fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 06:09 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
Size

20KB
MD5

933ac6a2234ba205f00d21ec54a21910
SHA1

9148eeed74728ce159651816d0e408fe619f6c12
SHA256

fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691
SHA512

913af589c2bab9fcd423d3f636abd99152794a7671eaf7b68dd31f5c65dacaa321bdb3c68a802ecba30e59125368f071500dcf260eec60dd1580e6911db9f579
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJB23z:1M3PnQoHDCpHf4I4Qwdc0G5KDJU

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe

Executes dropped EXE 4 IoCs

pid	Process
1612	winlogon.exe
1608	AE 0124 BE.exe
4256	winlogon.exe
2000	winlogon.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Loads dropped DLL 3 IoCs

pid	Process
1608	AE 0124 BE.exe
4256	winlogon.exe
2000	winlogon.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D2B15AE2.pf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.resources\v4.0_4.0.0.0_de_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallSqlState.sql	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.DirectoryServices.Protocols.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\it	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web_lowtrust.config	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx	AE 0124 BE.exe
File opened for modification	C:\Windows\PLA\Rules\de-DE\Rules.System.Network.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Build.Tasks.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_es_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.WasHosting\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\mdmx5560.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\fr\PresentationUI.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\aspnet.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Transactions.resources\v4.0_4.0.0.0_de_b77a5c561934e089\System.Transactions.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\PeerToPeerCaching.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\ShFusRes.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\FileTracker.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Client.resources	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity.Design.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\System.Data.Entity.Design.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\eaeb6a67061f4e471cdd1c9e023f4e58\PresentationFramework.Aero2.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\es\DataSvcUtil.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ja\System.ComponentModel.DataAnnotations.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\WindowsMediaDRM.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\LSM	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationUI.resources\v4.0_4.0.0.0_es_31bf3856ad364e35\PresentationUI.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\3082\dv_aspnetmmc.chm	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\mdmvdot.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\WindowsRemoteManagement.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Runtime.Resources\3.0.0.0_fr_31bf3856ad364e35\System.Workflow.Runtime.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\0c671454f3bec22322ca78eade5d677c	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\fdc.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Data.Entity.Build.Tasks.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\XPThemes.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\uaspstor.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\PERFLIB\040C	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Workflow.ComponentModel.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RemoteAssistance.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.ja.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.IO.Log	AE 0124 BE.exe
File opened for modification	C:\Windows\IdentityCRL\INT	AE 0124 BE.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Spelling.api	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\sbs_microsoft.vsa.vb.codedomprocessor.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\AppSetting.ascx.it.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_I2C_GLK.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_de_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\es\System.EnterpriseServices.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\1040\CvtResUI.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\ja\SqlWorkflowInstanceStoreSchemaUpgrade.sql	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ja\mscorlib.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\Regasm.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\compatjit.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\mscorlib.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\impact.ttf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\v4.0_3.0.0.0_en_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData.resources\v4.0_4.0.0.0_it_31bf3856ad364e35	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373921618"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993554"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993554"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C3DB413-5885-11ED-89AC-E62BBF623C53} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30fc376f92ecd801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5045306d92ecd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993554"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1856730473"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1851261173"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000007384b6292cd30e43055a0b3720d65ee40a64ea133b9d3eb9099d5cbd483ed1bc000000000e800000000200002000000010136a3c298d1415d916050e6f523f8cb830ab0ebf7488d36bbc49c13c7b1a1c20000000319628cd7aa092079bd1ddb12c2b1af76082b297bc68a7832474dc979e59bae540000000ffb1fa188f1dcd3f395ce1b3835def96feaf8dd0be747dc9e107f1069cdbe506e08a7a208a4789c6539180d527fdd7a5a39cb14e70cc5bcafe1f8d15eafa0a86	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1851261173"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000239ad9457f2f378e1fbe15ba9b48114e7b355d780050557cc04f51007fd82fb7000000000e8000000002000020000000907c077972e2ec2e9cf79992730d18ceb2d05fc34a39d8c93abd45dcb5d732982000000049fbafa194edcf6fe4e3ad98435465bf80cd97f2f94c592525bdd52ca6c42c5240000000637044b922abe37f34050213b2f3369a48d9eeb6b63d1ff3d06bc64a6c0b4c00e317e22a5411b4334155a582cc224258720d046831031588167c0fdca4695781	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1856730473"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993554"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3636	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3636	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3060	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
3636	iexplore.exe
3636	iexplore.exe
1612	winlogon.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1608	AE 0124 BE.exe
4256	winlogon.exe
2000	winlogon.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3636	3060	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	82
PID 3060 wrote to memory of 3636	3060	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	82
PID 3636 wrote to memory of 1948	3636	iexplore.exe	83
PID 3636 wrote to memory of 1948	3636	iexplore.exe	83
PID 3636 wrote to memory of 1948	3636	iexplore.exe	83
PID 3060 wrote to memory of 1612	3060	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	84
PID 3060 wrote to memory of 1612	3060	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	84
PID 3060 wrote to memory of 1612	3060	fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe	84
PID 1612 wrote to memory of 1608	1612	winlogon.exe	85
PID 1612 wrote to memory of 1608	1612	winlogon.exe	85
PID 1612 wrote to memory of 1608	1612	winlogon.exe	85
PID 1612 wrote to memory of 4256	1612	winlogon.exe	86
PID 1612 wrote to memory of 4256	1612	winlogon.exe	86
PID 1612 wrote to memory of 4256	1612	winlogon.exe	86
PID 1608 wrote to memory of 2000	1608	AE 0124 BE.exe	89
PID 1608 wrote to memory of 2000	1608	AE 0124 BE.exe	89
PID 1608 wrote to memory of 2000	1608	AE 0124 BE.exe	89

C:\Users\Admin\AppData\Local\Temp\fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe
"C:\Users\Admin\AppData\Local\Temp\fcaa1ebaaf2f70fb277b593f94e745cc39ea34db129c9d0265cd08a73b2a2691.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1948
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2000
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4256

Network

No results found

93.184.221.240:80

260 B
5
93.184.221.240:80

260 B
5
93.184.221.240:80

322 B
7
93.184.221.240:80

260 B
5
93.184.220.29:80

322 B
7
104.80.225.205:443

322 B
7
93.184.221.240:80

iexplore.exe

260 B
5
93.184.220.29:80

IEXPLORE.EXE

260 B
5
13.69.239.73:443

322 B
7
204.79.197.200:443

ieonline.microsoft.com

tls, http2

iexplore.exe

1.2kB
8.0kB
15
13

No results found

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C

Filesize
779B

MD5
004e1f9f2b4726e5564e16c49fb4a831

SHA1
b57e588e3371a7fee13eaa737aefdf4e126dcf51

SHA256
bad8f107566ae2c13676df6b3c67da0642b6c850a6705acac03f460a6adb8dab

SHA512
5971b426d98c2f4e66708d490f513d66f85b89aa31479ec8e60e6b54b2afe32b77cf8d853d367f5ee173685129d0ba179739be5cf72a11a641d1cee6a28c75c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

Filesize
246B

MD5
99b4fe2c9a30df563dc2fe3ed00cf459

SHA1
2d67b7a9f208e04fbe708207e00b1a2208d9da0e

SHA256
bd6202a63f62e66266321a02bf05b065a5a12d2d41b166ef5c52bce7b627af62

SHA512
da36b4cd57181d090f8eeddfc8e39c811e14775cdb71e50cff4889a82a058a811702bef8be5fc4f383fad5c42153e664e976fd69f1e1d332b078d8b1f3d41cd4

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
22c4647e82ee43a9b0761e1fa17df729

SHA1
588e23b8029f561faa725c09ddf2cae7e7b250b4

SHA256
afc4e53eacdb5ae70a9ab19d43a8eae4f94da76ebfb8e665f7b4a8e6e2d5ec02

SHA512
789e0ba765b38e3e2ea6fa0095c97e90f49ee710d4fd26e7995ef9207ce73bf6353e8b8d10daaeba51998ebde8ebe94b0a313b1cd48571526b767791fb565058

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
40KB

MD5
bb105504964fb508903d163ba92834c7

SHA1
09f0bc7d3f16830e6fcf538cac63b292ebcafdd2

SHA256
e8a12e7f519707ef382f9ee2bf17437c7fb446246849b16c74bd634ea5b286b6

SHA512
7c4a35bab1f8c0bf88be8f9697ee79892bbd842c806b40bf0551874ab83beae2e485bd7a17755df239e9a200073a784d5a03b6adf49b2a1bccc3bc5648a06a33

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
e6b55890a38db58bd43dbbe9feea6b76

SHA1
b1de84cdb248ffe9aa527c969867239bd1f5a40e

SHA256
acaea766c418839f07c46bb10df2f8d97c629e2142dd996e7bdfb1c0646c6d18

SHA512
d086e30bdfdc4d897a5d661e095750c95533f9eb96c7a3ddb69cffbc6c6af8b8a9ab528dbe990844e3fd3026b2fee947ade5e4525883e46a02144b1d321de0d7

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.