Analysis

max time kernel: 227s
max time network: 236s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 19/10/2022, 13:13

Static task: static1

Behavioral task: behavioral1
  Sample: fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe
  Resource: win10v2004-20220812-en
General

Target: fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe
Size: 24KB
MD5: 925044a12beb1f5e87e0e50b123ac108
SHA1: 8865b8ad52bc7a1bd0cdabd7bbd62b0bc190b001
SHA256: fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d
SHA512: b88d95aec1aaf2af0727ae8d4b878f412cf15173d59575831bc20e2ea60f62728f3460fbe22616835920b2b9e940471fb3eba925bef7bc44850d097e1cf86917
SSDEEP: 384:4L+q5r+PpHfXhUkKvI4QwjQNa5KDJMgDT4U0x:4a4r+PpHfXGLOFXUU0x
Malware Config
Signatures
-
Drops file in Drivers directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
Executes dropped EXE 4 IoCs
pid | Process
1960 | winlogon.exe
1092 | AE 0124 BE.exe
1932 | winlogon.exe
748 | winlogon.exe
Loads dropped DLL 7 IoCs
pid | Process
1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe
1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe
1960 | winlogon.exe
1960 | winlogon.exe
1092 | AE 0124 BE.exe
1092 | AE 0124 BE.exe
748 | winlogon.exe
Drops desktop.ini file(s) 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\assembly\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Cityscape\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Delta\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Quirky\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Raga\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Savanna\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Sonata\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Afternoon\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Garden\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Calligraphy\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Characters\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Festival\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Heritage\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Landscape\Desktop.ini | AE 0124 BE.exe
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1408 | iexplore.exe
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe
1408 | iexplore.exe
1408 | iexplore.exe
1960 | winlogon.exe
1092 | AE 0124 BE.exe
1684 | IEXPLORE.EXE
1684 | IEXPLORE.EXE
748 | winlogon.exe
1684 | IEXPLORE.EXE
1684 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 1420 wrote to memory of 1408 | 1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe | 28
PID 1420 wrote to memory of 1408 | 1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe | 28
PID 1420 wrote to memory of 1408 | 1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe | 28
PID 1420 wrote to memory of 1408 | 1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe | 28
PID 1408 wrote to memory of 1684 | 1408 | iexplore.exe | 30
PID 1408 wrote to memory of 1684 | 1408 | iexplore.exe | 30
PID 1408 wrote to memory of 1684 | 1408 | iexplore.exe | 30
PID 1408 wrote to memory of 1684 | 1408 | iexplore.exe | 30
PID 1420 wrote to memory of 1960 | 1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe | 31
PID 1420 wrote to memory of 1960 | 1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe | 31
PID 1420 wrote to memory of 1960 | 1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe | 31
PID 1420 wrote to memory of 1960 | 1420 | fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe | 31
PID 1960 wrote to memory of 1092 | 1960 | winlogon.exe | 32
PID 1960 wrote to memory of 1092 | 1960 | winlogon.exe | 32
PID 1960 wrote to memory of 1092 | 1960 | winlogon.exe | 32
PID 1960 wrote to memory of 1092 | 1960 | winlogon.exe | 32
PID 1960 wrote to memory of 1932 | 1960 | winlogon.exe | 33
PID 1960 wrote to memory of 1932 | 1960 | winlogon.exe | 33
PID 1960 wrote to memory of 1932 | 1960 | winlogon.exe | 33
PID 1960 wrote to memory of 1932 | 1960 | winlogon.exe | 33
PID 1092 wrote to memory of 748 | 1092 | AE 0124 BE.exe | 34
PID 1092 wrote to memory of 748 | 1092 | AE 0124 BE.exe | 34
PID 1092 wrote to memory of 748 | 1092 | AE 0124 BE.exe | 34
PID 1092 wrote to memory of 748 | 1092 | AE 0124 BE.exe | 34
Processes

Process tree (indentation shows parent/child relationship):

C:\Users\Admin\AppData\Local\Temp\fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fcd26d2f2eaa8fb6b1426434c8b58b54dd136fa41b60a228b825236dc2e6116d.exe"
  PID: 1420
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    PID: 1408
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:275457 /prefetch:2
      PID: 1684
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 1960
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID: 1092
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 748
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 1932
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 603B
MD5: c4e7cd01b2043b7e3c3b2b3188ecb9f9
SHA1: b66da382b722607d7ed20084f989a0530e880330
SHA256: c7ad111fa1ab2d951e7a071f4c72ffeec35d04978417053bedea184bb31471c9
SHA512: 2a539c6082b61af62cd41bbd6f73c73f6881e819f1ae2d69be0961582b3597457ad0deae9286df652a9f25b0401380b6a749398ba4e743e0c719e68e1cc456fa

Filesize: 49KB
MD5: 3501e37c4feb51d4e363041f37aeb2cc
SHA1: d2a170775dd617181336886c4d0bbc25023ff89e
SHA256: 5ab7e6dabb0efbc1f63f14c2fafdec3d0e68fa4f5aa2bf9af35e366d0e5b456e
SHA512: 57f5e6b4704c7c7962ee859161e500f534fad0979c9eff17e69817adf11dfe66ef7c2c1953522903440de7e691033100fc0dbf8a85f0fa35f92f517341c17f11

Filesize: 24KB
MD5: 16dc9fca0be72f08ecbc991c2c36a77f
SHA1: 5ee5e4d93acee9b138e182517f164b5c02cdf26e
SHA256: f3eb12eb480632a7cd7d6ea2398d3216822037de41aeb931bf01bb7318f56bf2
SHA512: 744ace591e07055562ff07bf98a8031cea6b1108f35329f23817ba173a164559d27eb67a73c38d0b1518d1694cb7c86dbe5d91ad6de5bde6152ad399c26b77a4

Filesize: 49KB
MD5: 02d88b67bead87297e4a1040900a9f37
SHA1: e3d550a01fc564f19b89cdf3b12a84982784055d
SHA256: cf05cdc72a7c9cb5d1e706965c54d7348f738bbe27ac4fa152bae71e1cf92a07
SHA512: 07a9e1142226aa2fbcf51d3b9990b5a5f798dae81ea2c7a46696157068e332fd6612888462a7f291ed7b5b74ebb2f9fa58a4aa713fa885bcbd2c726ae0050fef

Filesize: 1.3MB
MD5: 5343a19c618bc515ceb1695586c6c137
SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Filesize: 21B
MD5: 9cceaa243c5d161e1ce41c7dad1903dd
SHA1: e3da72675df53fffa781d4377d1d62116eafb35b
SHA256: 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512: af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b