741fc8882114d576c049e5a0e830282ae99b39df35cb5a090bf0e8f4b5ddb353

Analysis

max time kernel
49s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FRST64.exe
Size

2.3MB
MD5

42f626b952be10e6f0826631431fc2dd
SHA1

c0f1ba2f53ea222581be47b6a1ca3f2efe9e7507
SHA256

741fc8882114d576c049e5a0e830282ae99b39df35cb5a090bf0e8f4b5ddb353
SHA512

9571e11f179b928ea41c7c24512ae6536154dca42eb32d658ae55a0a49956b42933f23c0860f9f58cd1e57f08421becbd8d6107b9afd55da41b3c80e20a640df
SSDEEP

49152:o2EYTb8atv1orq+pEiSDTj1VyvBaj3jnE/ImdPFRgiYhFE94Ik0ZD5FJ9X+:tXbIrqtnDmdPFRTY73IRZD5FLX

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FRST64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
2616	bcdedit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	FRST64.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	FRST64.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities	FRST64.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	FRST64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	FRST64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data	FRST64.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	FRST64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	FRST64.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2	FRST64.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2:Win32_ShadowCopy	FRST64.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2324	notepad.exe
2464	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2944	FRST64.exe
2944	FRST64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2944	FRST64.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeBackupPrivilege	2616	bcdedit.exe
Token: SeRestorePrivilege	2616	bcdedit.exe
Token: SeRestorePrivilege	2616	bcdedit.exe
Token: SeRestorePrivilege	2616	bcdedit.exe
Token: SeBackupPrivilege	2516	vssvc.exe
Token: SeRestorePrivilege	2516	vssvc.exe
Token: SeAuditPrivilege	2516	vssvc.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2684	DrvInst.exe
Token: SeLoadDriverPrivilege	2684	DrvInst.exe
Token: SeLoadDriverPrivilege	2684	DrvInst.exe
Token: SeLoadDriverPrivilege	2684	DrvInst.exe
Token: SeRestorePrivilege	2944	FRST64.exe
Token: SeBackupPrivilege	2944	FRST64.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe
2944	FRST64.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2876	2944	FRST64.exe	28
PID 2944 wrote to memory of 2876	2944	FRST64.exe	28
PID 2944 wrote to memory of 2876	2944	FRST64.exe	28
PID 2944 wrote to memory of 2348	2944	FRST64.exe	30
PID 2944 wrote to memory of 2348	2944	FRST64.exe	30
PID 2944 wrote to memory of 2348	2944	FRST64.exe	30
PID 2348 wrote to memory of 2616	2348	cmd.exe	32
PID 2348 wrote to memory of 2616	2348	cmd.exe	32
PID 2348 wrote to memory of 2616	2348	cmd.exe	32
PID 2944 wrote to memory of 2324	2944	FRST64.exe	39
PID 2944 wrote to memory of 2324	2944	FRST64.exe	39
PID 2944 wrote to memory of 2324	2944	FRST64.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FRST64.exe
"C:\Users\Admin\AppData\Local\Temp\FRST64.exe"
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /u /c echo 2
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit /export C:\FRST\Hives\BCD
    3⤵
    - Modifies boot configuration data using bcdedit
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\system32\notepad.exe
  notepad "C:\Users\Admin\AppData\Local\Temp\Search.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2324
- C:\Windows\system32\notepad.exe
  notepad "C:\Users\Admin\AppData\Local\Temp\SearchReg.txt"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "0000000000000320"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FRST\a5Np9Gb8Qq\NTUSER.DAT

Filesize
768KB

MD5
b2c7c4382badd9b8fbde0f4e49f9bb7f

SHA1
db71f8dc33968fdbc0f7a58bedfb31949cb3e573

SHA256
6888f718b2d83e5db32ada1209ac6e2e825077659f8c6837584a421cf7341fbe

SHA512
bb3aa5b6357de1de079e84dc4329443697cc376484e4e2321952f7974a9ab87195e8b507d6bcfb2d91e994694b6ea6302e6c40746281bae0a6ece96bb640356f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab372A.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Search.txt

Filesize
244B

MD5
33188f5355e9c3c0ff2e10d4bc8b9f61

SHA1
51d8409f9bc3946e2cf73819c0afd7ce601d06f4

SHA256
625a6c2548e0b2c13571781261c5a178ad67e8cea164e7cda0cfe8e089819248

SHA512
c7d159578aa7380c33490933f89dc3aa5a0f6f20e29cb4462655c1a0c6c5f1f3446f30264de22eb213bff45aba313c5fad65bd1a91e155fa2f06ad265e0afba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SearchReg.txt

Filesize
248B

MD5
17eddae152a9b9d2d298fdb240b1a385

SHA1
3afa8375b369d74775caca5c8f0254c23371794a

SHA256
fba6781479b17c76042c7f2cefcfe49fb75a4172c33a7849128d1dba6dcd73df

SHA512
4d5b1bb082697ff215b267dbbc402e0f152b97f12d1ed1fd8780768f610f806433a66533a2116ac40a8859852bc14850e08bd23f3ccc2acf78a56406f8a4066e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3914.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit