Analysis

max time kernel: 165s
max time network: 188s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2022 14:10

Static task: static1

Behavioral task: behavioral1
  Sample: 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe
  Resource: win10v2004-20220812-en
General

Target: 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe
Size: 65KB
MD5: 6826454ce86d7227720436768129ae70
SHA1: 55147b8634806ed09b6073e244b669b6737178e1
SHA256: 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4
SHA512: 65502c0bddf7d7209d0bdaeabec8304010cb65608a6aa6f780b9075f62575a8f5f1adedabaf02608bdd3166654e660e010748affd6ec657f98060f1afc464312
SSDEEP: 768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7xuMAnXMcMaJIWmS2zIzV9xE:sr+Fum5LMI+WTJjcsnXMcpm/zOxJXKJf
Malware Config

Signatures
Drops file in Drivers directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
Executes dropped EXE 4 IoCs
pid | Process
1208 | winlogon.exe
1404 | AE 0124 BE.exe
1664 | winlogon.exe
1832 | winlogon.exe
Loads dropped DLL 7 IoCs
pid | Process
1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe
1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe
1208 | winlogon.exe
1208 | winlogon.exe
1404 | AE 0124 BE.exe
1404 | AE 0124 BE.exe
1832 | winlogon.exe
Drops desktop.ini file(s) 24 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
852 | iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe
852 | iexplore.exe
852 | iexplore.exe
1376 | IEXPLORE.EXE
1376 | IEXPLORE.EXE
1208 | winlogon.exe
1404 | AE 0124 BE.exe
1832 | winlogon.exe
1376 | IEXPLORE.EXE
1376 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 1948 wrote to memory of 852 | 1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe | 27
PID 1948 wrote to memory of 852 | 1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe | 27
PID 1948 wrote to memory of 852 | 1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe | 27
PID 1948 wrote to memory of 852 | 1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe | 27
PID 852 wrote to memory of 1376 | 852 | iexplore.exe | 29
PID 852 wrote to memory of 1376 | 852 | iexplore.exe | 29
PID 852 wrote to memory of 1376 | 852 | iexplore.exe | 29
PID 852 wrote to memory of 1376 | 852 | iexplore.exe | 29
PID 1948 wrote to memory of 1208 | 1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe | 30
PID 1948 wrote to memory of 1208 | 1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe | 30
PID 1948 wrote to memory of 1208 | 1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe | 30
PID 1948 wrote to memory of 1208 | 1948 | 4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe | 30
PID 1208 wrote to memory of 1404 | 1208 | winlogon.exe | 31
PID 1208 wrote to memory of 1404 | 1208 | winlogon.exe | 31
PID 1208 wrote to memory of 1404 | 1208 | winlogon.exe | 31
PID 1208 wrote to memory of 1404 | 1208 | winlogon.exe | 31
PID 1208 wrote to memory of 1664 | 1208 | winlogon.exe | 32
PID 1208 wrote to memory of 1664 | 1208 | winlogon.exe | 32
PID 1208 wrote to memory of 1664 | 1208 | winlogon.exe | 32
PID 1208 wrote to memory of 1664 | 1208 | winlogon.exe | 32
PID 1404 wrote to memory of 1832 | 1404 | AE 0124 BE.exe | 33
PID 1404 wrote to memory of 1832 | 1404 | AE 0124 BE.exe | 33
PID 1404 wrote to memory of 1832 | 1404 | AE 0124 BE.exe | 33
PID 1404 wrote to memory of 1832 | 1404 | AE 0124 BE.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b02e36b0dc4c3a45cb22e12e5068894733bcc16165a57ff470cf4436e8e2ff4.exe"
  PID: 1948
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    PID: 852
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:275457 /prefetch:2
      PID: 1376
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 1208
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID: 1404
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 1832
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 1664
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads