Analysis
max time kernel: 152s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2022, 02:14
Static task: static1
Behavioral task: behavioral1
  Sample: c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
  Resource: win10v2004-20220812-en
General
Target: c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
Size: 20KB
MD5: 0eb476444927e26b1558507de48778a0
SHA1: 6a0a7c7a191ca784da5d9906bd4aa77c9dbd17ae
SHA256: c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a
SHA512: 98f233021ff58fe36f4afca1be92fe34a39123f0b8b6dd7f1f289a41e1af95951d8a8501aed44a010b6d9d859b1ab0d744ae376addfa398500d3b07b6752ee9d
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBdq:1M3PnQoHDCpHf4I4Qwdc0G5KDJS
Malware Config
Signatures
Drops file in Drivers directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
Executes dropped EXE 4 IoCs
pid | Process
2260 | winlogon.exe
3052 | AE 0124 BE.exe
4504 | winlogon.exe
4684 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Loads dropped DLL 3 IoCs
pid | Process
3052 | AE 0124 BE.exe
4504 | winlogon.exe
4684 | winlogon.exe
Drops desktop.ini file(s) 24 IoCs
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2252 | iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2252 | iexplore.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
2820 | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
2252 | iexplore.exe
2252 | iexplore.exe
2260 | winlogon.exe
2640 | IEXPLORE.EXE
2640 | IEXPLORE.EXE
3052 | AE 0124 BE.exe
4504 | winlogon.exe
4684 | winlogon.exe
2640 | IEXPLORE.EXE
2640 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2820 wrote to memory of 2252 | 2820 | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe | 79
PID 2820 wrote to memory of 2252 | 2820 | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe | 79
PID 2252 wrote to memory of 2640 | 2252 | iexplore.exe | 80
PID 2252 wrote to memory of 2640 | 2252 | iexplore.exe | 80
PID 2252 wrote to memory of 2640 | 2252 | iexplore.exe | 80
PID 2820 wrote to memory of 2260 | 2820 | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe | 81
PID 2820 wrote to memory of 2260 | 2820 | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe | 81
PID 2820 wrote to memory of 2260 | 2820 | c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe | 81
PID 2260 wrote to memory of 3052 | 2260 | winlogon.exe | 82
PID 2260 wrote to memory of 3052 | 2260 | winlogon.exe | 82
PID 2260 wrote to memory of 3052 | 2260 | winlogon.exe | 82
PID 2260 wrote to memory of 4504 | 2260 | winlogon.exe | 83
PID 2260 wrote to memory of 4504 | 2260 | winlogon.exe | 83
PID 2260 wrote to memory of 4504 | 2260 | winlogon.exe | 83
PID 3052 wrote to memory of 4684 | 3052 | AE 0124 BE.exe | 84
PID 3052 wrote to memory of 4684 | 3052 | AE 0124 BE.exe | 84
PID 3052 wrote to memory of 4684 | 3052 | AE 0124 BE.exe | 84
Processes
C:\Users\Admin\AppData\Local\Temp\c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2820
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2252
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:17410 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2640
    C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks computer location settings
      - Drops autorun.inf file
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2260
        C:\Windows\AE 0124 BE.exe
          Command line: "C:\Windows\AE 0124 BE.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Loads dropped DLL
          - Drops desktop.ini file(s)
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 3052
            C:\Windows\SysWOW64\drivers\winlogon.exe
              Command line: "C:\Windows\System32\drivers\winlogon.exe"
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID: 4684
        C:\Windows\SysWOW64\drivers\winlogon.exe
          Command line: "C:\Windows\System32\drivers\winlogon.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID: 4504
Network
MITRE ATT&CK Enterprise v6
Downloads