fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691

Analysis

max time kernel
123s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
Size

20KB
MD5

933ac6a2234ba205f00d21ec54a21910
SHA1

9148eeed74728ce159651816d0e408fe619f6c12
SHA256

fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691
SHA512

913af589c2bab9fcd423d3f636abd99152794a7671eaf7b68dd31f5c65dacaa321bdb3c68a802ecba30e59125368f071500dcf260eec60dd1580e6911db9f579
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJB23z:1M3PnQoHDCpHf4I4Qwdc0G5KDJU

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
1940	winlogon.exe
1284	AE 0124 BE.exe
1984	winlogon.exe
1912	winlogon.exe

Loads dropped DLL 7 IoCs

pid	Process
1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
1940	winlogon.exe
1940	winlogon.exe
1284	AE 0124 BE.exe
1284	AE 0124 BE.exe
844	iexplore.exe

Drops desktop.ini file(s) 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiacn001.inf_amd64_neutral_b7a0b2f53d745b5a\CNHW900.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\cryptext.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmboca.inf_amd64_neutral_cc532ed7b3b5b5a9\mdmboca.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNB_0318.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\eappcfg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\gpsvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO3100T.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpD5400t.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\rpcping.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasic	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\gpprefcl.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migration\audmigplugin.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\nlsbres.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF6940T.XML	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\hcproviders.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\netshell.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wscinterop.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Dism\fr-FR\SmiProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm002.inf_amd64_neutral_7c42808e24ebff99\Amd64\KO360U.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_neutral_fc4ebadff3a40ae4\WpdFs.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\dialer.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\EP0NB020.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4300t.gpd	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Switch.help.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DeviceProperties.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\cdosys.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ServiceModel.mof.uninstall	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\xwizards.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~pl-PL~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\prnrc00b.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Utilman.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\CertPolEng.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\prnrc004.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\usercpl.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Base-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr006.inf_amd64_neutral_0232ca4f23224d01	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt003.inf_amd64_neutral_8c9aae54a5673a35\Amd64\GS11006.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\d2d1.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\PortableDeviceApi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\nfs-clientcore-DL.man	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\mpg2splt.ax	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\EP0NOEUY.DXT	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm002.inf_amd64_neutral_7c42808e24ebff99\prnkm002.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00f.inf_amd64_neutral_f7f7e179d99acc58\CNHL800.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\prnrc00a.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalN	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\setup16.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wpcao.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDINGUJ.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfLpt.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\getuname.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Dism\fr-FR\DismCore.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\pciide.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD135C.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasicE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDUR1.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntpe.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\sendmail.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDUK.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Refresh-LanguagePack-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYKM3050.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\prnsh002.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~de-DE~7.1.7601.16492.cat	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\CreateAppSetting.aspx.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_hu-hu_cc2ae7a603d88da8	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\rod.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\mui\0C0A\msdasc.chm	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\battery.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep004.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_991b6dbcb3872570	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Networking\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Printer\DiagPackage.diagpkg	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\SqlWorkflowInstanceStoreSchemaUpgrade.sql	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f52607304e593d93	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceProcess	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_brmfcsto.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5fd7fe222b4eb767	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..entsnapin.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5fe3c920d2faa436	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-propsys.resources_31bf3856ad364e35_7.0.7600.16385_en-us_6d3e07200f2ae7de	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usbrpm-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c4cd84973b13f3b5	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\dc34242bf840d340e94d2657c7c33371\Microsoft.MediaCenter.Sports.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..-bckupbas.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b804f6a281eac43b	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..rolviewer.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_47f399fa0a96f8c0	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sonic-tables-alloc_3_31bf3856ad364e35_6.1.7600.16385_none_aa4fa4aa431e4653	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f223685acfe7ea57	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnlx005.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_089ce29ad22d190c	AE 0124 BE.exe
File opened for modification	C:\Windows\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_ja_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\9312b7591cfb35c1c4b3e6d497c0489e\Microsoft.Transactions.Bridge.Dtc.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\hvgafix.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\IME\IMETC10\HELP\IMTCEN.CHM	AE 0124 BE.exe
File opened for modification	C:\Windows\Speech\Engines\SR\fr-FR\l1036.mllr	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_83099b6ac05ef396	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\aspnet_state\0804\aspnet_state_perf.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DefineErrorPage.aspx.fr.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..apc-layer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_21b6e6d65bd4c9c3	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehsidebarres_31bf3856ad364e35_6.1.7600.16385_none_fab1b57dde428ba5	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..ne-editor.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0f9192e319053501	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WindowsFormsIntegration.resources\3.0.0.0_it_31bf3856ad364e35\WindowsFormsIntegration.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.Resources\1.0.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmgl005.inf_31bf3856ad364e35_6.1.7600.16385_none_cedc019a9436ccfc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_5a770247be1acfba	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..ltdel-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_2823e1c0b9b01d77	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Abstractions.resources\3.5.0.0_it_31bf3856ad364e35\System.Web.Abstractions.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1044\eula.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-setupapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68d891dc840c463a	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-network.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74e8789d956287b3	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msi-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ea94d29f5fbbedcf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rpc-ns.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_feb416c76ffd57b3	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..erclasses.resources_31bf3856ad364e35_6.1.7600.16385_es-es_084f776c600a93ae	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-sys_data_oraclient_perfcoun_b03f5f7f11d50a3a_6.1.7600.16385_none_12b230ea15a9e57a	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~ru-RU~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~ru-RU~7.1.7601.16492.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmcxhv6.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_af2d735e08c1d7d7	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mup-mof_31bf3856ad364e35_6.1.7600.16385_none_b87803a83de5efa6	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rpc-http_31bf3856ad364e35_6.1.7601.17514_none_fe1ef25f55f373ef	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_arc.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3c55042f29067b76	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-deviceux.resources_31bf3856ad364e35_6.1.7600.16385_it-it_581bce649102203a	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-runas.resources_31bf3856ad364e35_6.1.7600.16385_de-de_64d7230929f19560	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..edirector.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8127938e13864b78	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep003.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fe55166b78f0994c	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{203F2981-587D-11ED-9D78-7225AF48583A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502810f989ecd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000401ed1b2723bf36d4a1ee5c96cf418640ca6c569314bf3a75fad5bee8f26dc4d000000000e8000000002000020000000821af3bc52b990ccc941c281702250f8a1de668b3417b459e7a57727048632989000000029eb62c8940176f7135f8976118a961283b9248572dee7a92f5d995ddfde9fc4b67e900f80bf1c9f9e1ceffa04c8237e728a77d77e9178eb06db22e77675761072c024a2bb8fd48807be3e36afd52a714da187ed75f1742db6d0f3230d4f5d39ec9c40cd1db184abd9d47db3bd5b06d4bfeea4217fedce9fef8ac4873d9d2b3e7d032939ec104fbde0d84d39b9dfe6694000000067dba575cb1f9b416646a6cf3ffc338585c66e7ae7dd957fcc48fdbb67a97a8b318606cd96b4eb71768125b227e8ef17f6433868d2ecc335dba3fa8d2d0eb1db	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000008b1ab7108e3bb46bbbb59a5180d5c011628d67f793ab8797589def2411f172dc000000000e8000000002000020000000682da10192f51ed0ad6aee76e252c924ae3e9199d29c395feee1a5b5b7f8ad8720000000a9adf14cd13396c8fec90d7e52a2d579c4b9b390aa0c6065de1a5c3bd2ba5c35400000003ce960ea8780ce8bd51fe9dba5c170c1c483d551d226374a8d377bd90a3cff8652191f74381535c93c79d2f7f630f02021e32b81565bc9f2a0dab96e996ead05	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373917978"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
844	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
844	iexplore.exe
844	iexplore.exe
1940	winlogon.exe
532	IEXPLORE.EXE
532	IEXPLORE.EXE
1284	AE 0124 BE.exe
1984	winlogon.exe
532	IEXPLORE.EXE
532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 844	1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	27
PID 1204 wrote to memory of 844	1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	27
PID 1204 wrote to memory of 844	1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	27
PID 1204 wrote to memory of 844	1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	27
PID 844 wrote to memory of 532	844	iexplore.exe	29
PID 844 wrote to memory of 532	844	iexplore.exe	29
PID 844 wrote to memory of 532	844	iexplore.exe	29
PID 844 wrote to memory of 532	844	iexplore.exe	29
PID 1204 wrote to memory of 1940	1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	30
PID 1204 wrote to memory of 1940	1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	30
PID 1204 wrote to memory of 1940	1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	30
PID 1204 wrote to memory of 1940	1204	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	30
PID 1940 wrote to memory of 1284	1940	winlogon.exe	31
PID 1940 wrote to memory of 1284	1940	winlogon.exe	31
PID 1940 wrote to memory of 1284	1940	winlogon.exe	31
PID 1940 wrote to memory of 1284	1940	winlogon.exe	31
PID 1940 wrote to memory of 1912	1940	winlogon.exe	32
PID 1940 wrote to memory of 1912	1940	winlogon.exe	32
PID 1940 wrote to memory of 1912	1940	winlogon.exe	32
PID 1940 wrote to memory of 1912	1940	winlogon.exe	32
PID 1284 wrote to memory of 1984	1284	AE 0124 BE.exe	33
PID 1284 wrote to memory of 1984	1284	AE 0124 BE.exe	33
PID 1284 wrote to memory of 1984	1284	AE 0124 BE.exe	33
PID 1284 wrote to memory of 1984	1284	AE 0124 BE.exe	33

C:\Users\Admin\AppData\Local\Temp\fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
"C:\Users\Admin\AppData\Local\Temp\fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:844 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:532
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1984
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Executes dropped EXE
    PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\93GIPQPP.txt

Filesize
603B

MD5
7f5891524ad05490811c41d1fe936106

SHA1
7b6610278852590d4f87a1c60b3c236097084e02

SHA256
164da788fa86858588efa0efb9965c80eb1dc7ddc41cc9493ac6426d7512a73c

SHA512
f7cbd109967028dbb7be97b7dd9b30397c36ba8d5b59347f3b70a8e2e2c58587b1300eaf72d31b702978ebe6d1ed6f1a77a8e2c58d486793db2a0d90f058348f

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
22c4647e82ee43a9b0761e1fa17df729

SHA1
588e23b8029f561faa725c09ddf2cae7e7b250b4

SHA256
afc4e53eacdb5ae70a9ab19d43a8eae4f94da76ebfb8e665f7b4a8e6e2d5ec02

SHA512
789e0ba765b38e3e2ea6fa0095c97e90f49ee710d4fd26e7995ef9207ce73bf6353e8b8d10daaeba51998ebde8ebe94b0a313b1cd48571526b767791fb565058

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

Filesize
615KB

MD5
7b2a54732d38cd19c79c8184d6932f6f

SHA1
6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04

SHA256
76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d

SHA512
acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
memory/1204-56-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1284-68-0x0000000000000000-mapping.dmp

Download
memory/1912-80-0x0000000000000000-mapping.dmp

Download
memory/1940-61-0x0000000000000000-mapping.dmp

Download
memory/1984-83-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads