6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261

Analysis

max time kernel
152s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Size

20KB
MD5

593fafd60704f67f9d6f4be8f8a52c10
SHA1

69d215cb189028a48dda7aaa4afb32c4ad881eb0
SHA256

6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261
SHA512

614583bba4618b6bfce19070618979df3f6860a404b6c4d5bbe6753f555c049e0d00410572403ee04911daa5048ccdb33a3f5693904861471e4bc4d36c80258f
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBLp:1M3PnQoHDCpHf4I4Qwdc0G5KDJJp

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe

Executes dropped EXE 4 IoCs

pid	Process
3036	winlogon.exe
2708	AE 0124 BE.exe
4216	winlogon.exe
176	winlogon.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Loads dropped DLL 1 IoCs

pid	Process
2708	AE 0124 BE.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\h8514oem.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\vgasysg.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-black.png	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\nb-NO	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Speech\es-ES\DiagPackage.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\couf1257.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\megasas.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\netefe3e.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Device\RS_EnableDevice.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-white_scale-150.png	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\image.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript.Resources\8.0.0.0_it_b03f5f7f11d50a3a\Microsoft.JScript.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Mobile.Resources\2.0.0.0_es_b03f5f7f11d50a3a\System.Web.Mobile.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\81091ae499b2593b4e8a4b012e6a7c1b\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_wceusbs.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Deployment.Resources\2.0.0.0_it_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.IO.Log.Resources\3.0.0.0_es_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Bluetooth\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\Nirmala.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Drawing.Design.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W79a81d80#\66c9c4b757a6c6e5c7c2a2d7a860f698\Microsoft.Windows.Diagnosis.Commands.WriteDiagTelemetry.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\ELS\HyphenationDictionaries\MsHy7en.lex	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\.NET Data Provider for Oracle\0C0A	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_es_b03f5f7f11d50a3a\Microsoft.Build.Utilities.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Outlook.v9.0\9.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\cc60c54c3dde798a43317ec502c0ca47\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\ko-KR\bootmgfw.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\hidirkbd.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Power\TS_USBSelective.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_mediumchanger.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\umpass.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_securitydevices.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\LSM\0000\lagcounterdef.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_es_b03f5f7f11d50a3a\Microsoft.Build.Tasks.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.Utilities.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\4364afb08a160ec916d9ec14a6f5b435	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Speech\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\tr-TR	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_cashdrawer.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\prnms008.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.config	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMDiagnostics.Resources\3.0.0.0_it_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\f11cacda118fe5e85f977a5cbe9b8646	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\sv-SE\bootmgfw.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_multifunction.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\mdmsier.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Core.Resources\3.5.0.0_es_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\7dbb2a0aca626d77ea20c20c40f32e60\Microsoft.GroupPolicy.Reporting.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\pin.svg	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_apo.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.WorkflowServices.Resources\3.5.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\logo.scale-200_altform-unplated.png	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\netimm.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\sisraid4.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\storufs.PNF	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000d7eba3793c3161860cdc8468b4381cd1e843dd31249feb726287ff8551f1ee5c000000000e8000000002000020000000f3ff8836910559956bd7ec94502f007b881aa3bca01781ead07edc85b548f931200000006b81813fbf01c4057abcd398f1f3bc0b49a814685d9acd3e37744f2e348713cb400000001d71db907ea6ca244726fbc50a92378cb3d6116d50f369c3669aa228617650070c2f56874a0a658ff92399f74fd810cf2b9e19586a74ea67419eacde402c8672	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371640849"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "342957856"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30988244"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000025ced13118291ea643bfb0f5b713c8b06a9623a0cb662c1755c9da1dbaef09e0000000000e80000000020000200000000dedeec7a970999f66767061c1a02744264fe6dbc20093bf9e312ee0497a6f04200000007b8bfe585a01613a52579e82ce568c62abb7013303e6182c7ffcbf8172bc29ed4000000033069d50400f783de3e87aeb2d77f75ae6e58f4d70730ba3fd4a7f7f2d1445716b0e09649ea257795fe027ec706134986692a6ba22b09843208558c77a849e8d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0c00329d4d7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "342957856"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40054b34d4d7d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30988244"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{39614115-43C7-11ED-89AC-F6A3911CAFFB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4892	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3596	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
4892	iexplore.exe
4892	iexplore.exe
4844	IEXPLORE.EXE
4844	IEXPLORE.EXE
3036	winlogon.exe
2708	AE 0124 BE.exe
4216	winlogon.exe
176	winlogon.exe
4844	IEXPLORE.EXE
4844	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4892	3596	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	80
PID 3596 wrote to memory of 4892	3596	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	80
PID 4892 wrote to memory of 4844	4892	iexplore.exe	81
PID 4892 wrote to memory of 4844	4892	iexplore.exe	81
PID 4892 wrote to memory of 4844	4892	iexplore.exe	81
PID 3596 wrote to memory of 3036	3596	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	82
PID 3596 wrote to memory of 3036	3596	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	82
PID 3596 wrote to memory of 3036	3596	6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe	82
PID 3036 wrote to memory of 2708	3036	winlogon.exe	84
PID 3036 wrote to memory of 2708	3036	winlogon.exe	84
PID 3036 wrote to memory of 2708	3036	winlogon.exe	84
PID 3036 wrote to memory of 4216	3036	winlogon.exe	86
PID 3036 wrote to memory of 4216	3036	winlogon.exe	86
PID 3036 wrote to memory of 4216	3036	winlogon.exe	86
PID 2708 wrote to memory of 176	2708	AE 0124 BE.exe	87
PID 2708 wrote to memory of 176	2708	AE 0124 BE.exe	87
PID 2708 wrote to memory of 176	2708	AE 0124 BE.exe	87

C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe
"C:\Users\Admin\AppData\Local\Temp\6ee8558fd712abbe3aa55a11d40f13e0a44f580c92339545d6358a9536ada261.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4892 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4844
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:176
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
7a79fc528f652f2c45bb660c26426f88

SHA1
6dcf77cd96bec0d8dbe8a9a78d18640952acc884

SHA256
d2a8b042dd1bf75f647668a56f34e6c8047e67cdb9bb092f9b40ca8dd8227320

SHA512
bb5f4e7a42f7cdc26d3111b7fe5dbf7c52d3bc8c3e03c5136d077ef0022264d920200fe576546a4da292747b209e16ddb7441f0c5da134c0644403b06d2a4289

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
40KB

MD5
7531962914333aa799f10e4cccf1e7ef

SHA1
79fab20289ff5bde3af018ddc2ad11fcd217d293

SHA256
a514fb3c3cce037be76b06544e2b8f1f20ab0ab265c960593ae8d90d07ced868

SHA512
0d4fc55b3c444dcdb49c5b53cb6090f9ca02273d88428afc01bcbafbee79b90ecd3245d36c5b4e49e3a5ffc121824b4f5b3ddda8df733889efbe71fed789d22f

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
d79b4677c74ea52d5db0831671184116

SHA1
f1d52155518c69a8b444c9636973a43ff9e7ff79

SHA256
f2e2d28cc1ead9b6cc983022bd6c3e709ff12d718631f0fc7600bea2594ae3da

SHA512
308034edb736fa37ffb314c7d644ff15740f38079155d30ed4057964c4bef00362c8aad43bd1aa6457623e804ae1a91389cd90766337add5977a82515d53a4b9

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads