Analysis
max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
12/10/2022, 14:10
Static task
static1
Behavioral task
behavioral1
Sample
1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
Resource
win10v2004-20220901-en
General
Target
1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
Size
20KB
MD5
65e20fe33e32e5bbfce06725da9f1390
SHA1
7a8e41de13760f158edac9045d6cf64036ecafea
SHA256
1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904
SHA512
4f6c9758364541dfd362c69424c0b9242ddf4137a474615a3648100588b9127931eb5b302697d22f30189c0960757932f3d5cad164f73f346ff5dcf2541b33f7
SSDEEP
192:4/bROG+bO5r+C+isnpHfB7FhO8C0lzWvI4QwFt9V+jqCNa5KDJBaV:4L+q5r+PpHfXhUkKvI4QwjQNa5KDJq
Malware Config
Signatures
Drops file in Drivers directory 17 IoCs
Executes dropped EXE 4 IoCs
pid  Process
3416  winlogon.exe
3780  AE 0124 BE.exe
2224  winlogon.exe
1216  winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  winlogon.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  AE 0124 BE.exe
Loads dropped DLL 3 IoCs
pid  Process
3780  AE 0124 BE.exe
2224  winlogon.exe
1216  winlogon.exe
Drops desktop.ini file(s) 26 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4336 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4336 iexplore.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
2320 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
4336 iexplore.exe
4336 iexplore.exe
3416 winlogon.exe
3320 IEXPLORE.EXE
3320 IEXPLORE.EXE
3780 AE 0124 BE.exe
2224 winlogon.exe
1216 winlogon.exe
3320 IEXPLORE.EXE
3320 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 2320 wrote to memory of 4336 2320 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe 84
PID 2320 wrote to memory of 4336 2320 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe 84
PID 4336 wrote to memory of 3320 4336 iexplore.exe 85
PID 4336 wrote to memory of 3320 4336 iexplore.exe 85
PID 4336 wrote to memory of 3320 4336 iexplore.exe 85
PID 2320 wrote to memory of 3416 2320 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe 86
PID 2320 wrote to memory of 3416 2320 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe 86
PID 2320 wrote to memory of 3416 2320 1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe 86
PID 3416 wrote to memory of 3780 3416 winlogon.exe 87
PID 3416 wrote to memory of 3780 3416 winlogon.exe 87
PID 3416 wrote to memory of 3780 3416 winlogon.exe 87
PID 3416 wrote to memory of 2224 3416 winlogon.exe 88
PID 3416 wrote to memory of 2224 3416 winlogon.exe 88
PID 3416 wrote to memory of 2224 3416 winlogon.exe 88
PID 3780 wrote to memory of 1216 3780 AE 0124 BE.exe 90
PID 3780 wrote to memory of 1216 3780 AE 0124 BE.exe 90
PID 3780 wrote to memory of 1216 3780 AE 0124 BE.exe 90
Processes
C:\Users\Admin\AppData\Local\Temp\1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e91764f12fe4f3f71f0fa500ee3353c7734886ce34672e7e0f67b590db01904.exe" (depth 1)
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif (depth 2)
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4336
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4336 CREDAT:17410 /prefetch:2 (depth 3)
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:3320
  C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe" (depth 2)
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3416
    C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe" (depth 3)
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:3780
      C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe" (depth 4)
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        PID:1216
    C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe" (depth 3)
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID:2224
Network
MITRE ATT&CK Enterprise v6
Downloads