Analysis

max time kernel: 167s
max time network: 138s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11-10-2022 14:48
Static task: static1

Behavioral task: behavioral1
Sample: 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
Resource: win10v2004-20220812-en
General

Target: 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
Size: 20KB
MD5: 5ae356c0e6e632a3204815ea11af4370
SHA1: 799c875f919e59248737c97ed92c1504660ae96c
SHA256: 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c
SHA512: af4a8f66db6cd453dc72290921ca99cc26f87877b38225eb68d86c4a0cc7b5df7e271e18b4005d753a1a6dba9201fab041a3d8c543eb8f23ecc1568ab2b68edf
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBFBG:1M3PnQoHDCpHf4I4Qwdc0G5KDJY
Malware Config

Signatures

Drops file in Drivers directory (60 IoCs)
Executes dropped EXE (4 IoCs)
pid 1040: winlogon.exe
pid 1836: AE 0124 BE.exe
pid 1516: winlogon.exe
pid 1476: winlogon.exe
Loads dropped DLL (8 IoCs)
pid 1240: 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
pid 1240: 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
pid 1836: AE 0124 BE.exe
pid 1836: AE 0124 BE.exe
pid 1040: winlogon.exe
pid 1040: winlogon.exe
pid 1476: winlogon.exe
pid 1972: iexplore.exe
Drops desktop.ini file(s) (40 IoCs)
Drops autorun.inf file (1 TTP, 27 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1972 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
1240 | 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
1972 | iexplore.exe
1972 | iexplore.exe
1040 | winlogon.exe
1836 | AE 0124 BE.exe
572 | IEXPLORE.EXE
1516 | winlogon.exe
572 | IEXPLORE.EXE
1476 | winlogon.exe
572 | IEXPLORE.EXE
572 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 24 IoCs
Each write is logged four times by the sandbox; the count is shown instead of repeating the row.
description | pid | Process | procid_target
PID 1240 wrote to memory of 1972 (x4) | 1240 | 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe | 28
PID 1972 wrote to memory of 572 (x4) | 1972 | iexplore.exe | 30
PID 1240 wrote to memory of 1040 (x4) | 1240 | 17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe | 31
PID 1040 wrote to memory of 1836 (x4) | 1040 | winlogon.exe | 32
PID 1836 wrote to memory of 1516 (x4) | 1836 | AE 0124 BE.exe | 33
PID 1040 wrote to memory of 1476 (x4) | 1040 | winlogon.exe | 34
Processes
-
Image paths are as recorded on disk; command lines as passed to CreateProcess. The three winlogon.exe children are started with a System32 path but run from C:\Windows\SysWOW64\drivers\: the sample is a 32-bit executable on Windows 7 x64, so WoW64 file-system redirection maps its System32 file drops and launches to SysWOW64. None of them is the real C:\Windows\System32\winlogon.exe, and the real winlogon.exe is never started by a user-mode dropper.

C:\Users\Admin\AppData\Local\Temp\17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe"
  PID:1240
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    PID:1972
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
      PID:572
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID:1040
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID:1836
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID:1516
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID:1476
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
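The process tree above is the kind of telemetry a detection engineer would write rules against: a binary named winlogon.exe loaded from a drivers subdirectory, started by a Temp-dir executable rather than smss.exe, and a dropper sitting directly in C:\Windows. The following is an added example, not code from the sandbox or from this report: it transcribes the tree into a list and runs four checks over it (system-binary name outside its legitimate path, unexpected parent, executable in the Windows root, and command-line path versus loaded image, folding SysWOW64 into System32 so WoW64 redirection is reported as such rather than as tampering). The LEGIT_IMAGES and EXPECTED_PARENTS tables are this example's assumptions about Windows 7, not data from the report.

```python
"""Detection checks over the process tree in this report.

Added example; not code from the sandbox or from the report. PROCESS_TREE is
transcribed from the Processes section. LEGIT_IMAGES and EXPECTED_PARENTS are
this example's assumptions about where Windows 7 system binaries live and
which process normally starts them; they are not data taken from the report.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str            # on-disk image path as the sandbox logged it
    cmdline: str          # command line as the sandbox logged it
    ppid: Optional[int]   # parent PID; None for the sandbox-launched root


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
FAKE_WINLOGON = r"C:\Windows\SysWOW64\drivers\winlogon.exe"
FAKE_WINLOGON_CMD = r'"C:\Windows\System32\drivers\winlogon.exe"'
DROPPER = r"C:\Windows\AE 0124 BE.exe"

# Transcribed from the report: (pid, image, command line, parent pid).
PROCESS_TREE: List[Proc] = [
    Proc(1240, SAMPLE, f'"{SAMPLE}"', None),
    Proc(1972, IE64, f'"{IE64}" C:\\Windows\\AE 0124 BE.gif', 1240),
    Proc(572, IE32, f'"{IE32}" SCODEF:1972 CREDAT:275457 /prefetch:2', 1972),
    Proc(1040, FAKE_WINLOGON, FAKE_WINLOGON_CMD, 1240),
    Proc(1836, DROPPER, f'"{DROPPER}"', 1040),
    Proc(1516, FAKE_WINLOGON, FAKE_WINLOGON_CMD, 1836),
    Proc(1476, FAKE_WINLOGON, FAKE_WINLOGON_CMD, 1040),
]

# Assumption: legitimate on-disk locations (lower-case) of the binaries checked here.
LEGIT_IMAGES: Dict[str, Set[str]] = {
    "winlogon.exe": {r"c:\windows\system32\winlogon.exe"},
    "iexplore.exe": {IE64.lower(), IE32.lower()},
}
# Assumption: winlogon.exe is only ever started by smss.exe.
EXPECTED_PARENTS: Dict[str, Set[str]] = {"winlogon.exe": {"smss.exe"}}

Finding = Tuple[int, str, str]   # (pid, check, detail)


def normalize(path: str) -> str:
    """Lower-case and undo WoW64 file-system redirection (SysWOW64 -> System32),
    so a 32-bit process is compared against the same allow-list as a 64-bit one."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def analyze(tree: List[Proc]) -> List[Finding]:
    by_pid = {p.pid: p for p in tree}
    findings: List[Finding] = []
    for p in tree:
        name = ntpath.basename(p.image).lower()
        image = normalize(p.image)
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        pname = ntpath.basename(parent.image).lower() if parent else "<none>"

        # 1. A system-binary name running outside its legitimate directory (T1036).
        if name in LEGIT_IMAGES and image not in LEGIT_IMAGES[name]:
            findings.append((p.pid, "masquerade", f"{name} loaded from {p.image}"))

        # 2. A system-binary name with a parent that should never start it.
        if name in EXPECTED_PARENTS and pname not in EXPECTED_PARENTS[name]:
            findings.append((p.pid, "unexpected-parent", f"{name} spawned by {pname}"))

        # 3. An executable sitting directly in the Windows directory root.
        if ntpath.dirname(p.image).lower() == r"c:\windows":
            findings.append((p.pid, "windows-root-exe", p.image))

        # 4. Command line names one path, the loader mapped another. If the two agree
        #    once SysWOW64 is folded into System32 it is WoW64 redirection (recorded,
        #    since it tells you the process is 32-bit); if they still differ,
        #    something rewrote the image path.
        raw0 = argv0(p.cmdline)
        if raw0.lower() != p.image.lower():
            kind = "wow64-redirect" if normalize(raw0) == image else "cmdline-image-mismatch"
            findings.append((p.pid, kind, f"{raw0} -> {p.image}"))
    return findings


if __name__ == "__main__":
    for pid, check, detail in analyze(PROCESS_TREE):
        print(f"{pid:>5}  {check:<24} {detail}")
```

Run against the transcribed tree, the three winlogon.exe processes (1040, 1516, 1476) trip the masquerade, unexpected-parent and wow64-redirect checks, AE 0124 BE.exe (1836) trips the Windows-root check, and the two Internet Explorer processes produce no findings because their images match the allow-list and their command lines name the image actually loaded.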
Network
MITRE ATT&CK Enterprise v6
Downloads
21 dropped-file entries, 6 distinct files by hash. Entries with identical hashes (the same content written to several paths) are collapsed, with the number of entries shown.
-
Filesize 607B (1 entry)
MD5 dc07adff542ef20282bdff95eb6998c0
SHA1 49a8d0f85912ead1beb8f9b11064cc50e7c4f7d0
SHA256 efcebb3f8f0b3b2d86fe3336be4cab9dcc74aa047cacda5849c401a07f073c50
SHA512 2f953cacd427dd47bc0026f21b164d9e45e2f80f268cb04136a13a3066b38b8085568b8bc9671eacf93be39514013db1a689f70019912d3f1abcc5f8e2732104
-
Filesize 40KB (12 entries)
MD5 560749bd2dde054d9d9400e47ed415b8
SHA1 a6ce111b0db8ed32865f16cfc3c82f87d378abb0
SHA256 73ab66ab9fefe248e73c2a536988181646eab13bb9265da74e6abc0a0cce92c4
SHA512 934313c156027961a52a62619f37aba1df3a846efcd0ca311261422841e102e98419401e00214747506d3d6ebcdea6a45bac1691580363224a32cf450aacb385
-
Filesize 40KB (2 entries)
MD5 4d8f6ffd85054a4ce7921c05900b3be1
SHA1 197dc76b5f2ea0cb41f88177756cb9e6ea303327
SHA256 112a219ee8a7852784c70b27b97f612606cf200bd27161ae2d4e88173d4470c8
SHA512 65c8032d44b507bfbef64d8780b91f9e737185c516d9e8cd7726804544b27b68094fa196f851caf3d6e071db1aefc5780b8c14ce20890f2143e737d72724362a
-
Filesize 1.3MB (3 entries)
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 25B (2 entries)
MD5 589b6886a49054d03b739309a1de9fcc
SHA1 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb
-
Filesize 615KB (1 entry)
MD5 7b2a54732d38cd19c79c8184d6932f6f
SHA1 6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04
SHA256 76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d
SHA512 acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0