6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261

Analysis

max time kernel
152s
max time network
161s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Size

20KB
MD5

593fafd60704f67f9d6f4be8f8a52c10
SHA1

69d215cb189028a48dda7aaa4afb32c4ad881eb0
SHA256

6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261
SHA512

614583bba4618b6bfce19070618979df3f6860a404b6c4d5bbe6753f555c049e0d00410572403ee04911daa5048ccdb33a3f5693904861471e4bc4d36c80258f
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBLp:1M3PnQoHDCpHf4I4Qwdc0G5KDJJp

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe

Executes dropped EXE 4 IoCs

pid	Process
1200	winlogon.exe
988	AE 0124 BE.exe
1476	winlogon.exe
1460	winlogon.exe

Loads dropped DLL 7 IoCs

pid	Process
1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
1200	winlogon.exe
1200	winlogon.exe
988	AE 0124 BE.exe
988	AE 0124 BE.exe
1460	winlogon.exe

Drops desktop.ini file(s) 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\ELS\Transliteration\devanagari-to-latin.nlt	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\beam_r.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\McxTask.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MICROSOFT.VISUALBASIC.COMPATIBILITY.resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml.resources\2.0.0.0_ja_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_es_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.resources\2.0.0.0_it_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\ssef874.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Services.resources\2.0.0.0_fr_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\154860df057d588035a8c66a65ea31e7	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dire573b08f5#	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\DeviceCenter\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\Policy.6.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.6.0.Microsoft.Ink.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\ehvid.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Styles\PAL\Symphony\Symphony\Symphony.psd	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Security.resources\2.0.0.0_fr_b03f5f7f11d50a3a\System.Security.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\4e9468fdc6937145e65c6434787e2fa5	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_ja_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MICROSOFT.VISUALBASIC.COMPATIBILITY.resources\8.0.0.0_es_b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\f68563fb25af65c25de37130ebcd576c\System.Xml.Linq.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Outlook.v9.0\9.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\bb69e031fd35b02403c7c22ea5c8e4d4\System.Data.Linq.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data86569bbf#\98a4068512ff6a2566204bc1e759b0be\System.Data.OracleClient.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Excel.v9.0	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\RS_Unmute.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\GB-wp4.jpg	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\1e1a1bd97e618bc4934ee967bea27ae8\UIAutomationTypes.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74\ComSvcConfig.ni.exe.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsForm0b574481#\501c549eee2d5c10d2ba0f46aba60f47\WindowsFormsIntegration.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\ro-RO_BitLockerToGo.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\wait_r.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SecurityAuditPoliciesSnapIn.resources\6.1.0.0_it_31bf3856ad364e35\SecurityAuditPoliciesSnapIn.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\221fa10bd3cb407e43b7476af5039090\System.ComponentModel.DataAnnotations.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Power\en-US\Power_Troubleshooter.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.Interop	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\es-ES\DiagPackage.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\fr-FR\DiagPackage.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\a415a146afc72f13f691f69a11ab5609\Microsoft.Vsa.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\index\NetworkDiagnostics_1_Web.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Linq.resources\3.5.0.0_it_b77a5c561934e089\System.Data.Linq.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\TS_Transparency.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.OutlookViewCtl.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\3112fe15b1994ff59b169cf7ce997e71\System.Web.Abstractions.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\9a939c85c518e958f158f5d5d75af50e\PresentationFramework-SystemCore.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\17ab5131ab854c98847ad70236435924	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Security.#\84ebf4aede3a599b943b3320ca704911	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\majalla.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\da42912f997fae780054f0c3a6b47fea\Microsoft.GroupPolicy.Reporting.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\140714964f3afbcea38cb33d548c5d3c	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\georgiai.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\zh-HK\bootmgr.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\85s1256.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1e85062785e286cd9eae9c26d2c61f73\System.Data.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\BAUHS93.TTF	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Security.#\53628485c538b7d0bde021e842825dc9	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\angsau.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core	AE 0124 BE.exe
File opened for modification	C:\Windows\es-ES\twain_32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\56a7faf970109dc1dc6b76f643d93c5f	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Search\fr-FR	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371640830"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D104011-43C7-11ED-BD9E-FAB5137186BE} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000bc7c2ab9510c2b97072ddc290ad512114cfd1ea98d3fb7ce4f94fdf2440e3a15000000000e8000000002000020000000c7510f370aa3cd15b7ce9e301b83b77953937d79b9ff6fd40df61339745477809000000091b6f5e81af73727245c0c0bb9c53b42e5e35c002ca647ae841bf3b9af9816a5dfad5072164e48d49f9db3f332eb1ce18d254d4a5484d0c976119f48e49bc7d7cbbb0bd63ae9d179017aec4ec56e92957186ed3f95d7f8ef9a765f2d2989509fb5b9b15aa299b872d8a9976f894cf30df2c3f1b6cfae9b74c187aae2da6240afb912d62cf3b81190be540a057a4e8aaa40000000c199b9c297b903a7065997cd5df0166dd70269a7f5fdfa0f5e9cc31f8fd76a8789c02cc4bd1185872c8408b8dc4aa11c765973f85b87f8185c1c71f80c754d58	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062e6ef0d45f4454ab79548c962d74cdf00000000020000000000106600000001000020000000e86cc1f515ec12469e2260d9cf01a0a5cd7d87c8510b3f7ea033829e9f850e20000000000e8000000002000020000000dfccda374f6859b6a00549a8ed1f8268c09e4c45e3bd862cdc559caa00df97172000000047c036fd6505049e36006a432dd9d274310f97100bf6c703d4635a9aa624e953400000000c2b35ebc0c337fc35caaea623159c4dc0a7889f8cb975c9d0c24b250eadd7079d5e27cfce06ace9e74a181a940354655b643ab05a671da343faf9d74d37e1a7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f05cea23d4d7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1076	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
1076	iexplore.exe
1076	iexplore.exe
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE
1200	winlogon.exe
988	AE 0124 BE.exe
1464	IEXPLORE.EXE
1464	IEXPLORE.EXE
1460	winlogon.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1076	1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	27
PID 1104 wrote to memory of 1076	1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	27
PID 1104 wrote to memory of 1076	1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	27
PID 1104 wrote to memory of 1076	1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	27
PID 1076 wrote to memory of 1464	1076	iexplore.exe	29
PID 1076 wrote to memory of 1464	1076	iexplore.exe	29
PID 1076 wrote to memory of 1464	1076	iexplore.exe	29
PID 1076 wrote to memory of 1464	1076	iexplore.exe	29
PID 1104 wrote to memory of 1200	1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	30
PID 1104 wrote to memory of 1200	1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	30
PID 1104 wrote to memory of 1200	1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	30
PID 1104 wrote to memory of 1200	1104	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	30
PID 1200 wrote to memory of 988	1200	winlogon.exe	31
PID 1200 wrote to memory of 988	1200	winlogon.exe	31
PID 1200 wrote to memory of 988	1200	winlogon.exe	31
PID 1200 wrote to memory of 988	1200	winlogon.exe	31
PID 1200 wrote to memory of 1476	1200	winlogon.exe	33
PID 1200 wrote to memory of 1476	1200	winlogon.exe	33
PID 1200 wrote to memory of 1476	1200	winlogon.exe	33
PID 1200 wrote to memory of 1476	1200	winlogon.exe	33
PID 988 wrote to memory of 1460	988	AE 0124 BE.exe	32
PID 988 wrote to memory of 1460	988	AE 0124 BE.exe	32
PID 988 wrote to memory of 1460	988	AE 0124 BE.exe	32
PID 988 wrote to memory of 1460	988	AE 0124 BE.exe	32

C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
"C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1076 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1464
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1460
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Executes dropped EXE
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0DZN8DMG.txt

Filesize
596B

MD5
3268bca31f4b7018386b8305467b8896

SHA1
7ba5368471f8b2af27443fb5005dadc90f9e385c

SHA256
313d875b67989f8ffe7c335775b473c4f14b5a2d280dfbad295afa7dc8d0a4bb

SHA512
d9bec1460722748928ec13b56b9ee68540b0c3eeecbebb6898818a642780fc50227e04c0f5fe93fa938b903f08b261d0209514bf5816134e178429127c61d973

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
7a79fc528f652f2c45bb660c26426f88

SHA1
6dcf77cd96bec0d8dbe8a9a78d18640952acc884

SHA256
d2a8b042dd1bf75f647668a56f34e6c8047e67cdb9bb092f9b40ca8dd8227320

SHA512
bb5f4e7a42f7cdc26d3111b7fe5dbf7c52d3bc8c3e03c5136d077ef0022264d920200fe576546a4da292747b209e16ddb7441f0c5da134c0644403b06d2a4289

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
memory/1104-56-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads