c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a

Analysis

max time kernel
152s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
Size

20KB
MD5

0eb476444927e26b1558507de48778a0
SHA1

6a0a7c7a191ca784da5d9906bd4aa77c9dbd17ae
SHA256

c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a
SHA512

98f233021ff58fe36f4afca1be92fe34a39123f0b8b6dd7f1f289a41e1af95951d8a8501aed44a010b6d9d859b1ab0d744ae376addfa398500d3b07b6752ee9d
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBdq:1M3PnQoHDCpHf4I4Qwdc0G5KDJS

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe

Executes dropped EXE 4 IoCs

pid	Process
2260	winlogon.exe
3052	AE 0124 BE.exe
4504	winlogon.exe
4684	winlogon.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Loads dropped DLL 3 IoCs

pid	Process
3052	AE 0124 BE.exe
4504	winlogon.exe
4684	winlogon.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Boot\EFI\nl-NL\bootmgfw.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Video\ja-JP\CL_LocalizationData.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\ControlPanelDisplay.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\dwup.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\MOF\de	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\fr\System.Windows.Controls.Ribbon.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClient.Resources\3.0.0.0_es_31bf3856ad364e35\UIAutomationClient.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess.resources\v4.0_4.0.0.0_ja_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\sysglobl.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Tools-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\DeviceCenter\TS_DeviceCenter.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\images\logo.contrast-white.png	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\mdmcrtix.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-S-1-5-18.dat	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-IoTUAP-ShellExt-Tools-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations.resources\v4.0_4.0.0.0_de_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\msbuild.exe.config	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\EFI\zh-TW\bootmgr.efi.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Power\DiagPackage.diagpkg	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\netrtwlane.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\Printing2.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\fr-FR\Logon.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-4DE02988.pf	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Worker-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Resources\2.0.0.0_es_b03f5f7f11d50a3a\System.Web.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\pci.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.resources\v4.0_4.0.0.0_es_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg	AE 0124 BE.exe
File opened for modification	C:\Windows\Prefetch\DISMHOST.EXE-D3106C12.pf	AE 0124 BE.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.KeyDistributionService.Cmdlets.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.ja.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.es.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-DeviceGuard-GPEXT-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Core-Client-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.207.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\679ef210e507dd4acebe324d3d5fd13a\SecurityAuditPoliciesSnapIn.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~bn-in~1.0.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Fonts.Cher~und-Cher~1.0.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Video\RS_aud_reg_settings.ps1	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_receiptprinter.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\JA\System.Data.OracleClient.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\ja-JP\CbsMsg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Storage-VirtualDevice-FibreChannel-Package~31bf3856ad364e35~amd64~~10.0.19041.1110.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\InputMethod\CHS\ChsPinyinDM02.lex	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\es-ES\Servicing.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-OpenSSH-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.964.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\fr-FR\ServiceModelInstallRC.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\WindowsInkWorkspace.adml	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-UX-UI-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\c_system.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel.resources\v4.0_4.0.0.0_ja_b77a5c561934e089\System.IdentityModel.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Printing.Resources\3.0.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\eaeb6a67061f4e471cdd1c9e023f4e58\PresentationFramework.Aero2.ni.dll	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995112"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1721906141"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5025eb47a8f2d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a1000000000020000000000106600000001000020000000a1388b123c3b7228978dac9cff28e5c4ef5dc953b820b252684334f31100e351000000000e8000000002000020000000bb95fec59d80708d5a49e645df730fc751f4eecce47e3f10361c59d956495fd82000000042992d144c0e56b7a0c2a0fe4997de44f039e2ff2e673d9ce07ba7e5aa1199094000000052b996c3267a10453a96ea80a74e878eb249c6df68c4eda5c09960dafbff92decd6fd5315069ad7d7555aa7b278c57928c453f7af3ae38d1d833c885003a6b2f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10820048a8f2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{723AF99A-5E9B-11ED-89AC-5EAE84113378} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000005920e6f537b6eecabd11ed9dc5c0e71eb808ba2ea4c67ff473a2f91e7725dde3000000000e8000000002000020000000cace2e5162aa78b5cbd1471875386a0e2995fa2e338176f3b7b2ae453b2f4482200000002a4afe908bef5ec50a64948471eaa90fdd37c75a464a5c3cbf32ccce9bef3bef40000000e1f5363c54802b04e659b4c8660ed5b038937e7faec06222d31b889651114feca78cca680225a348c7d3da015c3021369b9c49953e8f292de9702593fcfac571	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1721906141"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373987627"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995112"	iexplore.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2252	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2820	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
2252	iexplore.exe
2252	iexplore.exe
2260	winlogon.exe
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE
3052	AE 0124 BE.exe
4504	winlogon.exe
4684	winlogon.exe
2640	IEXPLORE.EXE
2640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2252	2820	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe	79
PID 2820 wrote to memory of 2252	2820	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe	79
PID 2252 wrote to memory of 2640	2252	iexplore.exe	80
PID 2252 wrote to memory of 2640	2252	iexplore.exe	80
PID 2252 wrote to memory of 2640	2252	iexplore.exe	80
PID 2820 wrote to memory of 2260	2820	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe	81
PID 2820 wrote to memory of 2260	2820	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe	81
PID 2820 wrote to memory of 2260	2820	c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe	81
PID 2260 wrote to memory of 3052	2260	winlogon.exe	82
PID 2260 wrote to memory of 3052	2260	winlogon.exe	82
PID 2260 wrote to memory of 3052	2260	winlogon.exe	82
PID 2260 wrote to memory of 4504	2260	winlogon.exe	83
PID 2260 wrote to memory of 4504	2260	winlogon.exe	83
PID 2260 wrote to memory of 4504	2260	winlogon.exe	83
PID 3052 wrote to memory of 4684	3052	AE 0124 BE.exe	84
PID 3052 wrote to memory of 4684	3052	AE 0124 BE.exe	84
PID 3052 wrote to memory of 4684	3052	AE 0124 BE.exe	84

C:\Users\Admin\AppData\Local\Temp\c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe
"C:\Users\Admin\AppData\Local\Temp\c02203437779a081a84da1dff52e2b0a2c4b161d37172afd9b97dc2bfcedbc3a.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2640
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4684
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
28b3eeccb3c572d1e0856d434aa7793a

SHA1
97fdf7c9c0e4805ab336560d7e3798bfedde52e9

SHA256
437e03071877a41d22136d0c0ec67a690ec4fa83a2cb3fc36a0b98ba32ac1078

SHA512
9d2d6ccedd319db012b1d0a680ce59b31de413048b966fa66f2206039d41fd6a42f69f052aa23fcc29157d4954cb533c638b92be4dff7cd2e8224b706efaccc4

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
28b3eeccb3c572d1e0856d434aa7793a

SHA1
97fdf7c9c0e4805ab336560d7e3798bfedde52e9

SHA256
437e03071877a41d22136d0c0ec67a690ec4fa83a2cb3fc36a0b98ba32ac1078

SHA512
9d2d6ccedd319db012b1d0a680ce59b31de413048b966fa66f2206039d41fd6a42f69f052aa23fcc29157d4954cb533c638b92be4dff7cd2e8224b706efaccc4

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
914ef4e63239838435052e31c675aa47

SHA1
c4ca8028c64a21a2b5f1f89b5884dbaafd192bb3

SHA256
8d512e9a8eb97684a4be8e6e4ee94d49163a7b7a78e28297030644f4a089448e

SHA512
7d8d4fb2fb6f489746bc673d733523f3d688cfbc18a9ebba91e919548b41236333e76cf7165519034c84d78f3e27360bf35df3c50e0adab274905026d43d61d0

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
40KB

MD5
9bbef43f4ee9cfe9ee8946967b4e42c1

SHA1
b71a02b9f4d7cae4e0cd521e9645f43c84e5b734

SHA256
39023d0f0d5f7dd7da48f3be6aa58f2935c4e0a674779f6f617a78574cfac4e3

SHA512
754e1f18e638a9496737ae69b7fd0328e58451b56fb9ddd0f7dd494c8503b1e252846d3643d2e86195171b4443e02d07c2dbadeca75b89355081f592d7fe5180

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
28b3eeccb3c572d1e0856d434aa7793a

SHA1
97fdf7c9c0e4805ab336560d7e3798bfedde52e9

SHA256
437e03071877a41d22136d0c0ec67a690ec4fa83a2cb3fc36a0b98ba32ac1078

SHA512
9d2d6ccedd319db012b1d0a680ce59b31de413048b966fa66f2206039d41fd6a42f69f052aa23fcc29157d4954cb533c638b92be4dff7cd2e8224b706efaccc4

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
28b3eeccb3c572d1e0856d434aa7793a

SHA1
97fdf7c9c0e4805ab336560d7e3798bfedde52e9

SHA256
437e03071877a41d22136d0c0ec67a690ec4fa83a2cb3fc36a0b98ba32ac1078

SHA512
9d2d6ccedd319db012b1d0a680ce59b31de413048b966fa66f2206039d41fd6a42f69f052aa23fcc29157d4954cb533c638b92be4dff7cd2e8224b706efaccc4

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
28b3eeccb3c572d1e0856d434aa7793a

SHA1
97fdf7c9c0e4805ab336560d7e3798bfedde52e9

SHA256
437e03071877a41d22136d0c0ec67a690ec4fa83a2cb3fc36a0b98ba32ac1078

SHA512
9d2d6ccedd319db012b1d0a680ce59b31de413048b966fa66f2206039d41fd6a42f69f052aa23fcc29157d4954cb533c638b92be4dff7cd2e8224b706efaccc4

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
28b3eeccb3c572d1e0856d434aa7793a

SHA1
97fdf7c9c0e4805ab336560d7e3798bfedde52e9

SHA256
437e03071877a41d22136d0c0ec67a690ec4fa83a2cb3fc36a0b98ba32ac1078

SHA512
9d2d6ccedd319db012b1d0a680ce59b31de413048b966fa66f2206039d41fd6a42f69f052aa23fcc29157d4954cb533c638b92be4dff7cd2e8224b706efaccc4

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads