Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 08/07/2024, 11:44
Behavioral task: behavioral1
Sample: 1341312bfb3c34ef6e32177a2cc55c70N.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 1341312bfb3c34ef6e32177a2cc55c70N.exe
Resource: win10v2004-20240704-en
General
Target: 1341312bfb3c34ef6e32177a2cc55c70N.exe
Size: 276KB
MD5: 1341312bfb3c34ef6e32177a2cc55c70
SHA1: 18c8ca4d187cfa1c6b903767ea17e62975942266
SHA256: 71dd258ceb35ca8e3cfc692f294c8971a92c35fae0098cf3342d511448b2044a
SHA512: 7386b373102f43facf1e4c571f0657e5461fc3825c1081437a35392b8d310867c7522dc5c781a76abe790760ebab964a2a47bc3a9169dc2255604bc957076704
SSDEEP: 3072:PiVj/n1Y4p4gMRIO8uwBKEQ+cULflQnL5lV+N6uDiNt0Uy6wg4uh1o7l:KVj/9nGx+cUgust0QSSo7l
Malware Config
Signatures
Drops file in Drivers directory 60 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
2972 | winlogon.exe
652 | AE 0124 BE.exe
1448 | winlogon.exe
2408 | winlogon.exe
Loads dropped DLL 8 IoCs
pid | Process
3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe
3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe
2972 | winlogon.exe
2972 | winlogon.exe
652 | AE 0124 BE.exe
652 | AE 0124 BE.exe
2408 | winlogon.exe
1448 | winlogon.exe
Blocklisted process makes network request 2 IoCs
flow | pid | Process
3 | 2692 | msiexec.exe
9 | 1004 | msiexec.exe
Drops desktop.ini file(s) 64 IoCs
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
C:\Windows\winsxs\amd64_msports.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0684326c3fe0cf31\parport.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-c..snapindll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_88ae8d4bcff12f4a\certmgr.msc AE 0124 BE.exe File opened for modification C:\Windows\Fonts\8514fixr.fon AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_mcupdate_31bf3856ad364e35_6.1.7601.17514_none_26c2d72ec26de8d9 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-help-efs.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7b42dfac415afe76 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-help-video.resources_31bf3856ad364e35_6.1.7600.16385_de-de_46ef7224f084eeda AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-w..extension.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_edad9550b038d804 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_server-help-chm.rsop.resources_31bf3856ad364e35_6.1.7600.16385_en-us_66133c4d4e59cfed\rsop.CHM AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-ime-korean-commonapi_31bf3856ad364e35_6.1.7600.16385_none_d96db983ac8462fd.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_6.1.7600.16385_it-it_86a68a63a4aaf841\wevtsvc.dll.mui AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..nt-sku-professional_31bf3856ad364e35_6.1.7601.17514_none_a8ea294e63b19921\Security-SPP-Component-SKU-Professional-OEM-NONSLP1-ul-phn.xrm-ms AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-devicepairingapp_31bf3856ad364e35_6.1.7600.16385_none_cb9353551bbd8ed8.manifest AE 0124 BE.exe File opened for modification 
C:\Windows\winsxs\msil_system.data.sqlxml.resources_b77a5c561934e089_6.1.7600.16385_ja-jp_ea24f6cdc947978f\system.data.sqlxml.resources.dll AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-security-vault_31bf3856ad364e35_6.1.7600.16385_none_4d5e025e54ba15f8\VaultSysUi.exe AE 0124 BE.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_9acdae479a96bb18\Microsoft.VisualBasic.resources.dll AE 0124 BE.exe File opened for modification C:\Windows\ehome\es-ES\cbva.dll.mui AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs 
DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1004 | msiexec.exe
1004 | msiexec.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2692 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2692 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2692 | msiexec.exe
Token: SeRestorePrivilege | 1004 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1004 | msiexec.exe
Token: SeSecurityPrivilege | 1004 | msiexec.exe
Token: SeCreateTokenPrivilege | 2692 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2692 | msiexec.exe
Token: SeLockMemoryPrivilege | 2692 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2692 | msiexec.exe
Token: SeMachineAccountPrivilege | 2692 | msiexec.exe
Token: SeTcbPrivilege | 2692 | msiexec.exe
Token: SeSecurityPrivilege | 2692 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2692 | msiexec.exe
Token: SeLoadDriverPrivilege | 2692 | msiexec.exe
Token: SeSystemProfilePrivilege | 2692 | msiexec.exe
Token: SeSystemtimePrivilege | 2692 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2692 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2692 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2692 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2692 | msiexec.exe
Token: SeBackupPrivilege | 2692 | msiexec.exe
Token: SeRestorePrivilege | 2692 | msiexec.exe
Token: SeShutdownPrivilege | 2692 | msiexec.exe
Token: SeDebugPrivilege | 2692 | msiexec.exe
Token: SeAuditPrivilege | 2692 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2692 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2692 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2692 | msiexec.exe
Token: SeUndockPrivilege | 2692 | msiexec.exe
Token: SeSyncAgentPrivilege | 2692 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2692 | msiexec.exe
Token: SeManageVolumePrivilege | 2692 | msiexec.exe
Token: SeImpersonatePrivilege | 2692 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2692 | msiexec.exe
Token: SeBackupPrivilege | 732 | vssvc.exe
Token: SeRestorePrivilege | 732 | vssvc.exe
Token: SeAuditPrivilege | 732 | vssvc.exe
Token: SeBackupPrivilege | 1004 | msiexec.exe
Token: SeRestorePrivilege | 1004 | msiexec.exe
Token: SeRestorePrivilege | 2756 | DrvInst.exe
Token: SeRestorePrivilege | 2756 | DrvInst.exe
Token: SeRestorePrivilege | 2756 | DrvInst.exe
Token: SeRestorePrivilege | 2756 | DrvInst.exe
Token: SeRestorePrivilege | 2756 | DrvInst.exe
Token: SeRestorePrivilege | 2756 | DrvInst.exe
Token: SeRestorePrivilege | 2756 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2756 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2756 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2756 | DrvInst.exe
Token: SeRestorePrivilege | 1004 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1004 | msiexec.exe
Token: SeRestorePrivilege | 1004 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1004 | msiexec.exe
Token: SeRestorePrivilege | 1004 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1004 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2692 | msiexec.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe
2972 | winlogon.exe
652 | AE 0124 BE.exe
1448 | winlogon.exe
2408 | winlogon.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 3056 wrote to memory of 2692 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 31
PID 3056 wrote to memory of 2692 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 31
PID 3056 wrote to memory of 2692 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 31
PID 3056 wrote to memory of 2692 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 31
PID 3056 wrote to memory of 2692 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 31
PID 3056 wrote to memory of 2692 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 31
PID 3056 wrote to memory of 2692 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 31
PID 3056 wrote to memory of 2972 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 32
PID 3056 wrote to memory of 2972 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 32
PID 3056 wrote to memory of 2972 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 32
PID 3056 wrote to memory of 2972 | 3056 | 1341312bfb3c34ef6e32177a2cc55c70N.exe | 32
PID 2972 wrote to memory of 652 | 2972 | winlogon.exe | 33
PID 2972 wrote to memory of 652 | 2972 | winlogon.exe | 33
PID 2972 wrote to memory of 652 | 2972 | winlogon.exe | 33
PID 2972 wrote to memory of 652 | 2972 | winlogon.exe | 33
PID 2972 wrote to memory of 1448 | 2972 | winlogon.exe | 34
PID 2972 wrote to memory of 1448 | 2972 | winlogon.exe | 34
PID 2972 wrote to memory of 1448 | 2972 | winlogon.exe | 34
PID 2972 wrote to memory of 1448 | 2972 | winlogon.exe | 34
PID 652 wrote to memory of 2408 | 652 | AE 0124 BE.exe | 35
PID 652 wrote to memory of 2408 | 652 | AE 0124 BE.exe | 35
PID 652 wrote to memory of 2408 | 652 | AE 0124 BE.exe | 35
PID 652 wrote to memory of 2408 | 652 | AE 0124 BE.exe | 35
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1341312bfb3c34ef6e32177a2cc55c70N.exe (depth 1, PID 3056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1341312bfb3c34ef6e32177a2cc55c70N.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msiexec.exe (depth 2, PID 2692)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Windows\SysWOW64\drivers\winlogon.exe (depth 2, PID 2972)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\AE 0124 BE.exe (depth 3, PID 652)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\drivers\winlogon.exe (depth 4, PID 2408)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\winlogon.exe (depth 3, PID 1448)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exe (depth 1, PID 1004)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exe (depth 1, PID 732)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exe (depth 1, PID 2756)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000558" "0000000000000320"
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
-
Reading the tree: the command lines name C:\Windows\System32\... while the image paths are under C:\Windows\SysWOW64\..., which means the sample runs as a 32-bit process and WoW64 file system redirection silently moved its writes and launches; the dropped winlogon.exe therefore lives in SysWOW64\drivers, not in the real System32 directory where the genuine winlogon.exe resides. The three depth-1 entries (msiexec.exe /V, vssvc.exe, DrvInst.exe) are the Windows Installer service side of the /i "C:\Windows\AE 0124 BE.msi" run that PID 2692 requested (msiexec /V is how the Installer service process is started); their signature hits, including the certificate-store keys DrvInst.exe creates under HKEY_USERS\.DEFAULT, come from Windows components handling the install and the volume snapshot, not from code in the sample.
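The masquerading in the tree above (winlogon.exe launched from a drivers directory, by the sample rather than by smss.exe, with every child tracing back to an executable in the user's Temp folder) is what a process-creation detection should key on. The following is an added example written for this page, not sandbox output: it encodes the tree as constructed events and applies three rules (expected directory, expected parent, Temp-directory lineage). The parent images for the sample itself and for the service-side processes are assumptions, since the report does not record them.

```python
"""Process-tree checks for the anomalies this report shows: a binary called
winlogon.exe launched from SysWOW64\\drivers by the sample (and later by the
dropped payload) instead of by smss.exe from System32, and a whole lineage
that leads back to an executable in a user's Temp directory.
Added example for this page; it is not output of the sandbox."""
import ntpath
from dataclasses import dataclass

# Directories these images live in on a Windows 7 x64 host.
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "msiexec.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "vssvc.exe": {r"c:\windows\system32"},
}
# Images that only one parent should ever create.
EXPECTED_PARENTS = {"winlogon.exe": {"smss.exe"}}
TEMP_MARKER = "\\appdata\\local\\temp\\"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    ppid: int
    parent_image: str   # full path of the creating process


def _norm(path: str) -> str:
    # ntpath works on any host OS: lower-cases and turns '/' into '\'.
    return ntpath.normcase(path)


def analyse(events):
    """Return {pid: [reason, ...]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        image = _norm(e.image)
        name, directory = ntpath.basename(image), ntpath.dirname(image)
        parent_name = ntpath.basename(_norm(e.parent_image))

        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            reasons.append("unexpected_dir")
        if name in EXPECTED_PARENTS and parent_name not in EXPECTED_PARENTS[name]:
            reasons.append("unexpected_parent")
        # Driver directories hold .sys/.mui files; an executable running from
        # one is the "Drops file in Drivers directory" pattern seen above.
        if "drivers" in directory.split("\\"):
            reasons.append("exe_in_drivers")

        # Walk up the ancestry we know about; the visited set guards against
        # pid-reuse loops in real logs.
        cur, seen = e, set()
        while cur is not None and cur.pid not in seen:
            seen.add(cur.pid)
            if TEMP_MARKER in _norm(cur.image):
                reasons.append("temp_lineage")
                break
            cur = by_pid.get(cur.ppid)

        if reasons:
            findings[e.pid] = reasons
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1341312bfb3c34ef6e32177a2cc55c70N.exe"
DROPPED = r"C:\Windows\SysWOW64\drivers\winlogon.exe"
PAYLOAD = r"C:\Windows\AE 0124 BE.exe"

# Constructed from the report's process tree. The parents of the sample
# (explorer.exe) and of the service-side processes (services.exe) are
# assumptions; the report does not record them.
EVENTS = [
    ProcEvent(3056, SAMPLE, 1500, r"C:\Windows\explorer.exe"),
    ProcEvent(2692, r"C:\Windows\SysWOW64\msiexec.exe", 3056, SAMPLE),
    ProcEvent(2972, DROPPED, 3056, SAMPLE),
    ProcEvent(652, PAYLOAD, 2972, DROPPED),
    ProcEvent(2408, DROPPED, 652, PAYLOAD),
    ProcEvent(1448, DROPPED, 2972, DROPPED),
    ProcEvent(1004, r"C:\Windows\system32\msiexec.exe", 500, r"C:\Windows\system32\services.exe"),
    ProcEvent(732, r"C:\Windows\system32\vssvc.exe", 500, r"C:\Windows\system32\services.exe"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(analyse(EVENTS).items()):
        print(pid, ", ".join(reasons))
```

The three winlogon.exe instances (2972, 1448, 2408) trip all four rules; msiexec.exe 2692 and AE 0124 BE.exe 652 are flagged only through their Temp lineage, and the service-side msiexec.exe 1004 and vssvc.exe 732 are clean, which matches the reading of the tree given above. A genuine winlogon.exe started by smss.exe from System32 produces no finding.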
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9bb42a0fe87814aa7b8f7a2fa029f514
SHA1: a59ef5c29c74cf0d12716cb3fd44bab4f12a40d7
SHA256: d600e3798f02a131393f020b3c3e8fec51d3a2bc872599e7c5970ec433455617
SHA512: 6d12d48cda257a981dc084de42fe65fb8fb03601751c2f87780e37bf00000b75b3176a2690433d5482a235752e3d95085c129eec6b1199280fb237dfbb849fc7
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 276KB
MD5: 3ae31e2e4ac9828e2cbf4a34be6e287c
SHA1: 0f922ef93743eb0bb9d85e49f66beeee5816a0eb
SHA256: e30ea11a857dfb07bcd65d9480b837ec9e194318b515aba7b19b94e12dcffcc0
SHA512: 15fa607215aa77a7e5a0e9e2ce1a916eaee443352b6408fd16371733742727e035c33d2fd2463b0d1f3d698644a92f23969c4c89e260b5347e84ffb972bcc270
-
Filesize: 1.3MB
MD5: 5343a19c618bc515ceb1695586c6c137
SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize: 21B
MD5: 9cceaa243c5d161e1ce41c7dad1903dd
SHA1: e3da72675df53fffa781d4377d1d62116eafb35b
SHA256: 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512: af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b
-
Filesize: 312KB
MD5: ebae75c9c80e9fcf9c7db14d0fd38a06
SHA1: 1de444dc0a8cb50183ca5087d3be4cc7ab5b17bc
SHA256: 223406bbd32afe4ff161d3987d704d27ee5ea0fcf3e7fe6d15abd32659674640
SHA512: 4007b2b74de7d12fbc050ce1d9921a4655e7a17d505cd494a9414dcc7134e574f9afbe7364c9f7cdb65d8671ec9a194be5fa47371995585cb32bec6b00776a15
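The hashes above, the absolute drop paths from the process tree, and the "Drops file in Drivers directory" pattern are the artefacts a responder would sweep a host for. The block below is an added example written for this page, not tooling from the sandbox: it hashes every file under a root and reports SHA-256 matches against the Downloads list, flags PE-type files found inside any drivers directory (only .sys and .mui files belong there), and checks the report's absolute drop paths on a live host. The 342-byte CryptnetUrlCache metadata entry is deliberately not treated as an IoC, because that cache is written by Windows during certificate revocation checks rather than by the sample. The sample files in demo() are constructed so the sweep runs offline; only one of them is given a hash that is added to the IoC set.

```python
"""Offline sweep for the artefacts this report lists: SHA-256 values from the
Downloads section, the absolute paths the process tree shows being dropped, and
the generic pattern behind "Drops file in Drivers directory" (a PE file sitting
under a drivers folder, where only .sys and .mui files belong).
Added example for this page, not tooling from the sandbox."""
import hashlib
import os
import tempfile

# SHA-256 values copied from the Downloads section above. The 342-byte
# CryptnetUrlCache metadata file is left out: that cache is written by Windows
# during certificate revocation checks and is not a sample artefact.
REPORT_SHA256 = {
    "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f",  # 70KB
    "8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8",  # 181KB
    "e30ea11a857dfb07bcd65d9480b837ec9e194318b515aba7b19b94e12dcffcc0",  # 276KB
    "2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce",  # 1.3MB
    "814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189",  # 21B
    "223406bbd32afe4ff161d3987d704d27ee5ea0fcf3e7fe6d15abd32659674640",  # 312KB
}

# Absolute paths the process tree shows the sample writing or executing.
DROPPED_PATHS = [
    r"C:\Windows\SysWOW64\drivers\winlogon.exe",
    r"C:\Windows\AE 0124 BE.exe",
    r"C:\Windows\AE 0124 BE.msi",
]
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl"}


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hash_iocs=REPORT_SHA256):
    """List (path relative to root, reason) for files under root that match a
    hash IoC or are PE-type files inside a 'drivers' directory."""
    findings = []
    for dirpath, _, files in os.walk(root):
        parts = {p.lower() for p in os.path.normpath(dirpath).split(os.sep)}
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "\\")
            try:
                digest = sha256_of(full)
            except OSError:  # unreadable or vanished file: skip, do not abort
                continue
            if digest in hash_iocs:
                findings.append((rel, "sha256 matches report IoC"))
            if "drivers" in parts and os.path.splitext(fn)[1].lower() in PE_EXTENSIONS:
                findings.append((rel, "PE file inside a drivers directory"))
    return sorted(findings)


def existing_dropped_paths(paths=DROPPED_PATHS):
    """Quick presence check for the report's absolute drop locations."""
    return [p for p in paths if os.path.exists(p)]


def demo():
    """Constructed tree mirroring the drop layout (file names other than
    winlogon.exe are made up); one seeded file's hash is added to the IoC set
    so the hash rule fires offline. Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        drv = os.path.join(root, "Windows", "SysWOW64", "drivers")
        os.makedirs(drv)
        for name in ("winlogon.exe", "helper.dll", "benign.sys"):
            with open(os.path.join(drv, name), "wb") as f:
                f.write(b"MZ constructed placeholder for " + name.encode())
        payload = os.path.join(root, "Windows", "AE 0124 BE.exe")
        with open(payload, "wb") as f:
            f.write(b"MZ constructed payload body")
        return sweep(root, REPORT_SHA256 | {sha256_of(payload)})


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
    print("dropped paths present on this host:", existing_dropped_paths())
```

Hash matches are leads rather than verdicts: the Downloads list records every file the sandbox captured, and nothing on this page ties an individual hash to a named dropped file other than the CryptnetUrlCache entry. The drivers-directory rule is the one that generalises, since it catches the winlogon.exe drop regardless of what the payload's bytes hash to on another run.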