Analysis
max time kernel: 151s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2022 01:52

Static task: static1

Behavioral task: behavioral1
Sample: c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe
Resource: win10v2004-20220901-en

General
Target: c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe
Size: 68KB
MD5: 657af217dc7ff720a69b95eecca650a0
SHA1: 8c3b480ffae6ff786e02758be7b7e3e49b5972e6
SHA256: c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a
SHA512: 38881daef71909b2ee389a376b5d7b1168b4cc1e6db4de1d2b75e18f0effbfc310632407db2c7675e66f459820363b905595f7e17f1c12bb7fae0bf425518303
SSDEEP: 1536:sr+Fum5LMI+WTJjcXnXMcpm/zOxJXKJt1:sr+Fu2II+HXXMcI/AKJb
Malware Config
Signatures
-
Drops file in Drivers directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
3268 | winlogon.exe
212 | AE 0124 BE.exe
2724 | winlogon.exe
3912 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | winlogon.exe
Loads dropped DLL 2 IoCs
pid | Process
212 | AE 0124 BE.exe
3912 | winlogon.exe
Drops desktop.ini file(s) 30 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2040 | c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe
3268 | winlogon.exe
212 | AE 0124 BE.exe
3912 | winlogon.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2040 wrote to memory of 3268 | 2040 | c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe | 84
PID 2040 wrote to memory of 3268 | 2040 | c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe | 84
PID 2040 wrote to memory of 3268 | 2040 | c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe | 84
PID 3268 wrote to memory of 212 | 3268 | winlogon.exe | 85
PID 3268 wrote to memory of 212 | 3268 | winlogon.exe | 85
PID 3268 wrote to memory of 212 | 3268 | winlogon.exe | 85
PID 3268 wrote to memory of 2724 | 3268 | winlogon.exe | 86
PID 3268 wrote to memory of 2724 | 3268 | winlogon.exe | 86
PID 3268 wrote to memory of 2724 | 3268 | winlogon.exe | 86
PID 212 wrote to memory of 3912 | 212 | AE 0124 BE.exe | 87
PID 212 wrote to memory of 3912 | 212 | AE 0124 BE.exe | 87
PID 212 wrote to memory of 3912 | 212 | AE 0124 BE.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c6ceb02cd726cc4d3b14bd425db38f1be24bfbebdbda8d18738947d733344a6a.exe"
   PID: 2040
   - Drops file in Drivers directory
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 3268
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks computer location settings
      - Drops autorun.inf file
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\AE 0124 BE.exe
         Command line: "C:\Windows\AE 0124 BE.exe"
         PID: 212
         - Drops file in Drivers directory
         - Executes dropped EXE
         - Checks computer location settings
         - Loads dropped DLL
         - Drops desktop.ini file(s)
         - Drops autorun.inf file
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Modifies registry class
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\drivers\winlogon.exe
            Command line: "C:\Windows\System32\drivers\winlogon.exe"
            PID: 3912
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
      3. C:\Windows\SysWOW64\drivers\winlogon.exe
         Command line: "C:\Windows\System32\drivers\winlogon.exe"
         PID: 2724
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads