Analysis
max time kernel: 162s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 22:14
Static task: static1
Behavioral task: behavioral1
  Sample: 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe
  Resource: win10v2004-20220812-en
General
Target: 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe
Size: 20KB
MD5: 6d48427fb1c409ef55c6998a85b1a7f0
SHA1: 00cc5a6aa742b992be2754d44d60b09d3941a279
SHA256: 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541
SHA512: b87a76b981765cb17c8f2fde05c2ed02117daa28b21065efe5127e43c1fd47cbf2b9b6bc913d94d8d6e7b2ffcd4c16b3cf9df6fae67cb60eb602c86fd9e17066
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBJUv:1M3PnQoHDCpHf4I4Qwdc0G5KDJG
Malware Config
Signatures

Drops file in Drivers directory 6 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
- File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe
- File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
- File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
- File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
- File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe

Executes dropped EXE 4 IoCs
pid | Process
- 1580 | winlogon.exe
- 4844 | AE 0124 BE.exe
- 4832 | winlogon.exe
- 2424 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | winlogon.exe

Loads dropped DLL 3 IoCs
pid | Process
- 4844 | AE 0124 BE.exe
- 4832 | winlogon.exe
- 2424 | winlogon.exe

Drops desktop.ini file(s) 3 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
- File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
- File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
- File opened for modification | \??\I:\Autorun.inf | winlogon.exe
- File opened for modification | \??\N:\Autorun.inf | winlogon.exe
- File opened for modification | \??\W:\Autorun.inf | winlogon.exe
- File opened for modification | \??\R:\Autorun.inf | winlogon.exe
- File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
- File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
- File opened for modification | \??\X:\Autorun.inf | winlogon.exe
- File opened for modification | \??\J:\Autorun.inf | winlogon.exe
- File opened for modification | \??\O:\Autorun.inf | winlogon.exe
- File opened for modification | D:\Autorun.inf | winlogon.exe
- File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
- File opened for modification | \??\P:\Autorun.inf | winlogon.exe
- File opened for modification | \??\S:\Autorun.inf | winlogon.exe
- File opened for modification | \??\B:\Autorun.inf | winlogon.exe
- File opened for modification | \??\H:\Autorun.inf | winlogon.exe
- File opened for modification | \??\T:\Autorun.inf | winlogon.exe
- File opened for modification | C:\Autorun.inf | winlogon.exe
- File opened for modification | \??\M:\Autorun.inf | winlogon.exe
- File opened for modification | \??\F:\Autorun.inf | winlogon.exe
- File opened for modification | \??\G:\Autorun.inf | winlogon.exe
- File opened for modification | \??\K:\Autorun.inf | winlogon.exe
- File opened for modification | \??\L:\Autorun.inf | winlogon.exe
- File opened for modification | \??\U:\Autorun.inf | winlogon.exe
- File opened for modification | \??\V:\Autorun.inf | winlogon.exe
- File opened for modification | \??\A:\Autorun.inf | winlogon.exe
- File opened for modification | \??\E:\Autorun.inf | winlogon.exe
- File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe

Drops file in Windows directory 64 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\INF\iaLPSS2i_GPIO2_GLK.PNF | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.resources\v4.0_4.0.0.0_it_b77a5c561934e089 | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.comments | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Xml.Linq.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\REFSPCL.TTF | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35 | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.FileSystem.Watcher.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\timesi.ttf | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\Video\TS_Main.ps1 | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35 | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\1031\cscompui.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe.config | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizardFinish.ascx | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr\System.Web.Services.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\pt-PT_BitLockerToGo.exe.mui | AE 0124 BE.exe
- File opened for modification | C:\Windows\Logs\Telephony | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ES\System.Configuration.Install.Resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\error.aspx.de.resx | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Runtime.WindowsRuntime.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\ega40866.fon | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\Apps | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\Search\fr-FR\DiagPackage.dll.mui | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\comicbd.ttf | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\heat.inf | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\iaLPSS2i_I2C_SKL.PNF | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\input.PNF | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Activities | AE 0124 BE.exe
- File opened for modification | C:\Windows\Boot\PCAT\qps-ploc | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web_minimaltrust.config | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.ServiceProcess.Resources\2.0.0.0_es_b03f5f7f11d50a3a\System.ServiceProcess.Resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\84e4d3dd82c2ffe753a12b426fa9eab0\MIGUIControls.ni.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Installer\SourceHash{B175520C-86A2-35A7-8619-86DC379688B9} | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\security0.aspx.it.resx | AE 0124 BE.exe
- File opened for modification | C:\Windows\appcompat\Programs\Amcache.hve | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Outlook.v9.0\9.0.0.0__b03f5f7f11d50a3a | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_fr_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\445e1976593e6b3b2072e606af9be0ae | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\4364afb08a160ec916d9ec14a6f5b435 | AE 0124 BE.exe
- File opened for modification | C:\Windows\Help\mui\0407\sqlsoldb.chm | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\editUser.aspx | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0 | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security | AE 0124 BE.exe
- File opened for modification | C:\Windows\Media\Focus0_48000Hz.raw | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\System.AddIn.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\it\Microsoft.Data.Entity.Build.Tasks.Resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Workflow.Activities.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\DeviceCenter\ja-JP | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\DeviceCenter | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\Networking\es-ES\DiagPackage.dll.mui | AE 0124 BE.exe
- File opened for modification | C:\Windows\Logs\NetSetup\service.0.etl | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\_ServiceModelOperationPerfCounters.reg | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\ja\SqlWorkflowInstanceStoreSchema.sql | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Data.Resources\2.0.0.0_ja_b77a5c561934e089\System.Data.Resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_es_b03f5f7f11d50a3a | AE 0124 BE.exe
- File opened for modification | C:\Windows\Boot\EFI\uk-UA\bootmgfw.efi.mui | AE 0124 BE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "553585154" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988000" | IEXPLORE.EXE
- Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000154e3b462bda32ec58917378d6d2d4fbde6ae6d04e26d3bbb4c289b09c396b1c000000000e80000000020000200000001a3ab68e8ea496adac1c7071ae88584c50c773adf4afb632b94db36094ac9f1c200000003d809ca1f1f8d3f1fa78738dd8895eb23e9d3bf8f8a67d167b8beb0bc33b157440000000c4858b1ed52ffe052342d576129081f3bbde18d9ac010cf7f6157bb6631470754dd72dd3f552e6b8c29830d4ffb8a6f687fe1d7b5a4b040ee18d68d1fcc21fdb | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4C388109-42D3-11ED-89AC-D2D0017C8629} = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "579522817" | IEXPLORE.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000071a591502aa80e002cc25e98729c07312cacd9cbb0c77b4d93e9dc4514707551000000000e8000000002000020000000cbb3a3bb32c3d9f3a867e7f5f2a7754a2b8ce12ff3a24fcef2887b1eddb3032b2000000086c46045ae846a84d0760fe0377e78f7c294ef78fdb99e6e6498e2f954b91e4b40000000b3aff2e92069d6a9535e4bf295dd841a24d350504b1851e5083879d9304de9265998de3ac96ab3726930a80a0e8d631bd53b8d46c5522e0332b572bdea7b9a9e | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "553585154" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988000" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988000" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4006c422e0d6d801 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371536056" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 005e4223e0d6d801 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Modifies registry class 4 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
- 3200 | iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
- 4956 | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe
- 3200 | iexplore.exe
- 3200 | iexplore.exe
- 1580 | winlogon.exe
- 4844 | AE 0124 BE.exe
- 4512 | IEXPLORE.EXE
- 4512 | IEXPLORE.EXE
- 4832 | winlogon.exe
- 2424 | winlogon.exe
- 4512 | IEXPLORE.EXE
- 4512 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
- PID 4956 wrote to memory of 3200 | 4956 | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe | 82
- PID 4956 wrote to memory of 3200 | 4956 | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe | 82
- PID 3200 wrote to memory of 4512 | 3200 | iexplore.exe | 83
- PID 3200 wrote to memory of 4512 | 3200 | iexplore.exe | 83
- PID 3200 wrote to memory of 4512 | 3200 | iexplore.exe | 83
- PID 4956 wrote to memory of 1580 | 4956 | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe | 84
- PID 4956 wrote to memory of 1580 | 4956 | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe | 84
- PID 4956 wrote to memory of 1580 | 4956 | 7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe | 84
- PID 1580 wrote to memory of 4844 | 1580 | winlogon.exe | 85
- PID 1580 wrote to memory of 4844 | 1580 | winlogon.exe | 85
- PID 1580 wrote to memory of 4844 | 1580 | winlogon.exe | 85
- PID 1580 wrote to memory of 4832 | 1580 | winlogon.exe | 86
- PID 1580 wrote to memory of 4832 | 1580 | winlogon.exe | 86
- PID 1580 wrote to memory of 4832 | 1580 | winlogon.exe | 86
- PID 4844 wrote to memory of 2424 | 4844 | AE 0124 BE.exe | 87
- PID 4844 wrote to memory of 2424 | 4844 | AE 0124 BE.exe | 87
- PID 4844 wrote to memory of 2424 | 4844 | AE 0124 BE.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7c657331556aeb226567989c3dcb31f343fbf13629ac5eb9965c4384683f8541.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4956

  C:\Program Files\Internet Explorer\iexplore.exe (depth 2)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3200

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3200 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID: 4512

  C:\Windows\SysWOW64\drivers\winlogon.exe (depth 2)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1580

    C:\Windows\AE 0124 BE.exe (depth 3)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4844

      C:\Windows\SysWOW64\drivers\winlogon.exe (depth 4)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID: 2424

    C:\Windows\SysWOW64\drivers\winlogon.exe (depth 3)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 4832
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: fd70739fca5345a28f924f9102ae10ee
  SHA1: 6ce3f92183544f3bf52cb76364591589cb940a19
  SHA256: f238404cc643efddef8ff430f128cdc8ec1513969eaac24b5e5bce81248a91e7
  SHA512: a787d3a2bceeaed2f2a29f357df6ae17d5b9f66a3c561550d5f83c308ad26a1ddf876488151ff5e51ce93bfb9d0c7b8ca812d595e8d3ebdda7d805707ac1b278

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 0e57c1b97945e7377c45145cbf656420
  SHA1: 0ac26308353c9d13bb8fac6c8382a5c788a941b0
  SHA256: 74a8d30b8875e67c75f4a514c5f4eb74a8ad9c07868dc8b57e75daff4a82d530
  SHA512: 49d68c223932dd0d58e9e2d58708c7a4146daa315db959adfe84f66e6dcd4aafeb64912862dd12fd958170eff5e6e02873929bbd933899bb3dd6750e28d9183c

- Filesize: 40KB
  MD5: 13a5065c1debaf8cad4cd679f0a15c04
  SHA1: 07d8194a203684508423317d50b3dd11ce293524
  SHA256: 21dd9f003d9e7a6fc8cab1895335fd8544b6e71a65d0b21390c5472640593b35
  SHA512: 19d2fc4dcdb4014f3be616c5c8d445c64d263cee3f53d906da55553397d7c4ea1ec1f7367e7847a9f5b85c171308ff663a0719b9c68e498ee83c564be0b5f02b

- Filesize: 20KB
  MD5: cc462d81762cb3d3ce3578f799e310b3
  SHA1: 70397dbfb8f95458e5c8cf0e1fbfe77fe900d9fa
  SHA256: 0ae758990a8843c96ed3a943604db84e919f4f7e5290c68767606574f8fa9fe2
  SHA512: a2b47ecdd5e8c1742f73afdb5a92a0144c8de66203ae528f09a78906f168edc5d4ea5735d5ee342389428d59e6f87e29886df216e706936c094cefcc9a3420e1

- Filesize: 40KB
  MD5: dd74ec71061a4ceb3675499bda1b27ac
  SHA1: 20a29eafe445578b6d8f487793c3a2ba04647908
  SHA256: 8c44741a094b44267adaa2d6f2031861965a6972513ecb92fd872b6def103059
  SHA512: 93b4037125586cd03a19c4c27762cb90fca98d4b18329a56305187d2cfbc3c05e7c63e352729c61ac04c13d8a03aa58371637bf32d176e71582b58e09483f612

- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

- Filesize: 25B
  MD5: 589b6886a49054d03b739309a1de9fcc
  SHA1: 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
  SHA256: 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
  SHA512: 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb