Analysis
max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 02/12/2022, 20:57

Static task: static1

Behavioral task: behavioral1
Sample: 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe
Resource: win10v2004-20220812-en

General
Target: 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe
Size: 22KB
MD5: 8c293624022cbc58a1e8997427874e63
SHA1: 61d87f15df8f2f84b2adda71ab290f81a2e70535
SHA256: 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad
SHA512: 8a03b66b18687834d407b09db7b4a175a04cbf20c413f2e2a211e7e5eef083db24a86652937f32319a2e4a85323bdcac39cf4daae82978cce32a76673d57ff01
SSDEEP: 384:4L+q5r+PpHfXhUkKvI4QwjQNa5KDJiF7f5HbQ:4a4r+PpHfXGLOFE7f5HE
Malware Config
Signatures
Drops file in Drivers directory 60 IoCs
Executes dropped EXE 4 IoCs
pid   Process
1624  winlogon.exe
1540  AE 0124 BE.exe
1324  winlogon.exe
1504  winlogon.exe
Loads dropped DLL 9 IoCs
pid   Process
960   99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe
960   99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe
1624  winlogon.exe
1624  winlogon.exe
1324  winlogon.exe
1540  AE 0124 BE.exe
1540  AE 0124 BE.exe
1504  winlogon.exe
1376  iexplore.exe
Drops desktop.ini file(s) 40 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1376 iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe
1376 iexplore.exe
1376 iexplore.exe
1624 winlogon.exe
1692 IEXPLORE.EXE
1692 IEXPLORE.EXE
1540 AE 0124 BE.exe
1324 winlogon.exe
1504 winlogon.exe
1692 IEXPLORE.EXE
1692 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 960 wrote to memory of 1376 960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe 27
PID 960 wrote to memory of 1376 960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe 27
PID 960 wrote to memory of 1376 960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe 27
PID 960 wrote to memory of 1376 960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe 27
PID 1376 wrote to memory of 1692 1376 iexplore.exe 29
PID 1376 wrote to memory of 1692 1376 iexplore.exe 29
PID 1376 wrote to memory of 1692 1376 iexplore.exe 29
PID 1376 wrote to memory of 1692 1376 iexplore.exe 29
PID 960 wrote to memory of 1624 960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe 30
PID 960 wrote to memory of 1624 960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe 30
PID 960 wrote to memory of 1624 960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe 30
PID 960 wrote to memory of 1624 960 99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe 30
PID 1624 wrote to memory of 1540 1624 winlogon.exe 31
PID 1624 wrote to memory of 1540 1624 winlogon.exe 31
PID 1624 wrote to memory of 1540 1624 winlogon.exe 31
PID 1624 wrote to memory of 1540 1624 winlogon.exe 31
PID 1624 wrote to memory of 1324 1624 winlogon.exe 32
PID 1624 wrote to memory of 1324 1624 winlogon.exe 32
PID 1624 wrote to memory of 1324 1624 winlogon.exe 32
PID 1624 wrote to memory of 1324 1624 winlogon.exe 32
PID 1540 wrote to memory of 1504 1540 AE 0124 BE.exe 33
PID 1540 wrote to memory of 1504 1540 AE 0124 BE.exe 33
PID 1540 wrote to memory of 1504 1540 AE 0124 BE.exe 33
PID 1540 wrote to memory of 1504 1540 AE 0124 BE.exe 33
Processes

C:\Users\Admin\AppData\Local\Temp\99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe (depth 1, PID 960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\99a2de5852f1be8452247abf068b7675229b26b859aebea95deb6ea73b0120ad.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe (depth 2, PID 1376)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 3, PID 1692)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\drivers\winlogon.exe (depth 2, PID 1624)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe (depth 3, PID 1540)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe (depth 4, PID 1504)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe (depth 3, PID 1324)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
Downloads