Analysis
max time kernel: 120s
max time network: 73s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 07:44
Behavioral task: behavioral1
Sample: 8bb5de396611f142f328ef2fa6990400N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 8bb5de396611f142f328ef2fa6990400N.exe
Resource: win10v2004-20240709-en
General
Target: 8bb5de396611f142f328ef2fa6990400N.exe
Size: 232KB
MD5: 8bb5de396611f142f328ef2fa6990400
SHA1: 4d2f9fe3cba1cab89f522a646a1591a7630186db
SHA256: d084dcae942a3b6b27b8b85fc44b9c81334132ba6ea271d58ae45625e8b25f4f
SHA512: cf7fd9a173914b0458e3c48560d88790e485717c56ff05df3912e6ec5bc1c421e6beef454e7b2f2badaa0297080da77f7ef9363cf4f5a5b4ddffbb1652cc7fd8
SSDEEP: 3072:2r+Fu+gOSmvuVQL9KpjbbNC8vM7Mh8nWmEw7/8kuuc+BxWhJ+UV05M1:RSm26UbbZvMgrmEs7eVMM1
Malware Config
Signatures
-
Drops file in Drivers directory 60 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
2260 | winlogon.exe
2268 | AE 0124 BE.exe
3028 | winlogon.exe
3000 | winlogon.exe
Loads dropped DLL 8 IoCs
pid | Process
2796 | 8bb5de396611f142f328ef2fa6990400N.exe
2796 | 8bb5de396611f142f328ef2fa6990400N.exe
2260 | winlogon.exe
2260 | winlogon.exe
2268 | AE 0124 BE.exe
2268 | AE 0124 BE.exe
3028 | winlogon.exe
3000 | winlogon.exe
resource | yara_rule
behavioral1/memory/2796-0-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/files/0x00070000000186f7-43.dat | upx
behavioral1/memory/2260-58-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/2260-75-0x0000000001BD0000-0x0000000001BDB000-memory.dmp | upx
behavioral1/memory/2796-80-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/3000-104-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/3028-105-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/2260-624-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/2268-627-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral1/memory/2268-650-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Blocklisted process makes network request 2 IoCs
flow | pid | Process
3 | 2824 | msiexec.exe
4 | 1744 | msiexec.exe
Drops desktop.ini file(s) 64 IoCs
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 1 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Windows Kits\10\UnionMetadata\Facade\Windows.WinMD | msiexec.exe
Drops file in Windows directory 64 IoCs
for modification C:\Windows\winsxs\amd64_prnle002.inf_31bf3856ad364e35_6.1.7600.16385_none_3b502763cd055411\Amd64\LRC400D.GPD AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-soundrec-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f53b85b846ced058.manifest AE 0124 BE.exe File opened for modification C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\AuditPolicyGPManagedStubs.Interop.dll AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..icecommon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bc8561d363092f37 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-i..o5-codecs.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2df9f88840d7da5e AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_156a09ae10d25f64.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-help-sync.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ee9ea6008c41eda AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-upnpssdp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9fada492807dfef9 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c8a8ee4f97b7f12\sqlsoldb.chm AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Catalogs\19f2a84f5a84977dc21725d93db3f0776599d56925550ab5adb361486cf5b5fe.cat AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\amd64_microsoft-windows-windowscodecext_31bf3856ad364e35_7.1.7601.16492_none_e2cfe30f5a6e4384.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\wow64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3ca326d24eecb0f3.manifest AE 0124 BE.exe File 
opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-e..host-peer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_29f6f74381d53337.manifest AE 0124 BE.exe File opened for modification C:\Windows\winsxs\x86_wpf-presentationframework.luna_31bf3856ad364e35_6.1.7601.17514_none_33660260677d7e6a AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.1.7601.17514_none_d961938b8cd1e885_dhcpcore.dll_8036fe08 AE 0124 BE.exe File opened for modification C:\Windows\winsxs\Manifests\wow64_microsoft-windows-winsrv_31bf3856ad364e35_6.1.7601.17932_none_1ee1ad8fe7677bb7.manifest AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 27 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1744 | msiexec.exe
1744 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2824 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2824 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1744 | msiexec.exe
Token: SeSecurityPrivilege | 1744 | msiexec.exe
Token: SeCreateTokenPrivilege | 2824 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2824 | msiexec.exe
Token: SeLockMemoryPrivilege | 2824 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2824 | msiexec.exe
Token: SeMachineAccountPrivilege | 2824 | msiexec.exe
Token: SeTcbPrivilege | 2824 | msiexec.exe
Token: SeSecurityPrivilege | 2824 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2824 | msiexec.exe
Token: SeLoadDriverPrivilege | 2824 | msiexec.exe
Token: SeSystemProfilePrivilege | 2824 | msiexec.exe
Token: SeSystemtimePrivilege | 2824 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2824 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2824 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2824 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2824 | msiexec.exe
Token: SeBackupPrivilege | 2824 | msiexec.exe
Token: SeRestorePrivilege | 2824 | msiexec.exe
Token: SeShutdownPrivilege | 2824 | msiexec.exe
Token: SeDebugPrivilege | 2824 | msiexec.exe
Token: SeAuditPrivilege | 2824 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2824 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2824 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2824 | msiexec.exe
Token: SeUndockPrivilege | 2824 | msiexec.exe
Token: SeSyncAgentPrivilege | 2824 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2824 | msiexec.exe
Token: SeManageVolumePrivilege | 2824 | msiexec.exe
Token: SeImpersonatePrivilege | 2824 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2824 | msiexec.exe
Token: SeBackupPrivilege | 612 | vssvc.exe
Token: SeRestorePrivilege | 612 | vssvc.exe
Token: SeAuditPrivilege | 612 | vssvc.exe
Token: SeBackupPrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1332 | DrvInst.exe
Token: SeRestorePrivilege | 1332 | DrvInst.exe
Token: SeRestorePrivilege | 1332 | DrvInst.exe
Token: SeRestorePrivilege | 1332 | DrvInst.exe
Token: SeRestorePrivilege | 1332 | DrvInst.exe
Token: SeRestorePrivilege | 1332 | DrvInst.exe
Token: SeRestorePrivilege | 1332 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1332 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1332 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1332 | DrvInst.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1744 | msiexec.exe
Token: SeRestorePrivilege | 1744 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2824 | msiexec.exe
2824 | msiexec.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2796 | 8bb5de396611f142f328ef2fa6990400N.exe
2260 | winlogon.exe
2268 | AE 0124 BE.exe
3028 | winlogon.exe
3000 | winlogon.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
PID 2796 wrote to memory of 2824 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 30
PID 2796 wrote to memory of 2824 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 30
PID 2796 wrote to memory of 2824 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 30
PID 2796 wrote to memory of 2824 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 30
PID 2796 wrote to memory of 2824 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 30
PID 2796 wrote to memory of 2824 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 30
PID 2796 wrote to memory of 2824 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 30
PID 2796 wrote to memory of 2260 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 31
PID 2796 wrote to memory of 2260 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 31
PID 2796 wrote to memory of 2260 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 31
PID 2796 wrote to memory of 2260 | 2796 | 8bb5de396611f142f328ef2fa6990400N.exe | 31
PID 2260 wrote to memory of 2268 | 2260 | winlogon.exe | 32
PID 2260 wrote to memory of 2268 | 2260 | winlogon.exe | 32
PID 2260 wrote to memory of 2268 | 2260 | winlogon.exe | 32
PID 2260 wrote to memory of 2268 | 2260 | winlogon.exe | 32
PID 2260 wrote to memory of 3028 | 2260 | winlogon.exe | 33
PID 2260 wrote to memory of 3028 | 2260 | winlogon.exe | 33
PID 2260 wrote to memory of 3028 | 2260 | winlogon.exe | 33
PID 2260 wrote to memory of 3028 | 2260 | winlogon.exe | 33
PID 2268 wrote to memory of 3000 | 2268 | AE 0124 BE.exe | 34
PID 2268 wrote to memory of 3000 | 2268 | AE 0124 BE.exe | 34
PID 2268 wrote to memory of 3000 | 2268 | AE 0124 BE.exe | 34
PID 2268 wrote to memory of 3000 | 2268 | AE 0124 BE.exe | 34
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bb5de396611f142f328ef2fa6990400N.exe "C:\Users\Admin\AppData\Local\Temp\8bb5de396611f142f328ef2fa6990400N.exe" 1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796
-
C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi" 2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2824
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260
-
C:\Windows\AE 0124 BE.exe "C:\Windows\AE 0124 BE.exe" 3⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
-
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3000
-
-
-
C:\Windows\SysWOW64\drivers\winlogon.exe "C:\Windows\System32\drivers\winlogon.exe" 3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3028
-
-
-
C:\Windows\system32\msiexec.exe C:\Windows\system32\msiexec.exe /V 1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:612
-
C:\Windows\system32\DrvInst.exe DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000038C" "00000000000005A0" 1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1332
Network
MITRE ATT&CK Enterprise v15
Downloads