ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Size

488KB
MD5

72cfc8e8e51dc82384b5f9de57bdf6fc
SHA1

b2128b6541ea08de013602a1a7b86ef0f098939d
SHA256

ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8
SHA512

3c70409e7f9b7f8d82b4ce4b51a8313a277d68fb0ea77177f3514b06d85610b891bad80bf9c80d787a558f27e7d088484d2bfcb6f898a9a1b0467f8b50dd069c
SSDEEP

12288:V/Mt/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VaK2O2HIBEd7M

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
3432	Tiwi.exe
4336	IExplorer.exe
3688	winlogon.exe
5036	Tiwi.exe
4652	IExplorer.exe
3300	Tiwi.exe
4860	Tiwi.exe
2020	IExplorer.exe
3444	winlogon.exe
1740	IExplorer.exe
4640	winlogon.exe
1600	imoet.exe
1640	winlogon.exe
400	imoet.exe
432	imoet.exe
3080	cute.exe
4592	cute.exe
3492	cute.exe
4840	Tiwi.exe
1756	IExplorer.exe
1448	winlogon.exe
1888	imoet.exe
2876	imoet.exe
2712	Tiwi.exe
1168	cute.exe
332	IExplorer.exe
4984	cute.exe
392	winlogon.exe
4000	Tiwi.exe
556	imoet.exe
1080	IExplorer.exe
4880	cute.exe
2204	winlogon.exe
3996	imoet.exe
1748	cute.exe

Loads dropped DLL 6 IoCs

pid	Process
5036	Tiwi.exe
3300	Tiwi.exe
4860	Tiwi.exe
4840	Tiwi.exe
2712	Tiwi.exe
4000	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\P:	Tiwi.exe
File opened (read-only)	\??\J:	imoet.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\R:	imoet.exe
File opened (read-only)	\??\T:	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened (read-only)	\??\Q:	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened (read-only)	\??\X:	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\H:	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\E:	Tiwi.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\B:	winlogon.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\O:	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened (read-only)	\??\X:	Tiwi.exe
File opened (read-only)	\??\L:	imoet.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\J:	Tiwi.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\M:	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\J:	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\U:	imoet.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\G:	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\I:	imoet.exe
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\B:	imoet.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File created	C:\autorun.inf	IExplorer.exe
File opened for modification	C:\autorun.inf	IExplorer.exe
File created	F:\autorun.inf	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened for modification	F:\autorun.inf	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File created	F:\autorun.inf	IExplorer.exe
File opened for modification	F:\autorun.inf	IExplorer.exe
File created	C:\autorun.inf	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tiwi.scr	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\shell.exe	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\tiwi.exe	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\SwapMouseButtons = "1"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s1159 = "Tiwi"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s2359 = "Tiwi"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
3432	Tiwi.exe
1600	imoet.exe
3688	winlogon.exe
4336	IExplorer.exe
3080	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
3432	Tiwi.exe
4336	IExplorer.exe
3688	winlogon.exe
5036	Tiwi.exe
3300	Tiwi.exe
4652	IExplorer.exe
2020	IExplorer.exe
4860	Tiwi.exe
3444	winlogon.exe
1740	IExplorer.exe
4640	winlogon.exe
1600	imoet.exe
1640	winlogon.exe
432	imoet.exe
3080	cute.exe
400	imoet.exe
4592	cute.exe
4840	Tiwi.exe
1756	IExplorer.exe
1448	winlogon.exe
3492	cute.exe
1888	imoet.exe
2876	imoet.exe
2712	Tiwi.exe
1168	cute.exe
332	IExplorer.exe
4984	cute.exe
392	winlogon.exe
4000	Tiwi.exe
556	imoet.exe
1080	IExplorer.exe
4880	cute.exe
2204	winlogon.exe
3996	imoet.exe
1748	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3432	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	82
PID 3592 wrote to memory of 3432	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	82
PID 3592 wrote to memory of 3432	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	82
PID 3592 wrote to memory of 4336	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	83
PID 3592 wrote to memory of 4336	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	83
PID 3592 wrote to memory of 4336	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	83
PID 3592 wrote to memory of 3688	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	84
PID 3592 wrote to memory of 3688	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	84
PID 3592 wrote to memory of 3688	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	84
PID 3592 wrote to memory of 5036	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	86
PID 3592 wrote to memory of 5036	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	86
PID 3592 wrote to memory of 5036	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	86
PID 3592 wrote to memory of 4652	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	87
PID 3592 wrote to memory of 4652	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	87
PID 3592 wrote to memory of 4652	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	87
PID 3432 wrote to memory of 3300	3432	Tiwi.exe	88
PID 3432 wrote to memory of 3300	3432	Tiwi.exe	88
PID 3432 wrote to memory of 3300	3432	Tiwi.exe	88
PID 4336 wrote to memory of 4860	4336	IExplorer.exe	89
PID 4336 wrote to memory of 4860	4336	IExplorer.exe	89
PID 4336 wrote to memory of 4860	4336	IExplorer.exe	89
PID 3432 wrote to memory of 2020	3432	Tiwi.exe	91
PID 3432 wrote to memory of 2020	3432	Tiwi.exe	91
PID 3432 wrote to memory of 2020	3432	Tiwi.exe	91
PID 3592 wrote to memory of 3444	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	92
PID 3592 wrote to memory of 3444	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	92
PID 3592 wrote to memory of 3444	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	92
PID 4336 wrote to memory of 1740	4336	IExplorer.exe	93
PID 4336 wrote to memory of 1740	4336	IExplorer.exe	93
PID 4336 wrote to memory of 1740	4336	IExplorer.exe	93
PID 3432 wrote to memory of 4640	3432	Tiwi.exe	94
PID 3432 wrote to memory of 4640	3432	Tiwi.exe	94
PID 3432 wrote to memory of 4640	3432	Tiwi.exe	94
PID 3592 wrote to memory of 1600	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	95
PID 3592 wrote to memory of 1600	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	95
PID 3592 wrote to memory of 1600	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	95
PID 4336 wrote to memory of 1640	4336	IExplorer.exe	96
PID 4336 wrote to memory of 1640	4336	IExplorer.exe	96
PID 4336 wrote to memory of 1640	4336	IExplorer.exe	96
PID 3432 wrote to memory of 400	3432	Tiwi.exe	97
PID 3432 wrote to memory of 400	3432	Tiwi.exe	97
PID 3432 wrote to memory of 400	3432	Tiwi.exe	97
PID 4336 wrote to memory of 432	4336	IExplorer.exe	98
PID 4336 wrote to memory of 432	4336	IExplorer.exe	98
PID 4336 wrote to memory of 432	4336	IExplorer.exe	98
PID 4336 wrote to memory of 3080	4336	IExplorer.exe	99
PID 4336 wrote to memory of 3080	4336	IExplorer.exe	99
PID 4336 wrote to memory of 3080	4336	IExplorer.exe	99
PID 3592 wrote to memory of 4592	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	100
PID 3592 wrote to memory of 4592	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	100
PID 3592 wrote to memory of 4592	3592	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe	100
PID 3432 wrote to memory of 3492	3432	Tiwi.exe	101
PID 3432 wrote to memory of 3492	3432	Tiwi.exe	101
PID 3432 wrote to memory of 3492	3432	Tiwi.exe	101
PID 3688 wrote to memory of 4840	3688	winlogon.exe	102
PID 3688 wrote to memory of 4840	3688	winlogon.exe	102
PID 3688 wrote to memory of 4840	3688	winlogon.exe	102
PID 3688 wrote to memory of 1756	3688	winlogon.exe	105
PID 3688 wrote to memory of 1756	3688	winlogon.exe	105
PID 3688 wrote to memory of 1756	3688	winlogon.exe	105
PID 3688 wrote to memory of 1448	3688	winlogon.exe	106
PID 3688 wrote to memory of 1448	3688	winlogon.exe	106
PID 3688 wrote to memory of 1448	3688	winlogon.exe	106
PID 3688 wrote to memory of 1888	3688	winlogon.exe	107

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe

C:\Users\Admin\AppData\Local\Temp\ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe
"C:\Users\Admin\AppData\Local\Temp\ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3592
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3432
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3300
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2020
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4640
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:400
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3492
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4336
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4860
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1740
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1640
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:432
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3080
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4000
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1080
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2204
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3996
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1748
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3688
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4840
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1756
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1888
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1168
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5036
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4652
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3444
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1600
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:332
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:392
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:556
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4880
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4592
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
488KB

MD5
80b151257fbe39cc4ebb7c32ebc153de

SHA1
125940f92a5f43e450973acb5b4e3bd1433ed50a

SHA256
df10826e46563189a99a1e4bba8c519afe3ba97619c2124804eb7237af2ded05

SHA512
d8339dd5644d7aaf3e44fae6fa30f63c7bb8c7f8c14417d67f253159b0af48f51757e9085cae044d7411e9b630ace12672ee66ee345df1a0d6fa00802d175501

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
fae6b402e829aaf2747d8d96e2a2f9a5

SHA1
dafe9e575df2620dd36918b254a190443896916c

SHA256
2cd193f2a077a13939293a6dfadc877b7c19c85788b5657d8a1ece6032928169

SHA512
25d16f9299ca1bf07c14735ede67b519c9a25688bc950b2938f4f9bfc364e5f83894ee9228ba81a81d3e2b0fb660995478d3a8d424da0e41faa5907c33e2be96

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
488KB

MD5
cc575f6685527696a4afcf936137fdba

SHA1
0d20830f705fb79bb4e723602150e9ad2c0fcba8

SHA256
8015029c90f816697161b2ab066b1c3ded705cc1d7af9f7b1e6965a4f23b20f6

SHA512
238da8e5ae274784fd0c63fc6b15b8eaab73f008de68f63842ea20ba87979c173040328ad4387c29b9e0b1803a267db32ff80e31aba21a68db519f3f934191ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
7dd30b82994b2027d7c30f1b8acfd7c4

SHA1
0d21cc1ae19181213443a6fae1e2d0e63a40b910

SHA256
07c03d1f561741a215286bd16ceb72591f7648425c1f2eafae67f42d964483f4

SHA512
4bc808196597b16d291fff1af5141a7d0cbb7bb482f4b060586e7d5da3cb4250eeb5ea01fcee04344289af18da3513d3536df2ee1a950f0d7d20303a54688994

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
b344d8903917839f8fef0fd5d7a9321f

SHA1
377c746ad2cc48c182248e81aa440765fc144b30

SHA256
27cbd00126e82c59b0f834902c8764fda199bf63571d92ff419b91238c84a62f

SHA512
23da742808d93417af7d2a6764d9b1339efb370c48e1060cc9597f6509110db9317f90de741dd5d870d013b98beb70f2bf8aec4fb89e6175b67d7f6abd4e134f

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
488KB

MD5
bac59a830156b19d6f8ef551ac03551c

SHA1
66c46e4ba8058c4345636c7fd51166d971ae3ba5

SHA256
280d41732db07ef15f6a67dd10d487013d183645159780ab4508c0666d95d02e

SHA512
b3f4607ee2b7bd0329191b01eef47d421411275ef9908995675b1124a107ef0d57cd56e16eb79f85429cef7096ce5d042a7a96bc1aad63a38935d176a7aa3a89

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
7ba9c82a877059f0972d6877c019b671

SHA1
9b6f4f406357b94d749d1e8cf799d3ad2c028de3

SHA256
6c027a8aabcf4067c0fa4304baf5258baf3a265ca9c801aef46ba3d88d248df1

SHA512
f9d624116e2156f56378483737a01da5b03fcf48ae88c0e29036751a670606e0de43461b73df08f66dc675b0d71865b1034897e5418e040c31787c3a572a0c1c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
d7828e768d29c2e27afd854f899da913

SHA1
498c14cf1b9fdb89b78bc4db62b5e3872fc357dd

SHA256
23ba03342bd3ecee1521c72b6112c1fc98beaf46fde9c25450ff89436e0f9f57

SHA512
6aa4899d4b5e1d95bb525ace6390d721439e0679dbef441203691cca46f5133ecc887439c3a9faebb5875bcac2afa6a5fda1d1e4d7c45a1001dedb67b760e9c5

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
fbd629bc728fea4770c39e8e00445fba

SHA1
c4e54dbd14d2ec96c6a4e674e7102f2bccd2b858

SHA256
9fdaf8aa814e8380734c4cbe0073fcc2a497147d36d8f3cfa5c6737e867e2e06

SHA512
8db527c1eea508ab813e9840079e86e0afc6820d37acb4145be98c2839e15d9b53bec8483dd1dd7db964fb6e1948ff48cc8e6652b38db9480d0ddc351ec8a903

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
3cea30b45056894080fb0d6e6a5c9e56

SHA1
908a55bff82950ef8403b3f060cae13720c9d7f0

SHA256
2a0b9cea4ed683f6261396a92cdff45c41312a06bd347fc1a6e25ef5cea736ba

SHA512
43e103a2ca81d7663a71b389c640ed61eb6cbd588398328b41a6e98c106fc2354d57748d745135a239532302bee33dc7e8306a061a7ba094ac709c3cee54f7de

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
488KB

MD5
77958e811eab219dbcfb27e3c38bee75

SHA1
b979c0a9a2b95e478f89472d91e6e1bb58eeb9ea

SHA256
6985665458989940c8638e587d212f78abcb312d1fc7d6a48435c32b24e7655c

SHA512
04db998e7245351a2fdcdc6221cfca78f34a45a692aee46be03a0fc2dd141cf2bd0dc7f9cda06dfbf035f085f23a580e097750c981dc6b19d3a7f0d3f10003f1

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
7321445ab804b362a6f07519c1bc49f9

SHA1
9465d5b5a0aa51aa80c53b2f177748c5e5c69503

SHA256
aa2fd144c1ab1490727eb797793a227369fc8636375485bcea3ec53035151fcf

SHA512
ab3c0e0353a02d641a6b7d2dab5a55aef2a8ec4cab6fc0cb7fb0746c8a7fe32dcd726efc39025c94c96b68330eb8031eabeb8f1cc97a8ea723b2a829eb1ff65a

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
72cfc8e8e51dc82384b5f9de57bdf6fc

SHA1
b2128b6541ea08de013602a1a7b86ef0f098939d

SHA256
ea423e5817a1eb1aa9e3efa941f2232542f7dd9dd0c603f5bb8292d1b693fdd8

SHA512
3c70409e7f9b7f8d82b4ce4b51a8313a277d68fb0ea77177f3514b06d85610b891bad80bf9c80d787a558f27e7d088484d2bfcb6f898a9a1b0467f8b50dd069c

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
4a1f72378c284a85facaba3b33bd5929

SHA1
4dc636a6ed61c85b25a580ff99918a35ad86038a

SHA256
fa322aa1e031b4728323cfac19e8079925f4bf59e263f3585fa9505433511d92

SHA512
ed8cb9cdf2cf39a684b9805cd38fe64927650c9935d0279c2def28d378329780d90330a042599ed7d76901bdc93909a7eb9555b5c8a1c538cf78fb959dded916

Download Submit
C:\Windows\tiwi.exe

Filesize
488KB

MD5
68cb25c4d3785c480694786c375bb667

SHA1
ea786b3343f85ec2c37b591aecd5cfb979b3d639

SHA256
3ad99e523c3aa90ac9374dc11b7954024edd9fc772f639dac2b4d6ae9074aaba

SHA512
a760e16957c9fed4ab37c41d021fa09e1c17ab572249e733c39fd9848e49107cb5350105fa36d4ed0ea6fd0474166a7d8fc6276b65daf03df81372606e63290e

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
ec1af735ab529a191cb4b40f528582cc

SHA1
869c6d618129a04aa440a1ca5a18739fb7be2563

SHA256
32f65923d539fc2eb983ca9fe750a63eeecbb3bd88f32a76248ebbbb907d12d0

SHA512
9edadaeaca003b8a61f0044b0d2ef1371846d81ccf308466d432394d8b1121fedb3f3160a68a093c19f4e35bcac21adc25b9f188dc1d194a5b27841be6b2bd60

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/400-277-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/400-304-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/432-295-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1600-416-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1600-271-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1640-275-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1640-289-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1740-254-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1740-265-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2020-247-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2020-241-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3300-238-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3300-194-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3432-256-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3432-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3444-260-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3444-246-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3592-253-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3592-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3592-395-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3688-274-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3688-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4336-269-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4336-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4640-259-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4640-272-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4652-156-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4652-242-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4860-252-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4860-240-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/5036-164-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/5036-148-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download