Analysis
max time kernel: 151s
max time network: 146s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 23/11/2022, 19:19
Static task: static1
Behavioral task: behavioral1
  Sample: 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe
  Resource: win10v2004-20220812-en
General
Target: 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe
Size: 66KB
MD5: 450a10e9d651296f4fb3a1668aed2180
SHA1: e192cec4d845b157b79b8d62e27e4542d1d4c457
SHA256: 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037
SHA512: c590a4452d54469832e01aa10857b2adf7e4b7d76bbd9aa8e06df2952e1eabbe37e2b5379318b40025026b263bb8b748c70067386141511c2839ad03475a4c69
SSDEEP: 768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7xuMAnXMcMaJIWmS2zIzV9xo:sr+Fum5LMI+WTJjcsnXMcpm/zOxJXKJR
Malware Config
Signatures
Drops file in Drivers directory 60 IoCs
Executes dropped EXE 4 IoCs
pid   Process
860   winlogon.exe
1064  AE 0124 BE.exe
1576  winlogon.exe
616   winlogon.exe
Loads dropped DLL 9 IoCs
pid   Process
1600  5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe
1600  5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe
860   winlogon.exe
860   winlogon.exe
1576  winlogon.exe
1064  AE 0124 BE.exe
1064  AE 0124 BE.exe
616   winlogon.exe
940   iexplore.exe
Drops desktop.ini file(s) 40 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 940 iexplore.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe
940 iexplore.exe
940 iexplore.exe
860 winlogon.exe
1776 IEXPLORE.EXE
1776 IEXPLORE.EXE
1064 AE 0124 BE.exe
1576 winlogon.exe
616 winlogon.exe
1776 IEXPLORE.EXE
1776 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 1600 wrote to memory of 940 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 27
PID 1600 wrote to memory of 940 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 27
PID 1600 wrote to memory of 940 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 27
PID 1600 wrote to memory of 940 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 27
PID 940 wrote to memory of 1776 940 iexplore.exe 29
PID 940 wrote to memory of 1776 940 iexplore.exe 29
PID 940 wrote to memory of 1776 940 iexplore.exe 29
PID 940 wrote to memory of 1776 940 iexplore.exe 29
PID 1600 wrote to memory of 860 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 30
PID 1600 wrote to memory of 860 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 30
PID 1600 wrote to memory of 860 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 30
PID 1600 wrote to memory of 860 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 30
PID 860 wrote to memory of 1064 860 winlogon.exe 31
PID 860 wrote to memory of 1064 860 winlogon.exe 31
PID 860 wrote to memory of 1064 860 winlogon.exe 31
PID 860 wrote to memory of 1064 860 winlogon.exe 31
PID 860 wrote to memory of 1576 860 winlogon.exe 32
PID 860 wrote to memory of 1576 860 winlogon.exe 32
PID 860 wrote to memory of 1576 860 winlogon.exe 32
PID 860 wrote to memory of 1576 860 winlogon.exe 32
PID 1064 wrote to memory of 616 1064 AE 0124 BE.exe 33
PID 1064 wrote to memory of 616 1064 AE 0124 BE.exe 33
PID 1064 wrote to memory of 616 1064 AE 0124 BE.exe 33
PID 1064 wrote to memory of 616 1064 AE 0124 BE.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1600
    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:940
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:275457 /prefetch:2
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID:1776
    C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops autorun.inf file
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:860
        C:\Windows\AE 0124 BE.exe
          Command line: "C:\Windows\AE 0124 BE.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops desktop.ini file(s)
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:1064
            C:\Windows\SysWOW64\drivers\winlogon.exe
              Command line: "C:\Windows\System32\drivers\winlogon.exe"
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
              PID:616
        C:\Windows\SysWOW64\drivers\winlogon.exe
          Command line: "C:\Windows\System32\drivers\winlogon.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          PID:1576
-
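The chain above (a binary in the user's Temp directory spawning a winlogon.exe from a drivers directory, which in turn spawns AE 0124 BE.exe and further winlogon.exe copies) is the kind of thing a detection engineer wants to check mechanically rather than by eye. The Python below is an added example and is not part of the sandbox report or of the sample: it parses the WriteProcessMemory records in the report's own layout, collapses the repeated records into distinct parent/child pairs, rebuilds the tree, and flags a well-known system image name that is running from the wrong directory or was started by the wrong parent. The genuine location and parent of winlogon.exe (C:\Windows\System32, started by smss.exe) are standard Windows facts; the SYSTEM_BINARIES table, the embedded records and all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed from the report's WriteProcessMemory table. The sandbox emits one
# record per write call and creating a child process involves several writes
# into it, so each parent/child pair appears several times; a few repeats are
# kept here to show that the parser collapses them.
WRITE_RECORDS = """\
PID 1600 wrote to memory of 940 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 27
PID 1600 wrote to memory of 940 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 27
PID 940 wrote to memory of 1776 940 iexplore.exe 29
PID 1600 wrote to memory of 860 1600 5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe 30
PID 860 wrote to memory of 1064 860 winlogon.exe 31
PID 860 wrote to memory of 1064 860 winlogon.exe 31
PID 860 wrote to memory of 1576 860 winlogon.exe 32
PID 1064 wrote to memory of 616 1064 AE 0124 BE.exe 33
"""

# Image path per PID, taken from the process tree in the report.
IMAGE_PATHS = {
    1600: r"C:\Users\Admin\AppData\Local\Temp\5aae8a0a6ffaa86e20b2181a837b58f7607126bb0ecf46fc133d614b7b4d3037.exe",
    940: r"C:\Program Files\Internet Explorer\iexplore.exe",
    1776: r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    860: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    1064: r"C:\Windows\AE 0124 BE.exe",
    1576: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    616: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
}

# Where the genuine binary lives and which image is allowed to start it
# (hypothetical table for this example; extend it with other impersonated names).
SYSTEM_BINARIES = {
    "winlogon.exe": (r"c:\windows\system32", {"smss.exe"}),
}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>"
RECORD_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+) (\d+)$")


def parse_write_records(text):
    """Return {child_pid: (parent_pid, parent_image_name)} with repeats collapsed."""
    edges = {}
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        parent, child, parent_name = int(m.group(1)), int(m.group(2)), m.group(3)
        edges[child] = (parent, parent_name)
    return edges


def build_tree(edges):
    """Return (roots, children) where children maps pid -> sorted child pids."""
    children = defaultdict(list)
    for child, (parent, _) in edges.items():
        children[parent].append(child)
    for kids in children.values():
        kids.sort()
    parents = {parent for parent, _ in edges.values()}
    roots = sorted(p for p in parents if p not in edges)
    return roots, dict(children)


def render_tree(edges, image_paths):
    """Indented one-line-per-process view of the rebuilt tree."""
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image_paths.get(pid, '?')}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


def find_masquerades(edges, image_paths):
    """Flag PIDs whose image name is a known system binary but whose directory
    or parent does not match the genuine one. Returns sorted (pid, reason)."""
    findings = []
    for pid, path in image_paths.items():
        directory, _, name = path.lower().rpartition("\\")
        if name not in SYSTEM_BINARIES:
            continue
        expected_dir, expected_parents = SYSTEM_BINARIES[name]
        # A 32-bit process that writes to System32\drivers on x64 is redirected
        # to SysWOW64\drivers, which is why the report's command line says
        # System32 while the image path says SysWOW64; neither is System32 itself.
        if directory != expected_dir:
            findings.append((pid, f"{name} runs from {directory}, expected {expected_dir}"))
        if pid in edges:
            parent_pid, parent_name = edges[pid]
            if parent_name.lower() not in expected_parents:
                findings.append((pid, f"{name} started by {parent_name} (pid {parent_pid}), "
                                      f"expected one of {sorted(expected_parents)}"))
    return sorted(findings)


if __name__ == "__main__":
    edges = parse_write_records(WRITE_RECORDS)
    print(render_tree(edges, IMAGE_PATHS))
    for pid, reason in find_masquerades(edges, IMAGE_PATHS):
        print(f"[!] pid {pid}: {reason}")
```

On this report the script reports all three winlogon.exe instances (PIDs 860, 616 and 1576) twice each: once for the directory and once for the parent, since none of them was started by smss.exe. The same two checks apply unchanged to Sysmon or EDR process-creation telemetry, where the image path and parent image are first-class fields.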
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Distinct dropped files; identical content is listed once with the number of times it appears in the report.
-
Filesize 608B (listed 1 time)
MD5 ee9dd036edd880966c1d150422df249e
SHA1 32a13eb5881fa8c0c441abdf1b25e38ac4462378
SHA256 ac41f82655df87ca97999c011d8d63b30b3ed3cc6049aa9f3a75801894dda2ea
SHA512 393d2cbde3a0f32c3e8d823554519f6761e4c927066dba4b2cc50c91943da9adb468dff88305e047ae64e5b12d903705830783a5f0595665c994f9fe262e876e
-
Filesize 130KB (listed 12 times)
MD5 2f5157ddcab9be3659cba6f98a3f8955
SHA1 3a5c0bef8e3c372f21a9f72c8101297a39fa478b
SHA256 299fb768887ca4f4bce900000ea4c4195d53175a32e8726fe5ea7049828eb1fb
SHA512 47bb644412f46213500d200db9528bde68b36a91986a2250a370c8b04801a04e89e158326401263a45cdce08dcf8a5d3a6e6e726c840f32640b56fef266e4fec
-
Filesize 66KB (listed 1 time)
MD5 de9bd6b3384f3139d7bb4c6b4b8e1d65
SHA1 074d01b089cb22489de43e9552b05e3b9aec76cd
SHA256 3402c818e74268fea171d0c5c5632fb1180fa58dd4675c3ace96c065a3a5c03e
SHA512 acabcd72b4072c92ae5c1ba720071e0c192016459a11a46d71b4fd45bf74212b8c48f5345a28caa34cb64ccb505d337bdf3325e38cd749db0ceebdf484510db1
-
Filesize 131KB (listed 1 time)
MD5 39b1c561f3ab12c0f18eea4f62f40372
SHA1 91477f2a5cce4d770da23eddd2f6531316ee1bf9
SHA256 76e7a43c1067cb7fcdf0da6c219d80f40004438b957657bc672180f56db2001b
SHA512 1ace3e06c6b88a16ad71aa46448925cff513e206cab18316a7185b82f53b565fdecac81da0f8b417ed82aca66955d1dba818938b841d142e0f858624d09f518c
-
Filesize 1.3MB (listed 4 times)
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 21B (listed 2 times)
MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b
-
Filesize 615KB (listed 1 time)
MD5 7b2a54732d38cd19c79c8184d6932f6f
SHA1 6d42bd8fe510e9a4ed6c13409daf4c7a49e7db04
SHA256 76fc819738acfc13818287353b2ee4c5e881d5418e7b6e20c2be03521a2b755d
SHA512 acde084716a0d9da1c0834c8bc683b98721bba6b32c843eee1010779bf51cdc9d4ff3de7a4e35ee8053f70afd7705428d4404ceaf10d597ea8e6e95be2bff0c0
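As rendered, the sandbox's hash list fuses each label to its value ("MD5ee9dd…") and repeats the same content many times, which is awkward to turn into a blocklist by hand. The Python below is an added example, not part of the report: it parses that layout, checks that every digest has the length its algorithm requires so a truncated or merged line is reported instead of silently becoming a bad indicator, and collapses identical content by SHA-256 with a count of how often it was dropped. The SAMPLE excerpt is constructed from records on this page in the page's own layout, plus one deliberately truncated SHA-256 to exercise the check; all function names are this example's own.

```python
import re

# Hex-digit count each digest must have; anything else means the extraction
# truncated or merged a line and the value must not be used as an indicator.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]*)$")

# Constructed excerpt in the report's layout: a 'Filesize' line, the size,
# label-fused hash lines, and '-' separators. The last record's SHA-256 is
# deliberately cut short.
SAMPLE = """\
-
Filesize
608B
MD5ee9dd036edd880966c1d150422df249e
SHA132a13eb5881fa8c0c441abdf1b25e38ac4462378
SHA256ac41f82655df87ca97999c011d8d63b30b3ed3cc6049aa9f3a75801894dda2ea
SHA512393d2cbde3a0f32c3e8d823554519f6761e4c927066dba4b2cc50c91943da9adb468dff88305e047ae64e5b12d903705830783a5f0595665c994f9fe262e876e
-
Filesize
130KB
MD52f5157ddcab9be3659cba6f98a3f8955
SHA13a5c0bef8e3c372f21a9f72c8101297a39fa478b
SHA256299fb768887ca4f4bce900000ea4c4195d53175a32e8726fe5ea7049828eb1fb
SHA51247bb644412f46213500d200db9528bde68b36a91986a2250a370c8b04801a04e89e158326401263a45cdce08dcf8a5d3a6e6e726c840f32640b56fef266e4fec
-
Filesize
130KB
MD52f5157ddcab9be3659cba6f98a3f8955
SHA13a5c0bef8e3c372f21a9f72c8101297a39fa478b
SHA256299fb768887ca4f4bce900000ea4c4195d53175a32e8726fe5ea7049828eb1fb
SHA51247bb644412f46213500d200db9528bde68b36a91986a2250a370c8b04801a04e89e158326401263a45cdce08dcf8a5d3a6e6e726c840f32640b56fef266e4fec
-
Filesize
21B
MD59cceaa243c5d161e1ce41c7dad1903dd
SHA1e3da72675df53fffa781d4377d1d62116eafb35b
SHA256814649b436ea43dd2abb99693e06019d4079ee74d02a
"""


def parse_dropped_files(text):
    """Parse the 'Downloads' layout into a list of records.
    Returns (records, problems); problems lists digests with the wrong length."""
    records, problems = [], []
    lines = [line.strip() for line in text.splitlines()]
    current = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "Filesize" and i + 1 < len(lines):
            current = {"size": lines[i + 1]}   # the size sits on the next line
            records.append(current)
            i += 2
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, value = m.group(1), m.group(2).lower()
            if len(value) != HEX_LEN[algo]:
                problems.append(f"record {len(records)}: {algo} has {len(value)} "
                                f"hex digits, expected {HEX_LEN[algo]}")
            current[algo.lower()] = value
        i += 1
    return records, problems


def unique_artifacts(records):
    """Collapse records with the same valid SHA-256 into one entry with a count.
    Raise if two records share a SHA-256 but disagree on another field, which
    would mean a mangled record rather than a genuine duplicate."""
    unique = {}
    for rec in records:
        key = rec.get("sha256", "")
        if len(key) != HEX_LEN["SHA256"]:
            continue  # already reported by parse_dropped_files; unusable as an IOC
        if key in unique:
            for field in ("size", "md5", "sha1", "sha512"):
                if unique[key].get(field) != rec.get(field):
                    raise ValueError(f"records disagree on {field} for sha256 {key}")
            unique[key]["count"] += 1
        else:
            unique[key] = dict(rec, count=1)
    return unique


def ioc_lines(unique):
    """One line per distinct artifact, most frequently dropped first."""
    rows = sorted(unique.values(), key=lambda r: (-r["count"], r["sha256"]))
    return [f"{r['sha256']}  {r['size']:>6}  x{r['count']}" for r in rows]


if __name__ == "__main__":
    recs, probs = parse_dropped_files(SAMPLE)
    for line in ioc_lines(unique_artifacts(recs)):
        print(line)
    for p in probs:
        print("[!]", p)
```

Keying on SHA-256 rather than MD5 is deliberate: MD5 collisions are practical, so two different files can share an MD5, whereas a SHA-256 match is safe to treat as identical content. The length check matters because a truncated digest that is pasted into a blocklist or YARA hash condition will simply never match.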