Analysis

max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 21:36
Behavioral task: behavioral1
Sample: 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
Resource: win10v2004-20240508-en
General

Target: 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
Size: 423KB
MD5: ad7cf66560e0c2c57ae299f8c727bf66
SHA1: e160143b3037d72a551cfb02a0b98ce32f92dae4
SHA256: 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9
SHA512: ec3feb22cdd7bcada254123424e402e7ddc142b48b5b1b2ee11afdb6f7cc7276787542a6f4fa7e2cb53bef7c4d13ec6cb2b5aee476a4a954748ec5b49ce0fc71
SSDEEP: 6144:DP+PtrmEs7eVyYr9AmEcmI5qpYDb1MV+w1ILKcelS4:DP+Pt9sKVyY3EcmIopMbv1Ockd
Malware Config

Signatures

UPX dump on OEP (original entry point) (7 IoCs)
Drops file in Drivers directory (60 IoCs)
Manipulates Digital Signatures (2 IoCs)
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Executes dropped EXE (4 IoCs)
pid | Process
2748 | winlogon.exe
2468 | AE 0124 BE.exe
2816 | winlogon.exe
2540 | winlogon.exe
Loads dropped DLL (8 IoCs)
pid | Process
2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
2468 | AE 0124 BE.exe
2468 | AE 0124 BE.exe
2748 | winlogon.exe
2748 | winlogon.exe
2816 | winlogon.exe
2540 | winlogon.exe
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
3 | 1032 | msiexec.exe
4 | 2044 | msiexec.exe
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file (1 TTP, 26 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-devinst-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ac77d5b138db374f.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-openfiles.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0418e2ff50411f0b.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-d..tshow-asf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d80935f74b1c88ea\qasf.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.1.7600.16385_none_237ab8d1f339c9c5\DebugAndTrace.aspx.resx AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..centercpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_771a5388e183d666 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_iscsi.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d5f0cdf505a7cc8e\iscsi.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-n..ce_iassdo.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3f7baabfab616bf2\iassdo.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_prnca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_62efd6227ab667ed\prnca00d.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_wiabr007.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_72121bad08657463\Brmf3wia.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_zh-hk_e2d325bf9fa56995\DWrite.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-hgroupp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7d38ef3294cdafa0.manifest AE 0124 BE.exe File opened for modification 
C:\Windows\winsxs\wow64_bth-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_fbd45b0284455882\bthprops.cpl.mui AE 0124 BE.exe File opened for modification C:\Windows\Help\Windows\it-IT\iisbasic.h1s AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-m..ntrol-rll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8c48a0cb5e48b35e AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-c..ilter-rtf.resources_31bf3856ad364e35_7.0.7600.16385_en-us_e38d3c416c0de551 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_brmfcmf.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8910876519478872\brmfcmf.inf_loc AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-c..questtool.resources_31bf3856ad364e35_6.1.7600.16385_it-it_409537159e37bcf7 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_ko-kr_bf37bd127de6c85d_comdlg32.dll.mui_ac8e62f4 AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 43 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (REG_MULTI_SZ, UTF-16LE: "en-US", "en") | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
All 43 entries are written by DrvInst.exe, the Windows device-installation helper that ran for the STORAGE\VolumeSnapshot device listed under Processes, into the .DEFAULT (SYSTEM) profile. They are the empty per-store certificate keys (Root, CA, Disallowed, TrustedPeople, trust, My, SmartCardRoot and their Certificates/CRLs/CTLs subkeys) that the certificate APIs create on first use in a profile, plus a MUI cache entry. None of them was written by the sample's own binaries, so this table is environment noise and not a basis for a detection.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2044 | msiexec.exe
2044 | msiexec.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1032 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1032 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 2044 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2044 | msiexec.exe
Token: SeSecurityPrivilege | 2044 | msiexec.exe
Token: SeCreateTokenPrivilege | 1032 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1032 | msiexec.exe
Token: SeLockMemoryPrivilege | 1032 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1032 | msiexec.exe
Token: SeMachineAccountPrivilege | 1032 | msiexec.exe
Token: SeTcbPrivilege | 1032 | msiexec.exe
Token: SeSecurityPrivilege | 1032 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1032 | msiexec.exe
Token: SeLoadDriverPrivilege | 1032 | msiexec.exe
Token: SeSystemProfilePrivilege | 1032 | msiexec.exe
Token: SeSystemtimePrivilege | 1032 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1032 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1032 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1032 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1032 | msiexec.exe
Token: SeBackupPrivilege | 1032 | msiexec.exe
Token: SeRestorePrivilege | 1032 | msiexec.exe
Token: SeShutdownPrivilege | 1032 | msiexec.exe
Token: SeDebugPrivilege | 1032 | msiexec.exe
Token: SeAuditPrivilege | 1032 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1032 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1032 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1032 | msiexec.exe
Token: SeUndockPrivilege | 1032 | msiexec.exe
Token: SeSyncAgentPrivilege | 1032 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1032 | msiexec.exe
Token: SeManageVolumePrivilege | 1032 | msiexec.exe
Token: SeImpersonatePrivilege | 1032 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1032 | msiexec.exe
Token: SeBackupPrivilege | 2168 | vssvc.exe
Token: SeRestorePrivilege | 2168 | vssvc.exe
Token: SeAuditPrivilege | 2168 | vssvc.exe
Token: SeBackupPrivilege | 2044 | msiexec.exe
Token: SeRestorePrivilege | 2044 | msiexec.exe
Token: SeRestorePrivilege | 1628 | DrvInst.exe
Token: SeRestorePrivilege | 1628 | DrvInst.exe
Token: SeRestorePrivilege | 1628 | DrvInst.exe
Token: SeRestorePrivilege | 1628 | DrvInst.exe
Token: SeRestorePrivilege | 1628 | DrvInst.exe
Token: SeRestorePrivilege | 1628 | DrvInst.exe
Token: SeRestorePrivilege | 1628 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1628 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1628 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1628 | DrvInst.exe
Token: SeRestorePrivilege | 2044 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2044 | msiexec.exe
Token: SeRestorePrivilege | 2044 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2044 | msiexec.exe
Token: SeRestorePrivilege | 2044 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2044 | msiexec.exe
None of these rows comes from the sample's own binaries (PIDs 2944, 2748, 2468, 2540, 2816); they are produced by msiexec.exe, vssvc.exe and DrvInst.exe, the Windows components that the MSI install set in motion. The table records AdjustTokenPrivileges calls and does not show which privileges were actually granted, so the long run for msiexec.exe PID 1032 is not evidence that the process held SeDebugPrivilege or SeTcbPrivilege.
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1032 | msiexec.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
2748 | winlogon.exe
2468 | AE 0124 BE.exe
2816 | winlogon.exe
2540 | winlogon.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 2944 wrote to memory of 1032 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 28
PID 2944 wrote to memory of 1032 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 28
PID 2944 wrote to memory of 1032 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 28
PID 2944 wrote to memory of 1032 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 28
PID 2944 wrote to memory of 1032 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 28
PID 2944 wrote to memory of 1032 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 28
PID 2944 wrote to memory of 1032 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 28
PID 2944 wrote to memory of 2748 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 29
PID 2944 wrote to memory of 2748 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 29
PID 2944 wrote to memory of 2748 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 29
PID 2944 wrote to memory of 2748 | 2944 | 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe | 29
PID 2748 wrote to memory of 2468 | 2748 | winlogon.exe | 30
PID 2748 wrote to memory of 2468 | 2748 | winlogon.exe | 30
PID 2748 wrote to memory of 2468 | 2748 | winlogon.exe | 30
PID 2748 wrote to memory of 2468 | 2748 | winlogon.exe | 30
PID 2468 wrote to memory of 2540 | 2468 | AE 0124 BE.exe | 31
PID 2468 wrote to memory of 2540 | 2468 | AE 0124 BE.exe | 31
PID 2468 wrote to memory of 2540 | 2468 | AE 0124 BE.exe | 31
PID 2468 wrote to memory of 2540 | 2468 | AE 0124 BE.exe | 31
PID 2748 wrote to memory of 2816 | 2748 | winlogon.exe | 32
PID 2748 wrote to memory of 2816 | 2748 | winlogon.exe | 32
PID 2748 wrote to memory of 2816 | 2748 | winlogon.exe | 32
PID 2748 wrote to memory of 2816 | 2748 | winlogon.exe | 32
-
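Added example, not code from the report or from the sandbox: a small Python parser for the flattened WriteProcessMemory and AdjustPrivilegeToken rows on this page. It de-duplicates the repeated write rows, rebuilds the parent/child tree, and annotates each process with the sensitive privileges it asked for. The pid-to-image map is copied from the Processes section; the privilege subset used as input and the choice of which privileges count as sensitive are the example's own.

```python
"""Rebuild the process tree and per-process privilege use from the flattened
sandbox tables on this page. Added example, not code from the report."""
import re
from collections import defaultdict

# Constructed input: rows copied from the "Suspicious use of WriteProcessMemory"
# table above, joined on one line the way the page flattens them (two of the
# seven identical 2944 -> 1032 rows are enough to show the de-duplication).
WPM_ROWS = (
    "PID 2944 wrote to memory of 1032 2944 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 28 "
    "PID 2944 wrote to memory of 1032 2944 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 28 "
    "PID 2944 wrote to memory of 2748 2944 48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe 29 "
    "PID 2748 wrote to memory of 2468 2748 winlogon.exe 30 "
    "PID 2468 wrote to memory of 2540 2468 AE 0124 BE.exe 31 "
    "PID 2748 wrote to memory of 2816 2748 winlogon.exe 32"
)
# Constructed input: a subset of the "Suspicious use of AdjustPrivilegeToken" rows.
TOKEN_ROWS = (
    "Token: SeShutdownPrivilege 1032 msiexec.exe Token: SeRestorePrivilege 2044 msiexec.exe "
    "Token: SeTcbPrivilege 1032 msiexec.exe Token: SeLoadDriverPrivilege 1032 msiexec.exe "
    "Token: SeDebugPrivilege 1032 msiexec.exe Token: SeBackupPrivilege 2168 vssvc.exe "
    "Token: SeLoadDriverPrivilege 1628 DrvInst.exe Token: SeLoadDriverPrivilege 1628 DrvInst.exe"
)
# pid -> image path, from the Processes section of the report.
IMAGES = {
    2944: r"C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe",
    1032: r"C:\Windows\SysWOW64\msiexec.exe",
    2748: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    2468: r"C:\Windows\AE 0124 BE.exe",
    2540: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    2816: r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    2044: r"C:\Windows\system32\msiexec.exe",
    2168: r"C:\Windows\system32\vssvc.exe",
    1628: r"C:\Windows\system32\DrvInst.exe",
}
# Privileges worth a second look whoever asks for them (the example's own choice).
SENSITIVE = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
             "SeRestorePrivilege", "SeBackupPrivilege"}

# Columns: description, pid, Process, procid_target. The process name may
# contain spaces ("AE 0124 BE.exe"), so it is matched lazily up to the last
# number before the next row or the end of the text.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)(?= PID |\s*$)")
TOKEN_RE = re.compile(r"Token: (Se\w+Privilege) (\d+) (.+?)(?= Token: |\s*$)")


def parse_wpm(text):
    """(parent, child) pairs in first-seen order; the sandbox lists one row per
    WriteProcessMemory call, so the same pair repeats and must be collapsed."""
    seen, edges = set(), []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def parse_tokens(text):
    """{pid: set of privilege names the process passed to AdjustTokenPrivileges}."""
    privs = defaultdict(set)
    for m in TOKEN_RE.finditer(text):
        privs[int(m.group(2))].add(m.group(1))
    return dict(privs)


def build_tree(edges):
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return dict(children)


def roots(tree, images):
    """Processes nobody in the trace wrote to: the top-level entries."""
    spawned = {c for kids in tree.values() for c in kids}
    return [pid for pid in images if pid not in spawned]


def render(tree, images, privs, pid, depth=0):
    hot = sorted(SENSITIVE & privs.get(pid, set()))
    tag = "  [" + ", ".join(hot) + "]" if hot else ""
    lines = ["  " * depth + f"{pid} {images.get(pid, '?')}{tag}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, images, privs, child, depth + 1))
    return lines


def process_tree(wpm_text=WPM_ROWS, token_text=TOKEN_ROWS, images=IMAGES):
    tree = build_tree(parse_wpm(wpm_text))
    privs = parse_tokens(token_text)
    out = []
    for root in roots(tree, images):
        out.extend(render(tree, images, privs, root))
    return out


if __name__ == "__main__":
    print("\n".join(process_tree()))
```

Run stand-alone it prints the same tree the Processes section shows, with the privilege tags landing only on the Windows components (msiexec.exe, vssvc.exe, DrvInst.exe), which is the quickest way to confirm that none of the sample's own processes appears in the AdjustPrivilegeToken table.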
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

The tree is indented by parent. The sample's children have image paths under C:\Windows\SysWOW64\ although their command lines name C:\Windows\System32\: the sample runs as a 32-bit process on 64-bit Windows, so WOW64 file-system redirection maps its System32 paths to SysWOW64. A 32-bit tool will therefore find the dropped winlogon.exe at C:\Windows\System32\drivers\ and a 64-bit tool at C:\Windows\SysWOW64\drivers\; the genuine winlogon.exe lives in C:\Windows\System32\ itself, not in its drivers subdirectory.

C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe (PID 2944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\msiexec.exe (PID 1032)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

  C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2748)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe (PID 2468)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2540)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2816)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\msiexec.exe (PID 2044)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 2168)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 1628)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000003A8"
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 800865fa09ef86890f878bdd0495d7ae
  SHA1: 6b3a9c136c54419b035f16d1f15e2cc41d9cd9ea
  SHA256: da5ef5ad9c56cb2faa14a03eb1c87191ce0b1aaa4b84944d30888bfd780352c7
  SHA512: 82af688faaaab306c3b4e4daef6af39169c57c134af182c99a008d8480b8a43a59cdb750421ff7fceed1611d1d1206d90644de5b150b0b2e609a5db49a4161be
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- Filesize: 423KB
  MD5: 486f9620b2994ba36ef9902cf9753c22
  SHA1: 9bc137af24575692930bc1a5072f5190471a82e8
  SHA256: 9c2bac7144ebb4fff2ae479fcd2a40cbf57ef41e609af4f4b53be7f39b915d23
  SHA512: dde4bcb0cd560bcf427c86e88f2e4e8eb0cdf1108e6b32d8228de9fef192f02906981c6f0572ecfc69929994b6f4f2d344bb8030ec8fcdd3686f7a1985beee9a
- Filesize: 1.3MB
  MD5: 5343a19c618bc515ceb1695586c6c137
  SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize: 21B
  MD5: 9cceaa243c5d161e1ce41c7dad1903dd
  SHA1: e3da72675df53fffa781d4377d1d62116eafb35b
  SHA256: 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
  SHA512: af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b
- Filesize: 94KB
  MD5: c9bbc3081799a8fecfa8360c8d0ba1a9
  SHA1: 956f852d525de269c36d356a73b43a42f839aba7
  SHA256: 1f13f61b6ab1621c02ba45ff6c5a0feb655a90226b05b0e2b5511d3a175a432f
  SHA512: e62ba334df0c9921b7e9e8c79d1791a4e9c8f8181013bf46514b4b507d3092015d5626a4e1a9d1c62454deabcca6aad2a54cb311fe48c89bf73c93f29489a522
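Added example, not code from the report or from the sandbox: a host-side sweep in Python that turns what this report records into checks over a file inventory. It uses the two SHA-256 values the page gives (the submitted sample, whose file name is its hash, and the 423KB file under Downloads), the dropped paths from the Processes section, a winlogon.exe living anywhere but C:\Windows\System32, and an autorun.inf at a drive root. The autorun.inf location is an assumption (the report says one is dropped but does not name the path), the "genuine winlogon.exe directory" baseline is an assumption, and the inventory below is constructed: the hashes on its suspicious entries are the report's, but which path carried which hash is not something the report states.

```python
"""Host-side sweep for the artefacts recorded in this report. Added example,
not code from the report or the sandbox; the inventory is constructed."""
import hashlib
import ntpath

# SHA-256 values from this report: the submitted sample (its file name is the
# hash) and the 423KB file listed under Downloads.
KNOWN_BAD_SHA256 = {
    "48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9": "submitted sample",
    "9c2bac7144ebb4fff2ae479fcd2a40cbf57ef41e609af4f4b53be7f39b915d23": "423KB file from Downloads",
}

# Paths from the Processes section, lower-cased. The winlogon.exe drop is listed
# twice because a 32-bit process on 64-bit Windows sees it under System32 while
# a 64-bit process sees it under SysWOW64 (WOW64 file-system redirection).
DROPPED_PATHS = {
    r"c:\windows\syswow64\drivers\winlogon.exe",
    r"c:\windows\system32\drivers\winlogon.exe",
    r"c:\windows\ae 0124 be.exe",
    r"c:\windows\ae 0124 be.msi",
}

# Directory of the genuine winlogon.exe on a stock install (assumption: adjust
# to your own baseline if it differs).
LEGIT_WINLOGON_DIRS = {r"c:\windows\system32"}


def sha256_hex(data):
    """Hash file contents; on a real host call this on open(path, "rb").read()."""
    return hashlib.sha256(data).hexdigest()


# Constructed inventory: the hashes on the two suspicious entries are the
# report's, but which path carried which hash is an assumption for the demo.
INVENTORY = [
    {"path": r"C:\Windows\System32\winlogon.exe",
     "sha256": sha256_hex(b"stand-in for the genuine winlogon.exe")},
    {"path": r"C:\Windows\SysWOW64\drivers\winlogon.exe",
     "sha256": "9c2bac7144ebb4fff2ae479fcd2a40cbf57ef41e609af4f4b53be7f39b915d23"},
    {"path": r"C:\Windows\AE 0124 BE.exe",
     "sha256": "48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9"},
    {"path": r"C:\Users\Admin\Documents\notes.txt",
     "sha256": sha256_hex(b"benign content")},
    {"path": r"E:\autorun.inf",
     "sha256": sha256_hex(b"[autorun]\r\n")},
]


def is_drive_root(directory):
    """True for 'e:\\' style directories (drive letter plus a single separator)."""
    drive, rest = ntpath.splitdrive(directory)
    return bool(drive) and rest in ("\\", "/")


def sweep(inventory):
    """Return (path, reason) pairs; one path can produce several reasons."""
    findings = []
    for entry in inventory:
        path = entry["path"]
        low = path.lower()
        directory, name = ntpath.split(low)
        digest = entry["sha256"].lower()
        if digest in KNOWN_BAD_SHA256:
            findings.append((path, "hash match: " + KNOWN_BAD_SHA256[digest]))
        if low in DROPPED_PATHS:
            findings.append((path, "path recorded in report"))
        if name == "winlogon.exe" and directory not in LEGIT_WINLOGON_DIRS:
            findings.append((path, "winlogon.exe outside System32"))
        if name == "autorun.inf" and is_drive_root(directory):
            findings.append((path, "autorun.inf at drive root"))
    return findings


def should_isolate(findings):
    """Escalate on a hash match or a masquerading system binary; the autorun.inf
    and recorded-path checks alone are weaker signals that only raise a ticket."""
    strong = {"winlogon.exe outside System32"}
    return any(r.startswith("hash match") or r in strong for _, r in findings)


if __name__ == "__main__":
    results = sweep(INVENTORY)
    for path, reason in results:
        print(f"{reason:35} {path}")
    print("isolate host:", should_isolate(results))
```

The path checks are deliberately case-insensitive and evaluated with ntpath so the script behaves the same whether it runs on the Windows host or over an inventory exported to a Linux analysis box; the hash check is the only one that survives a renamed or relocated drop, and the masquerade check is the only one that survives a rebuilt binary.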