d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2022 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
Size

1.2MB
MD5

0b5fa02e0b1f94ae10832fbfeb771d0d
SHA1

b49793a157b12e11c38cad090416c9980a433c03
SHA256

d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b
SHA512

4f078c5fd24658d6b64dcfb8ad89118fd7d3383e8bec1f39ea5eb451f9c8482311fe0428410d892d23e428ab221090bf050407bbb32fd0bc39016545a1df7472
SSDEEP

6144:xCTPgrnq0/FniJi6uTJKvePPMqLckUet72FwBI+AFdb8MuiVQO8uZUE4Mw:xCTPgrnZiJiAaMVkUet7EwBI+APuzUj2

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nnyz = "dgrw.exe"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Drops desktop.ini file(s) 48 IoCs

description	ioc	Process
File opened for modification	\??\e:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\m:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\n:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\t:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\w:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\y:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\z:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\c:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\p:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\q:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\u:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\h:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\l:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\g:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\f:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\h:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\k:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\o:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\p:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\q:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\r:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\z:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\v:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\n:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\o:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\u:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\y:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\l:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\i:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\j:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\m:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\r:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\s:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\t:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\x:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\g:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\f:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\i:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\v:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\x:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\e:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\j:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\k:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\s:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\w:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\c:\Desktop.ini	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\u:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\j:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\m:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\n:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\q:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\r:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\w:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\g:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\h:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\i:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\k:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\o:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\s:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\z:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\f:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\p:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\t:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\v:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\x:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\y:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened (read-only)	\??\e:	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Drops autorun.inf file 1 TTPs 47 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\r:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\w:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\x:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\y:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	C:\Documents and Settings\Admin\Application Data\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\c:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\f:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\p:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\u:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\y:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\g:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\j:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\o:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\t:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\m:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\m:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\t:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\s:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\x:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\n:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\q:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\r:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\i:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\k:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\z:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\c:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\e:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\g:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\s:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\w:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\z:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\h:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\o:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\p:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\l:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\n:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\v:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\h:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\j:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\k:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\l:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\q:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\u:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\v:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\e:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	\??\f:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	\??\i:\Autorun.inf	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvbvm60.dll	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File created	C:\Windows\SysWOW64\dgrw.exe	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
File opened for modification	C:\Windows\SysWOW64\dgrw.exe	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Negeri Serumpun Sebalai .pif .bat .com .scr .exe	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4208	5044	WerFault.exe	84

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\SCRNSAVE.EXE = "MR_COO~1.SCR"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "JPEG Image"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "Princess Document"	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
5044	d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe

C:\Users\Admin\AppData\Local\Temp\d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe
"C:\Users\Admin\AppData\Local\Temp\d2d0fbfc38812cb3da2e8b5159498f4fce159e025eb302ddc630fc00a6b3aa1b.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 868
  2⤵
  - Program crash
  PID:4208