1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904

Analysis

max time kernel
153s
max time network
148s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12/10/2022, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
Size

20KB
MD5

65e20fe33e32e5bbfce06725da9f1390
SHA1

7a8e41de13760f158edac9045d6cf64036ecafea
SHA256

1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904
SHA512

4f6c9758364541dfd362c69424c0b9242ddf4137a474615a3648100588b9127931eb5b302697d22f30189c0960757932f3d5cad164f73f346ff5dcf2541b33f7
SSDEEP

192:4/bROG+bO5r+C+isnpHfB7FhO8C0lzWvI4QwFt9V+jqCNa5KDJBaV:4L+q5r+PpHfXhUkKvI4QwjQNa5KDJq

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
1624	winlogon.exe
540	AE 0124 BE.exe
1988	winlogon.exe
828	winlogon.exe

Loads dropped DLL 7 IoCs

pid	Process
2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
540	AE 0124 BE.exe
540	AE 0124 BE.exe
1624	winlogon.exe
1624	winlogon.exe
1344	iexplore.exe

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 25 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	D:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_neutral_9c9eb67d406a1632	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_neutral_7f08406e40c6ede2	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\dsprop.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\auditpolmsg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ac.bcm	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVRA4.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky004.inf_amd64_neutral_5db759db19acd3ae\Amd64\KYFS820.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\msdri.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\msv1_0.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\EventCreate.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\sc.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\ipsecsvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_neutral_d9eee378245b3b8b\net8187bv64.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WCN\ja-JP\Add_a_device_or_computer_to_a_network_usb.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\olecli32.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\scksp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_neutral_9d9a7113099a28a2\sti.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\efsadu.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\label.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\bthprops.cpl.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\RestartManagerUninstall.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\msscript.ocx.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\AdvancedInstallers\OEMHelpIns.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ShareMedia-ControlPanel-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\wdma_usb.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcpq2.inf_amd64_neutral_e9784021af1f5e24\mdmcpq2.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\napinsp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\msctf.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\cscript.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseN\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\BRD7045N.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky008.inf_amd64_neutral_9f6abc54cbf095f2\Amd64\KYTS250c.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle004.inf_amd64_neutral_beb9bf23b7202bff\Amd64\LN2221E3.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wialx006.inf_amd64_neutral_ae607a72b46f9cfc\lxa5WIA.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\net8187se64.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Display.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\Amd64\CNBPV4.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\LR16006.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SA1341E3.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDUR.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\sethc.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\CompatProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\hdaudio.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\bthpan.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_neutral_2d4257afa2e35253\umbus.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\dtsh.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\setupcln.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\ssdpsrv.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\sr-Latn-CS\comctl32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnin002.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\flpydisk.inf_amd64_neutral_f54222cc59267e1e\flpydisk.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00z.inf_amd64_neutral_27f402ce616c3ebc\Amd64\CNBPP4.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\modemui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ClickDownNormal.gif	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_neutral_a2f120466549d68b\swenum.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\msports.inf_amd64_neutral_fdcfb86ce78678d1\msports.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500gt.cfg	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHH51N04.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Break.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mciqtz32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\sberes.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\win32spl.dll.mui	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_6.1.7600.16385_de-de_20dbe216b7fa97c4	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..tx-xinput.resources_31bf3856ad364e35_6.1.7600.16385_es-es_01eee11bdf6f7755	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardPermission.ascx.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\COM.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\th-TH_BitLockerToGo.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-i..pbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_6846ee899eb2f8b1	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_battery.inf_31bf3856ad364e35_6.1.7600.16385_none_721c84936d812c57	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_lsi_fc.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2027b86856e610bb	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lpksetup.resources_31bf3856ad364e35_6.1.7600.16385_it-it_be93ac22d37c8051	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-intl_31bf3856ad364e35_6.1.7601.17514_none_156874b463b94921	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\a00ba16c92fd291e37a00bab4a72a3fe\System.Web.Extensions.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\ESENT\esentprf.hxx	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-i..gbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f0e6b9729f6b6972	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-magnification_31bf3856ad364e35_6.1.7600.16385_none_537dafcd9f940b98\Magnification.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..njifinderdictionary_31bf3856ad364e35_6.1.7600.16385_none_a20bb1f2cf82b3c4\IMJPKDIC.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1c9c0689f800ffeb\diskraid.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_512fa3b8707f96fa	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft.grouppolicy.interop_31bf3856ad364e35_6.1.7601.17514_none_c3e31e3d1b53bd5a	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-o..ct-picker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6674b4d9f148cbe1	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Windows Battery Critical.wav	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5646c597a746df57	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.ComponentModel.Composition.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..stack-msg.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4ae5495c772f5647	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_unknown.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e3df5dcc076ae20b	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-n..e_iassvcs.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1f70a0fdb12439de	AE 0124 BE.exe
File opened for modification	C:\Windows\Web	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\napcrypt	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fax-service.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8df008402077a058\FXSEVENT.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..integration-support_31bf3856ad364e35_6.1.7600.16385_none_8429bbdebd38db4a\idq.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..c-runtime.resources_31bf3856ad364e35_6.1.7600.16385_de-de_acd8878978b9f62d\msdtc.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_es-es_506d995dde4fc5ec\RS_RestoreIEconnection.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msi-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1999bdf21cdafb8a	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\msil_system.drawing.resources_b03f5f7f11d50a3a_6.1.7600.16385_fr-fr_eb224e17115bc4a7	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Linq.Parallel.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_6.1.7601.17514_es-es_fdd58ced73f62bda	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_lsi_sas2.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_61a63821397a90a8\lsi_sas2.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-adminkitbranding_31bf3856ad364e35_8.0.7601.17514_none_ed30b91fe51eb56b\iedkcs32.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_en-us_99b742cd983bba61\L2SecHC.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.InfoPath.Permission	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\361ef62867b1804328cf3616dc8a7f7b\System.Workflow.ComponentModel.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..utilities.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e7fc600777ea8426	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\16-on-black.gif	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\404-11.htm	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277\sspisrv.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_617418a2a916eb62\aspnet_rc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_617418a2a916eb62\InstallUtil.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-..lications.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8002fc80e6c60075	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89\winload.efi	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..ercomtool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_34345a337e310068\cacls.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dssec.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_cb09ab873574da8f\dssec.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fdddo_31bf3856ad364e35_6.1.7600.16385_none_b0de2afe4ca7a1e2	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00011009_31bf3856ad364e35_6.1.7600.16385_none_e9d2c2576e3db837	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..foldersui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_41a3cfa3d390ea26	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-uiribbon_31bf3856ad364e35_6.1.7601.17514_none_db578bdb5e3559c6	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-certutil.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cfc47fe37fac61ff	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.Framework.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\manageUsers.aspx.de.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..-mcplayer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1268989a682b8fa1	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-security-negoexts_31bf3856ad364e35_6.1.7600.16385_none_b81643545ac42615	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\sysglobl\v4.0_4.0.0.0__b03f5f7f11d50a3a\sysglobl.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_1x1.gif	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{817790C1-4A3B-11ED-A584-DA3F1CB7DA19} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372350478"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000b3db6fdbeed082905777e56a8713221617b827e6106d678e2bb9e2ea6abffd32000000000e8000000002000020000000a6509508e124c5992904509378a172a3c32e5b9a5ff518199e4214f5e5384eba900000005d42bb40c1c478784bfff7a3f5a3c4cd1c17f9e16530f6b02ab7e4517412ed4b612eb3c06da18405843a74fe4a682796d3db2aad9c6766ac67fa91dcd9264b5ec90f6aa56fb6cf9950db4be43d8b4b11c165d51c6fae0d7c00a23a7efe9457d3b44751fd4629148567b8772c4d42f2403d8976a71a8cebbebca45180f382aeda4cded17458757aca281db6f945d30b3440000000f8e10899b1dbcee989d6e60700cd5bba87e9636f2165bbee2c17535123a85c7e5e6287e785400c2ec072eb81eff93c6034ec9a6beeca2c8141d1e70b7ef96840	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0fcf55748ded801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000006280990cb80327742c125d1496425e8b0abc464d083cc676f7c60ea7a3e0d903000000000e8000000002000020000000d95a502dc51e19a7a9e5e6c679ec8ac73230b45d995a5136fe08e9f6f03a8376200000006715d75bebcb0aef46226b42bd0c1eb7ae8ee92b9f5faae7a812bba93f18aa0a40000000d617953f92af44f8c396d6400d7e7d93ef2c1cd2766e73056582d38be5107bbb39d36697f888c3e5277bd74c1379188b81bf1a529369ffb1ca4e0795d5ad69c9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1344	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
1344	iexplore.exe
1344	iexplore.exe
1624	winlogon.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
540	AE 0124 BE.exe
1988	winlogon.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1344	2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe	27
PID 2016 wrote to memory of 1344	2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe	27
PID 2016 wrote to memory of 1344	2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe	27
PID 2016 wrote to memory of 1344	2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe	27
PID 1344 wrote to memory of 1692	1344	iexplore.exe	29
PID 1344 wrote to memory of 1692	1344	iexplore.exe	29
PID 1344 wrote to memory of 1692	1344	iexplore.exe	29
PID 1344 wrote to memory of 1692	1344	iexplore.exe	29
PID 2016 wrote to memory of 1624	2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe	30
PID 2016 wrote to memory of 1624	2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe	30
PID 2016 wrote to memory of 1624	2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe	30
PID 2016 wrote to memory of 1624	2016	1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe	30
PID 1624 wrote to memory of 540	1624	winlogon.exe	31
PID 1624 wrote to memory of 540	1624	winlogon.exe	31
PID 1624 wrote to memory of 540	1624	winlogon.exe	31
PID 1624 wrote to memory of 540	1624	winlogon.exe	31
PID 540 wrote to memory of 1988	540	AE 0124 BE.exe	32
PID 540 wrote to memory of 1988	540	AE 0124 BE.exe	32
PID 540 wrote to memory of 1988	540	AE 0124 BE.exe	32
PID 540 wrote to memory of 1988	540	AE 0124 BE.exe	32
PID 1624 wrote to memory of 828	1624	winlogon.exe	33
PID 1624 wrote to memory of 828	1624	winlogon.exe	33
PID 1624 wrote to memory of 828	1624	winlogon.exe	33
PID 1624 wrote to memory of 828	1624	winlogon.exe	33

C:\Users\Admin\AppData\Local\Temp\1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
"C:\Users\Admin\AppData\Local\Temp\1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1344 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1692
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1988
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Executes dropped EXE
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YOSIO372.txt

Filesize
603B

MD5
a5d1fa5202bed88d0e04a0b0c910b954

SHA1
e98195ae5d42407a2a39c556882b9c75ef426060

SHA256
5a3eb703dd58eac88cd9a6450a459d288aef561cb4056225c6e96cf28e51add9

SHA512
8152ffbb06d46865cc2bdc98ee7a9a289c7fb680bec119c629a1abd2702e999c7eefcce2cd5591a91b35f7cc1db6677bb9a3ac2c2339977853be379c28027881

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
0d5e2e43e00d824a7521bd0627a1cc3d

SHA1
f3d6e45e00c9b84ea7ef5068e521c819f562c831

SHA256
215d792d1d0e12da5aa5ac34934931d56178410798abed238418b58ee4b8fede

SHA512
da76a14da6633b3a4b7e075505cedbfa150dddf3da6f72ec3524026ef652e908894039d593d8ed0469c19e6015a3d1f98412a4cca74dd5c8552a3ef49107c570

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
40KB

MD5
30f7ca80a305cd73654099b91cfb35f2

SHA1
ec39e92e72e6f63c639d612733529a98435b8e1e

SHA256
c1b1285a4bba9f89e415edef6f099eaeca27ae6da76cdfccd36c9e7ad55f6f28

SHA512
18d242a110be722af70f49059737da9e785250f6c61d4afcd33339dbb3a20ef6aa8cc99c64ae93f7b94d6f9386eeadd4818b13f1df79d4e63ce0ed8d902835e1

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

Filesize
615KB

MD5
7b2a54732d38cd19c79c8184d6932f6f

SHA1
6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04

SHA256
76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d

SHA512
acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
7d5a7b7a6c7b24fbbf4441699deb2b5c

SHA1
4ab3b7cac29197e382c84e7817e5b22625c9b2cd

SHA256
2d8dcd9b7486a9d785c4d329a7cd1daccc262661f3228cfc78cf962f8ca5f3fb

SHA512
fff3075c147faecd57b48ca5703ae2dd05b26a444bf462101cd4399b5b77c97ba4112b254850913496b409e70fb34b5e50a9e405c79dc6dae60c03440e306b87

Download Submit
memory/540-75-0x00000000025F1000-0x0000000002B3D000-memory.dmp

Filesize
5.3MB

Download
memory/2016-56-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads