Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/11/2022, 15:33

Static task: static1

Behavioral task: behavioral1
Sample: e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe
Resource: win10v2004-20220901-en

General
Target: e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe
Size: 20KB
MD5: 1b7c00e998a7eb7528b90a895f4360e0
SHA1: cc6e57f469f3e8e735c192df5e8b0255c5ea506d
SHA256: e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af
SHA512: e2cc9c87ef6158c2fc8e299f08ded85a4e498c9f8a9807ad3d56971718d1be1f6dc1a140b8d5ccbaa3bb9598cc84898c1a0ed3175a7ffc3f3c9ffc18b0975b06
SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJB29SKGLI:1M3PnQoHDCpHf4I4Qwdc0G5KDJiSI
Malware Config
Signatures
Drops file in Drivers directory 17 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
2116 | winlogon.exe
364 | AE 0124 BE.exe
3548 | winlogon.exe
3292 | winlogon.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | winlogon.exe
Loads dropped DLL 3 IoCs
pid | Process
364 | AE 0124 BE.exe
3548 | winlogon.exe
3292 | winlogon.exe
Drops desktop.ini file(s) 30 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\F:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\B:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\A:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wextract.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Devices.Midi.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\MSFT_PrinterConfiguration_v1.0.cdxml | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetLbfo\MSFT_NetLbfoTeamNic.format.ps1xml | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\AUDIOKSE.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ShiftJIS.uce | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\slcext.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VSP-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Vpci-VirtualDevice-Gpup-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0110~31bf3856ad364e35~amd64~en-US~10.0.19041.117.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\srm_ps.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_skl.inf_amd64_b68199ad84607c21 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\structureProcedure.xsd | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\PresentationHost.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\EaseOfAccessDialog.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\MuiUnattend.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\timeout.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\ts_generic.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_992f4f46e65f30d4 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netsstpa.inf_amd64_e76c5387d67e3fd6 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\TileDataRepository.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_9_for_KB5005699~31bf3856ad364e35~amd64~~19041.1220.1.0.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_9e5602638617558e\bthmodem.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wincredprovider.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-63-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\dc21x4vm.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_pnpprinters.inf_amd64_0c653d53a35b896c\c_pnpprinters.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\monitor.inf_amd64_8a98af5011ee4dc6\monitor.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\cabapi.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\IasMigPlugin.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Optional-Features-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayer-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\prnms008.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\perceptionsimulationsixdof.inf_amd64_3ff016f4df6d2b8a | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DnsClient\PS_DnsClientNRPTRule_v1.0.0.cdxml | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WPD-UltimatePortableDeviceFeature-Feature-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1151.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\storfwupdate.inf_amd64_e57f4de14d125fac | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\gpprefcl.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\nb-NO\comctl32.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\hidserv.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Devices.Background.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\downlevel\api-ms-win-core-file-l1-1-0.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_volume.inf_amd64_a2da2b286ed77704 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\Amd64\MSxpsXPS-manifest.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\DeviceDisplayStatusManager.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\spp\tokens\legacy\rac-generic-private.xrm-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\mbsmsapi.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA324i_5_SS_T.bin | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_0bbd8466b526ef26\ykinx64.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ro-RO\SyncRes.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\Remove-DscConfigurationDocument.cdxml | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\KBDCR.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ngclocal.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\nshwfp.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-MFCore-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_0eaf27d749819837\avc.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Keywords\ti_dnn_pt-BR.table | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\logoncli.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\netprovisionsp.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Feature-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\UsbccidDriver.inf_loc | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\x86_netfx35cdf-system.servicemodel.web_31bf3856ad364e35_10.0.19041.1_none_d66c3b4b09717f82 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-dhcp-client-dll-minwin_31bf3856ad364e35_10.0.19041.546_none_4aedf88eb7da0296\r\dhcpcore.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XmlSerializer\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XmlSerializer.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Embedded-EmbeddedLogon-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-pdc-events-container_31bf3856ad364e35_10.0.19041.1_none_7eaa31884cc78e84 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00070c00_31bf3856ad364e35_10.0.19041.1_none_1d193ec7da0c7101 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..t-roaming.resources_31bf3856ad364e35_10.0.19041.1_en-us_f54ce440627d9dc1 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..wnlevelmanifests-ds_31bf3856ad364e35_10.0.19041.1_none_50a9b8ad060bef80\SmartCardSubsystem-DL.man | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-microsoftedge_31bf3856ad364e35_10.0.19041.264_none_ef195f564f00d259\MicrosoftEdgeSquare44x44.targetsize-36_contrast-black.png | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..gement-mdmevaluator_31bf3856ad364e35_10.0.19041.1_none_6b87ccb833e002f4 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-i..ional-normalization_31bf3856ad364e35_10.0.19041.1_none_abde0e386d4e6bad | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-oobe-machine-dui_31bf3856ad364e35_10.0.19041.746_none_bed47145622fd035 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ngshandlers-flights_31bf3856ad364e35_10.0.19041.1_none_f4476a02f0faffec | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-defrag-core_31bf3856ad364e35_10.0.19041.84_none_100185bde62a04db\f | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management.Activities | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\INetCache | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000449_31bf3856ad364e35_10.0.19041.1_none_ab13ba7135ae8cbc | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_netfx-mscorees_dll_31bf3856ad364e35_10.0.19041.1_none_732bfc41722d84f6 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..ment-diagnosticcsps_31bf3856ad364e35_10.0.19041.746_none_a4135e9f727bcecf\DiagnosticLogCSP.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\feedback.png | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Word.v9.0 | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\Power\en-US\DiagPackage.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\8514oeme.fon | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_eventviewersettings_31bf3856ad364e35_10.0.19041.1_none_aae8e58aa310aa7d\Event Viewer.lnk | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\v4.0_4.0.0.0__b77a5c561934e089 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..tegrity-diagnostics_31bf3856ad364e35_10.0.19041.1_none_224ac1aa56b7c6c2 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..mentmanifests-minio_31bf3856ad364e35_10.0.19041.1_none_642743188b75ab27 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\msil_microsoft.wsman.management_31bf3856ad364e35_1.0.0.0_none_3eb01b8d02613ef5 | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\HyperV-UX-UI-63-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_10.0.19041.1266_none_a88c5999d8585853\pcadm.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_10.0.19041.1202_none_0607b555ed95f3ce\resutils.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..s-mdac-odbcconf-dll_31bf3856ad364e35_10.0.19041.868_none_e5be9917549f5620\f\odbcconf.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-help-datalayer_31bf3856ad364e35_10.0.19041.746_none_a2b3f28a7d262dfe | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-cryptsp-dll_31bf3856ad364e35_10.0.19041.1_none_e9a325e2da8acade | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_netfx4-corperfmonext_dll_b03f5f7f11d50a3a_4.0.15805.0_none_50938c1faa59c71e | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-clip_31bf3856ad364e35_10.0.19041.1_none_5dccefa0bb5ef60b\clip.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Package_3_for_KB4552925~31bf3856ad364e35~amd64~~10.0.1.3176.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..se_standard_101_key_31bf3856ad364e35_10.0.19041.662_none_f1a2995bab4ccb3e | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.19041.1151_none_f7be996d8409bfa1\n | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing.Primitives | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Containers-Client-Manager-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msvpxenc_31bf3856ad364e35_10.0.19041.1_none_0afd549085d99c7b | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..mentmanifests-shell_31bf3856ad364e35_10.0.19041.1_none_761d12dd3e21a6c3\SettingSync-repl.man | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-s..line-user-interface_31bf3856ad364e35_10.0.19041.1_none_9d2d2a9ab0964bc3 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-e..-host-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_07dc2f32ba97dfa5\WorkFolders-Client.adml | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..anifests-multimedia_31bf3856ad364e35_10.0.19041.746_none_41c9c37e24436d0a\r\audmigplugin.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.ThreadPool | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~ps-af~1.0.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-PeerDist-Client-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-cmi_31bf3856ad364e35_10.0.19041.746_none_87c79514b95a235e | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_net44amd.inf_31bf3856ad364e35_10.0.19041.1_none_6e2116dc714fa3ac\b44amd64.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-pnp-drvsetup_31bf3856ad364e35_10.0.19041.1151_none_d2adca9818c0499a\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-h..hextensions-desktop_31bf3856ad364e35_10.0.19041.746_none_d2fd55f11442594b\HoloSHExtensions.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..elmanifests-enduser_31bf3856ad364e35_10.0.19041.1_none_534fd5ce64a2998b\SpeechCommon-DL.man | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\rt640x64.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-webdavredir-mrxdav_31bf3856ad364e35_10.0.19041.1266_none_8970b8bd7aecfac3 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-holoshellruntime_31bf3856ad364e35_10.0.19041.746_none_967c45b9935c8036 | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-rastls.resources_31bf3856ad364e35_10.0.19041.1_en-us_6f8019b5fc3887d8 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-com-dtc-client_31bf3856ad364e35_10.0.19041.1_none_02e3fb3a58ab4f22\msdtcprx.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\changesView.css | AE 0124 BE.exe
File opened for modification | C:\Windows\Prefetch\NGEN.EXE-EC3F9239.pf | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\microsoft-windows-RemoteFX-clientVM-RemoteFXWDDMDriver-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | AE 0124 BE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3174862037" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997950" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3190799382" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000eb27af5ee2ce998bd8a0557fcc05f130666b2ff8f51745412add7917d24f2835000000000e8000000002000020000000832493de470a65c2a3f77ceb5fc5674b230c2f32777037c2e148c6a94cccb7fb20000000f5973cf0740865145b99615c392a9f6ad1d7aa88049616e93f07cdbfff26ac8f400000001a9356cd2002b4629efc3ab5d7495b595109321791bb2048598813e10445add3fe8aaa922d3d854e05d792be343337889d2c8ff07690064ceaac51a210e5f402 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03799c0befdd801 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000004cd1e19dd5da1ce8f47a03557e3497f4e8848106d3d08e4b92001754aabac0b1000000000e80000000020000200000009ec5d6a09825448f4d9d2e2eed39dc34aa764c735845b94d4dcb06e359fed00f200000004b516b58b129a5f6896ba43c2b0b7d064ee8974b6929f59d35d9148723c5adc540000000ff7a20c615a172a45f8bc546ebc37e12b848c1a70cd3854d07b28279cf8068cfa541d7b98f26b256126df55d21435486da59d4da1b870d945c9519cac6817f41 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30997950" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E8BD8A21-69B1-11ED-A0EE-5286B00C3051} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3174862037" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30997950" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375809810" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0025f6c0befdd801 | iexplore.exe
Modifies registry class 4 IoCs
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (winlogon.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (AE 0124 BE.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1596 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1596 iexplore.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid / Process
- 4844 e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe
- 1596 iexplore.exe
- 1596 iexplore.exe
- 2116 winlogon.exe
- 2576 IEXPLORE.EXE
- 2576 IEXPLORE.EXE
- 364 AE 0124 BE.exe
- 3548 winlogon.exe
- 3292 winlogon.exe
- 2576 IEXPLORE.EXE
- 2576 IEXPLORE.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description / pid / Process / procid_target
- PID 4844 wrote to memory of 1596 (4844, e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe, 81)
- PID 4844 wrote to memory of 1596 (4844, e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe, 81)
- PID 1596 wrote to memory of 2576 (1596, iexplore.exe, 82)
- PID 1596 wrote to memory of 2576 (1596, iexplore.exe, 82)
- PID 1596 wrote to memory of 2576 (1596, iexplore.exe, 82)
- PID 4844 wrote to memory of 2116 (4844, e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe, 83)
- PID 4844 wrote to memory of 2116 (4844, e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe, 83)
- PID 4844 wrote to memory of 2116 (4844, e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe, 83)
- PID 2116 wrote to memory of 364 (2116, winlogon.exe, 84)
- PID 2116 wrote to memory of 364 (2116, winlogon.exe, 84)
- PID 2116 wrote to memory of 364 (2116, winlogon.exe, 84)
- PID 2116 wrote to memory of 3548 (2116, winlogon.exe, 86)
- PID 2116 wrote to memory of 3548 (2116, winlogon.exe, 86)
- PID 2116 wrote to memory of 3548 (2116, winlogon.exe, 86)
- PID 364 wrote to memory of 3292 (364, AE 0124 BE.exe, 87)
- PID 364 wrote to memory of 3292 (364, AE 0124 BE.exe, 87)
- PID 364 wrote to memory of 3292 (364, AE 0124 BE.exe, 87)
Processes
- C:\Users\Admin\AppData\Local\Temp\e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe (PID 4844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e8b891b805f4ca0bd88edf3b91e29d04eeac5376fead4469d1346ad5dffec0af.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 1596)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2576)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2116)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\AE 0124 BE.exe (PID 364)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\drivers\winlogon.exe (PID 3292)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\drivers\winlogon.exe (PID 3548)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads