1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Size

488KB
MD5

549b285b034030900764b8ca09f9ac26
SHA1

81b386310f280e7788a0ffa1fa05fee6fe0fb817
SHA256

1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a
SHA512

16cc3bb81f57d5d37811764433d4882812d740ab6ec48b1bf96c3492d5cba2a61f01d52dadec6010069e165b7e82e1720d095f1df45865b549093cfa43c7c787
SSDEEP

12288:V/M5/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V6K2O2HIBEd7M

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
2800	Tiwi.exe
956	IExplorer.exe
2196	winlogon.exe
1528	Tiwi.exe
2260	Tiwi.exe
1296	IExplorer.exe
1880	Tiwi.exe
2020	IExplorer.exe
1788	winlogon.exe
1368	IExplorer.exe
2012	winlogon.exe
3028	Tiwi.exe
2444	imoet.exe
1492	winlogon.exe
904	imoet.exe
1996	IExplorer.exe
2204	imoet.exe
2852	cute.exe
1752	cute.exe
2856	cute.exe
3060	winlogon.exe
2720	imoet.exe
2864	imoet.exe
2508	Tiwi.exe
2704	cute.exe
2688	cute.exe
2472	IExplorer.exe
2988	Tiwi.exe
2748	winlogon.exe
1300	IExplorer.exe
1900	imoet.exe
1444	winlogon.exe
2936	imoet.exe
2980	cute.exe
2124	cute.exe

Loads dropped DLL 53 IoCs

pid	Process
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2800	Tiwi.exe
2800	Tiwi.exe
956	IExplorer.exe
956	IExplorer.exe
2800	Tiwi.exe
2800	Tiwi.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
956	IExplorer.exe
956	IExplorer.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
956	IExplorer.exe
956	IExplorer.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2800	Tiwi.exe
2800	Tiwi.exe
2196	winlogon.exe
2196	winlogon.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
956	IExplorer.exe
956	IExplorer.exe
2800	Tiwi.exe
2800	Tiwi.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2196	winlogon.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2196	winlogon.exe
2196	winlogon.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2196	winlogon.exe
2196	winlogon.exe
2444	imoet.exe
2444	imoet.exe
2444	imoet.exe
2444	imoet.exe
2852	cute.exe
2852	cute.exe
2444	imoet.exe
2852	cute.exe
2852	cute.exe
2852	cute.exe
2852	cute.exe
2444	imoet.exe
2444	imoet.exe
2852	cute.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\H:	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\K:	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\W:	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\U:	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\Q:	imoet.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\T:	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\Z:	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\Q:	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened (read-only)	\??\Z:	imoet.exe
File opened (read-only)	\??\B:	cute.exe
File opened (read-only)	\??\Y:	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\R:	imoet.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\U:	imoet.exe
File opened (read-only)	\??\X:	imoet.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	IExplorer.exe
File opened for modification	F:\autorun.inf	IExplorer.exe
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	Tiwi.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File created	C:\Windows\SysWOW64\tiwi.scr	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\tiwi.exe	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s1159 = "Tiwi"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s2359 = "Tiwi"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\	cute.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1496	Notepad.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2800	Tiwi.exe
2444	imoet.exe
2196	winlogon.exe
956	IExplorer.exe
2852	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
2800	Tiwi.exe
956	IExplorer.exe
2196	winlogon.exe
1528	Tiwi.exe
2260	Tiwi.exe
1296	IExplorer.exe
1880	Tiwi.exe
2020	IExplorer.exe
2012	winlogon.exe
1368	IExplorer.exe
1788	winlogon.exe
1492	winlogon.exe
2444	imoet.exe
3028	Tiwi.exe
904	imoet.exe
2204	imoet.exe
1996	IExplorer.exe
1752	cute.exe
2852	cute.exe
2856	cute.exe
3060	winlogon.exe
2720	imoet.exe
2864	imoet.exe
2508	Tiwi.exe
2704	cute.exe
2688	cute.exe
2472	IExplorer.exe
2988	Tiwi.exe
2748	winlogon.exe
1300	IExplorer.exe
1900	imoet.exe
1444	winlogon.exe
2980	cute.exe
2936	imoet.exe
2124	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2800	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	28
PID 2028 wrote to memory of 2800	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	28
PID 2028 wrote to memory of 2800	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	28
PID 2028 wrote to memory of 2800	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	28
PID 2800 wrote to memory of 1496	2800	Tiwi.exe	29
PID 2800 wrote to memory of 1496	2800	Tiwi.exe	29
PID 2800 wrote to memory of 1496	2800	Tiwi.exe	29
PID 2800 wrote to memory of 1496	2800	Tiwi.exe	29
PID 2028 wrote to memory of 956	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	30
PID 2028 wrote to memory of 956	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	30
PID 2028 wrote to memory of 956	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	30
PID 2028 wrote to memory of 956	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	30
PID 2028 wrote to memory of 2196	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	31
PID 2028 wrote to memory of 2196	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	31
PID 2028 wrote to memory of 2196	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	31
PID 2028 wrote to memory of 2196	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	31
PID 2800 wrote to memory of 1528	2800	Tiwi.exe	32
PID 2800 wrote to memory of 1528	2800	Tiwi.exe	32
PID 2800 wrote to memory of 1528	2800	Tiwi.exe	32
PID 2800 wrote to memory of 1528	2800	Tiwi.exe	32
PID 956 wrote to memory of 2260	956	IExplorer.exe	33
PID 956 wrote to memory of 2260	956	IExplorer.exe	33
PID 956 wrote to memory of 2260	956	IExplorer.exe	33
PID 956 wrote to memory of 2260	956	IExplorer.exe	33
PID 2800 wrote to memory of 1296	2800	Tiwi.exe	34
PID 2800 wrote to memory of 1296	2800	Tiwi.exe	34
PID 2800 wrote to memory of 1296	2800	Tiwi.exe	34
PID 2800 wrote to memory of 1296	2800	Tiwi.exe	34
PID 2028 wrote to memory of 1880	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	35
PID 2028 wrote to memory of 1880	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	35
PID 2028 wrote to memory of 1880	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	35
PID 2028 wrote to memory of 1880	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	35
PID 956 wrote to memory of 2020	956	IExplorer.exe	36
PID 956 wrote to memory of 2020	956	IExplorer.exe	36
PID 956 wrote to memory of 2020	956	IExplorer.exe	36
PID 956 wrote to memory of 2020	956	IExplorer.exe	36
PID 2800 wrote to memory of 1788	2800	Tiwi.exe	37
PID 2800 wrote to memory of 1788	2800	Tiwi.exe	37
PID 2800 wrote to memory of 1788	2800	Tiwi.exe	37
PID 2800 wrote to memory of 1788	2800	Tiwi.exe	37
PID 2028 wrote to memory of 1368	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	38
PID 2028 wrote to memory of 1368	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	38
PID 2028 wrote to memory of 1368	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	38
PID 2028 wrote to memory of 1368	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	38
PID 2196 wrote to memory of 3028	2196	winlogon.exe	39
PID 2196 wrote to memory of 3028	2196	winlogon.exe	39
PID 2196 wrote to memory of 3028	2196	winlogon.exe	39
PID 2196 wrote to memory of 3028	2196	winlogon.exe	39
PID 956 wrote to memory of 2012	956	IExplorer.exe	40
PID 956 wrote to memory of 2012	956	IExplorer.exe	40
PID 956 wrote to memory of 2012	956	IExplorer.exe	40
PID 956 wrote to memory of 2012	956	IExplorer.exe	40
PID 956 wrote to memory of 2444	956	IExplorer.exe	42
PID 956 wrote to memory of 2444	956	IExplorer.exe	42
PID 956 wrote to memory of 2444	956	IExplorer.exe	42
PID 956 wrote to memory of 2444	956	IExplorer.exe	42
PID 2028 wrote to memory of 1492	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	41
PID 2028 wrote to memory of 1492	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	41
PID 2028 wrote to memory of 1492	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	41
PID 2028 wrote to memory of 1492	2028	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe	41
PID 2800 wrote to memory of 904	2800	Tiwi.exe	43
PID 2800 wrote to memory of 904	2800	Tiwi.exe	43
PID 2800 wrote to memory of 904	2800	Tiwi.exe	43
PID 2800 wrote to memory of 904	2800	Tiwi.exe	43

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe

C:\Users\Admin\AppData\Local\Temp\1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe
"C:\Users\Admin\AppData\Local\Temp\1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2028
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2800
- - C:\Windows\Notepad.exe
    Notepad.exe C:\Present.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1496
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1528
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1296
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1788
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:904
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1752
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:956
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2260
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2020
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2444
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2508
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2472
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2748
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1900
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2980
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2852
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2988
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1300
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1444
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2936
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2124
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2196
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3028
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1996
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3060
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2688
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1880
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1368
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2204
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2856
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2720
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
f38982557a4b242506e764cf61a97236

SHA1
3950c21028d27d4db8b6833387b30687f81ce87e

SHA256
6984a2747816cd6d60e5c76249152168052d7ff01724b5b753ccd8b4ba7cf1c0

SHA512
7f87b6563a3b308a98741f2dde7588a11d1946dbc55fa5e502269a89c325f85216925992bdc9b0e4446e55ad4ebd65e5be183c85f0b9dd2ce9877dc73aefbd1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
203d0b53eff1e45052d82ee6e81f01a3

SHA1
999405c1cc2aec5e7af8a4dd00adc59383d6b524

SHA256
9a311143dc235c6d67e2acc783648171675ec8d2754c53738e397581fa947fc6

SHA512
a14f1b9d7217bbcc05b7cd4455fd0fd4c438c4a416028d0a4bda64423063f7f780730201b48964efe08686998b947ae4c82a1d3a32576a5056635fa75e16d106

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
1efbc50a9752c14ae72979cddf44afbb

SHA1
1a6effbb3c7ff2f40aa00a26b404536145935e0b

SHA256
094d9c043921f8a23492a853404e9b77392cdf23f37b761466d79459951641bf

SHA512
0eb91b6d146bff1955a9b7dca7ff431c7dc8674c7402c05905766303b6f8fa1e25f32e02bb28d2cb90b11cc00d86015f808632c2cce64f27d2b3f52c3cfebf4d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
488KB

MD5
795df6225b0539613695d79f527f9dfc

SHA1
c94dc8289d8be23d542aee91e0e9fd652488a60a

SHA256
eadb013434c848728883d2606ffea398f18f18623d10ec37d71c0c6752ee68c5

SHA512
686fc7b60c3230222567245c1df2eece66b527f9433a7e32ff755f859cca6148a38195b3bc03559add1086823b1cea469e86374124f75ef9b544c22e5f256467

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
488KB

MD5
534f9567ab574cc543a52fb54c8934c0

SHA1
49040982557053b26fe6917fd0674a86e4bbf5ee

SHA256
1fa145fd3643d3405fe84414d6458349e91f1c2fdcc99fbffd1af1f80a604a0d

SHA512
7750e5684fec2b7c72bbbfcb2ca0dbcb1cc72ded8b2d1258b8a7d451411709c5f035de79a55f6ab228d48b0625eff97b0ff187865ef8071d6dee5f95dad4559e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
b0f8fb4a0da4e9f61db791a9dbcffcb3

SHA1
88b2d3acaa2c44b31882416a81b8ab651040f429

SHA256
bf6d7970ef98a1f54187e049066ee0f849fd519f10e7360604b0612cdd8bbad0

SHA512
2739e7ecad36395db0fe467c578b66b620e007272e2d2e8cbd80c5215ee3b14c968f1f3ed37593a1e7f210f127c3ed1c98996faca5221cfdc1a255ac44e9872e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
d87c751c7b3d54ff621d65edbd3367ac

SHA1
d3fccf7ca224d1edf0590866645146e4f2a82d9e

SHA256
3e4df67efa74adf257363a2aa081a104eb035cc49b913a04f1f45bfe0315e041

SHA512
eebab34655963a177904f3a18ffb447073cf4fd15e90b4096c0466242c55b8093f573479f40b8a33452505afc012abe36eb639fb0d9198efe8f4d0b485a0aaef

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
a3f8bd7618267d28469493ebca915b2d

SHA1
150629b2af45ed0f421caaf182b9b6948443c1d6

SHA256
eaa46d3a152e407f8a1ad6af243a237fda7ca4ac0c642451947814f45243ef8e

SHA512
6fbd3ca92f3f1dae8900f7f6bf8aad78e80487a8e4c4ffebf718ccf2ca3b6e3be6763b2c1a995d2a0b8d5325492d661aba2217c6165b6f11484ab4d6e367f47b

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
6dc0979f57c851bb04ffb7e9281bfeed

SHA1
b1b3f69fbc80d78b76e264a4b5bf50305df9ced5

SHA256
8841ab6845b31f19f110a5a6a9442ec39a576495e020af1c33eff16f3059366e

SHA512
5e93a01071ac4f376eab8c5ceabb9b80013d865738a073bf10e7594c0fb240ffe600ef414af62a3e1d4aa465831c1460b179810d89e372e8ebd2f6a87de6ee0d

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
8824fd3e4f78823950ea107a32d6085c

SHA1
843f11aebb54b9d73cc35dd3d1d52450dc97527e

SHA256
e4e06548dd15840ac5efc2ac43e1fa3514ad6c3a79d8e86329703d3f71647c8a

SHA512
6ea81b155e061162c964e2839e6adfd3e8fe77a8489975f9b51bfd68e649583c54e948a7fa2117f25576c19840aace371734025568d83206482337f4915b7fd4

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
ac6240dd953c9eec8917eeed018aeb5d

SHA1
43b3d49167480e7d21ecb7740d26d08ae36ca748

SHA256
fcbfe933d452e925c79503ca71e42d51e72fccaa107ab3103daf50dc199fcbff

SHA512
fda983712581815a385927a206bc9c1956621485e59d4ef1ae0d3719629c26174e854f1048bdddfbbd9cfd327d1914d81103234344603ce49141d3264eb33cf7

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
514f03c309e9a6c0d6545fb98cbaa8fd

SHA1
383f400be54332dbd8e7534b2ce799fb911df26c

SHA256
dde6077f115ce1f37f89827fd0a1b320ca8459bd59b2e1fd71c16d51b1f76fe8

SHA512
39da3dcaa18a4f02a304ff71c626ab21001d73077531a55e2e3d0b6b6f2691f625ebe5f91befb5436e00770dd179e7ee27d9a11f0738a7c95ae8f0cf368cd634

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
7d41172382fdf8a56c09781e1af4863b

SHA1
01a464063c7bbb2965b718c57e1ba053c0cb8254

SHA256
93f03b4988f054c7611933b4892d85ffe37a6b5d4df6926ed362809041d7340f

SHA512
de499b9a38a9b38c2d4d8030affa52afdb615e9eb4b8079f9de6a1c1a529fa54859f823b2232ab78c9f65d842e8cee457b58b31d525e2390b42207bded10933e

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
959f0837094064e7f411d865624c980c

SHA1
44c7e3415ca6161eff77e08272a4c1c2eee6279d

SHA256
3eacba4646d8ba779e7a53a0ad3136047be6ab596aa1c75e9ceb8c3b5a5a1fc9

SHA512
95e8577542fb1ecb763c84e7b3b7fec3176846f3392b81bc252a5ad74fbbfceb832da1c3072a54cf615c65c17cf37746c15848000fa8e7dc3a0806324e8528dd

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
549b285b034030900764b8ca09f9ac26

SHA1
81b386310f280e7788a0ffa1fa05fee6fe0fb817

SHA256
1dc4f4836b0e26d76152109e35931966d7e5b142dbcbf86b583026c90989a93a

SHA512
16cc3bb81f57d5d37811764433d4882812d740ab6ec48b1bf96c3492d5cba2a61f01d52dadec6010069e165b7e82e1720d095f1df45865b549093cfa43c7c787

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
74a955f645cfefc86d58e98e5b5501b7

SHA1
cbcb2599bdd050226e5deead81fb0fac814fc589

SHA256
f9564c16416278714b9eed95ce9b7ced667eb94bc9e0b0c472fb7c1e491e5db8

SHA512
116c2d6c696a642b4f1a02400398d536f8fd46617c2e9acbe0a2ee73db29e44f14a5db178f243ad1a630604706c52d92b317f198ea6355f20d17d9838b682723

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
5680d5e7fd8eaafb49d5f2a1ef3775d2

SHA1
49ef2d607f2760d17f9406b03f0639fa7d433280

SHA256
aded04e6239ce5337d55b2c5b3fcc957d68a7d6bd35ad015afb194097873ac55

SHA512
be910d81e772856a5ddf92a74a169dc1430592cf80bcd5d6a301afe51030bb31ef9bc3523852c463b52a32c3fea992db1feb49c8c9250df89edb47eeec79b02e

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
207ac393a24782fdf74684cd001d9258

SHA1
1edb791ea8c9e82579b97f107629f33b4dd84808

SHA256
6152764af5319b7e58f9d2dcfe0f81be3138e07bea2ac3c6332904f27e24b323

SHA512
422eb5982947c1fe7921435d8cc739a8b959914c49f6c65e8fb988fed9ae8309fed365af16dcdd592cf7f9e74384f66b697f965a30b5336fd0ce63b2dabcbcc4

Download Submit
C:\Windows\tiwi.exe

Filesize
488KB

MD5
e0c74f1dcca103c9196274b6675a17ee

SHA1
e10952bea0d5a75f95ec425c9601784f1cb19ec2

SHA256
1cf485c9408488de3168c5913dd38a37ee3a2ae430e9dfcd93c7b20e875621ce

SHA512
2e3e159bc03c5efd5e4fc07c2f81eae7f7a18139235ee27019bfc32e65c0770959ed0f84e8e9514dfc1263baab7c4c1013c7f415500ea8944fc496806118569f

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
5225eacfc18b080668e4f23d735449be

SHA1
7da5b73b1c39b881b1de9b0052bbee05c07eb943

SHA256
67054049ab4d4b56eeb9b69ebcb0661595ecbf943cf11e3ce2c9cc31a46f3871

SHA512
2cfbc1eebb08278e16207b19a95ecf55673a2a580a3de5d174f7c1e333475268706ef918f30b2ea19301f33976e74dd454c571218eaa9c50f7e070c61b47f6bb

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
1eb0a700bf0a31e72421b74b0779c474

SHA1
e7e3183c9b22d1268edab8a9e8e5ef4f2a1d6056

SHA256
8d6aebeae0aa750074bcd9962f71c9d7b0fadc60cb9b5613a3abc1d52b1febd7

SHA512
20c8eed260226804c0c99e408b9e1d94f434c968d02523024715aa39a4003246c108c0746086fca35a15781a88a6d06cf09f0f2008fc132a440dab34136eef63

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
488KB

MD5
ebb9921f817e95e0bf453fe29a3c92cd

SHA1
bb80776543eed9ea6e14b8d1ced3a5731078f814

SHA256
1414d38bcb3564cad6d3fa0c0d890a9df1921c2a3ec95d788866a6d4b00c0d0b

SHA512
0d3a16b144ef6badd5ca76c72c8e98baa1e31c80bb6be87ecb725a82952aeaeda6dc56baa14e1e108383b28f2eb64e01a270b0f71b6c0cf42345ffdb561d44f3

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
488KB

MD5
dbd5103957fd05785fc0ebf30138ad05

SHA1
a757a6a6185801d8c931c5dc0e031fb443b6e126

SHA256
689f61272fd441d1b0feb580a299b415226e353129196b14e3056a1dc4fc60f3

SHA512
c118317daff464fa5f4b19ebd186d921e3f536381e7b933cb4e61a5bd066c53c304270e7f2c586b195e3bcb204f88a6b7ca526bbcc81d5bed911f1a87623bda7

Download Submit
memory/956-111-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/956-234-0x00000000036C0000-0x0000000003CBF000-memory.dmp

Filesize
6.0MB

Download
memory/956-442-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/956-444-0x00000000036C0000-0x0000000003CBF000-memory.dmp

Filesize
6.0MB

Download
memory/1296-268-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1296-258-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1528-236-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1528-235-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1528-167-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1880-276-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2028-257-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2028-399-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2028-124-0x00000000037B0000-0x0000000003DAF000-memory.dmp

Filesize
6.0MB

Download
memory/2028-110-0x00000000037B0000-0x0000000003DAF000-memory.dmp

Filesize
6.0MB

Download
memory/2028-112-0x00000000037B0000-0x0000000003DAF000-memory.dmp

Filesize
6.0MB

Download
memory/2028-98-0x00000000037B0000-0x0000000003DAF000-memory.dmp

Filesize
6.0MB

Download
memory/2028-125-0x00000000037B0000-0x0000000003DAF000-memory.dmp

Filesize
6.0MB

Download
memory/2028-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2196-126-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2196-443-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2260-267-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2260-254-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2508-398-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2800-255-0x00000000038B0000-0x0000000003EAF000-memory.dmp

Filesize
6.0MB

Download
memory/2800-259-0x00000000038B0000-0x0000000003EAF000-memory.dmp

Filesize
6.0MB

Download
memory/2800-446-0x00000000038B0000-0x0000000003EAF000-memory.dmp

Filesize
6.0MB

Download
memory/2800-445-0x00000000038B0000-0x0000000003EAF000-memory.dmp

Filesize
6.0MB

Download
memory/2800-99-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2800-441-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2864-393-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2988-426-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3028-331-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3060-368-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/3060-369-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download