c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b

General

Target

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
Size

400KB
MD5

32048b9e1b6d5002e5260b4cd63de46a
SHA1

2c1d2659598cc39eca6e28a43325b802a57d467b
SHA256

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b
SHA512

b01b18ba715f423d9c200bd3bc452da647bd9dcbd90564ac5144ffd667892660aeaa489d0f2ef3e1493e005105311d34e1a557f37ef1e06221c2add40944df49
SSDEEP

6144:xCTPgrnq0/FniJi6uTJKvePPMqLckUet72FwBI+AFdb8MucbSVtRNOcamDGT8eWj:xCTPgrnZiJiAaMVkUet7EwBI+APuALDc

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmpmmhy = "dsoyfom.exe"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Drops desktop.ini file(s) 48 IoCs

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
File opened for modification	\??\y:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\k:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\q:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\i:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\j:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\n:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\p:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\s:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\w:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\f:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\g:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\x:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\e:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\j:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\k:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\o:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\p:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\v:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\c:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\c:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\x:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\r:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\s:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\t:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\t:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\u:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\z:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\e:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\f:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\m:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\o:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\q:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\v:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\h:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\u:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\n:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\l:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\r:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\g:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\i:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\m:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\w:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\y:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\z:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\h:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\l:\Desktop.ini	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
File opened (read-only)	\??\g:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\r:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\t:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\y:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\z:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\e:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\j:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\q:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\w:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\x:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\i:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\u:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\n:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\o:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\p:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\f:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\h:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\k:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\l:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\m:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\s:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened (read-only)	\??\v:	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Drops autorun.inf file 1 TTPs 47 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
File created	\??\k:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\p:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\q:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\r:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\s:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	C:\Documents and Settings\Admin\Application Data\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\c:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\j:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\y:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\t:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\w:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\x:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\i:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\p:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\t:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\u:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\v:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\c:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\f:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\h:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\j:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\r:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\z:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\f:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\g:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\m:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\i:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\l:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\m:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\u:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\w:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\x:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\y:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\g:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\q:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\s:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\o:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\e:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\h:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\o:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\n:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\n:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\v:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\z:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\e:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	\??\k:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	\??\l:\Autorun.inf	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Drops file in System32 directory 3 IoCs

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msvbvm60.dll	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File created	C:\Windows\SysWOW64\dsoyfom.exe	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
File opened for modification	C:\Windows\SysWOW64\dsoyfom.exe	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Drops file in Windows directory 1 IoCs

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
File created	C:\Windows\Negeri Serumpun Sebalai .pif .bat .com .scr .exe	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
716	1844	WerFault.exe	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
2440	1844	WerFault.exe	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\Desktop\SCRNSAVE.EXE = "MR_COO~1.SCR"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Modifies registry class 3 IoCs

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "JPEG Image"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "Princess Document"	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

pid	process
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

pid process

1844 c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe

description	pid	process	target process
PID 1844 wrote to memory of 716	1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe	WerFault.exe
PID 1844 wrote to memory of 716	1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe	WerFault.exe
PID 1844 wrote to memory of 716	1844	c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe
"C:\Users\Admin\AppData\Local\Temp\c8dca94f7f8b5f7ce7ce53314e8c0006a28b5123460552b708f3a08bea12486b.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1844