Analysis
max time kernel: 156s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2022, 14:48
Static task: static1
Behavioral task: behavioral1
  Sample: 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe
  Resource: win10v2004-20220812-en
General
Target: 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe
Size: 20KB
MD5: 6741cb540e2f76726ad89c77bdeecfe0
SHA1: 0e89a7a37c349a1f2f26f3240b30d2bde24b3954
SHA256: 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b
SHA512: 813b9dc051a8105e526562789d95e8cf493426977bd5f4fc0146351075198be24c3d68debea39a444df67430f5963a0de374fdf7883fec9b25f39085dbfd3cdd
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJB8S:1M3PnQoHDCpHf4I4Qwdc0G5KDJ+S
Malware Config
Signatures
-
Drops file in Drivers directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
Executes dropped EXE 4 IoCs
pid | Process
4576 | winlogon.exe
2832 | AE 0124 BE.exe
4724 | winlogon.exe
4708 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe
Loads dropped DLL 3 IoCs
pid | Process
2832 | AE 0124 BE.exe
4708 | winlogon.exe
4724 | winlogon.exe
Drops desktop.ini file(s) 24 IoCs
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4600 | iexplore.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
508 | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe
4600 | iexplore.exe
4600 | iexplore.exe
1152 | IEXPLORE.EXE
1152 | IEXPLORE.EXE
4576 | winlogon.exe
2832 | AE 0124 BE.exe
4724 | winlogon.exe
4708 | winlogon.exe
1152 | IEXPLORE.EXE
1152 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 508 wrote to memory of 4600 | 508 | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe | 78
PID 508 wrote to memory of 4600 | 508 | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe | 78
PID 4600 wrote to memory of 1152 | 4600 | iexplore.exe | 79
PID 4600 wrote to memory of 1152 | 4600 | iexplore.exe | 79
PID 4600 wrote to memory of 1152 | 4600 | iexplore.exe | 79
PID 508 wrote to memory of 4576 | 508 | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe | 80
PID 508 wrote to memory of 4576 | 508 | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe | 80
PID 508 wrote to memory of 4576 | 508 | 74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe | 80
PID 4576 wrote to memory of 2832 | 4576 | winlogon.exe | 81
PID 4576 wrote to memory of 2832 | 4576 | winlogon.exe | 81
PID 4576 wrote to memory of 2832 | 4576 | winlogon.exe | 81
PID 4576 wrote to memory of 4724 | 4576 | winlogon.exe | 82
PID 4576 wrote to memory of 4724 | 4576 | winlogon.exe | 82
PID 4576 wrote to memory of 4724 | 4576 | winlogon.exe | 82
PID 2832 wrote to memory of 4708 | 2832 | AE 0124 BE.exe | 83
PID 2832 wrote to memory of 4708 | 2832 | AE 0124 BE.exe | 83
PID 2832 wrote to memory of 4708 | 2832 | AE 0124 BE.exe | 83
Processes
1 C:\Users\Admin\AppData\Local\Temp\74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe (PID 508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\74baf1c40d6ccbdb43fb0da5ccd00b7c3ca11698117577da0ba3e2c5d015af1b.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  2 C:\Program Files\Internet Explorer\iexplore.exe (PID 4600)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    3 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1152)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4600 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  2 C:\Windows\SysWOW64\drivers\winlogon.exe (PID 4576)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\AE 0124 BE.exe (PID 2832)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      4 C:\Windows\SysWOW64\drivers\winlogon.exe (PID 4708)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    3 C:\Windows\SysWOW64\drivers\winlogon.exe (PID 4724)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads