Analysis
max time kernel: 152s
max time network: 182s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 03/10/2022, 22:09
Static task: static1
Behavioral task: behavioral1
  Sample: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
  Resource: win10v2004-20220812-en
General
Target: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Size: 20KB
MD5: 593fafd60704f67f9d6f4be8f8a52c10
SHA1: 69d215cb189028a48dda7aaa4afb32c4ad881eb0
SHA256: 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261
SHA512: 614583bba4618b6bfce19070618979df3f6860a404b6c4d5bbe6753f555c049e0d00410572403ee04911daa5048ccdb33a3f5693904861471e4bc4d36c80258f
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBLp:1M3PnQoHDCpHf4I4Qwdc0G5KDJJp
Malware Config
Signatures
Drops file in Drivers directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe

Executes dropped EXE 4 IoCs
pid | Process
3036 | winlogon.exe
2708 | AE 0124 BE.exe
4216 | winlogon.exe
176 | winlogon.exe

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe

Loads dropped DLL 1 IoCs
pid | Process
2708 | AE 0124 BE.exe

Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe

Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe

Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4892 | iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
3596 | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
4892 | iexplore.exe
4892 | iexplore.exe
4844 | IEXPLORE.EXE
4844 | IEXPLORE.EXE
3036 | winlogon.exe
2708 | AE 0124 BE.exe
4216 | winlogon.exe
176 | winlogon.exe
4844 | IEXPLORE.EXE
4844 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3596 wrote to memory of 4892 | 3596 | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe | 80
PID 3596 wrote to memory of 4892 | 3596 | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe | 80
PID 4892 wrote to memory of 4844 | 4892 | iexplore.exe | 81
PID 4892 wrote to memory of 4844 | 4892 | iexplore.exe | 81
PID 4892 wrote to memory of 4844 | 4892 | iexplore.exe | 81
PID 3596 wrote to memory of 3036 | 3596 | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe | 82
PID 3596 wrote to memory of 3036 | 3596 | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe | 82
PID 3596 wrote to memory of 3036 | 3596 | 6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe | 82
PID 3036 wrote to memory of 2708 | 3036 | winlogon.exe | 84
PID 3036 wrote to memory of 2708 | 3036 | winlogon.exe | 84
PID 3036 wrote to memory of 2708 | 3036 | winlogon.exe | 84
PID 3036 wrote to memory of 4216 | 3036 | winlogon.exe | 86
PID 3036 wrote to memory of 4216 | 3036 | winlogon.exe | 86
PID 3036 wrote to memory of 4216 | 3036 | winlogon.exe | 86
PID 2708 wrote to memory of 176 | 2708 | AE 0124 BE.exe | 87
PID 2708 wrote to memory of 176 | 2708 | AE 0124 BE.exe | 87
PID 2708 wrote to memory of 176 | 2708 | AE 0124 BE.exe | 87

Processes
C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe"
  PID: 3596
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    PID: 4892
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4892 CREDAT:17410 /prefetch:2
      PID: 4844
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 3036
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID: 2708
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 176
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 4216
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx