eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d

Analysis

max time kernel
112s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 14:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe
Size

20KB
MD5

105a18e0441382d726d31e963cb65320
SHA1

a3898266a05dbc3dc895ae224d50bebe7b40bc6e
SHA256

eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d
SHA512

1d033a126636234580b68dae74748b89d8cc44e5b6ada205321679b3ffe9a7f487a28fda75cb8195198eec0e9a5104000eb090893e02930956270b8cc2a4f1ad
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBn:1M3PnQoHDCpHf4I4Qwdc0G5KDJV

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
652	winlogon.exe
1028	AE 0124 BE.exe
1888	winlogon.exe
1896	winlogon.exe

Loads dropped DLL 7 IoCs

pid	Process
828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe
828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe
1028	AE 0124 BE.exe
1028	AE 0124 BE.exe
652	winlogon.exe
652	winlogon.exe
1960	iexplore.exe

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc6300t.gpd	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64\RAF42453.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\ir41_32.ax.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\C_28595.NLS	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\forfiles.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\wpdfs.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Signing.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\pshed.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNBJ3340.TBL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\atiilhag.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\RpcNs4.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\NAPMONTR.DLL.MUI	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netrtx64.inf_amd64_neutral_410e89ed86071c9b	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8000at.gpd	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\Starter\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\SmartcardCredentialProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\RasServerMigPlugin-DL.man	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_neutral_9d0740f32ce81d24\vwifibus.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle002.inf_amd64_neutral_c7564163ba063094\Amd64\LR5500.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\netsstpa.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\wecsvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\pnrpnsp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\verifier.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\SFPATXP.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wlandlg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\WmiPerfInst.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\winrssrv.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmx5560.inf_amd64_neutral_e853cea0022c059a	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_neutral_ab477c4d805d044f	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\AuthFWSnapin.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dssec.dat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hpfvuw73.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\DevicePairingFolder.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\osbaseln.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\onex.mof	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote_output.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\arcsas.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-AddOn-2-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\wiaca00d.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP1B.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\wiabr006.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wmdmps.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\oledlg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\lv-LV\comdlg32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Parsing.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\tapi3.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~hi-IN~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\xnacc.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\disk.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\prnep003.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fi-FI\msprivs.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\QShvHost.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky004.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sdiagnhost.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD770CN.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseE\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wlgpclnt.dll.mui	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\upcjb.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8ee5e5c4ebc12467	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..yer-wmasf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5969e4fd40bb1315	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_215dd47ace207069	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d57fb3291a763082	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..deviceapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f481d1fe1ea802bc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-batmeter.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_14852531c6104039	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..haringapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b0d2053a4a9b5ea5	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\a9f43923aab0d83b93cbf10ac1dfd0b5\Microsoft.MediaCenter.iTv.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.Compression.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\MSBuild.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_fdc.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_698e5b1ed44452e2	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-icm-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fa7d33c63615e977	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rpc-ping.resources_31bf3856ad364e35_6.1.7600.16385_es-es_090da00f290af8e5	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-rasifmon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dd421a2a0bdcbb1d	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\CL_WinSAT.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Transactions.Bridge.Dtc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\fthsvc.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..datalayer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_57cdd39f8f90c2bd	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mspaint_31bf3856ad364e35_6.1.7600.16385_none_8df3dcc84fe54e8b	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-ntlanui2.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_e560288e34f95bca	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\e97b40597db13e8a8151b30b9c59007e\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\ehiBmlDataCarousel.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmlasno.inf_31bf3856ad364e35_6.1.7600.16385_none_dea8b5e2e5831811	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-sysman.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d73b0f855e2d2c3d	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Deployment\413d36d1d35aabadf1c9d6f0a56cfab8\System.Deployment.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\fus.h1s	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\rdpbus.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\PLA\Rules\Rules.System.Configuration.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..ardplugin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a1d58e3decef3b90	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft.windows.h..iverclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0815c0b2b1324480	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-scanprofiles.resources_31bf3856ad364e35_6.1.7600.16385_en-us_042ff2d9a17712a1	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\napsnap.resources\6.1.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\0728af1479c3388cadf85ccfc2b12582\System.Runtime.Serialization.Formatters.Soap.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\simpo.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\PERFLIB\0C0A\perfh.dat	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_net44amd.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_03f11f9f118f8e2a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\napinit	AE 0124 BE.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-GB\l2057.phn	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmbr00a.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_344b463ca3d98840	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ee45d5239172d495	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ion-agent.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dbf410c67f37f9c0	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-vssapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4150642bed0c6eef	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wpd-status.resources_31bf3856ad364e35_6.1.7600.16385_es-es_64386099db69448f	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_nv_lh.inf_31bf3856ad364e35_6.1.7600.16385_none_4a5c7d78e486512b	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp003.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0252a858dbbfc051	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-a..tigations.resources_31bf3856ad364e35_6.1.7601.17514_it-it_a86eb39db843b531	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Specialized\v4.0_4.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1041\alinkui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\Power.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_hidirkbd.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1fd6945ba466454b	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-ebrima_31bf3856ad364e35_6.1.7600.16385_none_2a70c05575ba0bb8	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehRecObj	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\Fonts\kor_boot.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\Microsoft.MediaCenter.Shell.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\mui\0411\nfs_.CHM	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\mdmkortx.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.RegularExpressions	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.Primitives.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\TabletPCInputPanel.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-win32k.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e27ea1a169962df1	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000a85b9267031563baf83237405cb529ee615ab0cc3c0eb2c5f114ce15cb369ceb000000000e8000000002000020000000bad109a50e980ccae1fd9e9e7724b1a94703bc76627bbfed341384cc8aad5852900000005febc2fadecdf19fef0c16790acfd7061ddd165aa6007d3c301a2f2d893afbadd5253124447fd2e35360b0cca6e3ab3cce80563e7805489e0b66b53436b12c276977bcfb66a39456fe1c006ed2e47944b0bc2846f315f810b027c719ef62357f44325e5eeae62c09978c5679f2b67d999295a15658ecda7e1d37b7c1a685051ab9a3d7c38e90e35e503383f1962d0e2e4000000034e4a4d7ae08c24d5260822e8b74553b0151631010177a5b64248ca0c4c9b36e64cc5dd0ed8bc9c8710efb063d1e158aaf2526f44e6576d098cd388c7542ce47	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372286020"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6E536CD1-49A5-11ED-A920-7ADB5DB493F4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000ac211cd7a331dca1ed7ba2c3e053c867b2ee64eef91082fa1946743aff2c6807000000000e8000000002000020000000e0b897983a3b5c9c30ec2fd633aa445bf121aa530f0fe107c34e3dfe862f27c22000000017bf8dec061050b0c29257811cb5493fca3bcdd09ebc00faec2b8603a15a96ec40000000642adf34d4298944e59e317ef7044804209625c0da0c021c4994ad6bbddbcd48d48f0d89deb7290415a933b79cde3e7db66f490f124266a6c8eb3262b96a333f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0163b44b2ddd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1960	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe
1960	iexplore.exe
1960	iexplore.exe
676	IEXPLORE.EXE
676	IEXPLORE.EXE
652	winlogon.exe
1028	AE 0124 BE.exe
1888	winlogon.exe
676	IEXPLORE.EXE
676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1960	828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe	27
PID 828 wrote to memory of 1960	828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe	27
PID 828 wrote to memory of 1960	828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe	27
PID 828 wrote to memory of 1960	828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe	27
PID 1960 wrote to memory of 676	1960	iexplore.exe	29
PID 1960 wrote to memory of 676	1960	iexplore.exe	29
PID 1960 wrote to memory of 676	1960	iexplore.exe	29
PID 1960 wrote to memory of 676	1960	iexplore.exe	29
PID 828 wrote to memory of 652	828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe	30
PID 828 wrote to memory of 652	828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe	30
PID 828 wrote to memory of 652	828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe	30
PID 828 wrote to memory of 652	828	eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe	30
PID 652 wrote to memory of 1028	652	winlogon.exe	31
PID 652 wrote to memory of 1028	652	winlogon.exe	31
PID 652 wrote to memory of 1028	652	winlogon.exe	31
PID 652 wrote to memory of 1028	652	winlogon.exe	31
PID 1028 wrote to memory of 1888	1028	AE 0124 BE.exe	32
PID 1028 wrote to memory of 1888	1028	AE 0124 BE.exe	32
PID 1028 wrote to memory of 1888	1028	AE 0124 BE.exe	32
PID 1028 wrote to memory of 1888	1028	AE 0124 BE.exe	32
PID 652 wrote to memory of 1896	652	winlogon.exe	33
PID 652 wrote to memory of 1896	652	winlogon.exe	33
PID 652 wrote to memory of 1896	652	winlogon.exe	33
PID 652 wrote to memory of 1896	652	winlogon.exe	33

C:\Users\Admin\AppData\Local\Temp\eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe
"C:\Users\Admin\AppData\Local\Temp\eafe33d20ed174c1cea3f6a32e631daa3282f9c8241c91f1931c4d1ac523397d.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:676
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1888
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Executes dropped EXE
    PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BWX044MK.txt

Filesize
608B

MD5
360e09c6bddf5f505f488885194f78d1

SHA1
f00e5eaf80f2977d77001acea3af8374267d9163

SHA256
dbcfaabfbaf8c2f3292374c7db2802b45f4316a1178b967026a1f5a12161bee3

SHA512
dd7131d12e9b4a69f5b7e51e4a48b6e1d11ab7cc6616636fbf9417c3c8115f1da78607cdf4e11f50e6e1e1ac7df291b50dfdf30e4893a4cad82b39a65826c33b

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
3acd75a8a8f0bb919ca87cbc5b85d0fe

SHA1
885c1f5165dea37f72be25183b92a3e61598b03b

SHA256
cebf0e8e0200b0738a3d9a32dad8bad0ee90d4bf01af78f790f7a1815760d317

SHA512
15c1620b6d631d8cb7978272c44ab025fdb130f87bb8d33d6c68319b0fea6e643f7a9598f3b80b730949b58d2e53172a67df97cf808164f0e97b4e211fdb1ccb

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

Filesize
615KB

MD5
7b2a54732d38cd19c79c8184d6932f6f

SHA1
6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04

SHA256
76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d

SHA512
acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
01ea8cd0056947a9e775da63cb8afc9f

SHA1
d0f1ef7a4f9fc5cd51243c7fe4ce209cda571f34

SHA256
d01fc9fceac30b57618375d8f6beb63a45a34291ec93db599a19e4de6a7f8511

SHA512
acc47be6c264f06a3f42b876cc170fb36910dc5c35f76dd7621880ad2c4a0da814f316736e84167f8b8ae031fcaed3fca6c1134b59a1754a8d78d64bdebaeb6e

Download Submit
memory/828-56-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1028-75-0x00000000026C1000-0x0000000002C0D000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads