Analysis
max time kernel: 189s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 22:14
Static task: static1
Behavioral task: behavioral1
  Sample: 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe
  Resource: win10v2004-20220812-en
General
Target: 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe
Size: 20KB
MD5: 44e3297edcb8acbdfc77e4eef215c3f0
SHA1: df1c7ca445ebef14569f22c97dbfc8ffaceb49b1
SHA256: 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833
SHA512: 74ea6d65af0970a0da118f089ac3e73ae85a37633b28f741d86b9d9280f943a7c36c792639cd907de48ac2c588f66467be9459980af8823729da09a1ac14d460
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBSWQt:1M3PnQoHDCpHf4I4Qwdc0G5KDJEv
Malware Config
Signatures
Drops file in Drivers directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
Executes dropped EXE 4 IoCs
pid | Process
712 | winlogon.exe
1632 | AE 0124 BE.exe
4944 | winlogon.exe
3544 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Loads dropped DLL 3 IoCs
pid | Process
1632 | AE 0124 BE.exe
4944 | winlogon.exe
3544 | winlogon.exe
Drops desktop.ini file(s) 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\mdmolic.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\netr28x.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks.Resources\3.0.0.0_es_31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\en-US\bfsvc.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\Installer\8554.msi | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge.Dtc.Resources | AE 0124 BE.exe
File opened for modification | C:\Windows\Boot\PCAT\bg-BG | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\Audio\fr-FR\CL_LocalizationData.psd1 | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Windows Notify System Generic.wav | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Printing.Resources\3.0.0.0_fr_31bf3856ad364e35\System.Printing.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\BITS\en-US\CL_LocalizationData.psd1 | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\hdaudio.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.Resources\2.0.0.0_ja_b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\zh-TW_BitLockerToGo.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\Speech\de-DE\DiagPackage.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\vga950.fon | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0\10.0.0.0__b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a32f4f54a0df42f1dc8d6cb91d471bb9\Microsoft.WSMan.Runtime.ni.dll.aux | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35\Microsoft.ConfigCI.Commands.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\rtux64w10.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobePDF417.pmp | AE 0124 BE.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ViewerPS.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\ImmersiveControlPanel\images\logo.scale-200.png | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\8514oemr.fon | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A# | AE 0124 BE.exe
File opened for modification | C:\Windows\Logs\WindowsUpdate\WindowsUpdate.20220812.191258.472.1.etl | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\app857.fon | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\BITS\0409\bitsctrs.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.Resources\3.5.0.0_es_b77a5c561934e089 | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.SecureBoot.Commands.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0C0A\_ServiceModelEndpointPerfCounters_D.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\Microsoft.ConfigCI.Commands.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\System.DirectoryServices.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\debug | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Resources | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0\9.0.0.0__b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\mdmntt1.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Data.Entity | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\Device\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\Boot\EFI\en-US\bootmgfw.efi.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\PresentationFramework.Resources\3.0.0.0_it_31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\Cursors\no_rm.cur | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\wsearchidxpi\040C | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\c_61883.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\ServiceModelService 3.0.0.0\0410\_ServiceModelServicePerfCounters_D.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Web.Resources\2.0.0.0_it_b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\d8c6c061391afad5d08eeee96bda9e8f | AE 0124 BE.exe
File opened for modification | C:\Windows\Cursors\size3_l.cur | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\LeelawUI.ttf | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\netg664.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Workflow.ComponentModel.Resources | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\SMDiagnostics.Resources\3.0.0.0_it_b77a5c561934e089\SMDiagnostics.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\netelx.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\Boot\EFI\fr-CA\bootmgfw.efi.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\Printer\TS_PaperJam.ps1 | AE 0124 BE.exe
File opened for modification | C:\Windows\addins\FXSEXT.ecf | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Data.Resources\2.0.0.0_es_b77a5c561934e089 | AE 0124 BE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988000" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000bf9908c748cddaa8306c7212002391b4bf5304f50fd3d7822bde8967e4d68671000000000e80000000020000200000002ba42d6389828082b3bf0952bef3f7a1f27962bfe912c00969cebbea9e1da49a20000000f2fb65ebe44591c89d408addc1422d0827daa898feb19b1e54cbd8a6c37a192940000000fb4e9c371d6b885c4eb7d50ace333df8283d5074e9a7d6fed68b114cbc200e5162d288b2f211eeabea1cd6c903349bda451c883ff140e37c3cb16126d9177fed | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000aa804c108847b665f28b2de9196138da4239bae860dec97b948207cea6b6cb56000000000e80000000020000200000002b25abbd1c510aa1095f7d1aede8c2ba785de4f40a82a82a5f18dc7799f4261920000000ffeb3319f2856e874c864ce17744c139440a02f291cc326786ae78a426ea230940000000f854c75ae0d955e5c9d6739a519769659c25a57029ce3a329a1af45a1012464afd00f7c3b6ed44f0e320f5d4fa441975f61db7e8684d224bb98bb769467f1e81 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1725396624" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50235c80e0d6d801 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988000" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988000" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2128522714" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406b9a7de0d6d801 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2128522714" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1725396624" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988000" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "370933085" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C1D72B7-42D3-11ED-B696-72E5C3FA065D} = "0" | iexplore.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4896 | iexplore.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
4320 | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe
4896 | iexplore.exe
4896 | iexplore.exe
712 | winlogon.exe
1632 | AE 0124 BE.exe
4944 | winlogon.exe
3544 | winlogon.exe
2128 | IEXPLORE.EXE
2128 | IEXPLORE.EXE
2128 | IEXPLORE.EXE
2128 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4320 wrote to memory of 4896 | 4320 | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe | 82
PID 4320 wrote to memory of 4896 | 4320 | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe | 82
PID 4896 wrote to memory of 2128 | 4896 | iexplore.exe | 83
PID 4896 wrote to memory of 2128 | 4896 | iexplore.exe | 83
PID 4896 wrote to memory of 2128 | 4896 | iexplore.exe | 83
PID 4320 wrote to memory of 712 | 4320 | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe | 84
PID 4320 wrote to memory of 712 | 4320 | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe | 84
PID 4320 wrote to memory of 712 | 4320 | 1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe | 84
PID 712 wrote to memory of 1632 | 712 | winlogon.exe | 85
PID 712 wrote to memory of 1632 | 712 | winlogon.exe | 85
PID 712 wrote to memory of 1632 | 712 | winlogon.exe | 85
PID 712 wrote to memory of 4944 | 712 | winlogon.exe | 86
PID 712 wrote to memory of 4944 | 712 | winlogon.exe | 86
PID 712 wrote to memory of 4944 | 712 | winlogon.exe | 86
PID 1632 wrote to memory of 3544 | 1632 | AE 0124 BE.exe | 87
PID 1632 wrote to memory of 3544 | 1632 | AE 0124 BE.exe | 87
PID 1632 wrote to memory of 3544 | 1632 | AE 0124 BE.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe (PID 4320)
  command line: "C:\Users\Admin\AppData\Local\Temp\1ca8391aede978184131b332074879af1743e9219611bb96f688b9f5d6698833.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe (PID 4896)
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2128)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4896 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\winlogon.exe (PID 712)
    command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe (PID 1632)
      command line: "C:\Windows\AE 0124 BE.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe (PID 3544)
        command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe (PID 4944)
      command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 40KB (listed 6 times)
MD5: bdbf5cd6b05a798549a4ad3e73fae6e9
SHA1: 106686bee5afb98a3ab48be1bb379035c8a4cb4a
SHA256: c42da5a13dae6412065ef92b4073452f9e5b9a311371a1807d565712250c46ff
SHA512: 99ca4d9f1b812e16fa6e6f8bc23454c095b3468da5059b60825802a339ab4bb352396875d8a83e996e498b9121a9f8cd679d2efb0c602e52bf35a0f50d2760aa

Filesize: 40KB (listed 2 times)
MD5: 330371c6f21075695bf5919246de2cb3
SHA1: 008a6a8449eaeba412a13b8410b9f47e4ed0106f
SHA256: 1c24fe158fb8614cd405434bec9a6b684e76070bdf8cfc3764f193008a0b422f
SHA512: 947475ec60aeae3c036ef5ba22cd67fc7dd4de3ab6978f60ec64125c76c030ff1c4fcf920d0a1c34912bcd5b8b762a72191586f750ffd77e89745776fcaef8d7

Filesize: 1.4MB (listed 5 times)
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Filesize: 25B (listed 2 times)
MD5: 589b6886a49054d03b739309a1de9fcc
SHA1: 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256: 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512: 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb