Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/07/2024, 00:32
Static task: static1
Behavioral task: behavioral1
Sample: 209c4b0b4275c3582bdb68c273174ce0.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 209c4b0b4275c3582bdb68c273174ce0.exe
Resource: win10v2004-20240704-en
General
- Target: 209c4b0b4275c3582bdb68c273174ce0.exe
- Size: 185KB
- MD5: 209c4b0b4275c3582bdb68c273174ce0
- SHA1: 8dead76015df07002ab775cf9a322ab895374926
- SHA256: c3cad1e69db3db9f6382cb77603b1e0fb5e8bf4a88014db5dadb57ad0adc8b1e
- SHA512: 5518ee09ff24d7262d6ad37da9c836e981dec11c2718330ce3f6edc5ac186e9d6cec721602c96e38cf6293aaa040c9f4013ed794cf5cffa30ba28508c7b418ab
- SSDEEP: 3072:sr+Fu2II+HiXMcI/AKJOmCIngQ+OIyy6wg4uh1oxt:/MHD3/AKtHSSoxt
Malware Config
Signatures
-
Drops file in Drivers directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 209c4b0b4275c3582bdb68c273174ce0.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | AE 0124 BE.exe
-
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation | 209c4b0b4275c3582bdb68c273174ce0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
-
Executes dropped EXE 4 IoCs
pid | Process
2640 | winlogon.exe
2588 | AE 0124 BE.exe
3976 | winlogon.exe
3112 | winlogon.exe
-
Loads dropped DLL 3 IoCs
pid | Process
2588 | AE 0124 BE.exe
3976 | winlogon.exe
3112 | winlogon.exe
-
Drops desktop.ini file(s) 57 IoCs
description | ioc | Process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini | AE 0124 BE.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
-
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ja-JP\rasplap.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\vdswmi.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\mfvfw.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OfflineFiles-UI-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\netrasa.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\PCLXL.GPD | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\L1C63x64.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\credui.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-Administration-D-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB4557968~31bf3856ad364e35~amd64~~19041.262.1.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\iaLPSSi_I2C.INF_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\CompPkgSup.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\upnp.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SmbDirect-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\MSFT_UserResource.psm1 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\icsigd.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\tvratings.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\netlldp.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnqctl.vbs | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Virtualization-RemoteFX-User-Mode-Transport-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\fr-FR\wsp_sr.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\iertutil.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wsdscdrv.inf_amd64_416a5877e9180787\WSDScDrv.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-3-ul-store-rtm.xrm-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ddraw.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-AssignedAccess-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.1288.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\winmsipc.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\jscript.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Dism\de-DE\UnattendProvider.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\ieui.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\migration\WsUpgrade.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VpnClient\PS_VpnConnectionTriggerDnsConfiguration_v1.0.cdxml | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-FibreChannel-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Legacy-Components-OC-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\NetworkItemFactory.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\msfeeds.mof | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\ja-JP\FolderRedirectionWMIProvider.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\it-IT\TestDtc.psd1 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Devices.Haptics.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VmDirect-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmmct.inf_amd64_0f3268711a5b2622\mdmmct.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\listsvc.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\gpedit.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\ja-JP\rdpbus.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Windows.Media.MediaControl.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-ShellLauncher-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de\AuthFWWizFwk.Resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\nett4x64.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\it-IT\mofcomp.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\KBDCHERP.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\srcore.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\netbxnda.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms005.inf_amd64_add71423ba73e797\prnms005.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\wcnwiz.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_pcmcia.inf_amd64_92be188847324ddb\c_pcmcia.inf | AE 0124 BE.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\WinSxS\amd64_chargearbitration.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_5361bb24a09189d1\CAD.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_it-it_09cd7363afc7ebfa\rasauto.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..domainjoindatamodel_31bf3856ad364e35_10.0.19041.264_none_03fe095b3e51c0fc.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-pentraining-adm_31bf3856ad364e35_10.0.19041.1_none_f1d474fb84e1759b | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..res-deployment02150_31bf3856ad364e35_10.0.19041.906_none_d314133173b49128.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..nagement-dmcmnutils_31bf3856ad364e35_10.0.19041.1266_none_0be43dcd949aac7f.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-shpafact_31bf3856ad364e35_10.0.19041.1_none_876712f895a64cb7.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..dation-languagepack_31bf3856ad364e35_10.0.19041.1_en-us_b7f0a4845ef53351.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-ie-ielowutil_31bf3856ad364e35_11.0.19041.1_none_9439f8fec314ad47 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-u..aml-phone.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_42dd145d1f4ad385\Windows.UI.Xaml.Phone.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\f\AppVStreamMap.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_10.0.19041.1_es-es_8781bf6ec208f12b\sqlsoldb.chm | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_dual_c_1394.inf_31bf3856ad364e35_10.0.19041.1_none_6118cd98bdc15ff6.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-p..-wsdahost.resources_31bf3856ad364e35_10.0.19041.1_en-us_74b691e3f584b783.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-rasmprddm.resources_31bf3856ad364e35_10.0.19041.1_en-us_eb1eae5383d921b0 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_hidbth.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_8278810112c21d44\hidbth.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-chkwudrv.resources_31bf3856ad364e35_10.0.19041.1_es-es_81e2b73dd9b1b23f.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-o..s-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_0e4032a46f8d166d.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-OneCore-UtilityVm-SetupAgent-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-stobject.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_edc079ebdcf12a3b | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\msil_microsoft.visualbas..atibility.resources_b03f5f7f11d50a3a_10.0.19041.1_en-us_75ff696f800bec35.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.19041.1_none_25b40e9a744f0270 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-f..ager-core.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_ac90d23a9a6b68c2\fltmgr.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\msil_regasm.resources_b03f5f7f11d50a3a_10.0.19041.1_en-us_a3273d718673fdf0.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-mskeyprotcli-dll_31bf3856ad364e35_10.0.19041.423_none_a674d42538bb790e\f | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\aspnet.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\Speech\Common\it-IT\sapisvr.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..nframeworkmigration_31bf3856ad364e35_10.0.19041.746_none_29c729f4d7c7e51e\f | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.19041.1_none_0e98e5367a9d834f\SFPATWB.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.19041.1110_none_cb6797856a7aa91e\f | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_windows-application..meventsbroker-winrt_31bf3856ad364e35_10.0.19041.264_none_d4d2dda1454e8c54\SystemEventsBrokerClient.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_es_31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_GlobalResources\AppConfigCommon.de.resx | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\BlockSite.htm | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-cryptnet-dll_31bf3856ad364e35_10.0.19041.906_none_ff9279b48ee54a8e.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~sv-se~1.0.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-CastingReceiver-Media-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\microsoft-windows-quickassist-package-Wrapper~31bf3856ad364e35~amd64~~10.0.19041.1266.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-d..andgroups.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_02b5417e30a372f0 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-p..mitymessaging-rtapi_31bf3856ad364e35_10.0.19041.1_none_0bcd7a43d3d6e27b\Windows.Networking.Proximity.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationFramework.Luna.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Portable-Devices-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_10.0.19041.1_none_5373adf4ec6c18fc | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-a..sourcepolicy-client_31bf3856ad364e35_10.0.19041.546_none_d8c4f6ebff715d2e\r | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-security-digest_31bf3856ad364e35_10.0.19041.388_none_189d4f2fdba30664\r | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\v4.0_1.0.0.0_ja_31bf3856ad364e35 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..lperclass.resources_31bf3856ad364e35_10.0.19041.1_es-es_9db14eab7b0b174f | AE 0124 BE.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\css\settings-desktop.css | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-cdp-api_31bf3856ad364e35_10.0.19041.1151_none_50e83afe2943ec34\r\cdp.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-management-oobe_31bf3856ad364e35_10.0.19041.1266_none_e6ebbe2a02425392\r\accountsetupcategoryviewmodel.js | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-scripting-chakra_31bf3856ad364e35_11.0.19041.264_none_e4f8244462cd338d\f\Chakrathunk.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-scripting-jscript9_31bf3856ad364e35_11.0.19041.153_none_65cd0f4146003466\f\jscript9diag.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-fsavailux.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2b4e14852e6455c9.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\MiguiControls.Resources\v4.0_1.0.0.0_es_31bf3856ad364e35\MIGUIControls.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-DataCenterBridging-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevpsmof_31bf3856ad364e35_10.0.19041.1_none_618eb0af01f8976d\UEV.Types.ps1xml | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-n..e_runtime.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4bc30b1a0025e6af | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_bthspp.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_4dfd36eb7ba02fe2\bthspp.inf_loc | AE 0124 BE.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..p-cleanup.resources_31bf3856ad364e35_10.0.19041.1_it-it_4398e4af94477e93\setupcln.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\FileMaps\$$_syswow64_windowspowershell_v1.0_modules_psdesiredstateconfiguration_dscresources_msft_packagereso_2772017cc6760a15.cdf-ms AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_hyperv-compute-host..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_es-es_04d61072007e2c9b.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-com-ole_31bf3856ad364e35_10.0.19041.1_none_ac20fe64570bc53f\comcat.dll AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ets.icons.searchapp_31bf3856ad364e35_10.0.19041.1_none_ceba36fd1b479c4c\AppListIcon.targetsize-80_altform-unplated.png AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings | 209c4b0b4275c3582bdb68c273174ce0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 209c4b0b4275c3582bdb68c273174ce0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2212 | msiexec.exe
2212 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 49 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1600 | msiexec.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2724 | 209c4b0b4275c3582bdb68c273174ce0.exe
2640 | winlogon.exe
2588 | AE 0124 BE.exe
3976 | winlogon.exe
3112 | winlogon.exe
Suspicious use of WriteProcessMemory 17 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\209c4b0b4275c3582bdb68c273174ce0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\209c4b0b4275c3582bdb68c273174ce0.exe"
  PID: 2724
  Signatures:
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    PID: 1600
    Signatures:
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 2640
    Signatures:
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID: 2588
      Signatures:
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 3112
        Signatures:
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 3976
      Signatures:
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2212
  Signatures:
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 632
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 5048
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads