Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2022, 06:09 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
- Resource: win10v2004-20220812-en
General
- Target: fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
- Size: 20KB
- MD5: 933ac6a2234ba205f00d21ec54a21910
- SHA1: 9148eeed74728ce159651816d0e408fe619f6c12
- SHA256: fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691
- SHA512: 913af589c2bab9fcd423d3f636abd99152794a7671eaf7b68dd31f5c65dacaa321bdb3c68a802ecba30e59125368f071500dcf260eec60dd1580e6911db9f579
- SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJB23z:1M3PnQoHDCpHf4I4Qwdc0G5KDJU
Malware Config
Signatures
Drops file in Drivers directory (6 IoCs)
  description | ioc | process
  - File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
  - File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
  - File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
  - File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
  - File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
  - File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
Executes dropped EXE (4 IoCs)
  pid | process
  - 1612 | winlogon.exe
  - 1608 | AE 0124 BE.exe
  - 4256 | winlogon.exe
  - 2000 | winlogon.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  - Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | winlogon.exe
  - Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Loads dropped DLL (3 IoCs)
  pid | process
  - 1608 | AE 0124 BE.exe
  - 4256 | winlogon.exe
  - 2000 | winlogon.exe
Drops desktop.ini file(s) (24 IoCs)
Drops autorun.inf file (1 TTPs, 27 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (1 IoCs)
  description | ioc | process
  - File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Modifies registry class (4 IoCs)
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  - 3636 | iexplore.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | process
  - 3636 | iexplore.exe
Suspicious use of SetWindowsHookEx (11 IoCs)
  pid | process
  - 3060 | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
  - 3636 | iexplore.exe
  - 3636 | iexplore.exe
  - 1612 | winlogon.exe
  - 1948 | IEXPLORE.EXE
  - 1948 | IEXPLORE.EXE
  - 1608 | AE 0124 BE.exe
  - 4256 | winlogon.exe
  - 2000 | winlogon.exe
  - 1948 | IEXPLORE.EXE
  - 1948 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | procid_target
  - PID 3060 wrote to memory of 3636 | 3060 | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe | 82
  - PID 3060 wrote to memory of 3636 | 3060 | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe | 82
  - PID 3636 wrote to memory of 1948 | 3636 | iexplore.exe | 83
  - PID 3636 wrote to memory of 1948 | 3636 | iexplore.exe | 83
  - PID 3636 wrote to memory of 1948 | 3636 | iexplore.exe | 83
  - PID 3060 wrote to memory of 1612 | 3060 | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe | 84
  - PID 3060 wrote to memory of 1612 | 3060 | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe | 84
  - PID 3060 wrote to memory of 1612 | 3060 | fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe | 84
  - PID 1612 wrote to memory of 1608 | 1612 | winlogon.exe | 85
  - PID 1612 wrote to memory of 1608 | 1612 | winlogon.exe | 85
  - PID 1612 wrote to memory of 1608 | 1612 | winlogon.exe | 85
  - PID 1612 wrote to memory of 4256 | 1612 | winlogon.exe | 86
  - PID 1612 wrote to memory of 4256 | 1612 | winlogon.exe | 86
  - PID 1612 wrote to memory of 4256 | 1612 | winlogon.exe | 86
  - PID 1608 wrote to memory of 2000 | 1608 | AE 0124 BE.exe | 89
  - PID 1608 wrote to memory of 2000 | 1608 | AE 0124 BE.exe | 89
  - PID 1608 wrote to memory of 2000 | 1608 | AE 0124 BE.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe"
  PID: 3060
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe (depth 2)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    PID: 3636
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:17410 /prefetch:2
      PID: 1948
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\winlogon.exe (depth 2)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 1612
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe (depth 3)
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID: 1608
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe (depth 4)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 2000
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe (depth 3)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 4256
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
Network
- No results found
MITRE ATT&CK Enterprise v6
Downloads