Analysis
max time kernel: 151s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/10/2022, 06:50
Static task: static1
Behavioral task: behavioral1
  Sample: e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe
  Resource: win10v2004-20220901-en
General
Target: e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe
Size: 67KB
MD5: 6eddc720e728994991c2fd59d4286760
SHA1: 723ffedcfd5c2e92426adb3740d1df4925d3d45b
SHA256: e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce
SHA512: 46fae0760e6b68c86f5ef4a5db01b8e64b0cd2b99f4e19f8d84b2b8816337c87c8302399a9066608fe7b24fe930e93aacda7c59459f0ef3e57eb37fdc698da46
SSDEEP: 1536:sr+Fum5LMI+WTJjcsnXMcpm/zOxJXKJetu:sr+Fu2II+HiXMcI/AKJetu
Malware Config
Signatures
Drops file in Drivers directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
3264 | winlogon.exe
4084 | AE 0124 BE.exe
1144 | winlogon.exe
2372 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Loads dropped DLL 3 IoCs
pid | Process
4084 | AE 0124 BE.exe
1144 | winlogon.exe
2372 | winlogon.exe
Drops desktop.ini file(s) 28 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1016 | e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe
3264 | winlogon.exe
4084 | AE 0124 BE.exe
1144 | winlogon.exe
2372 | winlogon.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1016 wrote to memory of 3264 | 1016 | e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe | 84
PID 1016 wrote to memory of 3264 | 1016 | e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe | 84
PID 1016 wrote to memory of 3264 | 1016 | e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe | 84
PID 3264 wrote to memory of 4084 | 3264 | winlogon.exe | 85
PID 3264 wrote to memory of 4084 | 3264 | winlogon.exe | 85
PID 3264 wrote to memory of 4084 | 3264 | winlogon.exe | 85
PID 3264 wrote to memory of 1144 | 3264 | winlogon.exe | 86
PID 3264 wrote to memory of 1144 | 3264 | winlogon.exe | 86
PID 3264 wrote to memory of 1144 | 3264 | winlogon.exe | 86
PID 4084 wrote to memory of 2372 | 4084 | AE 0124 BE.exe | 87
PID 4084 wrote to memory of 2372 | 4084 | AE 0124 BE.exe | 87
PID 4084 wrote to memory of 2372 | 4084 | AE 0124 BE.exe | 87
Processes
Process tree (depth shown by indentation; path, then command line, then PID and triggered signatures)

1. C:\Users\Admin\AppData\Local\Temp\e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e6b6edeaf9b53a6acae9b1814961b48a95e865d93d157738f5e248ad529225ce.exe"
   PID: 1016
   - Drops file in Drivers directory
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 3264
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks computer location settings
      - Drops autorun.inf file
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\AE 0124 BE.exe
         Command line: "C:\Windows\AE 0124 BE.exe"
         PID: 4084
         - Drops file in Drivers directory
         - Executes dropped EXE
         - Checks computer location settings
         - Loads dropped DLL
         - Drops desktop.ini file(s)
         - Drops autorun.inf file
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Modifies registry class
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\drivers\winlogon.exe
            Command line: "C:\Windows\System32\drivers\winlogon.exe"
            PID: 2372
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx

      3. C:\Windows\SysWOW64\drivers\winlogon.exe
         Command line: "C:\Windows\System32\drivers\winlogon.exe"
         PID: 1144
         - Drops file in Drivers directory
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads