eb6d8fc63554f3f02119dcf03ba021451f9ee21c63c8075111299709ac144d6b

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

802KB
MD5

2558f8a8234fc3e4db65a9c412d437b7
SHA1

972875b6ed00a202e0bb525cd5a9e6a7bef27322
SHA256

eb6d8fc63554f3f02119dcf03ba021451f9ee21c63c8075111299709ac144d6b
SHA512

a764bf045386a3f4ad10160714db7f8a7be227bf88a54e33da09e43cb1200c18898376b4f71a1499214c43492ff0c15c072d28452e1b261275631d78e6fa42ab
SSDEEP

1536:+EfFNvtgmAl7z5dKY6yuJPW8K43w9NXOM1aRl/i6JWT0S9yXnBibnouy8gHn2JX:+YLmGO4W849NXO9RlK6gOxiDouto2N

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-61692916"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28231978"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-63588302"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-20546799"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 2 IoCs

pid	Process
1052	winlogon.exe
2200	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unzip.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccpfw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcleaner.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\penis32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swnetsup.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ewido.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\callmsi.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak5.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2servic.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Diskmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netscanpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navlu32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\periscope.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rrguard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VACFix.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fslaunch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc42.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4032-132-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/files/0x0004000000022e15-136.dat	upx
behavioral2/files/0x0004000000022e15-137.dat	upx
behavioral2/memory/4032-139-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/1052-141-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral2/memory/2200-143-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/files/0x0004000000022e15-144.dat	upx
behavioral2/memory/2200-146-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2200-147-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2200-154-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/2200-157-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Blocker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 2200	1052	winlogon.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Sound\Beep = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Sound	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\photos.google.com\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f6dc3562f2d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3453F890-5E55-11ED-A0EE-DAAB7EF686E7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000e4be69933d55a8576b00e141faac0e6024b89f37dc84fa20ad7f0079b02fb2f0000000000e80000000020000200000008364e721488d473a4b3b4d349552c40fd8f734cfc42844c03f2e5a2f85b1f5202000000013e54267ef7a32ddea6c021e75fa07274b12489fd5029ad13220357755584eda400000003a0a9c345960572d0ab991b82eba37fb894d13f49cb727b8e7a86ca69b4712ae010e22ccf92d708f2d1e87f63b16931674351ed3afbd2797f9fa6d44912213b8	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://8u71w1f5dfk76ia.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.hugedomains.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com\Total = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "59"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "53"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://7gsez98v645j9yb.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "152063065"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995042"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000004eab589b8cb7a3f5f69f53f4d0f3266f516121272aa415ad268d02ed583b32c4000000000e8000000002000020000000be4a051f516af4994010aef8a22f6eeea83bac918c0d6742d4eeea4ef41abba62000000047dc9b06ee2754e177771b99d6a4e830336b0c52e06cd63dfe3ac10952419d3440000000e8f385585bb149ce4b6a7cedc9bf20b0a71ddfddf0978fa0c581d93a1a40715b612df7b9b34ff131450233620d15018fe16b5e3d91289ec043929c4b393c71ce	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374560531"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://p3000bxf7jv7zw6.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000063c077b4f6e49aa42b76f2d1ec3e9c97106e8f84e2f06bf2ddef6ecc0771d87c000000000e8000000002000020000000c57f6d1357c353e91bdfa777722c047f82135dbb30df81ef46dbaad3b2e7ff062000000038d27e3577b0ecf1e6a6a5fb5cbc9807934c97d5eb2abf8902c597f45bc0b5b040000000763a2eb314e117bca8836850d6e8e81d5881e9e0fb123df55e33e3f929307a2561fd56e8fd5ff1e6a922cfe6bb6528fb6217e99cdc637c5d290a5ecf00db7b5e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20beab0f62f2d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d4061762f2d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://3fz2k43610y19mg.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\photos.google.com\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\hugedomains.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.hugedomains.com\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000bec546b61ca3135e30613032f0ff38c1990c22da68acf7b95c0c46719fb18402000000000e80000000020000200000006d8938b2b8a4fde916f556c3d33373f60233923db7248d08b3288a22d41f34a820000000351d0353e077e6901c7fb913935d508dad85151d486623a068c8e4884191bd6240000000e22aa2616435bed8bb189bd7011df03083d44785ae25956ad7241b238fc6db28d97d1b7007aa57e1c75f08eb934ca2f26fe6f01ff7f0324be03e6c67722009b1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000064eec661c47ea26f5078b99c2138e6395a79a587e00e3e514c3aead30a61abb2000000000e800000000200002000000059a18b42023b1692c17e8d33f56c06f38c44af8842b5454a2ce26718998837742000000066de30e98d8c06169056f0bce36c6cf0d4a2d712c7a4640a0c03858dd0cb08ce40000000b06693537aec28de8509c8fb52a94315873bac09b437c89d1b330f781dbd887063698c5c1cd63de5d7ee23c09795906eda00a6dd8d16e7eca69b2fea9266193b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ee702362f2d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f3632a62f2d801	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://1q7ktn9469u2n80.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "149302655"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30995042"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://1d99b8ry6y4zx32.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8049d10862f2d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000007e5f571db5ac08a365ccd1f921ccb7fb22afb6f02dd302ffc4a18f1fba06c347000000000e800000000200002000000003315cbb8bb5832d7a0965ee25594f835ff824140fac49562fddcba203d708ca200000002a783f78dab3785746367a6c0be0f0b0ab721cd7f9ad3324d23edc274d12706c40000000363ad435cd9687489d63c11740db134d11b344598de257c43c69e238ca3c203836d137ca025f27825febcc0f01c53ec2f3d8fd8bfd9e325d3fc7bb9a9100d656	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000001d4e17457e13527e82f7fc95506aa2e5c281b560df05800dd0a28ee398ab200000000000e80000000020000200000004005bd135ede392350f21fbf405819933143c6fb720908d9e522f5941f7220fd20000000280bbb9869be0286b3267cbdd851bd993961e6679abf9f59e5d0bed5ad1f8078400000004dce30ed91615079889a250f97431ae25598aec96ab061317a573aa2e0d258dcbdf1e4fe4b8741ce47d027591cb815b231f7b7120edd9523343c6f11c62609ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://7ae5e23xz2mm9q1.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://hc1nqec4u22lc7s.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe
2200	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2200	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4212	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4032	Trojan-Ransom.Win32.Blocker.exe
1052	winlogon.exe
2200	winlogon.exe
4212	iexplore.exe
4212	iexplore.exe
4500	IEXPLORE.EXE
4500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 1052	4032	Trojan-Ransom.Win32.Blocker.exe	83
PID 4032 wrote to memory of 1052	4032	Trojan-Ransom.Win32.Blocker.exe	83
PID 4032 wrote to memory of 1052	4032	Trojan-Ransom.Win32.Blocker.exe	83
PID 1052 wrote to memory of 2200	1052	winlogon.exe	90
PID 1052 wrote to memory of 2200	1052	winlogon.exe	90
PID 1052 wrote to memory of 2200	1052	winlogon.exe	90
PID 1052 wrote to memory of 2200	1052	winlogon.exe	90
PID 1052 wrote to memory of 2200	1052	winlogon.exe	90
PID 1052 wrote to memory of 2200	1052	winlogon.exe	90
PID 1052 wrote to memory of 2200	1052	winlogon.exe	90
PID 1052 wrote to memory of 2200	1052	winlogon.exe	90
PID 4212 wrote to memory of 4500	4212	iexplore.exe	93
PID 4212 wrote to memory of 4500	4212	iexplore.exe	93
PID 4212 wrote to memory of 4500	4212	iexplore.exe	93

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets file execution options in registry
    - Windows security modification
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2200

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3736

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4212 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
0774dce1dca53ce5c4f06846dc34a01a

SHA1
b66a92ae7ae2abc81921ed83fea0886c908b14b3

SHA256
653df1e7ee6eb78011d131d41eebad55a6b11e14073ac204587960c404d2300f

SHA512
43582562e20238142d801d97dee6efff1213d38506dc8e21001517d799e52c5157a0ce814e29045fb267200878e964f04d05bb209ac738d510b48ebd689b82e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0ef90204485649be625ea2be1b9018fb

SHA1
28fbc0852140ec51d0c097a4962a160afa4d754b

SHA256
c8028acd9a8c8c795b87cf835fc3182d003264608f161baa0ca020711b22bca0

SHA512
b8bbba0dcc6cb6f87efb47a605953c93fcf93c5a65520b822ebfee25754632d6bb66c2a946f457e1e40a92556683ddb9d14f2703782833e12d7e37bb3b7fcec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
be2b5211e42eb9225d21358e7eb3f78f

SHA1
35b1ab3adde0a5f3cad8862897f1ea7a86946349

SHA256
3185aa19aba785efc822b72e3f2959e07343c1935f8f2b46a4438060763c9111

SHA512
9b20c8dceb160aad20de302c2589b86fae64f7842b370812fd8baba3e8154a357c0a1c282ea95fbc5406ab093593637929edaf83c42e19c7b6a011d286b06b6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

Filesize
472B

MD5
348f6c5d513404b3c3c6c27f3de2dfdf

SHA1
acb18df838bf8ddb2667e944a82b2930bdecfad8

SHA256
a46606d9bc72c7330fff6849e1caa6c773c79d66236549408380362d28d892a1

SHA512
79dd389bc9a05312290bf69386faa56fd5a6515a0efd7685249831732f6a7c948ac41f288e038a65929e1b56f8fc615db12b7d3955a5e3279ebc8895fd150cab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

Filesize
472B

MD5
348f6c5d513404b3c3c6c27f3de2dfdf

SHA1
acb18df838bf8ddb2667e944a82b2930bdecfad8

SHA256
a46606d9bc72c7330fff6849e1caa6c773c79d66236549408380362d28d892a1

SHA512
79dd389bc9a05312290bf69386faa56fd5a6515a0efd7685249831732f6a7c948ac41f288e038a65929e1b56f8fc615db12b7d3955a5e3279ebc8895fd150cab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
5abb8a3fb81d2bbe873ccf05988ae260

SHA1
07ca99b809301f3071ed755aec8db36440410db2

SHA256
5cfd2b523d8d5eaafed35dba8a765bc7f3c42030af7bc575e000fbaeab1848b7

SHA512
cd8ad1505111af13053b1861c918a101f1f1e1fe1022a76ca873f495b7567716bb857fd23b31cdfe60e45555ea910d978a41e9961ae700971afacc4b6208f281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
ed99d5d25916ff9785527472be91a5dc

SHA1
f25f8efe26555f128a2bc1eac9cbcf60516569c7

SHA256
a33bb7456f862e4c1cf0ab9b5374c3aeb397034f66c495b48ad124c5874e90ff

SHA512
848faedea92f608144353ef03bb153d111118c2349d00c15f8fb82fac7575bf5d3935f4bd5fc04ffcf337d5a397171960dd88c669ceb1fd3d28b45b30f87e69f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
41ec6d313008262aa6bd91dee42d83ce

SHA1
33d82aa65ff746647f7b98e1ab5225676c1fe657

SHA256
1f7ed6f2d8d0714945f00e264cebeeeadae9f26191b1c2d2b69dd2982b26de8a

SHA512
9ab72f8adae8002e6c396117498e808b1dc48faeec8fd6c868a31ea97f9aeec3bcd8b7f37ab9a2ed467faccba829186a72e234780222773751e976b6ace6b8ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

Filesize
480B

MD5
9963d32e8ef3580fa1d38476b93cb27a

SHA1
4d335bffd081f1ad53d4d8a5d7c814e230dca108

SHA256
718501f9b764b06106f9b5a8ededa0a7a2ee8bd980fa177a6a48fc2a59d9cc3d

SHA512
8905a20e86d7ee9e0cf055ef03475c560546d70ed774879adcd9e86b6fc5a0f6c4ab8fe8297808e5ef0c4a8e63210a384c98ff4649eb143b8ebe4e308f2aade8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

Filesize
480B

MD5
d69572f9ed9496c37f05cd5df363c745

SHA1
fbb7e2b722d7b9917e9753cf3bc8180638266de3

SHA256
e90f018a6ebceec700d5b6b44a3e2dbdc5baeb8f2eaa9c48c37b157bc0e273d8

SHA512
673309857b6c12242e86e02fc1ddd5f8923842149d53da4204f30b1b5890038c7fc7e734427a34805c46e8ea545fe3ea4503e0c35a143c247decb26b0419af0d

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
802KB

MD5
2558f8a8234fc3e4db65a9c412d437b7

SHA1
972875b6ed00a202e0bb525cd5a9e6a7bef27322

SHA256
eb6d8fc63554f3f02119dcf03ba021451f9ee21c63c8075111299709ac144d6b

SHA512
a764bf045386a3f4ad10160714db7f8a7be227bf88a54e33da09e43cb1200c18898376b4f71a1499214c43492ff0c15c072d28452e1b261275631d78e6fa42ab

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
802KB

MD5
2558f8a8234fc3e4db65a9c412d437b7

SHA1
972875b6ed00a202e0bb525cd5a9e6a7bef27322

SHA256
eb6d8fc63554f3f02119dcf03ba021451f9ee21c63c8075111299709ac144d6b

SHA512
a764bf045386a3f4ad10160714db7f8a7be227bf88a54e33da09e43cb1200c18898376b4f71a1499214c43492ff0c15c072d28452e1b261275631d78e6fa42ab

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
802KB

MD5
2558f8a8234fc3e4db65a9c412d437b7

SHA1
972875b6ed00a202e0bb525cd5a9e6a7bef27322

SHA256
eb6d8fc63554f3f02119dcf03ba021451f9ee21c63c8075111299709ac144d6b

SHA512
a764bf045386a3f4ad10160714db7f8a7be227bf88a54e33da09e43cb1200c18898376b4f71a1499214c43492ff0c15c072d28452e1b261275631d78e6fa42ab

Download Submit
memory/1052-141-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2200-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-154-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2200-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4032-132-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4032-139-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download