Analysis
- max time kernel: 159s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2022, 14:49
Static task: static1
Behavioral task: behavioral1
- Sample: 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
- Resource: win10v2004-20220812-en
General
- Target: 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
- Size: 20KB
- MD5: 698a64df505c93c0df0650f41bd180b0
- SHA1: 95f78325018d382a205ae09489b8cd46d7e47898
- SHA256: 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1
- SHA512: b8f6c81e4bbce149d40c704ba56a7b2ff3c7bd6832883c80131cb045b6b2e7f13dd3228a5ed154912e3831dc397c37a50d71b87207cd31243db682a479a08d3a
- SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJB0T7PCDG:1M3PnQoHDCpHf4I4Qwdc0G5KDJ+z
Malware Config
Signatures
Drops file in Drivers directory 6 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
- File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
- File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
- File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
- File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
- File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
Executes dropped EXE 4 IoCs
pid | Process
- 4796 | winlogon.exe
- 2192 | AE 0124 BE.exe
- 1428 | winlogon.exe
- 4052 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | winlogon.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Loads dropped DLL 3 IoCs
pid | Process
- 2192 | AE 0124 BE.exe
- 4052 | winlogon.exe
- 1428 | winlogon.exe
Drops desktop.ini file(s) 3 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
- File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
- File opened for modification | D:\Autorun.inf | winlogon.exe
- File opened for modification | \??\G:\Autorun.inf | winlogon.exe
- File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
- File opened for modification | C:\Autorun.inf | winlogon.exe
- File opened for modification | \??\J:\Autorun.inf | winlogon.exe
- File opened for modification | \??\L:\Autorun.inf | winlogon.exe
- File opened for modification | \??\S:\Autorun.inf | winlogon.exe
- File opened for modification | \??\B:\Autorun.inf | winlogon.exe
- File opened for modification | \??\E:\Autorun.inf | winlogon.exe
- File opened for modification | \??\T:\Autorun.inf | winlogon.exe
- File opened for modification | \??\K:\Autorun.inf | winlogon.exe
- File opened for modification | \??\R:\Autorun.inf | winlogon.exe
- File opened for modification | \??\M:\Autorun.inf | winlogon.exe
- File opened for modification | \??\O:\Autorun.inf | winlogon.exe
- File opened for modification | \??\X:\Autorun.inf | winlogon.exe
- File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
- File opened for modification | \??\A:\Autorun.inf | winlogon.exe
- File opened for modification | \??\N:\Autorun.inf | winlogon.exe
- File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
- File opened for modification | \??\V:\Autorun.inf | winlogon.exe
- File opened for modification | \??\F:\Autorun.inf | winlogon.exe
- File opened for modification | \??\H:\Autorun.inf | winlogon.exe
- File opened for modification | \??\P:\Autorun.inf | winlogon.exe
- File opened for modification | \??\W:\Autorun.inf | winlogon.exe
- File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
- File opened for modification | \??\I:\Autorun.inf | winlogon.exe
- File opened for modification | \??\U:\Autorun.inf | winlogon.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\INF\ESENT\0409\esentprf.ini | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\ace0ccf90f3ff2439a125417206b62ff\Microsoft.ApplicationId.RuleWizard.ni.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\index\PowerDiagnostic.xml | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\c_keyboard.inf | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.IdentityModel.Selectors | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\UIAutomationProvider.Resources\3.0.0.0_de_31bf3856ad364e35\UIAutomationProvider.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\c_pcmcia.inf | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.WorkflowServices.Resources\3.5.0.0_de_31bf3856ad364e35 | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\85775.fon | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\c8514sys.fon | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Web.Routing.Resources\3.5.0.0_de_31bf3856ad364e35\System.Web.Routing.Resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\c_ucm.inf | AE 0124 BE.exe
- File opened for modification | C:\Windows\ImmersiveControlPanel\images\TinyTile.contrast-black_scale-125.png | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\38720ac5ef14845a9be0c2386ce0436f\Microsoft.PowerShell.Commands.Utility.ni.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | AE 0124 BE.exe
- File opened for modification | C:\Windows\Cursors\larrow.cur | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\IEHost | AE 0124 BE.exe
- File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\fi-FI_BitLockerToGo.exe.mui | AE 0124 BE.exe
- File opened for modification | C:\Windows\Cursors\move_rm.cur | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\index\BluetoothDiagnostic.xml | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Web.Resources | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\085cda9eebdee4ba67ebbcfb4dfa8c85 | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\SMSvcHost 3.0.0.0\0C0A\_SMSvcHostPerfCounters_D.ini | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_64\System.Printing | AE 0124 BE.exe
- File opened for modification | C:\Windows\Boot\EFI\lv-LV | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Workflow.ComponentModel.Resources\3.0.0.0_ja_31bf3856ad364e35 | AE 0124 BE.exe
- File opened for modification | C:\Windows\de-DE\winhlp32.exe.mui | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\8514fixt.fon | AE 0124 BE.exe
- File opened for modification | C:\Windows\Cursors\busy_m.cur | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\roman.fon | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\iagpio.PNF | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0000\_ServiceModelEndpointPerfCounters_D.ini | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\9761aa02e459394769888f74d97b844c\Microsoft.InternationalSettings.Commands.ni.dll.aux | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\vgas1257.fon | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Data.Services.Client.Resources\3.5.0.0_es_b77a5c561934e089 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\07760e3f77c2cd8ca7cfce131f86da95 | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\IESecurity\it-IT\RS_IESecuritylevels.psd1 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Resources\2.0.0.0_de_b77a5c561934e089 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\589b59854d0a7a4ef9c0a2adf4c00fd9\CustomMarshalers.ni.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\Video\RC_viddrv_driverblocklist.ps1 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.Resources\2.0.0.0_it_b03f5f7f11d50a3a\System.Configuration.Install.Resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Boot\Fonts\meiryon_boot.ttf | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\61883.inf | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Drawing.Design.Resources\2.0.0.0_it_b03f5f7f11d50a3a\System.Drawing.Design.Resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\Media\Windows Notify Calendar.wav | AE 0124 BE.exe
- File opened for modification | C:\Windows\Fonts\smae1255.fon | AE 0124 BE.exe
- File opened for modification | C:\Windows\ImmersiveControlPanel\images\splashscreen.contrast-white_scale-400.png | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\scrawpdo.inf | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\cc60c54c3dde798a43317ec502c0ca47\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\diagnostics\system\IESecurity\de-DE\RS_Blockpopups.psd1 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data.Resources\8.0.0.0_es_b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.resources.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a | AE 0124 BE.exe
- File opened for modification | C:\Windows\Cursors\size4_i.cur | AE 0124 BE.exe
- File opened for modification | C:\Windows\INF\LSM\lagcounterdef.h | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\065c68c5df73d6d3fe1af0c906703dcf\System.ServiceProcess.ni.dll.aux | AE 0124 BE.exe
- File opened for modification | C:\Windows\Boot\Misc\PCAT | AE 0124 BE.exe
- File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\ReachFramework.Resources\3.0.0.0_de_31bf3856ad364e35 | AE 0124 BE.exe
- File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime.Resources\3.0.0.0_de_31bf3856ad364e35\System.Workflow.Runtime.resources.dll | AE 0124 BE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989777" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "422345696" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0023e81fd1ddd801 | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b5a321d1ddd801 | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372299266" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30989777" | IEXPLORE.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "422345696" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "506409779" | IEXPLORE.EXE
- Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000001bb2f7f380251e3d0f03cbecd65d86d3b6fa9fcfc1d78762a67eda314ca22f96000000000e800000000200002000000031ee045f9118591cbf0673294e53e07955e4d501322aa30944c3c2e1d8ad0fed2000000032ec8d061dc14b84eab41ee78de4e9033f7d957058ac9abcc06703ee6883713a400000001ece8165f494f12171d1f34270ec8be25aeebc550a4c99cb537a968d817257c0fe8d68a7a908254a063803aff878086f1333258a4f5e9327466192865f927332 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30989777" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4379EF39-49C4-11ED-AECB-5EAE84113378} = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
- Set value (data) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000883ed98174fc174d8e18111dae0d9120000000000200000000001066000000010000200000005a58be8e3a0e275f1a256bf4efb8081cbcedc1ea4d8a7dbfad20ebee2dd608aa000000000e8000000002000020000000b9c9fdcaf546ab244ea301b1182ee5e78ab790f183f7f128b0a0799dad62451020000000e758d7ffaeb21831f8e276acd8c26fcb1c0ef58870458d018e72cf959d83241e400000005fec2aeb431460ff1dfd475b14000f66b011746269da5817f549ae4d5518e2e28860bc7480ead01f785c359b84b8fb372e1a865a46323e06a75ceb6cae7115e7 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Modifies registry class 4 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
- 4376 | iexplore.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
- 2076 | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
- 4376 | iexplore.exe
- 4376 | iexplore.exe
- 4796 | winlogon.exe
- 2192 | AE 0124 BE.exe
- 4052 | winlogon.exe
- 1428 | winlogon.exe
- 4440 | IEXPLORE.EXE
- 4440 | IEXPLORE.EXE
- 4440 | IEXPLORE.EXE
- 4440 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
- PID 2076 wrote to memory of 4376 | 2076 | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe | 78
- PID 2076 wrote to memory of 4376 | 2076 | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe | 78
- PID 4376 wrote to memory of 4440 | 4376 | iexplore.exe | 79
- PID 4376 wrote to memory of 4440 | 4376 | iexplore.exe | 79
- PID 4376 wrote to memory of 4440 | 4376 | iexplore.exe | 79
- PID 2076 wrote to memory of 4796 | 2076 | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe | 80
- PID 2076 wrote to memory of 4796 | 2076 | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe | 80
- PID 2076 wrote to memory of 4796 | 2076 | 035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe | 80
- PID 4796 wrote to memory of 2192 | 4796 | winlogon.exe | 81
- PID 4796 wrote to memory of 2192 | 4796 | winlogon.exe | 81
- PID 4796 wrote to memory of 2192 | 4796 | winlogon.exe | 81
- PID 4796 wrote to memory of 1428 | 4796 | winlogon.exe | 82
- PID 4796 wrote to memory of 1428 | 4796 | winlogon.exe | 82
- PID 4796 wrote to memory of 1428 | 4796 | winlogon.exe | 82
- PID 2192 wrote to memory of 4052 | 2192 | AE 0124 BE.exe | 83
- PID 2192 wrote to memory of 4052 | 2192 | AE 0124 BE.exe | 83
- PID 2192 wrote to memory of 4052 | 2192 | AE 0124 BE.exe | 83
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\035f646949bd1c5b8ccf3d2e2f96a408222478296d2d986e3841d6e6b31655e1.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2076

Level 2: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4376

Level 3: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4376 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID: 4440

Level 2: C:\Windows\SysWOW64\drivers\winlogon.exe
Command line: "C:\Windows\System32\drivers\winlogon.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4796

Level 3: C:\Windows\AE 0124 BE.exe
Command line: "C:\Windows\AE 0124 BE.exe"
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2192

Level 4: C:\Windows\SysWOW64\drivers\winlogon.exe
Command line: "C:\Windows\System32\drivers\winlogon.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 4052

Level 3: C:\Windows\SysWOW64\drivers\winlogon.exe
Command line: "C:\Windows\System32\drivers\winlogon.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 1428
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 40KB
  MD5: fcc7267fff09dbe895caebc962dd6213
  SHA1: 12b03be1697fd40e31a1e0f5c4ca29cd920a23c2
  SHA256: f0a49988d3a91436df0665db65f3ee10e1f60273c7dd88a5a8bd6a206e78dc90
  SHA512: b9a71d43c5eca14c195d5a27cbc5e2e9e099916a5b21ae3ca2be301b4b140b0dae2acf7e1a0c540a887fc0b98081ddec37205c95dd438a046e7594af6ca1377b
- Filesize: 40KB
  MD5: fcc7267fff09dbe895caebc962dd6213
  SHA1: 12b03be1697fd40e31a1e0f5c4ca29cd920a23c2
  SHA256: f0a49988d3a91436df0665db65f3ee10e1f60273c7dd88a5a8bd6a206e78dc90
  SHA512: b9a71d43c5eca14c195d5a27cbc5e2e9e099916a5b21ae3ca2be301b4b140b0dae2acf7e1a0c540a887fc0b98081ddec37205c95dd438a046e7594af6ca1377b
- Filesize: 40KB
  MD5: 1077cda765600086a9086f9aae683fd4
  SHA1: e3098fcaa6b30808c3d283e2f702b868b0d5a6bd
  SHA256: ad62073c065dacebd44b2eb558edf2f1e96cd96f13f2591fec94552fc50bf20c
  SHA512: 536f46e92bc23ee89bf8f58e7d51df1e900d9919f1a86a6aa78c227c3cfe82cf70cca7ebd4ad18f193a34836e011fcf0dbd90071839f3313cbb150afbc442c15
- Filesize: 40KB
  MD5: 1077cda765600086a9086f9aae683fd4
  SHA1: e3098fcaa6b30808c3d283e2f702b868b0d5a6bd
  SHA256: ad62073c065dacebd44b2eb558edf2f1e96cd96f13f2591fec94552fc50bf20c
  SHA512: 536f46e92bc23ee89bf8f58e7d51df1e900d9919f1a86a6aa78c227c3cfe82cf70cca7ebd4ad18f193a34836e011fcf0dbd90071839f3313cbb150afbc442c15
- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
- Filesize: 40KB
  MD5: fcc7267fff09dbe895caebc962dd6213
  SHA1: 12b03be1697fd40e31a1e0f5c4ca29cd920a23c2
  SHA256: f0a49988d3a91436df0665db65f3ee10e1f60273c7dd88a5a8bd6a206e78dc90
  SHA512: b9a71d43c5eca14c195d5a27cbc5e2e9e099916a5b21ae3ca2be301b4b140b0dae2acf7e1a0c540a887fc0b98081ddec37205c95dd438a046e7594af6ca1377b
- Filesize: 40KB
  MD5: fcc7267fff09dbe895caebc962dd6213
  SHA1: 12b03be1697fd40e31a1e0f5c4ca29cd920a23c2
  SHA256: f0a49988d3a91436df0665db65f3ee10e1f60273c7dd88a5a8bd6a206e78dc90
  SHA512: b9a71d43c5eca14c195d5a27cbc5e2e9e099916a5b21ae3ca2be301b4b140b0dae2acf7e1a0c540a887fc0b98081ddec37205c95dd438a046e7594af6ca1377b
- Filesize: 40KB
  MD5: fcc7267fff09dbe895caebc962dd6213
  SHA1: 12b03be1697fd40e31a1e0f5c4ca29cd920a23c2
  SHA256: f0a49988d3a91436df0665db65f3ee10e1f60273c7dd88a5a8bd6a206e78dc90
  SHA512: b9a71d43c5eca14c195d5a27cbc5e2e9e099916a5b21ae3ca2be301b4b140b0dae2acf7e1a0c540a887fc0b98081ddec37205c95dd438a046e7594af6ca1377b
- Filesize: 40KB
  MD5: fcc7267fff09dbe895caebc962dd6213
  SHA1: 12b03be1697fd40e31a1e0f5c4ca29cd920a23c2
  SHA256: f0a49988d3a91436df0665db65f3ee10e1f60273c7dd88a5a8bd6a206e78dc90
  SHA512: b9a71d43c5eca14c195d5a27cbc5e2e9e099916a5b21ae3ca2be301b4b140b0dae2acf7e1a0c540a887fc0b98081ddec37205c95dd438a046e7594af6ca1377b
- Filesize: 25B
  MD5: 589b6886a49054d03b739309a1de9fcc
  SHA1: 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
  SHA256: 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
  SHA512: 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb
- Filesize: 25B
  MD5: 589b6886a49054d03b739309a1de9fcc
  SHA1: 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
  SHA256: 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
  SHA512: 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb