70c95afec201ec4248a126cef8e963a407029a986ba225efa537b2575ecfa85b

Analysis

max time kernel
140s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2024, 09:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cdb35d164336b889c4e5f8e6d336b179.exe
Size

122KB
MD5

cdb35d164336b889c4e5f8e6d336b179
SHA1

5c2bc02bcf32846275dc0c396a1bf278b1e9fa9d
SHA256

70c95afec201ec4248a126cef8e963a407029a986ba225efa537b2575ecfa85b
SHA512

84f754bfc8934dd817b4abdcd89fb7b8d9a757181e849e0581ecdf21d8258592976c94798469205614c83da4955a1e9847cd11b0cad61a5ae17b05b47af38270
SSDEEP

3072:62ScCYWi1iT3yKMSIxvxj7yU82LNtedVk1H8m0/IKGwhqZab:62SWgCjSIxhv/j1cm0p

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\system32\\HideFyles\\logoffy.exe"	cdb35d164336b889c4e5f8e6d336b179.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\system32\\HideFyles\\logoffy.exe, C:\\Windows\\system32\\antav\\av.exe"	logoffy.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	logoffy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPOLSV = "C:\\Windows\\system32\\HideFyles\\mspainte.exe"	cdb35d164336b889c4e5f8e6d336b179.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FilesLogsHide\25.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\34.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\arq.bat	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\16.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\30.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\17.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\15.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\46.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\47.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\06.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\19.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\23.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\26.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\27.log	cdb35d164336b889c4e5f8e6d336b179.exe
File opened for modification	C:\Windows\SysWOW64\FilesLogsHide	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\03.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\22.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\43.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\14.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\07.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\10.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\28.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\37.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\39.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\49.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\HideFyles\logoffy.exe	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\02.log	cdb35d164336b889c4e5f8e6d336b179.exe
File opened for modification	C:\Windows\SysWOW64\antav	logoffy.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\11.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\36.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\HideFyles\inuus	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\08.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\20.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\32.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\09.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\50.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\51.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\sair.log	cdb35d164336b889c4e5f8e6d336b179.exe
File opened for modification	C:\Windows\SysWOW64\HideFyles\logoffy.exe	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\41.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\48.log	cdb35d164336b889c4e5f8e6d336b179.exe
File opened for modification	C:\Windows\SysWOW64\HideFyles\	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\29.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\24.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\HideFyles\mspainte.exe	cdb35d164336b889c4e5f8e6d336b179.exe
File opened for modification	C:\Windows\SysWOW64\HideFyles\mspainte.exe	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\01.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\12.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\18.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\35.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\44.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\45.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\antav\nameversion	logoffy.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\04.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\38.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\40.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\31.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\13.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\21.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\33.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\42.log	cdb35d164336b889c4e5f8e6d336b179.exe
File created	C:\Windows\SysWOW64\FilesLogsHide\05.log	cdb35d164336b889c4e5f8e6d336b179.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "162"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "526"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "433"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "526"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31094660"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b883981b30f3694996f9cdb73b998e5e00000000020000000000106600000001000020000000940fb415b47da7bc2af2a8212e6a23c84c631c591f05e558389810322fd6a4fa000000000e80000000020000200000009bb89147273452326af16cd5402ca84fa3a28f24c8addbda7d2950a5dd7c819320000000b791f5f29ec39e7be1c1d365700ad342c2cc04bda28da549a1b3bbc083d56cb240000000f8a13058041bcc85453098235c22abc71dad5e93f9fbf73aa8a957131b803775723904a632521b5e671d9f4408a0b515a8330491a14bfb75795aaa62ec5a0f01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "85"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "492"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094660"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "462"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "433"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\DOMStorage\ig.com.br	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "340"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "245"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "340"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2206319809"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c03591878477da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "492"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "492"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "245"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "462"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "465"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31094660"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AE6D7E1E-E377-11EE-9846-E63A1A6527EC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "4"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "462"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2206319809"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "4"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "162"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "592"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2214601625"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "4"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "162"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "592"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31094660"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "245"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.ig.com.br\ = "465"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\ig.com.br\Total = "465"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0b17b878477da01	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4048	reg.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3600	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
812	cdb35d164336b889c4e5f8e6d336b179.exe
3600	iexplore.exe
3600	iexplore.exe
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE
2760	logoffy.exe
2760	logoffy.exe
2760	logoffy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 4100	812	cdb35d164336b889c4e5f8e6d336b179.exe	88
PID 812 wrote to memory of 4100	812	cdb35d164336b889c4e5f8e6d336b179.exe	88
PID 812 wrote to memory of 4100	812	cdb35d164336b889c4e5f8e6d336b179.exe	88
PID 4100 wrote to memory of 4048	4100	cmd.exe	90
PID 4100 wrote to memory of 4048	4100	cmd.exe	90
PID 4100 wrote to memory of 4048	4100	cmd.exe	90
PID 3600 wrote to memory of 2860	3600	iexplore.exe	95
PID 3600 wrote to memory of 2860	3600	iexplore.exe	95
PID 3600 wrote to memory of 2860	3600	iexplore.exe	95
PID 812 wrote to memory of 2760	812	cdb35d164336b889c4e5f8e6d336b179.exe	98
PID 812 wrote to memory of 2760	812	cdb35d164336b889c4e5f8e6d336b179.exe	98
PID 812 wrote to memory of 2760	812	cdb35d164336b889c4e5f8e6d336b179.exe	98

C:\Users\Admin\AppData\Local\Temp\cdb35d164336b889c4e5f8e6d336b179.exe
"C:\Users\Admin\AppData\Local\Temp\cdb35d164336b889c4e5f8e6d336b179.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\arq.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:4048
- C:\Windows\SysWOW64\HideFyles\logoffy.exe
  C:\Windows\system32\HideFyles\logoffy.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2760

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3600 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\Z2MHKNGV\www.ig.com[1].xml

Filesize
801B

MD5
088929e6a24b9afcd2329411f26b383c

SHA1
a1b9a46ff59ca2282f74baf814fd6e0f413995d5

SHA256
b24a219f8c0391690582ae9ed77fa864491811f7b5bfacbd471f08d8a6c8134f

SHA512
ccb7b0309831ddefcc26dc59b209622a0919769fc81479bc636c39c74136723c87e55969bf573b31505a6a2bb357cd98edc4b69fd1fd1dd3048f33275c62745b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verEC35.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\br9amda\imagestore.dat

Filesize
5KB

MD5
9ee56100cd140deaeeb7c833978fa47a

SHA1
865df30e07820196527aee12c0749c7d265f7e2c

SHA256
f76c50c5123e2765240081ea21f99061f68eaf7cb5ea8a70a2c7338095b0e85a

SHA512
ba23ff8b9ff716de0c8312323beb66d9894cc679d36f5fcba272a3c18295fcbf8322c09eb092aa722fd5672ade1b891237cc59cb372ec977ab7e0eb79116ce34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZZV2MGD\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R2H8ZEZE\logo-ig[1].png

Filesize
5KB

MD5
b3b4af8425eda6457518445649562041

SHA1
75827102d9d5d610835ed4b1c25eb61506c3fa57

SHA256
e3b22a537e12467726b4e77539f20175c1effbf18f5910d77073dbb6ab1a71fe

SHA512
7cf18c9ffdff11d044dab89898cae82b4243e97b6e01598eded8578d62118fb98ae18b75fcc0c319c675c11fe83008a6114e8917e5de3157597835fb0f9214c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\R2H8ZEZE\ws-ad[1].js

Filesize
21KB

MD5
7cbd8156d0e2a037b90e8613021292e5

SHA1
088237571ecff682603d02941d83baa6e0726d87

SHA256
9d02c3facc410ee6a9dceade80ce0bc710f6037df881453124d3f5c83a6241b5

SHA512
4475f8cca3e7f4ce83f184b14100dc0a6f812aeb73f7bc1aae7c50a7546f1cf8951812c089472a00853fdc33afdd8b2398f603357df6b5bad595617850aea0c4

Download Submit
C:\Windows\SysWOW64\FilesLogsHide\05.log

Filesize
26B

MD5
5be20fa2500878b0789c20e7c4ee5114

SHA1
8ffa467281946fde01a5add82006146423302076

SHA256
b07fd4684ea337d49388fbf72a68c430851ede803e7eb48dc301c3d7085ffc3d

SHA512
9be58471ba2d22abbda9cacf78d8ca7e0facba105134700263d13c2c9138d08e09011e317c71f26df5b5318cbe2bfc69a6f5b65fb43bcb947868034fbcbcb44c

Download Submit
C:\Windows\SysWOW64\HideFyles\logoffy.exe

Filesize
122KB

MD5
cdb35d164336b889c4e5f8e6d336b179

SHA1
5c2bc02bcf32846275dc0c396a1bf278b1e9fa9d

SHA256
70c95afec201ec4248a126cef8e963a407029a986ba225efa537b2575ecfa85b

SHA512
84f754bfc8934dd817b4abdcd89fb7b8d9a757181e849e0581ecdf21d8258592976c94798469205614c83da4955a1e9847cd11b0cad61a5ae17b05b47af38270

Download Submit
C:\Windows\SysWOW64\arq.bat

Filesize
119B

MD5
9f08b6d102fd194ec2f3ce202a2de949

SHA1
13520089e21c5793990e608a2471ec6743200449

SHA256
d57b5b62148a2dc2aae12fa74bd0d1d12e9fade7880c0e939ecb0fb0fc9d3024

SHA512
d559d9c1b54d83e1eb12bec5dd29cc7e07b22de83a722d0b4103014e39be5afac2f08c7bb5b24f25fe3ba65e38e8d438d00d8aa4a07ee3791b1641e0945a3403

Download Submit
memory/812-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/812-193-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/2760-191-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download