Analysis
max time kernel: 148s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/11/2022, 11:53
Static task: static1
Behavioral task: behavioral1
  Sample: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
  Resource: win10v2004-20221111-en
General
Target: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
Size: 611KB
MD5: 305b09db4ddcc16dcc43e3288282ff21
SHA1: 38610c2b846bcaba5787cba0e83c3df6094364d5
SHA256: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e
SHA512: 90f2f674a4bc22de05a8aceb19f41bea980353e75a3a4876d648b89b476ac10f42d26a35a8cdc2e0d11ecdd721912b0bc9a6ebea54ba04d7a72d7c4013dff44d
SSDEEP: 12288:rj9l69ZU++3jUOIcr1MFNXJKsg1V5aXiuI3o+:rDsOIcrMXosg1V5ayuI3o+
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"
  Process: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
Executes dropped EXE (1 IoCs)
  pid: 4624
  Process: 21002.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  Process: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Process: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"
  Process: reg.exe
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Process: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"
  Process: reg.exe
Drops file in System32 directory (3 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\smrss.exe
  Process: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\smrss.exe
  Process: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
  description: File created
  ioc: C:\WINDOWS\SysWOW64\freizer.exe
  Process: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid: 4624
  Process: 21002.exe
Drops file in Program Files directory (64 IoCs)
  description (all entries): File opened for modification
  Process (all entries): d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
  ioc:
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe
  - C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
  - C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe
  - C:\Program Files\7-Zip\7z.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
  - C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe
  - C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE
  - C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
  - C:\Program Files\Google\Chrome\Application\chrome.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe
  - C:\Program Files\7-Zip\Uninstall.exe
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe
  - C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe
  - C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe
  - C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe
  - C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe
  - C:\Program Files\Internet Explorer\ielowutil.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
  - C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe
  - C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe
  - C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe
  - C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
  - C:\Program Files\7-Zip\7zG.exe
  - C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  - C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe
  - C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec.exe
  - C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
Drops file in Windows directory (1 IoCs)
  description: File created
  ioc: C:\WINDOWS\svchost.exe
  Process: d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 632 d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe and 4624 21002.exe, each listed repeatedly (64 entries in total)
Suspicious behavior: MapViewOfSection (64 IoCs)
  pid / Process: 4624 21002.exe (all 64 entries)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 4624
  Process: 21002.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 632 wrote to memory of 3964 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 83
  PID 632 wrote to memory of 3964 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 83
  PID 632 wrote to memory of 3964 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 83
  PID 632 wrote to memory of 3132 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 84
  PID 632 wrote to memory of 3132 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 84
  PID 632 wrote to memory of 3132 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 84
  PID 3132 wrote to memory of 3268 | 3132 | cmd.exe | 87
  PID 3132 wrote to memory of 3268 | 3132 | cmd.exe | 87
  PID 3132 wrote to memory of 3268 | 3132 | cmd.exe | 87
  PID 3964 wrote to memory of 3428 | 3964 | cmd.exe | 88
  PID 3964 wrote to memory of 3428 | 3964 | cmd.exe | 88
  PID 3964 wrote to memory of 3428 | 3964 | cmd.exe | 88
  PID 632 wrote to memory of 4624 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 89
  PID 632 wrote to memory of 4624 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 89
  PID 632 wrote to memory of 4624 | 632 | d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe | 89
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d567cea27f3be5b7d14ef3fc02525bd2443bc8688c4381d3a25d63a077f72f8e.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 632
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
    - Suspicious use of WriteProcessMemory
    PID: 3964
    (level 3) C:\Windows\SysWOW64\reg.exe
      Command line: reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
      - Adds Run key to start application
      PID: 3428
  (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
    - Suspicious use of WriteProcessMemory
    PID: 3132
    (level 3) C:\Windows\SysWOW64\reg.exe
      Command line: reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
      - Adds Run key to start application
      PID: 3268
  (level 2) C:\windows\temp\21002.exe
    Command line: "C:\windows\temp\21002.exe"
    - Executes dropped EXE
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID: 4624
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 52KB
MD5: 7ca844ce3df71df241cbe0a1d1741b08
SHA1: 48bb0bcabec2d0502d41857d99875ea711082435
SHA256: 45cc01fdc1ac42e35b53ad90afe2c87fb168fafe0e744239b2d81f5638eb53f6
SHA512: 4f891b68de7242d56320d1cfd00ed7f61a536f86f118a0f4c9ac1be0a1ce45f3c4d35e4930c59bcfcbfebc5068c8c47a9d000a6a665a10d48e8fcc7c743fc1b3

Filesize: 52KB
MD5: 7ca844ce3df71df241cbe0a1d1741b08
SHA1: 48bb0bcabec2d0502d41857d99875ea711082435
SHA256: 45cc01fdc1ac42e35b53ad90afe2c87fb168fafe0e744239b2d81f5638eb53f6
SHA512: 4f891b68de7242d56320d1cfd00ed7f61a536f86f118a0f4c9ac1be0a1ce45f3c4d35e4930c59bcfcbfebc5068c8c47a9d000a6a665a10d48e8fcc7c743fc1b3