6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Size

20KB
MD5

15a07b5cf414586ecee046a8894540a0
SHA1

5b3cf96dac2178d333ad8ff0482119ffd6e970a6
SHA256

6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27
SHA512

22ed644161c2f6a17fa51caf2dc91f8e16a2d6dd8c68284756fe6de6d04dc1c3f6f9cc782043e06bec60835e62e0aa05ad781a445ed130496a3fb31a51908bcb
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBi8Eq/7d:1M3PnQoHDCpHf4I4Qwdc0G5KDJvE2h

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
1876	winlogon.exe
3596	AE 0124 BE.exe
4200	winlogon.exe
1056	winlogon.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Loads dropped DLL 3 IoCs

pid	Process
3596	AE 0124 BE.exe
4200	winlogon.exe
1056	winlogon.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 27 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5f033e913d34d111	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\wlanutil.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-FibreChannel-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Help-ClientUA-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_399f04975a0af112\pnrmc.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc.bin	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms014.inf_amd64_faec3fc366f8e1fa\Amd64\MSMPS.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\BthMtpEnum.mof	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDGKL.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VirtualDevice-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\idtsec.inf_amd64_9321d33f1997dbfd\idtsec.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj2.inf_amd64_46dd0342577f43cd\mdmtdkj2.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\olecli32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\cewmdm.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\directmanipulation.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\perfos.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\pots.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Package-ua~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmsupra.inf_amd64_ed209c9a3da66777\mdmsupra.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\whhelper.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\xboxgipsynthetic.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcom1.inf_amd64_cfd501781ae941c0	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\scrptadm.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\compact.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Server-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Lxss-Optional-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\networklist\icons\StockIcons\bench_24.bin	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\usbvideo.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\MSFT_ProcessResource.psm1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\MSWB7.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-ApplicationModel-Sync-Desktop-FOD-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rdvgwddmdx11.inf_amd64_e8336336d081cc11\rdvgocl64.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdateLog.psm1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_Net6to4Configuration.types.ps1xml	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\delegatorprovider.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\KBDYBA.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Basic-Http-Minio-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netrtwlane01.inf_amd64_b02695ef070d7a42	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcodex.inf_amd64_f5594a2af66d11ab\mdmcodex.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\cmcfg32.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSPaint-FoD-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnms002.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_L_LE_1.bin	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\MSFT_NetAdapterStatistics.Format.ps1xml	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\cngprovider.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Lxss-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0021\_setup.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\msasn1.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-ProfessionalWorkstation-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\scecli.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_05ebd3b4422f62ba\rdpbus.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe.config	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\winsrv.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\Repository	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dui70.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-AppServer-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1081.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_floppydisk.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmbw561.inf_amd64_0406b31e81bea0d1	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\itsas35i.inf_amd64_4f5850c71046b0cb\ItSas35i.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbcir.inf_amd64_a19f675674962ae4\usbcir.sys	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell.resources_31bf3856ad364e35_10.0.19041.1_en-us_6642fffc29d98ad7	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..ig-registrar-wizard_31bf3856ad364e35_10.0.19041.746_none_1b2c02c95e316350	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-efs-lsa-extension_31bf3856ad364e35_10.0.19041.1165_none_3e0b1e846a203ebe	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m...appxmain.resources_31bf3856ad364e35_10.0.19041.1_ro-ro_47a6d07813fa8c1d	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..defaultassociations_31bf3856ad364e35_10.0.19041.964_none_983b357fe6dfa2bf	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\AccountLogo.png	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\up_rm.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe.config	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-deviceux.resources_31bf3856ad364e35_10.0.19041.1_en-us_256d21174c83b289	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..ilterservice-client_31bf3856ad364e35_10.0.19041.964_none_a7d860f2823e1040	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Images	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..smsrouter.resources_31bf3856ad364e35_10.0.19041.1_en-us_13304de5d0823d65	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\localNgc.js	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-xwizards-duiplugin_31bf3856ad364e35_10.0.19041.746_none_42b611bc30df49f4	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-xbox-auth..er-client-component_31bf3856ad364e35_10.0.19041.1_none_b4df41d0baa7021b	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..necoreuap.resources_31bf3856ad364e35_10.0.19041.117_en-us_0f4e5cc52b2ff016\r\AcRes.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.Entity.Design.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\oobenetworklossaversion-main.html	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollmentDiscovery.html	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-iorate_31bf3856ad364e35_10.0.19041.1_none_deab411b743de049	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Handwriting~eu-es~1.0.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.scale-400.png	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-console-host-propsheet_31bf3856ad364e35_10.0.19041.746_none_fbd1acf77c7e8ac8\r\console.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\Splashscreen.scale-400.png	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Containers-ApplicationGuard-Shared-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-RemoteFX-HyperV-Integration-Package~31bf3856ad364e35~amd64~~10.0.19041.84.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_prnms005.inf_31bf3856ad364e35_10.0.19041.1_none_1eab1be1d38e5678\Amd64\MSxpsPCL6.gpd	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-wmiv2-miutils-dll_31bf3856ad364e35_10.0.19041.546_none_5392c362b0eebdea	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\tsgenericusbdriver.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\blackberry.browser	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\Square71x71Logo.contrast-black_scale-150.png	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..extservice.appxmain_31bf3856ad364e35_10.0.19041.423_none_2cade1bc915dca0d\r\Microsoft.AsyncTextService.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\r\AppVStrm.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Security-SPP-Component-SKU-ProfessionalWorkstation-License-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-credui-onecore_31bf3856ad364e35_10.0.19041.1_none_3146ea64c3238619	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_wpf-xamlviewer_31bf3856ad364e35_10.0.19041.1_none_0bff5a051c4a690a	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_fr-fr_b59136bc7aa040e6	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-datastore.resources_31bf3856ad364e35_10.0.19041.1_en-us_86be62f074e84417	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.19041.906_sl-si_b068fa9d1555b8df	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-directshow-dmo_31bf3856ad364e35_10.0.19041.1_none_d0874ed19e069aca	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-analog-h2-physicsplugin-baked_31bf3856ad364e35_10.0.19041.1_none_5fb69e670630e91d\presetmotionpropertiesdynamic.hbakedmotionproperties	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-US\l1033.cw	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..localsessionmanager_31bf3856ad364e35_10.0.19041.1266_none_1a0aa046bfbc05b6	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-s..r-library.resources_31bf3856ad364e35_10.0.19041.1_en-us_23c4f86809aaa34b	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\j8514sys.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\ELS	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1033\cscui.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.264.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_iscsi.inf_31bf3856ad364e35_10.0.19041.1151_none_2548defe90359599\r\msiscsi.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-vmsynthstor_31bf3856ad364e35_10.0.19041.153_none_93179d83c79f443c\f\vmsynthstor.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-worker-events_31bf3856ad364e35_10.0.19041.488_none_fde4c1454c01ca46\r	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-system_ni_b03f5f7f11d50a3a_4.0.15805.0_none_ea837eff9d95cc9e	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-networkprofile_31bf3856ad364e35_10.0.19041.746_none_60e946790955ce95	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_c_media.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_64e5ca1dfef06e34\c_media.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppxSignature.p7x	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\pris	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-cabview.resources_31bf3856ad364e35_10.0.19041.1_en-us_96fffa5c72762a53	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\x86_mscorlib_b77a5c561934e089_10.0.19200.110_none_e5fd5bf631610b7e	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_prnms004.inf_31bf3856ad364e35_10.0.19041.1_none_f59945c05aa85d79\Amd64	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995104"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2644830998"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374587411"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0588aa0a0f2d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2657331072"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000ee7d354beb0d1e17e9f27d79321d736d8e4da8e88d1a05a66d5c215c60557714000000000e8000000002000020000000f0356ed2334b2377931015b7b96862ed83a5994d949ffa587c46f991dfee6969200000007665506ee9a4a27ca3613bf4de8093bec50feb757d34729f64ee29e91442279d40000000e31f5fb65127edfab6f33269001d60f03dbed71cc6b1b849c40b572ae941a258ca70c32b7eb32abac04cb390c6080455497233a69f4ebe2b23e6d6356f4b9419	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002ecda0a0f2d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C9048BE4-5E93-11ED-A0EE-62142853BA25} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30995104"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995104"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2644830998"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000006f56caddc3b13af5b1d0f0edbdd0780b714dd17f0524228b554cda5694fe9dff000000000e800000000200002000000060ecc979c76d9ec610041dbc7cec48d7e90f62c0fa218e0a4f5e684c1ff25d9720000000e0a31cd35c3409a8abff98b0b03998ba6f6e44169051fd743ed8588d00106fad40000000ac6b53f0b732673b43cd9c2e29bd92a0a8d2dc003adaf0eedc84daa73d2390cb1ee7d856c90ba778faf5f836103694ce8fc4603015ba9d7225a80bf4f02a6241	iexplore.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1204	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1204	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
632	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
1204	iexplore.exe
1204	iexplore.exe
1876	winlogon.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE
3596	AE 0124 BE.exe
4200	winlogon.exe
1056	winlogon.exe
1520	IEXPLORE.EXE
1520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 1204	632	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe	82
PID 632 wrote to memory of 1204	632	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe	82
PID 1204 wrote to memory of 1520	1204	iexplore.exe	83
PID 1204 wrote to memory of 1520	1204	iexplore.exe	83
PID 1204 wrote to memory of 1520	1204	iexplore.exe	83
PID 632 wrote to memory of 1876	632	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe	84
PID 632 wrote to memory of 1876	632	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe	84
PID 632 wrote to memory of 1876	632	6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe	84
PID 1876 wrote to memory of 3596	1876	winlogon.exe	85
PID 1876 wrote to memory of 3596	1876	winlogon.exe	85
PID 1876 wrote to memory of 3596	1876	winlogon.exe	85
PID 1876 wrote to memory of 4200	1876	winlogon.exe	86
PID 1876 wrote to memory of 4200	1876	winlogon.exe	86
PID 1876 wrote to memory of 4200	1876	winlogon.exe	86
PID 3596 wrote to memory of 1056	3596	AE 0124 BE.exe	87
PID 3596 wrote to memory of 1056	3596	AE 0124 BE.exe	87
PID 3596 wrote to memory of 1056	3596	AE 0124 BE.exe	87

C:\Users\Admin\AppData\Local\Temp\6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe
"C:\Users\Admin\AppData\Local\Temp\6852d87bab89558e673fbf69265db81fc2917e6de647c466c2135a04362bfb27.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1204 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1520
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1056
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
5f49b65bdc1713b58ed97d0e9625a968

SHA1
84b74e55478c9abb163aa6629e3fd3b91bed4806

SHA256
a681ab9abc281fd12a7bd06f56e36a21e8ee28b5294815c5e07b781e324a32f9

SHA512
4b502288bef324db8ad33e63c7b6f242ef7954a6fbec3ed012530044c82fee3ad1158febe088bc0deea67ac35646a0a1bd6d961c0f67b11fee584e4f1abd753a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
1cf5b4caf6527fb70da8f7e356ed55db

SHA1
c8edeffa52eb5237b7238062bf2e38ceb3541fa4

SHA256
9be1c7f69ae78f94819db57eddaaf2e1efb35545b0e0eefe59dbd85536e1aa12

SHA512
a9541870b5bb7ddc74f77f7a8378a61c21b8b4a688e6312ee655a8ee29ff74c8d6ab1bb2e87e2f8491a3dd947bfded94bcad45b647da0e90bc3e18cd2a413325

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
196e8b30d00705ff163e015314b72511

SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8

SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565

SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f

Download Submit
C:\Windows\AE 0124 BE.exe

Filesize
40KB

MD5
196e8b30d00705ff163e015314b72511

SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8

SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565

SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
afad62372305cffc494c9c93a372c853

SHA1
7309a1d0fe833c63fc2b2de6d87c24ea4a022252

SHA256
8299908170b69bcee7dc7a1627dea885613f21aea4aaa52622d08a579339ea6b

SHA512
60230129dc3469257aa7236cb4dae6402f22eaa822cbe790227dfa3a9437daeb8b56687200e1b2dbe007e78c1a832e1a145da8d7a5166f1ffb63e89665fb3206

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
40KB

MD5
a618653903c8b98efe9d67b8a35917aa

SHA1
21522a39bc77748e2098d0e36e32bf27308817e5

SHA256
2de593fcea4623886dcd29dbf9c6bd9040990d0b758d11bdab69cf9ddd62ffc7

SHA512
8ad60850f4e67596aa2f39805f980b7a3a4ecf9f6794754b21f3f2b45b7568e73df4e29e3a903a938d91274f66abb392417733aca368022cf854a9f3dc560da6

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
196e8b30d00705ff163e015314b72511

SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8

SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565

SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
196e8b30d00705ff163e015314b72511

SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8

SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565

SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
196e8b30d00705ff163e015314b72511

SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8

SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565

SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
196e8b30d00705ff163e015314b72511

SHA1
9ff25b19041fff181dd16685919e3506b1fb07f8

SHA256
f23f57963097933f3c0115b67d3a49464e47f6d3f96384c736289e1ba7a98565

SHA512
649e79fdd9e7aa4b1a75bb4d1165ff5ca7fa8722f7bc661faf8e577aa8b4c387c424fb6413cd2ca42491d11612a32feafda87b69068fb00041df1d153ca3a47f

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads