17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c

Analysis

max time kernel
155s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
Size

20KB
MD5

5ae356c0e6e632a3204815ea11af4370
SHA1

799c875f919e59248737c97ed92c1504660ae96c
SHA256

17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c
SHA512

af4a8f66db6cd453dc72290921ca99cc26f87877b38225eb68d86c4a0cc7b5df7e271e18b4005d753a1a6dba9201fab041a3d8c543eb8f23ecc1568ab2b68edf
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBFBG:1M3PnQoHDCpHf4I4Qwdc0G5KDJY

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe

Executes dropped EXE 4 IoCs

pid	Process
912	winlogon.exe
4668	AE 0124 BE.exe
364	winlogon.exe
2892	winlogon.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe

Loads dropped DLL 3 IoCs

pid	Process
4668	AE 0124 BE.exe
2892	winlogon.exe
364	winlogon.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\35e71ddd80b7908e1a8311173ffd6ff1	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\bg-BG	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Video\ja-JP\DiagPackage.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_I2C_BXT_P.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.Resources\2.0.0.0_ja_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Install\3.0.0.0__b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\roman.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\mui\0410\msdasc.chm	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\basicdisplay.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\Microsoft.ManagementConsole.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\basicdisplay.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_hidclass.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\ru-RU\memtest.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\mui\0411\mmc.CHM	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.OracleClient.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime.Resources\3.0.0.0_fr_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Activities.Resources\3.0.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\ssef1257.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\office\15.0.0.0__71e9bce111e9429c	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\mdmcpq.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\mui\0410\msorcl32.chm	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\nb-NO	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\pt-BR\memtest.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Audio\ja-JP\DiagPackage.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\IEBrowseWeb\ja-JP\RS_DisableAddon.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClientsideProviders.Resources\3.0.0.0_it_31bf3856ad364e35\UIAutomationClientsideProviders.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System\3c22c13412b49e04ae306a2aa7768c12\System.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\d45411995fcf227e7ae64fc50d491d23\Microsoft.WSMan.Management.Activities.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Branding\shellbrd	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\GOTHICBI.TTF	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_fr_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources\2.0.0.0_fr_b77a5c561934e089\System.Runtime.Remoting.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\aero_nwse_l.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Speech\ja-JP\CL_LocalizationData.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.mshtml	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Ink.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.Ink.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\sv-SE\bootmgr.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\en-GB\bootmgr.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\tr-TR\memtest.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\aero_nesw_xl.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\mdmmod.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\mdmneuhs.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winhlp32.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml.Resources\2.0.0.0_fr_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\size3_i.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_I2C_CNL.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\31390f70fb4de9a9c92af90b01c2b585\napcrypt.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Keyboard\ja-JP\DiagPackage.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\586ed23cb27e69e90eee6d49206356b8	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\a0e4dc4d7b18b0bcf31e3df2eef25553\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30286f59d1ddd801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000046653da8b25c1424c6a63d4a5cf0eaf89a0830b4881c2a99cfd9989cadcd7836000000000e80000000020000200000005c2d85a5367ee424b7ced1a74615ab713aad5dd893f34ac2e938a2f27a698547200000003d6d271cfeb28c743ab576efe504d6d7051f0e235e9f84c6af7e53e9580c8d744000000081e33215b5668d3926dc1f4ceac937e6f341c2cae3ebc9f657f75419fd3c6826bb41ec2e8ef20ccf94c2021cb0c477b75b48d1ca48c7f0ac391f2cc0d31578f2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989777"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000091026f40ba255d7fd28e12dd1ce83b2e49c0b22d07d2448b75624c571b331883000000000e8000000002000020000000e3e2445cd70703830f959a0e27a7b5c43ea7dbbd9417ccbe7de2201432b30768200000007b381551c9049c0055951a333260f51f6fe80ed353b3fcfb7914f7e7a5aac7b7400000003b56459368d0ca2234118767371e5502d9ef46eaf94b23f4bbe28720e2f85ae49d39313f805451a9d6fad096c2da5257f9de310d9edf9c5c61b792ec9fef2b74	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7F1948AD-49C4-11ED-89AC-520B3B914C01} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1734363579"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372299392"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a61966d1ddd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1734363579"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989777"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3524	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4084	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
3524	iexplore.exe
3524	iexplore.exe
912	winlogon.exe
4668	AE 0124 BE.exe
364	winlogon.exe
2892	winlogon.exe
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE
1236	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 3524	4084	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe	81
PID 4084 wrote to memory of 3524	4084	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe	81
PID 3524 wrote to memory of 1236	3524	iexplore.exe	84
PID 3524 wrote to memory of 1236	3524	iexplore.exe	84
PID 3524 wrote to memory of 1236	3524	iexplore.exe	84
PID 4084 wrote to memory of 912	4084	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe	85
PID 4084 wrote to memory of 912	4084	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe	85
PID 4084 wrote to memory of 912	4084	17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe	85
PID 912 wrote to memory of 4668	912	winlogon.exe	86
PID 912 wrote to memory of 4668	912	winlogon.exe	86
PID 912 wrote to memory of 4668	912	winlogon.exe	86
PID 912 wrote to memory of 364	912	winlogon.exe	87
PID 912 wrote to memory of 364	912	winlogon.exe	87
PID 912 wrote to memory of 364	912	winlogon.exe	87
PID 4668 wrote to memory of 2892	4668	AE 0124 BE.exe	88
PID 4668 wrote to memory of 2892	4668	AE 0124 BE.exe	88
PID 4668 wrote to memory of 2892	4668	AE 0124 BE.exe	88

C:\Users\Admin\AppData\Local\Temp\17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe
"C:\Users\Admin\AppData\Local\Temp\17d1dd66980e93ea4b0225e24fbb5b8affe808fdd6b4e24c651d655377c63a9c.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3524 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1236
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2892
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
560749bd2dde054d9d9400e47ed415b8

SHA1
a6ce111b0db8ed32865f16cfc3c82f87d378abb0

SHA256
73ab66ab9fefe248e73c2a536988181646eab13bb9265da74e6abc0a0cce92c4

SHA512
934313c156027961a52a62619f37aba1df3a846efcd0ca311261422841e102e98419401e00214747506d3d6ebcdea6a45bac1691580363224a32cf450aacb385

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
560749bd2dde054d9d9400e47ed415b8

SHA1
a6ce111b0db8ed32865f16cfc3c82f87d378abb0

SHA256
73ab66ab9fefe248e73c2a536988181646eab13bb9265da74e6abc0a0cce92c4

SHA512
934313c156027961a52a62619f37aba1df3a846efcd0ca311261422841e102e98419401e00214747506d3d6ebcdea6a45bac1691580363224a32cf450aacb385

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
40KB

MD5
4d8f6ffd85054a4ce7921c05900b3be1

SHA1
197dc76b5f2ea0cb41f88177756cb9e6ea303327

SHA256
112a219ee8a7852784c70b27b97f612606cf200bd27161ae2d4e88173d4470c8

SHA512
65c8032d44b507bfbef64d8780b91f9e737185c516d9e8cd7726804544b27b68094fa196f851caf3d6e071db1aefc5780b8c14ce20890f2143e737d72724362a

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
40KB

MD5
4d8f6ffd85054a4ce7921c05900b3be1

SHA1
197dc76b5f2ea0cb41f88177756cb9e6ea303327

SHA256
112a219ee8a7852784c70b27b97f612606cf200bd27161ae2d4e88173d4470c8

SHA512
65c8032d44b507bfbef64d8780b91f9e737185c516d9e8cd7726804544b27b68094fa196f851caf3d6e071db1aefc5780b8c14ce20890f2143e737d72724362a

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
560749bd2dde054d9d9400e47ed415b8

SHA1
a6ce111b0db8ed32865f16cfc3c82f87d378abb0

SHA256
73ab66ab9fefe248e73c2a536988181646eab13bb9265da74e6abc0a0cce92c4

SHA512
934313c156027961a52a62619f37aba1df3a846efcd0ca311261422841e102e98419401e00214747506d3d6ebcdea6a45bac1691580363224a32cf450aacb385

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
560749bd2dde054d9d9400e47ed415b8

SHA1
a6ce111b0db8ed32865f16cfc3c82f87d378abb0

SHA256
73ab66ab9fefe248e73c2a536988181646eab13bb9265da74e6abc0a0cce92c4

SHA512
934313c156027961a52a62619f37aba1df3a846efcd0ca311261422841e102e98419401e00214747506d3d6ebcdea6a45bac1691580363224a32cf450aacb385

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
560749bd2dde054d9d9400e47ed415b8

SHA1
a6ce111b0db8ed32865f16cfc3c82f87d378abb0

SHA256
73ab66ab9fefe248e73c2a536988181646eab13bb9265da74e6abc0a0cce92c4

SHA512
934313c156027961a52a62619f37aba1df3a846efcd0ca311261422841e102e98419401e00214747506d3d6ebcdea6a45bac1691580363224a32cf450aacb385

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
560749bd2dde054d9d9400e47ed415b8

SHA1
a6ce111b0db8ed32865f16cfc3c82f87d378abb0

SHA256
73ab66ab9fefe248e73c2a536988181646eab13bb9265da74e6abc0a0cce92c4

SHA512
934313c156027961a52a62619f37aba1df3a846efcd0ca311261422841e102e98419401e00214747506d3d6ebcdea6a45bac1691580363224a32cf450aacb385

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads