Analysis
max time kernel: 110s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 22:13
Static task: static1
Behavioral task: behavioral1
Sample: ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe
Resource: win10v2004-20220901-en
General
Target: ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe
Size: 20KB
MD5: 41770ff94a5d9c00c2cc4ad9a965a8e0
SHA1: 8a6a8c6c9c5673563eab9b3c5f0ce2611bbcea60
SHA256: ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a
SHA512: 0ef635f7f076cc135642b21e01dcfe75c7679c607b091f9191d9b8d85d22b2f6a6e790cc0e4526985fd40c108215148cb5f883a4c107191eaf254b87f630fdf5
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBpI5:1M3PnQoHDCpHf4I4Qwdc0G5KDJ6
Malware Config
Signatures
-
Drops file in Drivers directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
-
Executes dropped EXE 4 IoCs
pid | Process
1920 | winlogon.exe
1328 | AE 0124 BE.exe
4228 | winlogon.exe
3528 | winlogon.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
-
Loads dropped DLL 2 IoCs
pid | Process
1328 | AE 0124 BE.exe
3528 | winlogon.exe
-
Drops desktop.ini file(s) 26 IoCs
-
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
220 iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process
3148 ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe
220 iexplore.exe
220 iexplore.exe
1920 winlogon.exe
2408 IEXPLORE.EXE
2408 IEXPLORE.EXE
1328 AE 0124 BE.exe
3528 winlogon.exe
2408 IEXPLORE.EXE
2408 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 3148 wrote to memory of 220 3148 ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe 85
PID 3148 wrote to memory of 220 3148 ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe 85
PID 220 wrote to memory of 2408 220 iexplore.exe 86
PID 220 wrote to memory of 2408 220 iexplore.exe 86
PID 220 wrote to memory of 2408 220 iexplore.exe 86
PID 3148 wrote to memory of 1920 3148 ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe 87
PID 3148 wrote to memory of 1920 3148 ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe 87
PID 3148 wrote to memory of 1920 3148 ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe 87
PID 1920 wrote to memory of 1328 1920 winlogon.exe 88
PID 1920 wrote to memory of 1328 1920 winlogon.exe 88
PID 1920 wrote to memory of 1328 1920 winlogon.exe 88
PID 1920 wrote to memory of 4228 1920 winlogon.exe 90
PID 1920 wrote to memory of 4228 1920 winlogon.exe 90
PID 1920 wrote to memory of 4228 1920 winlogon.exe 90
PID 1328 wrote to memory of 3528 1328 AE 0124 BE.exe 92
PID 1328 wrote to memory of 3528 1328 AE 0124 BE.exe 92
PID 1328 wrote to memory of 3528 1328 AE 0124 BE.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe"C:\Users\Admin\AppData\Local\Temp\ecfdb716ee335d2b8cb80666659401fbde28b29d571fee0c89fb80e6d030189a.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:220 CREDAT:17410 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2408
-
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\AE 0124 BE.exe"C:\Windows\AE 0124 BE.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3528
-
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe"C:\Windows\System32\drivers\winlogon.exe"3⤵
- Executes dropped EXE
PID:4228
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads