Analysis
- max time kernel: 151s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05/12/2022, 22:33
Static task: static1
Behavioral task: behavioral1
  Sample: 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe
  Resource: win10v2004-20220812-en
General
- Target: 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe
- Size: 26KB
- MD5: 3a8ee9a41b0259d5301dedf16aa97da2
- SHA1: 28dd02497be450521e16ae772e99e3399835542d
- SHA256: 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05
- SHA512: bf4ec4c0d39e4bfd451c887bc7734441900568f34141ec3e92de644077acf5696411c966a2339ee67799d80248170530e2c62d47b94f985b3a6802691d953a4f
- SSDEEP: 384:1M3PnQoHDCpHf4I4Qwdc0G5KDJgSxKYDvHv9TmjX2d:1m/QojCpHfx0gSxTlWX2d
Malware Config

Signatures
- Drops file in Drivers directory (56 IoCs)
- Executes dropped EXE (3 IoCs)
  pid / process: 872 winlogon.exe; 524 AE 0124 BE.exe; 1648 winlogon.exe
- Loads dropped DLL (4 IoCs)
  pid / process: 756 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe; 756 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe; 524 AE 0124 BE.exe; 524 AE 0124 BE.exe
- Drops desktop.ini file(s) (35 IoCs)
- Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification: C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf (process: AE 0124 BE.exe)
- Drops file in System32 directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / process: 856 DllHost.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / process: 756 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe; 872 winlogon.exe; 524 AE 0124 BE.exe; 1648 winlogon.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target procid
  PID 756 wrote to memory of 872 | 756 | 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe | 29
  PID 756 wrote to memory of 872 | 756 | 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe | 29
  PID 756 wrote to memory of 872 | 756 | 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe | 29
  PID 756 wrote to memory of 872 | 756 | 99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe | 29
  PID 872 wrote to memory of 524 | 872 | winlogon.exe | 30
  PID 872 wrote to memory of 524 | 872 | winlogon.exe | 30
  PID 872 wrote to memory of 524 | 872 | winlogon.exe | 30
  PID 872 wrote to memory of 524 | 872 | winlogon.exe | 30
  PID 524 wrote to memory of 1648 | 524 | AE 0124 BE.exe | 31
  PID 524 wrote to memory of 1648 | 524 | AE 0124 BE.exe | 31
  PID 524 wrote to memory of 1648 | 524 | AE 0124 BE.exe | 31
  PID 524 wrote to memory of 1648 | 524 | AE 0124 BE.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\99a14714902ad890ae06b199dffb5abb790c746da254b126ddb2323a132aaf05.exe"
  PID: 756
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\drivers\winlogon.exe (depth 2)
    command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 872
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\AE 0124 BE.exe (depth 3)
      command line: "C:\Windows\AE 0124 BE.exe"
      PID: 524
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\drivers\winlogon.exe (depth 4)
        command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 1648
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\DllHost.exe (depth 1)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 856
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Downloads