3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91

Analysis

max time kernel
190s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe
Size

21KB
MD5

625de60aafa37f5cd38ac40641d47be0
SHA1

8fe57fc509103549ab5daafe193037264d3f76a9
SHA256

3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91
SHA512

ae30a8115f335aef3387f85e1bfcdd02481626c6ebc689b5b40e615c851abd4bcf96bbfb301393eb2489133acd454ec852085191244dd9c5bf3114e13ffdd32a
SSDEEP

384:1M3PnQoHDCpHf4I4Qwdc0G5KDJfYurhn/p:1m/QojCpHfx0gon/p

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe

Executes dropped EXE 4 IoCs

pid	Process
3424	winlogon.exe
3828	AE 0124 BE.exe
3916	winlogon.exe
1184	winlogon.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Loads dropped DLL 3 IoCs

pid	Process
3828	AE 0124 BE.exe
3916	winlogon.exe
1184	winlogon.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\AspNetMMCExt	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions.Design.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\pl-PL_BitLockerToGo.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\de-DE\bootmgfw.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\f615f628433cab34a98f99334931a2a3\SrpUxSnapIn.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\fr-FR\bootmgr.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Printing\3.0.0.0__31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Services.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.Services.Client.Resources\3.5.0.0_fr_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders.Resources\3.0.0.0_de_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources\2.0.0.0_es_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Security.Resources\2.0.0.0_fr_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Abstractions.Resources\3.5.0.0_fr_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WindowsBase.Resources\3.0.0.0_es_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\62d027db4e48b2e35ce8272c55ed780e\MMCEx.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Services.Resources\2.0.0.0_es_b03f5f7f11d50a3a\System.Web.Services.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Services.Resources\2.0.0.0_it_b03f5f7f11d50a3a\System.Web.Services.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Runtime.v10.0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationUI\3.0.0.0__31bf3856ad364e35\PresentationUI.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Printing.Resources\3.0.0.0_it_31bf3856ad364e35\System.Printing.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\83a3b8af1eee54050fa565ab6fc8e5d9	AE 0124 BE.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\zh-CN_BitLockerToGo.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Extensions.Design.Resources\3.5.0.0_ja_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.config	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Common.v9.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript.Resources\8.0.0.0_fr_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c\Policy.12.0.office.config	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\6d056f3fff70a663755a1120dd61d6e3\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\ko-KR	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Install.Resources\3.0.0.0_fr_b77a5c561934e089\System.ServiceModel.Install.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ab4e1169d06499b26dcd454f8e05b3a6	AE 0124 BE.exe
File opened for modification	C:\Windows\Branding	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Excel	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Graph\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Graph.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Install.Resources\3.0.0.0_it_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\pt-BR_BitLockerToGo.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W79a81d80#	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\687a0140ccc03a6ccf55dc3b9cb08148\Microsoft.PowerShell.Security.Activities.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml.Resources\2.0.0.0_de_b77a5c561934e089\system.data.sqlxml.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Entity.Resources\3.5.0.0_es_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\DiagTrack	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.PowerPoint	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Design	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders.Resources\3.0.0.0_de_31bf3856ad364e35\UIAutomationClientsideProviders.resources.dll	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989622"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372232804"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b4355e36ddd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8098B786-4929-11ED-B696-F22D08015D11} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1547617750"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989622"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1547617750"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b14216000000000200000000001066000000010000200000004101b0fb57fb4dcaf5b2273c81383e37fd6c26b93718568f0a36b3d776562e35000000000e8000000002000020000000d1970d66840559c2de274e8748ccc810e241369c285eac1f25191fdd66d275c9200000003f2f4a0084c6dab6aca7cbd3fa069dbfbdd9e5da3ce48956943cd97b9949241a40000000a2be8fd88a77a0b92c26f4dc396958d220f345a17bad86f2e9018fe82c9ec610b7902cbf2c29012ad8d2258b81f24e6bf85e37fd37f107373e303dd9351eac68	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e2728ad8693e804caf0ad2c227b1421600000000020000000000106600000001000020000000cba73cb2d3fab67c06c212d3027db0c0e7b90ea5dc5683c27700a7929421096d000000000e8000000002000020000000156a4482944fa92ff1d6366bce20f516f2dc6ce2b9204d247098d23e31755d1220000000f9daaf43dab84df152e723ca05114166d204b0cf7c8d4d379e716f2e5190f13040000000b30184285891e91d44fe99b596f6b947f69cca939a3dc1c641b299804debd8de47ed783cfabd8d812f6be369c4db00cf5d487a0015f4e3f565c6bd4acd234d6d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2050855d36ddd801	iexplore.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4924	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5016	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe
4924	iexplore.exe
4924	iexplore.exe
3424	winlogon.exe
3828	AE 0124 BE.exe
3916	winlogon.exe
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE
1184	winlogon.exe
3172	IEXPLORE.EXE
3172	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4924	5016	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe	81
PID 5016 wrote to memory of 4924	5016	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe	81
PID 4924 wrote to memory of 3172	4924	iexplore.exe	82
PID 4924 wrote to memory of 3172	4924	iexplore.exe	82
PID 4924 wrote to memory of 3172	4924	iexplore.exe	82
PID 5016 wrote to memory of 3424	5016	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe	83
PID 5016 wrote to memory of 3424	5016	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe	83
PID 5016 wrote to memory of 3424	5016	3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe	83
PID 3424 wrote to memory of 3828	3424	winlogon.exe	84
PID 3424 wrote to memory of 3828	3424	winlogon.exe	84
PID 3424 wrote to memory of 3828	3424	winlogon.exe	84
PID 3424 wrote to memory of 3916	3424	winlogon.exe	85
PID 3424 wrote to memory of 3916	3424	winlogon.exe	85
PID 3424 wrote to memory of 3916	3424	winlogon.exe	85
PID 3828 wrote to memory of 1184	3828	AE 0124 BE.exe	86
PID 3828 wrote to memory of 1184	3828	AE 0124 BE.exe	86
PID 3828 wrote to memory of 1184	3828	AE 0124 BE.exe	86

C:\Users\Admin\AppData\Local\Temp\3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe
"C:\Users\Admin\AppData\Local\Temp\3228cce4f8f2882620de6dea290076df0dbd357028115b16d89fcb31351e3c91.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3172
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1184
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
35c05c584cdb852adf1be27e4d6b52f2

SHA1
23283f8e084bb9778ae706b4e979993a1aa9baae

SHA256
b5515765bc43cf3ba5b8e4d2adf222094ab727f6af6903904bc4c466275ead45

SHA512
52ed73120a0022c6e996037a9701c406d659ba6c0b3c87fde3707861b511fb609222d28ffb104db96fd08a653e1d147093b891df8e8e4b022af51301a9c7b622

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
35c05c584cdb852adf1be27e4d6b52f2

SHA1
23283f8e084bb9778ae706b4e979993a1aa9baae

SHA256
b5515765bc43cf3ba5b8e4d2adf222094ab727f6af6903904bc4c466275ead45

SHA512
52ed73120a0022c6e996037a9701c406d659ba6c0b3c87fde3707861b511fb609222d28ffb104db96fd08a653e1d147093b891df8e8e4b022af51301a9c7b622

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
41KB

MD5
fcc9226a94d53414c180a2889ceec24b

SHA1
0e5fafd894bd07ba11e3a22a6ab3e9776b33f082

SHA256
6f14b99e559b24fb2666c10e6fae2d3c6d4995681d62601d7f40ff99078305b4

SHA512
d81b3b4e46597f1b9c7249102b55341803e3d782fe79ffc8896e9589d325da60a6d86d05f7d02ab84a3ce53f8143895444a7e04c85d92974fc1f0389967d9d83

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
41KB

MD5
fcc9226a94d53414c180a2889ceec24b

SHA1
0e5fafd894bd07ba11e3a22a6ab3e9776b33f082

SHA256
6f14b99e559b24fb2666c10e6fae2d3c6d4995681d62601d7f40ff99078305b4

SHA512
d81b3b4e46597f1b9c7249102b55341803e3d782fe79ffc8896e9589d325da60a6d86d05f7d02ab84a3ce53f8143895444a7e04c85d92974fc1f0389967d9d83

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
35c05c584cdb852adf1be27e4d6b52f2

SHA1
23283f8e084bb9778ae706b4e979993a1aa9baae

SHA256
b5515765bc43cf3ba5b8e4d2adf222094ab727f6af6903904bc4c466275ead45

SHA512
52ed73120a0022c6e996037a9701c406d659ba6c0b3c87fde3707861b511fb609222d28ffb104db96fd08a653e1d147093b891df8e8e4b022af51301a9c7b622

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
35c05c584cdb852adf1be27e4d6b52f2

SHA1
23283f8e084bb9778ae706b4e979993a1aa9baae

SHA256
b5515765bc43cf3ba5b8e4d2adf222094ab727f6af6903904bc4c466275ead45

SHA512
52ed73120a0022c6e996037a9701c406d659ba6c0b3c87fde3707861b511fb609222d28ffb104db96fd08a653e1d147093b891df8e8e4b022af51301a9c7b622

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
35c05c584cdb852adf1be27e4d6b52f2

SHA1
23283f8e084bb9778ae706b4e979993a1aa9baae

SHA256
b5515765bc43cf3ba5b8e4d2adf222094ab727f6af6903904bc4c466275ead45

SHA512
52ed73120a0022c6e996037a9701c406d659ba6c0b3c87fde3707861b511fb609222d28ffb104db96fd08a653e1d147093b891df8e8e4b022af51301a9c7b622

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
35c05c584cdb852adf1be27e4d6b52f2

SHA1
23283f8e084bb9778ae706b4e979993a1aa9baae

SHA256
b5515765bc43cf3ba5b8e4d2adf222094ab727f6af6903904bc4c466275ead45

SHA512
52ed73120a0022c6e996037a9701c406d659ba6c0b3c87fde3707861b511fb609222d28ffb104db96fd08a653e1d147093b891df8e8e4b022af51301a9c7b622

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads