Analysis

max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2024, 16:11
Behavioral tasks

task | sample | resource
behavioral1 | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe | win7-20240704-en
behavioral2 | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe | win10v2004-20240709-en

The signatures below are from behavioral2, the Windows 10 run: the memory dumps matched by yara are all named behavioral2/..., and the platform and resource above are the Windows 10 image.
General

Target: 030d78fcf7df69edcfaddfd4b4f05ec0N.exe
Size: 44KB
MD5: 030d78fcf7df69edcfaddfd4b4f05ec0
SHA1: 5e60189eb4bb3fcb1fb61c383776beb7b8674e66
SHA256: 1910c5391ec25b53e3ddbb97b4971be6e42ba0a8de539abaf972adbea6af32fd
SHA512: 98c70e95a977373f3a344c07cf7128699e4c98a8cd699529de407bbcce71e64f3c050f97eb7a571837cf0e1882af3b64de5b8f8f348e98072e9128f4abdb87b9
SSDEEP: 384:CxL+q5r+PpHfXhUkKvI4QwjQ/vFJhheJ06oZrj/vBKDJZZ/:ua4r+PpHfXGLOnNh8noR+v/
Malware Config

Signatures
Drops file in Drivers directory (39 IoCs)

The submitted sample writes a file named winlogon.exe into C:\Windows\SysWOW64\drivers\, and that file is then executed (see "Executes dropped EXE"). The legitimate winlogon.exe lives in C:\Windows\System32\, so a winlogon.exe anywhere else is a masquerading indicator worth a host-wide search. The dropped winlogon.exe in turn creates Msvbvm60.dll (the Visual Basic 6 runtime) beside itself and re-opens its own image for modification. The remaining entries are locale folders and .mui resource files under drivers\ opened with write access by AE 0124 BE.exe, part of the mass file-write pattern seen in the System32 and Windows directory lists below.

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\afunix.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui | AE 0124 BE.exe
Manipulates Digital Signatures (2 IoCs)

Tampering with the DLLs that implement signature verification lets unsigned or modified code pass as validly signed: wintrust.dll provides WinVerifyTrust, and pwrshsip.dll is the Subject Interface Package (SIP) that verifies PowerShell script signatures. Both were opened with write access by AE 0124 BE.exe. These are the 32-bit copies under SysWOW64, consistent with the sample running as a 32-bit process (arch:x86 tag). Caveat: the same process opens hundreds of other system files for modification in this run, so these two hits may be collateral rather than a targeted attack on signature checking. Either way, a signature check run on the infected host (Get-AuthenticodeSignature, signtool verify) relies on these very DLLs and cannot be trusted; compare the files against known-good copies from clean media or a reference image of the same build.

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Checks computer location settings (2 TTPs, 3 IoCs)

Reads the GeoID (a numeric country/region code) stored under HKCU\Control Panel\International\Geo\Nation, a common geofencing check. All three processes (the submitted sample and both dropped executables) perform the same query. Caveat: installers and locale-aware software read this value too, so on its own it is a weak indicator; it becomes meaningful only together with behaviour that differs depending on the result, which this page does not show.

description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Executes dropped EXE (4 IoCs)

pid | process
4680 | winlogon.exe
4064 | AE 0124 BE.exe
4876 | winlogon.exe
5608 | winlogon.exe

Loads dropped DLL (3 IoCs)

pid | process
4064 | AE 0124 BE.exe
4876 | winlogon.exe
5608 | winlogon.exe

The only dropped DLL listed on this page is Msvbvm60.dll, created next to the winlogon.exe copy (see "Drops file in Drivers directory"), so these loads are consistent with the copies picking up the VB6 runtime from their own directory.

yara_rule matches

resource | yara_rule
behavioral2/memory/3180-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x0007000000023476-10.dat | upx
behavioral2/memory/4680-45-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3180-57-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4876-74-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/5608-82-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/5608-79-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4680-441-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4064-442-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4064-447-0x0000000000400000-0x000000000040B000-memory.dmp | upx

The upx rule fires on the same 0xB000-byte (44 KiB) region at image base 0x400000 in every process, so the dropped winlogon.exe and AE 0124 BE.exe copies map the same UPX-packed image as the original. pid 3180 is not in the dropped-EXE list and is presumably the submitted sample's own process. Because the UPX markers are still intact in memory, a static unpack of the file with upx -d is the first thing to try before deeper analysis.
Drops desktop.ini file(s) (57 IoCs)

All 57 entries are existing desktop.ini files under C:\Windows (WinSxS component folders, ServiceProfiles Start Menu and WinX folders, Fonts, Media, Web\Wallpaper) opened with write access by AE 0124 BE.exe. The sandbox label says "drops", but the recorded event is an open for modification of a file that is already present, i.e. the same mass-write behaviour as the System32 and Windows directory lists below rather than creation of new desktop.ini files.

description | ioc | process
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Theme1\Desktop.ini | AE 0124 BE.exe
Drops autorun.inf file (1 TTPs, 26 IoCs)

The dropped winlogon.exe writes Autorun.inf to the root of every drive letter from C: to Z: (24 volumes), the classic removable-media propagation technique (MITRE ATT&CK T1091, Replication Through Removable Media). Hitting every letter in sequence suggests the code iterates drive letters rather than enumerating mounted volumes. The two remaining entries, autorun.inf under BitLockerDiscoveryVolumeContents and under a WinSxS component folder, are existing Windows files opened by AE 0124 BE.exe and belong to its mass-write behaviour, not to propagation. Caveat for impact assessment: since Windows 7, AutoRun is disabled by default for removable drives other than optical media, so an Autorun.inf on a USB stick does not launch the copy automatically on a current system; the file still identifies the worm component, and C:\Autorun.inf is a cheap host artefact to sweep for.

description | ioc | process
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf | AE 0124 BE.exe
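To make the autorun.inf and Drivers-directory lists above actionable, here is an added triage example (my code, not the sandbox's and not the sample's) that parses records in the flattened "<action> <path> <process>" layout this page uses and applies two checks: root-level autorun.inf across many volumes (propagation) and a system-binary name written outside its home directory (masquerading). It assumes the process-name list from this report, a hand-written LEGIT_DIRS table that covers only winlogon.exe, and a three-volume threshold chosen for the example; the RECORDS list is a subset copied from the report's own lists as constructed input. The `\??\` device prefix is normalised so that entries written both ways on this page compare equal.

```python
"""Triage helpers for the flattened file-event records in this report.

Added example (not sandbox code and not the sample's). Assumptions:
- records look like "<action> <path> <process>" with no column separators,
  exactly as rendered on this page, and both path and process may contain
  spaces ("AE 0124 BE.exe");
- the process-name list is taken from the report's own sections;
- LEGIT_DIRS is a hand-written table for this example, not a Windows API.
"""
import re
from collections import defaultdict

# Process image names seen in this report. Because "AE 0124 BE.exe" contains
# spaces, a plain whitespace split cannot recover the process column, so the
# parser matches these as a trailing suffix (longest name first).
KNOWN_PROCESSES = (
    "030d78fcf7df69edcfaddfd4b4f05ec0N.exe",
    "AE 0124 BE.exe",
    "winlogon.exe",
)
ACTIONS = ("File opened for modification", "File created")

# Where the named system binary legitimately lives on 64-bit Windows 10
# (hand-written for this example).
LEGIT_DIRS = {"winlogon.exe": {r"c:\windows\system32"}}

# Subset of records copied from the report's "Drops autorun.inf file" and
# "Drops file in Drivers directory" lists (constructed input for the example).
RECORDS = [
    r"File opened for modification \??\I:\Autorun.inf winlogon.exe",
    r"File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf AE 0124 BE.exe",
    r"File opened for modification F:\Autorun.inf winlogon.exe",
    r"File opened for modification D:\Autorun.inf winlogon.exe",
    r"File opened for modification C:\Autorun.inf winlogon.exe",
    r"File opened for modification C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf AE 0124 BE.exe",
    r"File opened for modification C:\Windows\SysWOW64\drivers\winlogon.exe 030d78fcf7df69edcfaddfd4b4f05ec0N.exe",
    r"File created C:\Windows\SysWOW64\drivers\Msvbvm60.dll winlogon.exe",
]


def parse_record(line):
    """Split a record into (action, path, process); process is matched as a suffix."""
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            rest = line[len(action) + 1:]
            break
    else:
        raise ValueError(f"unknown action in record: {line!r}")
    for proc in sorted(KNOWN_PROCESSES, key=len, reverse=True):
        if rest.endswith(" " + proc):
            return action, rest[: -len(proc) - 1], proc
    raise ValueError(f"unknown process in record: {line!r}")


def normalize_path(path):
    """Drop the NT object-manager prefix so "\\??\\I:\\x" and "I:\\x" compare equal."""
    return path[4:] if path.startswith("\\??\\") else path


_ROOT_AUTORUN = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)


def autorun_roots(records):
    """Map process -> set of drive letters where it wrote autorun.inf at the root.

    autorun.inf deeper in the tree (e.g. under C:\\Windows\\WinSxS) is an existing
    file being opened, not a propagation artefact, and is deliberately ignored.
    """
    hits = defaultdict(set)
    for line in records:
        _, path, proc = parse_record(line)
        path = normalize_path(path)
        if _ROOT_AUTORUN.match(path):
            hits[proc].add(path[0].upper())
    return dict(hits)


def flag_propagation(records, min_volumes=3):
    """Processes that wrote root-level autorun.inf on at least min_volumes volumes.

    min_volumes is a triage threshold chosen for this example: one volume may be
    an installer, a run across many letters is drive-letter iteration.
    """
    return {p: sorted(v) for p, v in autorun_roots(records).items()
            if len(v) >= min_volumes}


def masquerading_drops(records):
    """(path, writer) pairs where a system-binary name is written outside its home dir."""
    out = []
    for line in records:
        _, path, proc = parse_record(line)
        path = normalize_path(path)
        directory, _, name = path.rpartition("\\")
        legit = LEGIT_DIRS.get(name.lower())
        if legit is not None and directory.lower() not in legit:
            out.append((path, proc))
    return out


if __name__ == "__main__":
    print("propagation:", flag_propagation(RECORDS))
    print("masquerading:", masquerading_drops(RECORDS))
```

Run against the subset above, flag_propagation attributes the root-level drops on C:, D:, F: and I: to winlogon.exe and nothing to AE 0124 BE.exe, whose two autorun.inf opens sit below C:\Windows; masquerading_drops returns the SysWOW64\drivers\winlogon.exe write by the submitted sample. Feeding the complete lists from this page into RECORDS yields all 24 letters.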
Drops file in System32 directory (64 IoCs)

All entries are existing files under C:\Windows\System32 and C:\Windows\SysWOW64 (catalog files in catroot, DriverStore contents, .mui resources, PowerShell DSC module files and assorted DLLs and executables) opened with write access by AE 0124 BE.exe. The monitor records the open with write access; by itself that does not establish that the contents changed. Writes to C:\Windows\System32 from a 32-bit process are redirected to SysWOW64 by WOW64 file system redirection, which is consistent with the 32-bit DLL copies appearing here. The .cat files in catroot are the catalogs Windows uses to validate signatures of OS components, so damage to them breaks signature validation of every file they cover.

description | ioc | process
File opened for modification | C:\Windows\SysWOW64\WindowsCodecs.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-AssignedAccess-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.844.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_A_TP203NA.bin | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\ntprint.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\Licenses\Volume | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-Client-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\ProximityCommon.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\uefi.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-UtilityVM-Containers-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.867.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\p2p.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\cmstp.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\uk-UA\onex.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\KBDBE.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\licmgr10.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\MapControlStringsRes.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\vccorlib140.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\perfhost.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mlx4_bus.inf_amd64_4c426f3bebc68844\ndfltr.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\activeds.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wbem\ja-JP\mispace.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ConsoleLogon.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\csrsrv.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\microsoft_bluetooth_hfp.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\et-EE\SyncRes.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0215~31bf3856ad364e35~amd64~~10.0.19041.906.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OfflineFiles-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RemoteDesktopServices-Base-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\Microsoft.Management.Infrastructure.Native.Unmanaged.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\rekeywiz.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\EapTeapConfig.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Storage-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Composable-PlatformExtension-DragDropCommon-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Opt-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WindowsSearchEngineSKU-Group-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\netmlx5.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\hidcfu.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_hfp_hf.inf_amd64_0c00f8f3a465c9a4 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\modemcsa.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_LE_4.bin | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Foundation-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Printing-LPRPortMonitor-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\InstallShield\setupdir\0013\_setup.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\MSFT_WaitForAll.psm1 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\perfts.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package01~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\dot3gpui.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\XInput9_1_0.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\iepeers.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-RDP4VS-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-RDP4VS-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\MultiPoint-Connector-Opt-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\c_sdhost.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\WUDFUsbccidDriver.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\c_legacydriver.inf_amd64_c07aa9c633b5271e | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnms004.inf_amd64_c28ee88ec1bd4178\Amd64\unisharev4-pipelineconfig.xml | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wmpeffects.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\da-DK\cdosys.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\gamingtcui.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx-Shared-WPF-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\rspndr.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\acpitime.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\es-ES | AE 0124 BE.exe
Drops file in Windows directory (64 IoCs; 60 listed on this page)

Existing files under C:\Windows (WinSxS component folders, manifests and catalogs, servicing package metadata, PolicyDefinitions, INF, SystemApps) opened with write access by AE 0124 BE.exe; the same mass-write pattern as the System32 list above. Entries whose ioc is a directory rather than a file are directory handles opened with write access.

description | ioc | process
File opened for modification | C:\Windows\rescache\_merged\2137598169 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_10.0.19041.1_en-us_81f80a2d752be55c\default.help.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-captureservice_31bf3856ad364e35_10.0.19041.789_none_29c82c298f0789ff\r | AE 0124 BE.exe
File opened for modification | C:\Windows\PolicyDefinitions\ExternalBoot.admx | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wlanutil.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_48bcbaf60d768634 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-analog-h2-animpkg-baked_31bf3856ad364e35_10.0.19041.1_none_3f2b130eba574dfc\preseteasecurveincubic.hbakedcurve | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-onecore-tiledatarepository_31bf3856ad364e35_10.0.19041.264_none_ac56521bfe3760e4\f | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\FileMaps\$$_syswow64_sru_1bf25359a7665016.cdf-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_netfx4-web_lowtrust_config_b03f5f7f11d50a3a_4.0.15805.0_none_25a7378719e6a9fb.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-msmq-admin_31bf3856ad364e35_10.0.19041.746_none_95474c6a9c3ba97b\r\mqsnap.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-w..inter-mof.resources_31bf3856ad364e35_10.0.19041.1_en-us_1f78a91110be7349\win32_printer.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_10.0.19041.1_es-es_0f6b55f6a3810546 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommoninetcore_31bf3856ad364e35_10.0.19041.292_none_994eb7d332ed2c04\WindowsInternal.Xaml.Controls.Tabs.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-f..story-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6a211abd191fcebc.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..-credprov.resources_31bf3856ad364e35_10.0.19041.1_en-us_a529a6c82f384a94.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_b390ddf34aa76759\f | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.153_none_3c9b504ec5293ad0\r\WpcTok.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-dssec.resources_31bf3856ad364e35_10.0.19041.1_es-es_824e5164c84f4401.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft.certifica..s.pkiclient.cmdlets_31bf3856ad364e35_10.0.19041.1_none_47ecebd5aa9b1862.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-devicecenter.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3ea6bba55d18f0e5 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-m..-odbc-installer-dll_31bf3856ad364e35_10.0.19041.1_none_4d70bc4a28f3092b | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\F12Logo.png | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft.packagema..e.package.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_267cc9e3b929e4bb\MSFT_PackageManagement.strings.psd1 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-appdefaults.resources_31bf3856ad364e35_10.0.19041.1_de-de_b9babb051b2c1388.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Temp\PendingDeletes\f784864736e5d701e6a100001815341f.asptlb.tlb | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_10.0.19041.1_da-dk_729e661a448c2b42 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft.jscript_b03f5f7f11d50a3a_4.0.15805.0_none_2d3289316e383500 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_10.0.19041.746_none_28fa11124ad934f2\f\PortableDeviceApi.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..ion-admxdeviceguard_31bf3856ad364e35_10.0.19041.1202_none_a269dfe23ae4758c.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1_none_4028e460f6e7e25b.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\HyperV-Worker-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-r..a-renewal.resources_31bf3856ad364e35_10.0.19041.1_en-us_91c59ce471e9015a | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-m..a-casting-shell-ext_31bf3856ad364e35_10.0.19041.746_none_b848ba69842ffe9a\f | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.Resources\2.0.0.0_ja_b03f5f7f11d50a3a | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..tings-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_cde59ac0ef541089\MobilePCPresentationSettings.adml | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_it-it_a0b367f31f29d0aa.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Catalogs\992b589bac624d119690c20e585e86168fc636cccfbeea251d53107f2aea7bf4.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-portableworkspaces-sso_31bf3856ad364e35_10.0.19041.1_none_ce500b669df90d6a.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-diskpart_31bf3856ad364e35_10.0.19041.1_none_291e1d3069ab2f3a\diskpart.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceState\EventLog | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-dafwfdprovider_31bf3856ad364e35_10.0.19041.1_none_b058c457605b2980\dafWfdProvider.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_it-it_308ba2a61630130b.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-d..ctionflow.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7ee11b7cdfbb9de8.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\wow64_microsoft.security...gement.policyengine_31bf3856ad364e35_10.0.19041.1_none_ed7abf52c2a42a9d.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_system.xaml.hosting.resources_31bf3856ad364e35_4.0.15805.0_ja-jp_39ef447e5043a4bf\System.Xaml.Hosting.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\INF\netserv.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-efs-lsa-extension_31bf3856ad364e35_10.0.19041.1165_none_3e0b1e846a203ebe\f\efslsaext.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-i..l-keyboard-00000428_31bf3856ad364e35_10.0.19041.1_none_aaa260d335f754f3 | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-b...appxmain.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2764d42ed8c9566f\resources.fr-FR.pri | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.84_none_24f8aafdaceaf0b5\square44x44logo.scale-100.png | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-d..in.deploy.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_02a093c3971a7e52\resources.fr-FR.pri | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\amd64_dual_ntprint4.inf_31bf3856ad364e35_10.0.19041.746_none_284758abe10778d6\r | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..xperfcore.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_2b3772d51a33d187.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-g..shell-exe.resources_31bf3856ad364e35_10.0.19041.1_en-us_010ac3c9c8bf957a\powershell_ise.resources.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\servicing\Packages\HyperV-UX-UI-Client-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.mum | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-u..tionuxexe.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_247930607e3d4efc.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-wmpdxm_31bf3856ad364e35_10.0.19041.1266_none_2352a132115da13b\f | AE 0124 BE.exe
File opened for modification | C:\Windows\PolicyDefinitions\it-IT\Camera.adml | AE 0124 BE.exe
File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\i_show_pseudo_classes.png | AE 0124 BE.exe
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\iisreg.dll AE 0124 BE.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\ProviderList.ascx AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-smbserver-v2.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_896f1a1dc2d43e0f\srv2.sys.mui AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-w..per-tcpip.resources_31bf3856ad364e35_10.0.19041.1_en-us_191f132b3e6a20ca\wshtcpip.dll.mui AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
-
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Windows\AE 0124 BE.C:\WINDOWS\Installer\SourceHash{90120000-006E-0409-0000-0000000FF1CE} | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
3180 | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe
4680 | winlogon.exe
4064 | AE 0124 BE.exe
4876 | winlogon.exe
5608 | winlogon.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 3180 wrote to memory of 4680 | 3180 | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe | 89
PID 3180 wrote to memory of 4680 | 3180 | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe | 89
PID 3180 wrote to memory of 4680 | 3180 | 030d78fcf7df69edcfaddfd4b4f05ec0N.exe | 89
PID 4680 wrote to memory of 4064 | 4680 | winlogon.exe | 90
PID 4680 wrote to memory of 4064 | 4680 | winlogon.exe | 90
PID 4680 wrote to memory of 4064 | 4680 | winlogon.exe | 90
PID 4680 wrote to memory of 4876 | 4680 | winlogon.exe | 91
PID 4680 wrote to memory of 4876 | 4680 | winlogon.exe | 91
PID 4680 wrote to memory of 4876 | 4680 | winlogon.exe | 91
PID 4064 wrote to memory of 5608 | 4064 | AE 0124 BE.exe | 92
PID 4064 wrote to memory of 5608 | 4064 | AE 0124 BE.exe | 92
PID 4064 wrote to memory of 5608 | 4064 | AE 0124 BE.exe | 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\030d78fcf7df69edcfaddfd4b4f05ec0N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\030d78fcf7df69edcfaddfd4b4f05ec0N.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3180
-
  C:\Windows\SysWOW64\drivers\winlogon.exe (depth 2, child of PID 3180)
  Command line: "C:\Windows\System32\drivers\winlogon.exe"
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4680
  -
    C:\Windows\AE 0124 BE.exe (depth 3, child of PID 4680)
    Command line: "C:\Windows\AE 0124 BE.exe"
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4064
    -
      C:\Windows\SysWOW64\drivers\winlogon.exe (depth 4, child of PID 4064)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 5608
    -
    C:\Windows\SysWOW64\drivers\winlogon.exe (depth 3, child of PID 4680)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID: 4876
-
Network
MITRE ATT&CK Enterprise v15
Downloads