69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91

Analysis

max time kernel
152s
max time network
178s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
Size

65KB
MD5

571d52bc7401a718028fec84451e2070
SHA1

51a6c0402cfded7892d1c44be87fb73f708219f9
SHA256

69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91
SHA512

22d5700d523c49340e79efe7a7d74399742aa3bee1d613857ebf54b97f9bb361785723ef809aca469c58891f58b44405fdea9f8f06fcf251aadfbed31162536d
SSDEEP

768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7FMAnXMcMaJIWmS2zIzV9xJv:sr+Fum5LMI+WTJjcXnXMcpm/zOxJXKJY

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exe69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe

Executes dropped EXE 4 IoCs

Processes:

winlogon.exeAE 0124 BE.exewinlogon.exewinlogon.exe

pid process

1312 winlogon.exe
948 AE 0124 BE.exe
396 winlogon.exe
892 winlogon.exe

pid	process
1312	winlogon.exe
948	AE 0124 BE.exe
396	winlogon.exe
892	winlogon.exe

Loads dropped DLL 7 IoCs

Processes:

69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exewinlogon.exeAE 0124 BE.exewinlogon.exe

pid	process
1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
1312	winlogon.exe
1312	winlogon.exe
948	AE 0124 BE.exe
948	AE 0124 BE.exe
892	winlogon.exe

Drops desktop.ini file(s) 24 IoCs

Processes:

AE 0124 BE.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Raga\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Delta\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Afternoon\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 25 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

winlogon.exeAE 0124 BE.exe

description	ioc	process
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\F:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe

Drops file in System32 directory 1 IoCs

Processes:

AE 0124 BE.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\regedit.exe AE 0124 BE.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

Processes:

AE 0124 BE.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\d7f5c5b7ad6ae9510514a279c1cb5665	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\aero_arrow.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\lsi_sas.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.servicemodel.resources\3.0.0.0_es_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\napsnap\f64692e58aa1a7116024bf3c3cbd1352	AE 0124 BE.exe
File opened for modification	C:\Windows\twunk_16.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.MemoryMappedFiles	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\zh-CN\bootmgr.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\ega40737.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\f305d7d5c93da15933fbb44201c6e0f8\Microsoft.Activities.Build.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\Boot\PCAT\cs-CZ\bootmgr.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\607b6b690789fc9a85244ab7698237e4\System.Activities.Presentation.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\dac48ed7852587d900eb9e2eb8fdf32b	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\scheduled\Maintenance\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\RSSFeed\GB-rss1.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\ndiscap.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\microsoft.transactions.bridge.resources\3.0.0.0_it_b03f5f7f11d50a3a	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_it_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\001F	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\79f7533caac95e3eee555dba4e616fb9\System.DirectoryServices.Protocols.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\3b0716755fe4e8ba470d7efdc72647d7\Microsoft.VisualBasic.Compatibility.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System\095a3392942c3d4eb888e6a32036acd8	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\usbstor.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.resources\3.5.0.0_es_b77a5c561934e089\System.Windows.Presentation.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Managemen#	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\f4a88265ac4ad47978daef8c5482fd30	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.2486c0f5#\d3624bd9507a1d21def2a1c3d713ab5e\System.Web.DynamicData.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Wind5abb17e9#\df19d1cea7d8736ca9ee225332319c3b\System.Windows.Presentation.ni.dll.aux	AE 0124 BE.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\fi-FI_BitLockerToGo.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\vga857.fon	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XamlBuildTask	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.Resources\1.0.0.0_it_31bf3856ad364e35\Microsoft.PowerShell.Editor.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Workflow.Activities\3.0.0.0__31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\it-IT\ehPresenter.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\mui\0407\connmgr.CHM	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\mui\0411\ipsecpolicy.CHM	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Windows Notify.wav	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.Resources\1.0.0.0_de_31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_es_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\de-DE\ehglid.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\ehome\fr-FR\ehjpnime.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Transactions\2.0.0.0__b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationProvider.resources\3.0.0.0_it_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Activities\39f02628df6b23733fbe777a55e7ffdc\System.Activities.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\Windows_SubjectTerm.H1K	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\prnsh002.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Windows Default.wav	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.Resources	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.servicemodel.resources\3.0.0.0_ja_b77a5c561934e089\System.ServiceModel.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Runtime.Seri#\8ad0e1382ab6565741bbb64b965f2748\System.Runtime.Serialization.Formatters.Soap.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\CA-wp6.jpg	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0008\_TransactionBridgePerfCounters.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\inf\wsearchidxpi\0000\idxcntrs.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Windows Information Bar.wav	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\system.servicemodel.resources\3.0.0.0_de_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376006662"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38DBD851-6B7C-11ED-91F2-D2F8C2B78FDE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000000806d5809dcb8f10abab82debf5461c8d05b0ee244feaba793bc7a012b13ea95000000000e8000000002000020000000158deedbf3e860e4b0aef20ebb256f393ed4ef90207d10be3b4989d75b9d3656200000003620dae7e7ff439cc0868a2b5c251538e5233af066f5c2705e442e1e6e4ba6634000000039f0b22fe6ae508a4e8eb8fefc6ec5b0e78df1f947b83f3c87626638dd5ec1279ddc02487c9ddbcf21bd2124dff58f1bb916174387361959225ff1aa0436d27c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a03d531189ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000077ad15e9b53d140f72655ae30ccd13238a9940c36e4c3e0b0be1e2e4715f7b69000000000e80000000020000200000006b460bc0986e7dc277ffc9288bb12cba1cdb1c3b927ac2bed54bd5ee6b69fd90900000004f332cb072049c6bc95f4d92f44e472fde083c8325a8e0f4781c13e6c2574bb37a6a18458a58f6fc2a5639be7846c173dba59f8d3a7d64460541286f8a2368337dd1fbcd4b857b4aa3cca34323d78165130e8642297dca0c3e16202819aaf587f3fcde6484717936e96bcec9d9781deaff9ef328969be488e2b90fa44a5c912e348f6984093071285210aec79399c96f40000000d7dc35f85e6acda8845cefa5d7a3931bc2ab646a5d5109b890501265a080db492575a78aed5141f2db9bc11015fdc1f64f0147aef9378ebe28d5bbbdde8b6dba	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

484 iexplore.exe

pid	process
484	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exeiexplore.exewinlogon.exeIEXPLORE.EXEAE 0124 BE.exewinlogon.exewinlogon.exe

pid	process
1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
484	iexplore.exe
484	iexplore.exe
1312	winlogon.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
948	AE 0124 BE.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
396	winlogon.exe
892	winlogon.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exeiexplore.exewinlogon.exeAE 0124 BE.exe

description	pid	process	target process
PID 1120 wrote to memory of 484	1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe	iexplore.exe
PID 1120 wrote to memory of 484	1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe	iexplore.exe
PID 1120 wrote to memory of 484	1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe	iexplore.exe
PID 1120 wrote to memory of 484	1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe	iexplore.exe
PID 484 wrote to memory of 1988	484	iexplore.exe	IEXPLORE.EXE
PID 484 wrote to memory of 1988	484	iexplore.exe	IEXPLORE.EXE
PID 484 wrote to memory of 1988	484	iexplore.exe	IEXPLORE.EXE
PID 484 wrote to memory of 1988	484	iexplore.exe	IEXPLORE.EXE
PID 1120 wrote to memory of 1312	1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe	winlogon.exe
PID 1120 wrote to memory of 1312	1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe	winlogon.exe
PID 1120 wrote to memory of 1312	1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe	winlogon.exe
PID 1120 wrote to memory of 1312	1120	69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe	winlogon.exe
PID 1312 wrote to memory of 948	1312	winlogon.exe	AE 0124 BE.exe
PID 1312 wrote to memory of 948	1312	winlogon.exe	AE 0124 BE.exe
PID 1312 wrote to memory of 948	1312	winlogon.exe	AE 0124 BE.exe
PID 1312 wrote to memory of 948	1312	winlogon.exe	AE 0124 BE.exe
PID 1312 wrote to memory of 396	1312	winlogon.exe	winlogon.exe
PID 1312 wrote to memory of 396	1312	winlogon.exe	winlogon.exe
PID 1312 wrote to memory of 396	1312	winlogon.exe	winlogon.exe
PID 1312 wrote to memory of 396	1312	winlogon.exe	winlogon.exe
PID 948 wrote to memory of 892	948	AE 0124 BE.exe	winlogon.exe
PID 948 wrote to memory of 892	948	AE 0124 BE.exe	winlogon.exe
PID 948 wrote to memory of 892	948	AE 0124 BE.exe	winlogon.exe
PID 948 wrote to memory of 892	948	AE 0124 BE.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
"C:\Users\Admin\AppData\Local\Temp\69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:484

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\drivers\winlogon.exe
"C:\Windows\System32\drivers\winlogon.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\AE 0124 BE.exe
"C:\Windows\AE 0124 BE.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\drivers\winlogon.exe
"C:\Windows\System32\drivers\winlogon.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SysWOW64\drivers\winlogon.exe
"C:\Windows\System32\drivers\winlogon.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E0ADBF0J.txt
Filesize
601B

MD5
e96f71014b8d7abf50807042f45f7bf9

SHA1
e856fef28fcb3211679744ff3dd6042471c032ae

SHA256
a1980121789d392c77e4831169a469e4310431e418bff9d02b6e78e231b3fadf

SHA512
264909168e1d629adfec8722247d53ecef9987dfa98b2cfd9b3aa700c023784f76238c2616b2693c9c42e470980b6766a4eb6bd1bf1a45623aebd52d5793731f

Download Submit
C:\Windows\AE 0124 BE.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
C:\Windows\AE 0124 BE.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
C:\Windows\AE 0124 BE.gif
Filesize
65KB

MD5
4bb748d58c43ae710da6abd88f9c0ce5

SHA1
98ec8f59aaa3dc4ca280484de5333a84906c32dc

SHA256
1310552d6273c21224e200c7858ae3a8b2e6feb55d7ecf05b66f3e33b33ae6d5

SHA512
325dc7eb944b47abd13f64af6d9272dc2c77c0ca099ecddf46e755746039ba15759cc45606cb0604aecf3d336ebd377ab530b3761875ab57fe75bf97a5591e61

Download Submit
C:\Windows\AE 0124 BE.gif
Filesize
131KB

MD5
aba386a2e82a1ae3a117c413bd7f1f79

SHA1
ce24ec2e15413e0a7d20288c36f5669517f703fb

SHA256
1731576df84429b112876f4f9711a3571a15e8e40f93dbf95a3dff1f86876992

SHA512
c84e934e07e9c502a76b5a94704aa7b90f214ad5d6f96fefb69425613a6bba915d99d3b3e0642585aa00a0921bec557f9c844e86751691729e4bc1ba2906132e

Download Submit
C:\Windows\Msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\B1uv3nth3x1.diz
Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\??\c:\B1uv3nth3x1.diz
Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
\Windows\SysWOW64\drivers\Msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
\Windows\SysWOW64\drivers\winlogon.exe
Filesize
130KB

MD5
9b358d4e86d16078d891d9721f886975

SHA1
844830757c807f2f1cab7dc5effa754b18f7699c

SHA256
077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a

SHA512
fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

Download Submit
memory/396-81-0x0000000000000000-mapping.dmp

Download
memory/892-87-0x0000000000000000-mapping.dmp

Download
memory/948-66-0x0000000000000000-mapping.dmp

Download
memory/1120-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1312-60-0x0000000000000000-mapping.dmp

Download