wrote to memory of 4668	1552	cmd.exe	87
PID 1552 wrote to memory of 4668	1552	cmd.exe	87
PID 1552 wrote to memory of 4668	1552	cmd.exe	87
PID 2220 wrote to memory of 4404	2220	cmd.exe	88
PID 2220 wrote to memory of 4404	2220	cmd.exe	88
PID 2220 wrote to memory of 4404	2220	cmd.exe	88
PID 1968 wrote to memory of 4364	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	89
PID 1968 wrote to memory of 4364	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	89
PID 1968 wrote to memory of 4364	1968	e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe	89

C:\Users\Admin\AppData\Local\Temp\e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe
"C:\Users\Admin\AppData\Local\Temp\e0ef3d651bf6023f5c1d1fc2e157937413f51a958b1ddc24b9bce366ab14126f.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    3⤵
    - Adds Run key to start application
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    3⤵
    - Adds Run key to start application
    PID:4668
- C:\windows\temp\31100.exe
  "C:\windows\temp\31100.exe"
  2⤵
  - Executes dropped EXE
  PID:4364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\31100.exe

Filesize
26KB

MD5
37f7b0efb7593d4f636e5a106e8a09b0

SHA1
dff40ff99d3dc9510f1db10ffe219039892f5808

SHA256
63bdaa0b87995260c596956694c5a2111d855032cbd8a1f2e9a7e9fc8bbfc03f

SHA512
9eb49cead844c69836dfe1f73258b38c90ef487de18cd8e9687cc335c47b345df3d56e96beed4ea17e09715b578fcbf7f9c10cc4786e1b97cdbc3cee0763089c

Download Submit
C:\windows\temp\31100.exe

Filesize
26KB

MD5
37f7b0efb7593d4f636e5a106e8a09b0

SHA1
dff40ff99d3dc9510f1db10ffe219039892f5808

SHA256
63bdaa0b87995260c596956694c5a2111d855032cbd8a1f2e9a7e9fc8bbfc03f

SHA512
9eb49cead844c69836dfe1f73258b38c90ef487de18cd8e9687cc335c47b345df3d56e96beed4ea17e09715b578fcbf7f9c10cc4786e1b97cdbc3cee0763089c

Download Submit