a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115

General

Target

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
Size

914KB
MD5

4af4b5b7967956e9eb9a0a7757453850
SHA1

131e87b04c108ab84b17ff92a0a12945059c7ec8
SHA256

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115
SHA512

1a8015e0466aee6fb500eb5c5f632b4def4aa7590616d480a03242578ace6e273323d558b2e2ad50143709feaa7c734ed1b06539cd1854a8ede0216bad78e655
SSDEEP

6144:a+nglw9ayQv3ahvyn/PU7O0KXgTTSj9ltfgIg+oaU64RZYIW7lEykhC6H8GY55hf:rjS3Yvyn/0TkLFU64cIW5EykhXG5Tsql

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe smrss.exe"	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

Executes dropped EXE 1 IoCs

Processes:

03120.exe

pid process

4528 03120.exe

pid	process
4528	03120.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\freizer = "C:\\WINDOWS\\system32\\freizer.exe"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\system32\\svchost.exe"	reg.exe

Drops file in System32 directory 3 IoCs

Processes:

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\freizer.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File created	C:\Windows\SysWOW64\smrss.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Windows\SysWOW64\smrss.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

Drops file in Program Files directory 64 IoCs

Processes:

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

Drops file in Windows directory 1 IoCs

Processes:

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

description ioc process

File created C:\WINDOWS\svchost.exe a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\WINDOWS\svchost.exe	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

pid	process
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.execmd.execmd.exe

description	pid	process	target process
PID 1848 wrote to memory of 2300	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	cmd.exe
PID 1848 wrote to memory of 2300	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	cmd.exe
PID 1848 wrote to memory of 2300	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	cmd.exe
PID 1848 wrote to memory of 3064	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	cmd.exe
PID 1848 wrote to memory of 3064	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	cmd.exe
PID 1848 wrote to memory of 3064	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	cmd.exe
PID 3064 wrote to memory of 1192	3064	cmd.exe	reg.exe
PID 3064 wrote to memory of 1192	3064	cmd.exe	reg.exe
PID 3064 wrote to memory of 1192	3064	cmd.exe	reg.exe
PID 2300 wrote to memory of 748	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 748	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 748	2300	cmd.exe	reg.exe
PID 1848 wrote to memory of 4528	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	03120.exe
PID 1848 wrote to memory of 4528	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	03120.exe
PID 1848 wrote to memory of 4528	1848	a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe	03120.exe

C:\Users\Admin\AppData\Local\Temp\a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe
"C:\Users\Admin\AppData\Local\Temp\a54c022e62aced366f663197e780b77c4631de73fd4bc7048e1865ee2d9bc115.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\cmd.exe
cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\reg.exe
reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v freizer /t REG_SZ /d C:\WINDOWS\system32\freizer.exe /f
3⤵
- Adds Run key to start application
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\reg.exe
reg ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\WINDOWS\system32\svchost.exe /f
3⤵
- Adds Run key to start application
PID:1192

C:\windows\temp\03120.exe
"C:\windows\temp\03120.exe"
2⤵
- Executes dropped EXE
PID:4528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\03120.exe
Filesize
16KB

MD5
1c0e7855741266ca62f001e21bf564ae

SHA1
d58d03f73fd914c53d981d45f773b679fb7a25d2

SHA256
cb61b132a3fafa93b299751d93dbaed04b81d967638339b3526afa5b01f8b208

SHA512
46cac3f3e0191d6faceb4c241b05556290229a058b0d2ee2fc5e46b7225cf1ecf4e31586628a45f5702183bc5e1ca0391cd7bd238fce2c294844ded6a69cd1be

Download Submit
C:\windows\temp\03120.exe
Filesize
16KB

MD5
1c0e7855741266ca62f001e21bf564ae

SHA1
d58d03f73fd914c53d981d45f773b679fb7a25d2

SHA256
cb61b132a3fafa93b299751d93dbaed04b81d967638339b3526afa5b01f8b208

SHA512
46cac3f3e0191d6faceb4c241b05556290229a058b0d2ee2fc5e46b7225cf1ecf4e31586628a45f5702183bc5e1ca0391cd7bd238fce2c294844ded6a69cd1be

Download Submit
memory/748-135-0x0000000000000000-mapping.dmp

Download
memory/1192-134-0x0000000000000000-mapping.dmp

Download
memory/2300-132-0x0000000000000000-mapping.dmp

Download
memory/3064-133-0x0000000000000000-mapping.dmp

Download
memory/4528-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads