Analysis
- max time kernel: 159s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-11-2022 15:33
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe
  - Resource: win7-20220901-en
- Behavioral task: behavioral2
  - Sample: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe
  - Resource: win10v2004-20221111-en
General
- Target: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe
- Size: 20KB
- MD5: 27f664c41e5fabba8557cc84126d2fb0
- SHA1: 85b06995d141d337ad12f6023937075626d57aea
- SHA256: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3
- SHA512: da4547c477963137c19f2c0643c0a8927239c3dc62f1aca61c04e96b59e8b10327dddc880e805f706545cbd29e9fb18158ab92f10611478fb6b473b334280bb3
- SSDEEP: 192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBIq:1M3PnQoHDCpHf4I4Qwdc0G5KDJSq
Malware Config
Signatures
- Drops file in Drivers directory (6 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\drivers\winlogon.exe (process: winlogon.exe)
  - File opened for modification: C:\Windows\SysWOW64\drivers\winlogon.exe (process: winlogon.exe)
  - File opened for modification: C:\Windows\SysWOW64\drivers\winlogon.exe (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe)
  - File opened for modification: C:\Windows\SysWOW64\drivers\winlogon.exe (process: winlogon.exe)
  - File created: C:\Windows\SysWOW64\drivers\Msvbvm60.dll (process: winlogon.exe)
  - File opened for modification: C:\Windows\SysWOW64\drivers\Msvbvm60.dll (process: winlogon.exe)
- Executes dropped EXE (4 IoCs)
  - PID 2412 winlogon.exe
  - PID 1452 AE 0124 BE.exe
  - PID 3912 winlogon.exe
  - PID 2212 winlogon.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation (process: winlogon.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation (process: AE 0124 BE.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe)
- Loads dropped DLL (3 IoCs)
  - PID 1452 AE 0124 BE.exe
  - PID 3912 winlogon.exe
  - PID 2212 winlogon.exe
- Drops desktop.ini file(s) (3 IoCs)
  - File opened for modification: C:\Windows\Downloaded Program Files\desktop.ini (process: AE 0124 BE.exe)
  - File opened for modification: C:\Windows\Fonts\desktop.ini (process: AE 0124 BE.exe)
  - File opened for modification: C:\Windows\Media\Desktop.ini (process: AE 0124 BE.exe)
- Drops autorun.inf file (1 TTPs, 27 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  - File opened for modification: \??\O:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\W:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf (process: AE 0124 BE.exe)
  - File opened for modification: \??\V:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\A:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: C:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\N:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\R:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\G:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\J:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\Q:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\U:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\B:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\H:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\T:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\Z:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\P:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\X:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\I:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\K:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\M:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\S:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\Y:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: D:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\E:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\F:\Autorun.inf (process: winlogon.exe)
  - File opened for modification: \??\L:\Autorun.inf (process: winlogon.exe)
- Drops file in System32 directory (1 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\regedit.exe (process: AE 0124 BE.exe)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
- Modifies registry class (4 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: winlogon.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: AE 0124 BE.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - PID 1480 iexplore.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  - PID 1480 iexplore.exe
- Suspicious use of SetWindowsHookEx (11 IoCs)
  - PID 4820 d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe
  - PID 1480 iexplore.exe
  - PID 1480 iexplore.exe
  - PID 1948 IEXPLORE.EXE
  - PID 1948 IEXPLORE.EXE
  - PID 2412 winlogon.exe
  - PID 1452 AE 0124 BE.exe
  - PID 3912 winlogon.exe
  - PID 2212 winlogon.exe
  - PID 1948 IEXPLORE.EXE
  - PID 1948 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 4820 wrote to memory of 1480 (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe, target procid: 83)
  - PID 4820 wrote to memory of 1480 (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe, target procid: 83)
  - PID 1480 wrote to memory of 1948 (process: iexplore.exe, target procid: 84)
  - PID 1480 wrote to memory of 1948 (process: iexplore.exe, target procid: 84)
  - PID 1480 wrote to memory of 1948 (process: iexplore.exe, target procid: 84)
  - PID 4820 wrote to memory of 2412 (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe, target procid: 85)
  - PID 4820 wrote to memory of 2412 (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe, target procid: 85)
  - PID 4820 wrote to memory of 2412 (process: d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe, target procid: 85)
  - PID 2412 wrote to memory of 1452 (process: winlogon.exe, target procid: 87)
  - PID 2412 wrote to memory of 1452 (process: winlogon.exe, target procid: 87)
  - PID 2412 wrote to memory of 1452 (process: winlogon.exe, target procid: 87)
  - PID 2412 wrote to memory of 3912 (process: winlogon.exe, target procid: 89)
  - PID 2412 wrote to memory of 3912 (process: winlogon.exe, target procid: 89)
  - PID 2412 wrote to memory of 3912 (process: winlogon.exe, target procid: 89)
  - PID 1452 wrote to memory of 2212 (process: AE 0124 BE.exe, target procid: 90)
  - PID 1452 wrote to memory of 2212 (process: AE 0124 BE.exe, target procid: 90)
  - PID 1452 wrote to memory of 2212 (process: AE 0124 BE.exe, target procid: 90)
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe (PID 4820, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5a77266619fc321b2e372658670b6eec2d8a034df5f0428edde19ffb72557d3.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files\Internet Explorer\iexplore.exe (PID 1480, depth 2)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1948, depth 3)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  - Child process: C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2412, depth 2)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\AE 0124 BE.exe (PID 1452, depth 3)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - Child process: C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2212, depth 4)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    - Child process: C:\Windows\SysWOW64\drivers\winlogon.exe (PID 3912, depth 3)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads