d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e

Analysis

max time kernel
181s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
Size

611KB
MD5

305b09db4ddcc16dcc43e3288282ff21
SHA1

38610c2b846bcaba5787cba0e83c3df6094364d5
SHA256

d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e
SHA512

90f2f674a4bc22de05a8aceb19f41bea980353e75a3a4876d648b89b476ac10f42d26a35a8cdc2e0d11ecdd721912b0bc9a6ebea54ba04d7a72d7c4013dff44d
SSDEEP

12288:rj9l69ZU++3jUOIcr1MFNXJKsg1V5aXiuI3o+:rDsOIcrMXosg1V5ayuI3o+

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe

Executes dropped EXE 1 IoCs

pid	Process
752	21002.exe

Loads dropped DLL 2 IoCs

pid	Process
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smrss.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Windows\SysWOW64\smrss.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File created	C:\WINDOWS\SysWOW64\freizer.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
752	21002.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\svchost.exe	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe

Suspicious behavior: MapViewOfSection 49 IoCs

pid	Process
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe
752	21002.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	21002.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1920	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	28
PID 1096 wrote to memory of 1920	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	28
PID 1096 wrote to memory of 1920	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	28
PID 1096 wrote to memory of 1920	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	28
PID 1096 wrote to memory of 1748	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	31
PID 1096 wrote to memory of 1748	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	31
PID 1096 wrote to memory of 1748	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	31
PID 1096 wrote to memory of 1748	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	31
PID 1096 wrote to memory of 752	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	32
PID 1096 wrote to memory of 752	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	32
PID 1096 wrote to memory of 752	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	32
PID 1096 wrote to memory of 752	1096	d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe	32
PID 1920 wrote to memory of 1156	1920	cmd.exe	34
PID 1920 wrote to memory of 1156	1920	cmd.exe	34
PID 1920 wrote to memory of 1156	1920	cmd.exe	34
PID 1920 wrote to memory of 1156	1920	cmd.exe	34
PID 1748 wrote to memory of 1000	1748	cmd.exe	35
PID 1748 wrote to memory of 1000	1748	cmd.exe	35
PID 1748 wrote to memory of 1000	1748	cmd.exe	35
PID 1748 wrote to memory of 1000	1748	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
"C:\Users\Admin\AppData\Local\Temp\d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    3⤵
    - Adds Run key to start application
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    3⤵
    - Adds Run key to start application
    PID:1000
- C:\windows\temp\21002.exe
  "C:\windows\temp\21002.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\21002.exe

Filesize
52KB

MD5
7ca844ce3df71df241cbe0a1d1741b08

SHA1
48bb0bcabec2d0502d41857d99875ea711082435

SHA256
45cc01fdc1ac42e35b53ad90afe2c87fb168fafe0e744239b2d81f5638eb53f6

SHA512
4f891b68de7242d56320d1cfd00ed7f61a536f86f118a0f4c9ac1be0a1ce45f3c4d35e4930c59bcfcbfebc5068c8c47a9d000a6a665a10d48e8fcc7c743fc1b3

Download Submit
C:\windows\temp\21002.exe

Filesize
52KB

MD5
7ca844ce3df71df241cbe0a1d1741b08

SHA1
48bb0bcabec2d0502d41857d99875ea711082435

SHA256
45cc01fdc1ac42e35b53ad90afe2c87fb168fafe0e744239b2d81f5638eb53f6

SHA512
4f891b68de7242d56320d1cfd00ed7f61a536f86f118a0f4c9ac1be0a1ce45f3c4d35e4930c59bcfcbfebc5068c8c47a9d000a6a665a10d48e8fcc7c743fc1b3

Download Submit
\Windows\Temp\21002.exe

Filesize
52KB

MD5
7ca844ce3df71df241cbe0a1d1741b08

SHA1
48bb0bcabec2d0502d41857d99875ea711082435

SHA256
45cc01fdc1ac42e35b53ad90afe2c87fb168fafe0e744239b2d81f5638eb53f6

SHA512
4f891b68de7242d56320d1cfd00ed7f61a536f86f118a0f4c9ac1be0a1ce45f3c4d35e4930c59bcfcbfebc5068c8c47a9d000a6a665a10d48e8fcc7c743fc1b3

Download Submit
\Windows\Temp\21002.exe

Filesize
52KB

MD5
7ca844ce3df71df241cbe0a1d1741b08

SHA1
48bb0bcabec2d0502d41857d99875ea711082435

SHA256
45cc01fdc1ac42e35b53ad90afe2c87fb168fafe0e744239b2d81f5638eb53f6

SHA512
4f891b68de7242d56320d1cfd00ed7f61a536f86f118a0f4c9ac1be0a1ce45f3c4d35e4930c59bcfcbfebc5068c8c47a9d000a6a665a10d48e8fcc7c743fc1b3

Download Submit
memory/1096-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download