Analysis
-
max time kernel
198s -
max time network
216s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30/10/2022, 06:11
Static task
static1
Behavioral task
behavioral1
Sample
16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
Resource
win10v2004-20220812-en
General
-
Target
16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
-
Size
20KB
-
MD5
92bf68dd3665bfa20e535ff4b35b45c0
-
SHA1
9a9d782690d7d4c1c60264deef3cc3852ee4f7c8
-
SHA256
16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d
-
SHA512
9b0171586dbdef314b8ea6f8b76a5da48effd9c3400ef0af89afc0180437056e2002af7b405d997e6217885a7f61b03ba38a13ed7f0420aa24641ab1b465f735
-
SSDEEP
192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBzwHOe:1M3PnQoHDCpHf4I4Qwdc0G5KDJRwt
Malware Config
Signatures
-
Drops file in Drivers directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
-
Executes dropped EXE 4 IoCs
pid | Process
1264 | winlogon.exe
4576 | AE 0124 BE.exe
1484 | winlogon.exe
4812 | winlogon.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
-
Loads dropped DLL 3 IoCs
pid | Process
4576 | AE 0124 BE.exe
1484 | winlogon.exe
4812 | winlogon.exe
-
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
-
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2172 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
2176 | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
2172 | iexplore.exe
2172 | iexplore.exe
1264 | winlogon.exe
1656 | IEXPLORE.EXE
1656 | IEXPLORE.EXE
4576 | AE 0124 BE.exe
1484 | winlogon.exe
4812 | winlogon.exe
1656 | IEXPLORE.EXE
1656 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2176 wrote to memory of 2172 | 2176 | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe | 81
PID 2176 wrote to memory of 2172 | 2176 | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe | 81
PID 2172 wrote to memory of 1656 | 2172 | iexplore.exe | 82
PID 2172 wrote to memory of 1656 | 2172 | iexplore.exe | 82
PID 2172 wrote to memory of 1656 | 2172 | iexplore.exe | 82
PID 2176 wrote to memory of 1264 | 2176 | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe | 83
PID 2176 wrote to memory of 1264 | 2176 | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe | 83
PID 2176 wrote to memory of 1264 | 2176 | 16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe | 83
PID 1264 wrote to memory of 4576 | 1264 | winlogon.exe | 84
PID 1264 wrote to memory of 4576 | 1264 | winlogon.exe | 84
PID 1264 wrote to memory of 4576 | 1264 | winlogon.exe | 84
PID 1264 wrote to memory of 1484 | 1264 | winlogon.exe | 85
PID 1264 wrote to memory of 1484 | 1264 | winlogon.exe | 85
PID 1264 wrote to memory of 1484 | 1264 | winlogon.exe | 85
PID 4576 wrote to memory of 4812 | 4576 | AE 0124 BE.exe | 86
PID 4576 wrote to memory of 4812 | 4576 | AE 0124 BE.exe | 86
PID 4576 wrote to memory of 4812 | 4576 | AE 0124 BE.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16bcb4399443c51e2225a621e348c32eb53280d75cb6fe3cc6031d2790df017d.exe"
  PID: 2176
  Signatures:
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    PID: 2172
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:17410 /prefetch:2
      PID: 1656
      Signatures:
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 1264
    Signatures:
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID: 4576
      Signatures:
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 4812
        Signatures:
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 1484
      Signatures:
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
40KB
MD5 d05f440293d371ec03f9f6505ac78b84
SHA1 cda8c65aeac384bafd344918c744a0ca7b6d6958
SHA256 fd1f572587b67565c00b8cc70b0b33db19608366e97c3c51fc1b9377e30d711e
SHA512 fc13dcd2283e727bc5c15b4774db5eeaee78c4445a9c058629b72a2cd8d3c88725e946bf13b1af9b6852f4b00c33b5d6d04cef33c5e988c26aae0434e254d556
-
Filesize
20KB
MD5 7e3eba5b3cc2711f2031011837d62f39
SHA1 808876996c436928067cdc7f68a9ab4bf7a7d414
SHA256 76d4318923a9cd1d7471e6931e0eeb450808456b71267236f1c099282e86398b
SHA512 345f664ae95381f88f4c34a77cbfecd4d741eeb07fd1352d4e4f9b9575801cdb5bc0e507cce7a5b3fc5801f5f82c70bf09c1959285908863abd57935c914bcbc
-
Filesize
40KB
MD5 930fb918eba563d2761d1bb66f891dec
SHA1 1681e5afe17db33e5e401a94b3c242d27e1f91c7
SHA256 e3aeecef4eb810285fd7a34740990b1cdc83c984d4e06935d94e1c4a3e5c121e
SHA512 dd2c9967d99ebb268f406573da05b446597c2d9ec3786f907b7c46a2757e207ad3a7172a83dc0abe2fbab6f5b00b5f619b7c2c5cea208d1212b8c2cdfb1dfab6
-
Filesize
1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
25B
MD5 589b6886a49054d03b739309a1de9fcc
SHA1 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb