Analysis
max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
07/11/2022, 02:14
Static task
static1
Behavioral task
behavioral1
Sample
6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Resource
win10v2004-20220901-en
General
-
Target
6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
-
Size
20KB
-
MD5
15a07b5cf414586ecee046a8894540a0
-
SHA1
5b3cf96dac2178d333ad8ff0482119ffd6e970a6
-
SHA256
6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27
-
SHA512
22ed644161c2f6a17fa51caf2dc91f8e16a2d6dd8c68284756fe6de6d04dc1c3f6f9cc782043e06bec60835e62e0aa05ad781a445ed130496a3fb31a51908bcb
-
SSDEEP
192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBi8Eq/7d:1M3PnQoHDCpHf4I4Qwdc0G5KDJvE2h
Malware Config
Signatures
-
Drops file in Drivers directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
-
Executes dropped EXE 4 IoCs
pid | Process
1784 | winlogon.exe
824 | AE 0124 BE.exe
1124 | winlogon.exe
1472 | winlogon.exe
-
Loads dropped DLL 6 IoCs
pid | Process
1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
824 | AE 0124 BE.exe
824 | AE 0124 BE.exe
1784 | winlogon.exe
1784 | winlogon.exe
-
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | AE 0124 BE.exe
-
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SchCache | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.resources\2.0.0.0_es_b03f5f7f11d50a3a\System.DirectoryServices.Protocols.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo# | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks.resources\3.0.0.0_fr_31bf3856ad364e35\PresentationBuildTasks.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\TaskScheduler.Resources\6.1.0.0_de_31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\UIAutomationClient\3.0.0.0__31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\ehome\it-IT\cbva.dll.mui | AE 0124 BE.exe
File created | C:\Windows\AE 0124 BE.exe | winlogon.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.PowerPoint\14.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.PowerPoint.config | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Web.resources\3.5.0.0_de_31bf3856ad364e35\System.ServiceModel.Web.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\a63e76cc86c8958f0f3e9741c0d89f14 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\4e9468fdc6937145e65c6434787e2fa5 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Wind0de890be#\5bf4243eccd10a06c3d5086c8a884165 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Web.RegularE# | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.DataSet#\56ccdabce54219b23bc4b6477d98b45c | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\aa7d7c2bf390b327607c0f3dc47741fa\System.IO.Compression.FileSystem.ni.dll.aux | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.Services\4c68ebf1c5c63ebf75ad81a9ca3e3fd2\System.Data.Services.ni.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\ehome\CreateDisc\SFXPlugins\StandardFX_Plugin.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_es_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\system.runtime.serialization.resources\3.0.0.0_it_b77a5c561934e089\System.RunTime.Serialization.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bc09ad2d49d8535371845cd7532f9271 | AE 0124 BE.exe
File opened for modification | C:\Windows\AppPatch\AppPatch64\AcGenral.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap.resources\2.0.0.0_de_b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_fr_b77a5c561934e089\System.xml.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\87581a03feafa4075e201c62e402702f\PresentationFramework.Classic.ni.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System\095a3392942c3d4eb888e6a32036acd8\System.ni.dll.aux | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\AERO\CL_AeroFeature.ps1 | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\Power\TS_Wirelessadaptersettings.ps1 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter\6.1.0.0__31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.Data.Linq.resources\3.5.0.0_it_b77a5c561934e089 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement.resources\3.5.0.0_fr_b77a5c561934e089\System.DirectoryServices.AccountManagement.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\PresentationFramework.ni.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\2a8d6efe5a99d9e6b03587df841c2087\System.IdentityModel.Services.ni.dll.aux | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normidna.nlp | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\e883ac4543d94e67abd1c33191633865\System.DirectoryServices.Protocols.ni.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#\0e4b3c951459254c78b0c1f9c52d8c9a | AE 0124 BE.exe
File opened for modification | C:\Windows\Boot\EFI\pt-PT\bootmgfw.efi.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\index\AudioRecordingDiagnostic.xml | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.office | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.Entity | AE 0124 BE.exe
File opened for modification | C:\Windows\Cursors\size2_i.cur | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\AERO\CL_RunDiagnosticScript.ps1 | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\Power\it-IT\RS_DisableScreensaver.psd1 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\bcab827b24e870428fcdda58e1ebec20 | AE 0124 BE.exe
File opened for modification | C:\Windows\ehome\ja-JP\ehprivjob.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\ehome\MCX\X02 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\MICROSOFT.VISUALBASIC.COMPATIBILITY.DATA.resources\8.0.0.0_it_b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Net\d567624f1206028ff852c689416d6b58 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data86569bbf#\98a4068512ff6a2566204bc1e759b0be\System.Data.OracleClient.ni.dll.aux | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dire573b08f5#\45c73b666d25924eb01d83df44e6003e\System.DirectoryServices.AccountManagement.ni.dll.aux | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_it_31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\AppPatch\Custom\Custom64 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64 | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\4bfa36696bef033cf7e33b1a092c8a0f | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\da42912f997fae780054f0c3a6b47fea\Microsoft.GroupPolicy.Reporting.ni.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\SrpUxSnapIn.resources\6.1.0.0_ja_31bf3856ad364e35\SrpUxSnapIn.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\WindowsBase.resources\3.0.0.0_ja_31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\Cursors\up_il.cur | AE 0124 BE.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1097884aa9f2d801 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374591113" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000005efdd4f972cb74ca2415d4e5e9799d3a4b154410fa2fdf1ffa082e09a91ad6d1000000000e8000000002000020000000b49b61ec73364540ba9d987dce90ea18588079b5c1e81d9a05b3807c916ea6f82000000020874227a6cde11360a726c878f5001c3c2c188944c0b4fe5e068a2e2d208f5440000000f9d3c871462665f44b807d09bc4194c311c274afd7ff7edb81b207abe26f048992428d1b26b158ca68d63d0ba81745867d553fb185a78d731a1250bed5c771de | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5CF3A571-5E9C-11ED-9332-6A94EDCEDC7A} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1348 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
pid | Process
1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
1348 | iexplore.exe
1348 | iexplore.exe
1980 | IEXPLORE.EXE
1980 | IEXPLORE.EXE
1784 | winlogon.exe
824 | AE 0124 BE.exe
1124 | winlogon.exe
1980 | IEXPLORE.EXE
1980 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 1424 wrote to memory of 1348 | 1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe | 26
PID 1424 wrote to memory of 1348 | 1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe | 26
PID 1424 wrote to memory of 1348 | 1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe | 26
PID 1424 wrote to memory of 1348 | 1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe | 26
PID 1348 wrote to memory of 1980 | 1348 | iexplore.exe | 28
PID 1348 wrote to memory of 1980 | 1348 | iexplore.exe | 28
PID 1348 wrote to memory of 1980 | 1348 | iexplore.exe | 28
PID 1348 wrote to memory of 1980 | 1348 | iexplore.exe | 28
PID 1424 wrote to memory of 1784 | 1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe | 29
PID 1424 wrote to memory of 1784 | 1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe | 29
PID 1424 wrote to memory of 1784 | 1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe | 29
PID 1424 wrote to memory of 1784 | 1424 | 6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe | 29
PID 1784 wrote to memory of 824 | 1784 | winlogon.exe | 30
PID 1784 wrote to memory of 824 | 1784 | winlogon.exe | 30
PID 1784 wrote to memory of 824 | 1784 | winlogon.exe | 30
PID 1784 wrote to memory of 824 | 1784 | winlogon.exe | 30
PID 824 wrote to memory of 1124 | 824 | AE 0124 BE.exe | 31
PID 824 wrote to memory of 1124 | 824 | AE 0124 BE.exe | 31
PID 824 wrote to memory of 1124 | 824 | AE 0124 BE.exe | 31
PID 824 wrote to memory of 1124 | 824 | AE 0124 BE.exe | 31
PID 1784 wrote to memory of 1472 | 1784 | winlogon.exe | 32
PID 1784 wrote to memory of 1472 | 1784 | winlogon.exe | 32
PID 1784 wrote to memory of 1472 | 1784 | winlogon.exe | 32
PID 1784 wrote to memory of 1472 | 1784 | winlogon.exe | 32
Processes
C:\Users\Admin\AppData\Local\Temp\6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
"C:\Users\Admin\AppData\Local\Temp\6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe"
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424

  C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1348

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1348 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1980

  C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1784

    C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:824

      C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      PID:1124

    C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    - Executes dropped EXE
    PID:1472
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
606B
MD5
9218dc2e86a05026945f9300c79b371e
SHA1
f131ac712575007c24853a11ea745fe488d13586
SHA256
2771386b009d254395559913357aa92ae3997a21248a48f795ba836fc07f21e4
SHA512
c673d461f9031b3c88ce15b9d5553cd558d20cb07fdee4b1ac5efdad88d883ec1a6e5cb13a44e8deec050bbd671da3fb7cfbc730f18f2c8d3515ea246ef96a77
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
a618653903c8b98efe9d67b8a35917aa
SHA1
21522a39bc77748e2098d0e36e32bf27308817e5
SHA256
2de593fcea4623886dcd29dbf9c6bd9040990d0b758d11bdab69cf9ddd62ffc7
SHA512
8ad60850f4e67596aa2f39805f980b7a3a4ecf9f6794754b21f3f2b45b7568e73df4e29e3a903a938d91274f66abb392417733aca368022cf854a9f3dc560da6
-
Filesize
40KB
MD5
a618653903c8b98efe9d67b8a35917aa
SHA1
21522a39bc77748e2098d0e36e32bf27308817e5
SHA256
2de593fcea4623886dcd29dbf9c6bd9040990d0b758d11bdab69cf9ddd62ffc7
SHA512
8ad60850f4e67596aa2f39805f980b7a3a4ecf9f6794754b21f3f2b45b7568e73df4e29e3a903a938d91274f66abb392417733aca368022cf854a9f3dc560da6
-
Filesize
1.3MB
MD5
5343a19c618bc515ceb1695586c6c137
SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
25B
MD5
589b6886a49054d03b739309a1de9fcc
SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb
-
Filesize
25B
MD5
589b6886a49054d03b739309a1de9fcc
SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f
-
Filesize
40KB
MD5
196e8b30d00705ff163e015314b72511
SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8
SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565
SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f