Analysis

max time kernel: 286s
max time network: 342s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 19:01
Static task: static1

Behavioral task: behavioral1
  Sample: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
  Resource: win10v2004-20221111-en
General

Target: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
Size: 65KB
MD5: 571d52bc7401a718028fec84451e2070
SHA1: 51a6c0402cfded7892d1c44be87fb73f708219f9
SHA256: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91
SHA512: 22d5700d523c49340e79efe7a7d74399742aa3bee1d613857ebf54b97f9bb361785723ef809aca469c58891f58b44405fdea9f8f06fcf251aadfbed31162536d
SSDEEP: 768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7FMAnXMcMaJIWmS2zIzV9xJv:sr+Fum5LMI+WTJjcXnXMcpm/zOxJXKJY
Malware Config
Signatures

Drops file in Drivers directory (6 IoCs)
Processes: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe, winlogon.exe, winlogon.exe, winlogon.exe

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe |
| File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe |
Executes dropped EXE (4 IoCs)
Processes: winlogon.exe, AE 0124 BE.exe, winlogon.exe, winlogon.exe

| pid | process |
|---|---|
| 1764 | winlogon.exe |
| 4420 | AE 0124 BE.exe |
| 4844 | winlogon.exe |
| 3084 | winlogon.exe |
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe, winlogon.exe, AE 0124 BE.exe

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | winlogon.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe |
Loads dropped DLL (3 IoCs)
Processes: AE 0124 BE.exe, winlogon.exe, winlogon.exe

| pid | process |
|---|---|
| 4420 | AE 0124 BE.exe |
| 3084 | winlogon.exe |
| 4844 | winlogon.exe |
Drops autorun.inf file (1 TTPs, 24 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: winlogon.exe

| description | ioc | process |
|---|---|---|
| File opened for modification | \??\R:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\F:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\G:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\M:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\V:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\J:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\L:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\S:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\T:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\W:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\Y:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\H:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\N:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\E:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\I:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\K:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\O:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\P:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\Q:\Autorun.inf | winlogon.exe |
| File opened for modification | C:\Autorun.inf | winlogon.exe |
| File opened for modification | D:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\Z:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\U:\Autorun.inf | winlogon.exe |
| File opened for modification | \??\X:\Autorun.inf | winlogon.exe |
Drops file in System32 directory (1 IoCs)
Processes: AE 0124 BE.exe

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe |
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (4 IoCs)
Processes: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe, winlogon.exe, AE 0124 BE.exe

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe |
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: iexplore.exe

| pid | process |
|---|---|
| 1112 | iexplore.exe |
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe, iexplore.exe, winlogon.exe, AE 0124 BE.exe, winlogon.exe, winlogon.exe, IEXPLORE.EXE

| pid | process |
|---|---|
| 2396 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe |
| 1112 | iexplore.exe |
| 1112 | iexplore.exe |
| 1764 | winlogon.exe |
| 4420 | AE 0124 BE.exe |
| 3084 | winlogon.exe |
| 4844 | winlogon.exe |
| 1080 | IEXPLORE.EXE |
| 1080 | IEXPLORE.EXE |
| 1080 | IEXPLORE.EXE |
| 1080 | IEXPLORE.EXE |
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe, iexplore.exe, winlogon.exe, AE 0124 BE.exe

| description | pid | process | target process |
|---|---|---|---|
| PID 2396 wrote to memory of 1112 | 2396 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe | iexplore.exe |
| PID 2396 wrote to memory of 1112 | 2396 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe | iexplore.exe |
| PID 1112 wrote to memory of 1080 | 1112 | iexplore.exe | IEXPLORE.EXE |
| PID 1112 wrote to memory of 1080 | 1112 | iexplore.exe | IEXPLORE.EXE |
| PID 1112 wrote to memory of 1080 | 1112 | iexplore.exe | IEXPLORE.EXE |
| PID 2396 wrote to memory of 1764 | 2396 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe | winlogon.exe |
| PID 2396 wrote to memory of 1764 | 2396 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe | winlogon.exe |
| PID 2396 wrote to memory of 1764 | 2396 | 69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe | winlogon.exe |
| PID 1764 wrote to memory of 4420 | 1764 | winlogon.exe | AE 0124 BE.exe |
| PID 1764 wrote to memory of 4420 | 1764 | winlogon.exe | AE 0124 BE.exe |
| PID 1764 wrote to memory of 4420 | 1764 | winlogon.exe | AE 0124 BE.exe |
| PID 1764 wrote to memory of 4844 | 1764 | winlogon.exe | winlogon.exe |
| PID 1764 wrote to memory of 4844 | 1764 | winlogon.exe | winlogon.exe |
| PID 1764 wrote to memory of 4844 | 1764 | winlogon.exe | winlogon.exe |
| PID 4420 wrote to memory of 3084 | 4420 | AE 0124 BE.exe | winlogon.exe |
| PID 4420 wrote to memory of 3084 | 4420 | AE 0124 BE.exe | winlogon.exe |
| PID 4420 wrote to memory of 3084 | 4420 | AE 0124 BE.exe | winlogon.exe |
Processes

Process tree (bracketed number = depth in the tree):

[1] C:\Users\Admin\AppData\Local\Temp\69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\69f52a8bdbe8e91423585b24bff8abe6acea43221a39b98f517ae57be226cf91.exe"
    - Drops file in Drivers directory
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:17410 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

    [2] C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Checks computer location settings
        - Drops autorun.inf file
        - Drops file in Windows directory
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\AE 0124 BE.exe
            Command line: "C:\Windows\AE 0124 BE.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\drivers\winlogon.exe
                Command line: "C:\Windows\System32\drivers\winlogon.exe"
                - Drops file in Drivers directory
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\drivers\winlogon.exe
            Command line: "C:\Windows\System32\drivers\winlogon.exe"
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Windows\AE 0124 BE.exe
  Filesize: 130KB
  MD5: 9b358d4e86d16078d891d9721f886975
  SHA1: 844830757c807f2f1cab7dc5effa754b18f7699c
  SHA256: 077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a
  SHA512: fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

C:\Windows\AE 0124 BE.gif
  Filesize: 131KB
  MD5: aba386a2e82a1ae3a117c413bd7f1f79
  SHA1: ce24ec2e15413e0a7d20288c36f5669517f703fb
  SHA256: 1731576df84429b112876f4f9711a3571a15e8e40f93dbf95a3dff1f86876992
  SHA512: c84e934e07e9c502a76b5a94704aa7b90f214ad5d6f96fefb69425613a6bba915d99d3b3e0642585aa00a0921bec557f9c844e86751691729e4bc1ba2906132e

C:\Windows\Msvbvm60.dll
  Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\SysWOW64\drivers\MSVBVM60.DLL
  Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\SysWOW64\drivers\Msvbvm60.dll
  Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\SysWOW64\drivers\winlogon.exe
  Filesize: 130KB
  MD5: 9b358d4e86d16078d891d9721f886975
  SHA1: 844830757c807f2f1cab7dc5effa754b18f7699c
  SHA256: 077f59c415859a68b3f7f4975bf2459044a061adaee60f297d182a1ce65cdf7a
  SHA512: fa503b37d2cde384470a0e4dce036d87e47d8d6bd500a7ce745105d245e1649550308891d9d2f9460b33b3d586c2bedc8fcef4fc5c3efa073df0a84afe1b9c33

\??\c:\B1uv3nth3x1.diz
  Filesize: 21B
  MD5: 9cceaa243c5d161e1ce41c7dad1903dd
  SHA1: e3da72675df53fffa781d4377d1d62116eafb35b
  SHA256: 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
  SHA512: af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

- memory/1764-134-0x0000000000000000-mapping.dmp
- memory/3084-150-0x0000000000000000-mapping.dmp
- memory/4420-139-0x0000000000000000-mapping.dmp
- memory/4844-146-0x0000000000000000-mapping.dmp