Analysis
max time kernel: 151s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 07:24

Static task: static1

Behavioral task: behavioral1
  Sample: d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe
  Resource: win10v2004-20220901-en

General
Target: d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe
Size: 848KB
MD5: 52d009a4dc46ae879f8e500b08a30f90
SHA1: 71bd383b26aae011dc8d9eb42cbe26ed215b030a
SHA256: d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438
SHA512: 5d8f511284635bb4ed95607be69dd204027206e2309432c6c7b52cb6534f208620081cd211ee947c39b26312e29b0fa9e59ed1d8a19de4e96fee25220deae3a0
SSDEEP: 12288:BK1+GfT2VnGErym0y28Kw99N83rsy37r359zA0Pubifcr2+dEDRd:BK1+QSVnGkyF8b18XfHzA0Pub6crMDT
Malware Config
Signatures
Drops file in Drivers directory 17 IoCs
Executes dropped EXE 4 IoCs
pid | Process
3828 | winlogon.exe
2668 | AE 0124 BE.exe
4952 | winlogon.exe
1816 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Loads dropped DLL 5 IoCs
pid | Process
2668 | AE 0124 BE.exe
4952 | winlogon.exe
1816 | winlogon.exe
2660 | MsiExec.exe
2660 | MsiExec.exe
Drops desktop.ini file(s) 30 IoCs
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Suspicious use of AdjustPrivilegeToken 51 IoCs
description | pid | Process
- Token: SeShutdownPrivilege (4704, msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (4704, msiexec.exe)
- Token: SeSecurityPrivilege (3792, msiexec.exe)
- Token: SeCreateTokenPrivilege (4704, msiexec.exe)
- Token: SeAssignPrimaryTokenPrivilege (4704, msiexec.exe)
- Token: SeLockMemoryPrivilege (4704, msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (4704, msiexec.exe)
- Token: SeMachineAccountPrivilege (4704, msiexec.exe)
- Token: SeTcbPrivilege (4704, msiexec.exe)
- Token: SeSecurityPrivilege (4704, msiexec.exe)
- Token: SeTakeOwnershipPrivilege (4704, msiexec.exe)
- Token: SeLoadDriverPrivilege (4704, msiexec.exe)
- Token: SeSystemProfilePrivilege (4704, msiexec.exe)
- Token: SeSystemtimePrivilege (4704, msiexec.exe)
- Token: SeProfSingleProcessPrivilege (4704, msiexec.exe)
- Token: SeIncBasePriorityPrivilege (4704, msiexec.exe)
- Token: SeCreatePagefilePrivilege (4704, msiexec.exe)
- Token: SeCreatePermanentPrivilege (4704, msiexec.exe)
- Token: SeBackupPrivilege (4704, msiexec.exe)
- Token: SeRestorePrivilege (4704, msiexec.exe)
- Token: SeShutdownPrivilege (4704, msiexec.exe)
- Token: SeDebugPrivilege (4704, msiexec.exe)
- Token: SeAuditPrivilege (4704, msiexec.exe)
- Token: SeSystemEnvironmentPrivilege (4704, msiexec.exe)
- Token: SeChangeNotifyPrivilege (4704, msiexec.exe)
- Token: SeRemoteShutdownPrivilege (4704, msiexec.exe)
- Token: SeUndockPrivilege (4704, msiexec.exe)
- Token: SeSyncAgentPrivilege (4704, msiexec.exe)
- Token: SeEnableDelegationPrivilege (4704, msiexec.exe)
- Token: SeManageVolumePrivilege (4704, msiexec.exe)
- Token: SeImpersonatePrivilege (4704, msiexec.exe)
- Token: SeCreateGlobalPrivilege (4704, msiexec.exe)
- Token: SeBackupPrivilege (552, vssvc.exe)
- Token: SeRestorePrivilege (552, vssvc.exe)
- Token: SeAuditPrivilege (552, vssvc.exe)
- Token: SeBackupPrivilege (3792, msiexec.exe)
- Token: SeRestorePrivilege (3792, msiexec.exe)
- Token: SeRestorePrivilege (3792, msiexec.exe)
- Token: SeTakeOwnershipPrivilege (3792, msiexec.exe)
- Token: SeRestorePrivilege (3792, msiexec.exe)
- Token: SeTakeOwnershipPrivilege (3792, msiexec.exe)
- Token: SeRestorePrivilege (3792, msiexec.exe)
- Token: SeTakeOwnershipPrivilege (3792, msiexec.exe)
- Token: SeBackupPrivilege (2568, srtasks.exe)
- Token: SeRestorePrivilege (2568, srtasks.exe)
- Token: SeSecurityPrivilege (2568, srtasks.exe)
- Token: SeTakeOwnershipPrivilege (2568, srtasks.exe)
- Token: SeBackupPrivilege (2568, srtasks.exe)
- Token: SeRestorePrivilege (2568, srtasks.exe)
- Token: SeSecurityPrivilege (2568, srtasks.exe)
- Token: SeTakeOwnershipPrivilege (2568, srtasks.exe)
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4704 msiexec.exe 4704 msiexec.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 1760 d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe 3828 winlogon.exe 2668 AE 0124 BE.exe 4952 winlogon.exe 1816 winlogon.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
- PID 1760 wrote to memory of 4704 (d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe, target 85)
- PID 1760 wrote to memory of 4704 (d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe, target 85)
- PID 1760 wrote to memory of 4704 (d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe, target 85)
- PID 1760 wrote to memory of 3828 (d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe, target 88)
- PID 1760 wrote to memory of 3828 (d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe, target 88)
- PID 1760 wrote to memory of 3828 (d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe, target 88)
- PID 3828 wrote to memory of 2668 (winlogon.exe, target 89)
- PID 3828 wrote to memory of 2668 (winlogon.exe, target 89)
- PID 3828 wrote to memory of 2668 (winlogon.exe, target 89)
- PID 3828 wrote to memory of 4952 (winlogon.exe, target 92)
- PID 3828 wrote to memory of 4952 (winlogon.exe, target 92)
- PID 3828 wrote to memory of 4952 (winlogon.exe, target 92)
- PID 2668 wrote to memory of 1816 (AE 0124 BE.exe, target 93)
- PID 2668 wrote to memory of 1816 (AE 0124 BE.exe, target 93)
- PID 2668 wrote to memory of 1816 (AE 0124 BE.exe, target 93)
- PID 3792 wrote to memory of 2568 (msiexec.exe, target 96)
- PID 3792 wrote to memory of 2568 (msiexec.exe, target 96)
- PID 3792 wrote to memory of 2660 (msiexec.exe, target 99)
- PID 3792 wrote to memory of 2660 (msiexec.exe, target 99)
- PID 3792 wrote to memory of 2660 (msiexec.exe, target 99)
Processes
- C:\Users\Admin\AppData\Local\Temp\d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d08c7efe781c31aa5a077846f879e288da503010ea536533e062f0fd22075438.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1760
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 4704
  - C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3828
    - C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2668
      - C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID: 1816
    - C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 4952
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3792
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID: 2568
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3EC20487F8E982287C596460B09E9E71
    - Loads dropped DLL
    PID: 2660
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 552
Network
MITRE ATT&CK Enterprise v6
Downloads