Analysis
max time kernel: 152s
max time network: 178s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 19:01
Static task: static1
Behavioral task: behavioral1
  Sample: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
  Resource: win10v2004-20221111-en
General
Target: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
Size: 65KB
MD5: 571d52bc7401a718028fec84451e2070
SHA1: 51a6c0402cfded7892d1c44be87fb73f708219f9
SHA256: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91
SHA512: 22d5700d523c49340e79efe7a7d74399742aa3bee1d613857ebf54b97f9bb361785723ef809aca469c58891f58b44405fdea9f8f06fcf251aadfbed31162536d
SSDEEP: 768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7FMAnXMcMaJIWmS2zIzV9xJv:sr+Fum5LMI+WTJjcXnXMcpm/zOxJXKJY
Malware Config
Signatures
Drops file in Drivers directory (6 IoCs)
Processes: winlogon.exe, winlogon.exe, winlogon.exe, 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
Executes dropped EXE (4 IoCs)
Processes: winlogon.exe, AE 0124 BE.exe, winlogon.exe, winlogon.exe
pid | process
1312 | winlogon.exe
948 | AE 0124 BE.exe
396 | winlogon.exe
892 | winlogon.exe
Loads dropped DLL (7 IoCs)
Processes: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe, winlogon.exe, AE 0124 BE.exe, winlogon.exe
pid | process
1120 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
1120 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
1312 | winlogon.exe
1312 | winlogon.exe
948 | AE 0124 BE.exe
948 | AE 0124 BE.exe
892 | winlogon.exe
Drops desktop.ini file(s) (24 IoCs)
Processes: AE 0124 BE.exe
Drops autorun.inf file (1 TTP, 25 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: winlogon.exe, AE 0124 BE.exe
Drops file in System32 directory (1 IoC)
Processes: AE 0124 BE.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory (64 IoCs)
Processes: AE 0124 BE.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes: IEXPLORE.EXE, iexplore.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
pid | process
484 | iexplore.exe
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe, iexplore.exe, winlogon.exe, IEXPLORE.EXE, AE 0124 BE.exe, winlogon.exe, winlogon.exe
pid | process
1120 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
484 | iexplore.exe
484 | iexplore.exe
1312 | winlogon.exe
1988 | IEXPLORE.EXE
1988 | IEXPLORE.EXE
948 | AE 0124 BE.exe
1988 | IEXPLORE.EXE
1988 | IEXPLORE.EXE
396 | winlogon.exe
892 | winlogon.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe, iexplore.exe, winlogon.exe, AE 0124 BE.exe
description | pid | process | target process (each row below is recorded four times in the report)
PID 1120 wrote to memory of 484 | 1120 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe | iexplore.exe
PID 484 wrote to memory of 1988 | 484 | iexplore.exe | IEXPLORE.EXE
PID 1120 wrote to memory of 1312 | 1120 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe | winlogon.exe
PID 1312 wrote to memory of 948 | 1312 | winlogon.exe | AE 0124 BE.exe
PID 1312 wrote to memory of 396 | 1312 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 892 | 948 | AE 0124 BE.exe | winlogon.exe
Processes (tree, depth shown by indentation)
depth 1: C:\Users\Admin\AppData\Local\Temp\69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe"
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    depth 2: C:\Program Files\Internet Explorer\iexplore.exe
        command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        depth 3: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:484 CREDAT:275457 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
    depth 2: C:\Windows\SysWOW64\drivers\winlogon.exe
        command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops autorun.inf file
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        depth 3: C:\Windows\AE 0124 BE.exe
            command line: "C:\Windows\AE 0124 BE.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops desktop.ini file(s)
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            depth 4: C:\Windows\SysWOW64\drivers\winlogon.exe
                command line: "C:\Windows\System32\drivers\winlogon.exe"
                - Drops file in Drivers directory
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetWindowsHookEx
        depth 3: C:\Windows\SysWOW64\drivers\winlogon.exe
            command line: "C:\Windows\System32\drivers\winlogon.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads