f813b84c9b94d49c2c13cb6243994cc57d653ab7f342ab4adb3075259847ed93

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d139b69481bd8d8e19a69076e324060N.exe
Size

488KB
MD5

3d139b69481bd8d8e19a69076e324060
SHA1

055411e49b2fbf273c38339547e3bf9a574574de
SHA256

f813b84c9b94d49c2c13cb6243994cc57d653ab7f342ab4adb3075259847ed93
SHA512

19bbbd58a35def0a91f92eb2295e84b3dbc4fd2e568363065de8800483372d9f8f2d295baeff59dbcb9cb17ccc925033f42fc5864afeb91934ecfd32b18bb91a
SSDEEP

12288:V/ML/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:V0K2O2HIBEd7M

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
2776	Tiwi.exe
2684	IExplorer.exe
1152	winlogon.exe
288	imoet.exe
2708	Tiwi.exe
2816	Tiwi.exe
1816	IExplorer.exe
2020	IExplorer.exe
1128	Tiwi.exe
1524	Tiwi.exe
1944	winlogon.exe
2436	IExplorer.exe
2428	winlogon.exe
2112	Tiwi.exe
1708	imoet.exe
2720	IExplorer.exe
2156	winlogon.exe
2760	IExplorer.exe
2756	winlogon.exe
2716	winlogon.exe
3036	cute.exe
2924	imoet.exe
2744	imoet.exe
2912	imoet.exe
2772	imoet.exe
2964	cute.exe
2584	cute.exe
1728	cute.exe
1400	cute.exe
1204	Tiwi.exe
1764	cute.exe
1808	IExplorer.exe
2796	winlogon.exe
2844	imoet.exe
2600	cute.exe

Loads dropped DLL 53 IoCs

pid	Process
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2776	Tiwi.exe
2776	Tiwi.exe
2776	Tiwi.exe
2776	Tiwi.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2684	IExplorer.exe
2684	IExplorer.exe
2776	Tiwi.exe
2776	Tiwi.exe
2684	IExplorer.exe
2684	IExplorer.exe
288	imoet.exe
288	imoet.exe
288	imoet.exe
288	imoet.exe
1152	winlogon.exe
1152	winlogon.exe
2776	Tiwi.exe
2776	Tiwi.exe
1152	winlogon.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
1152	winlogon.exe
1152	winlogon.exe
288	imoet.exe
2684	IExplorer.exe
2684	IExplorer.exe
1152	winlogon.exe
1152	winlogon.exe
2684	IExplorer.exe
2684	IExplorer.exe
288	imoet.exe
288	imoet.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
2356	3d139b69481bd8d8e19a69076e324060N.exe
3036	cute.exe
3036	cute.exe
3036	cute.exe
3036	cute.exe
3036	cute.exe
3036	cute.exe
3036	cute.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\G:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\V:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\J:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\L:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\U:	imoet.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\B:	cute.exe
File opened (read-only)	\??\P:	Tiwi.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\I:	imoet.exe
File opened (read-only)	\??\I:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\Q:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\E:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\B:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\U:	Tiwi.exe
File opened (read-only)	\??\Y:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\L:	cute.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\X:	3d139b69481bd8d8e19a69076e324060N.exe
File opened (read-only)	\??\E:	Tiwi.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\R:	3d139b69481bd8d8e19a69076e324060N.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tiwi.scr	3d139b69481bd8d8e19a69076e324060N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	3d139b69481bd8d8e19a69076e324060N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	3d139b69481bd8d8e19a69076e324060N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	3d139b69481bd8d8e19a69076e324060N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	3d139b69481bd8d8e19a69076e324060N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3d139b69481bd8d8e19a69076e324060N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\tiwi.exe	3d139b69481bd8d8e19a69076e324060N.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	3d139b69481bd8d8e19a69076e324060N.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d139b69481bd8d8e19a69076e324060N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1"	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Mouse\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s1159 = "Tiwi"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	3d139b69481bd8d8e19a69076e324060N.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3d139b69481bd8d8e19a69076e324060N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	3d139b69481bd8d8e19a69076e324060N.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2776	Tiwi.exe
288	imoet.exe
1152	winlogon.exe
2684	IExplorer.exe
3036	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2356	3d139b69481bd8d8e19a69076e324060N.exe
2776	Tiwi.exe
2684	IExplorer.exe
1152	winlogon.exe
288	imoet.exe
2708	Tiwi.exe
2816	Tiwi.exe
2020	IExplorer.exe
1128	Tiwi.exe
1816	IExplorer.exe
1944	winlogon.exe
2436	IExplorer.exe
2112	Tiwi.exe
2720	IExplorer.exe
1524	Tiwi.exe
1708	imoet.exe
2760	IExplorer.exe
2428	winlogon.exe
2756	winlogon.exe
2156	winlogon.exe
2716	winlogon.exe
2744	imoet.exe
3036	cute.exe
2772	imoet.exe
2924	imoet.exe
2912	imoet.exe
2964	cute.exe
2584	cute.exe
1728	cute.exe
1400	cute.exe
1764	cute.exe
1204	Tiwi.exe
1808	IExplorer.exe
2796	winlogon.exe
2844	imoet.exe
2600	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2776	2356	3d139b69481bd8d8e19a69076e324060N.exe	31
PID 2356 wrote to memory of 2776	2356	3d139b69481bd8d8e19a69076e324060N.exe	31
PID 2356 wrote to memory of 2776	2356	3d139b69481bd8d8e19a69076e324060N.exe	31
PID 2356 wrote to memory of 2776	2356	3d139b69481bd8d8e19a69076e324060N.exe	31
PID 2356 wrote to memory of 2684	2356	3d139b69481bd8d8e19a69076e324060N.exe	32
PID 2356 wrote to memory of 2684	2356	3d139b69481bd8d8e19a69076e324060N.exe	32
PID 2356 wrote to memory of 2684	2356	3d139b69481bd8d8e19a69076e324060N.exe	32
PID 2356 wrote to memory of 2684	2356	3d139b69481bd8d8e19a69076e324060N.exe	32
PID 2356 wrote to memory of 1152	2356	3d139b69481bd8d8e19a69076e324060N.exe	33
PID 2356 wrote to memory of 1152	2356	3d139b69481bd8d8e19a69076e324060N.exe	33
PID 2356 wrote to memory of 1152	2356	3d139b69481bd8d8e19a69076e324060N.exe	33
PID 2356 wrote to memory of 1152	2356	3d139b69481bd8d8e19a69076e324060N.exe	33
PID 2356 wrote to memory of 288	2356	3d139b69481bd8d8e19a69076e324060N.exe	34
PID 2356 wrote to memory of 288	2356	3d139b69481bd8d8e19a69076e324060N.exe	34
PID 2356 wrote to memory of 288	2356	3d139b69481bd8d8e19a69076e324060N.exe	34
PID 2356 wrote to memory of 288	2356	3d139b69481bd8d8e19a69076e324060N.exe	34
PID 2356 wrote to memory of 2708	2356	3d139b69481bd8d8e19a69076e324060N.exe	35
PID 2356 wrote to memory of 2708	2356	3d139b69481bd8d8e19a69076e324060N.exe	35
PID 2356 wrote to memory of 2708	2356	3d139b69481bd8d8e19a69076e324060N.exe	35
PID 2356 wrote to memory of 2708	2356	3d139b69481bd8d8e19a69076e324060N.exe	35
PID 2776 wrote to memory of 2816	2776	Tiwi.exe	36
PID 2776 wrote to memory of 2816	2776	Tiwi.exe	36
PID 2776 wrote to memory of 2816	2776	Tiwi.exe	36
PID 2776 wrote to memory of 2816	2776	Tiwi.exe	36
PID 2356 wrote to memory of 1816	2356	3d139b69481bd8d8e19a69076e324060N.exe	38
PID 2356 wrote to memory of 1816	2356	3d139b69481bd8d8e19a69076e324060N.exe	38
PID 2356 wrote to memory of 1816	2356	3d139b69481bd8d8e19a69076e324060N.exe	38
PID 2356 wrote to memory of 1816	2356	3d139b69481bd8d8e19a69076e324060N.exe	38
PID 2776 wrote to memory of 2020	2776	Tiwi.exe	39
PID 2776 wrote to memory of 2020	2776	Tiwi.exe	39
PID 2776 wrote to memory of 2020	2776	Tiwi.exe	39
PID 2776 wrote to memory of 2020	2776	Tiwi.exe	39
PID 2684 wrote to memory of 1128	2684	IExplorer.exe	37
PID 2684 wrote to memory of 1128	2684	IExplorer.exe	37
PID 2684 wrote to memory of 1128	2684	IExplorer.exe	37
PID 2684 wrote to memory of 1128	2684	IExplorer.exe	37
PID 1152 wrote to memory of 1524	1152	winlogon.exe	40
PID 1152 wrote to memory of 1524	1152	winlogon.exe	40
PID 1152 wrote to memory of 1524	1152	winlogon.exe	40
PID 1152 wrote to memory of 1524	1152	winlogon.exe	40
PID 2776 wrote to memory of 1944	2776	Tiwi.exe	41
PID 2776 wrote to memory of 1944	2776	Tiwi.exe	41
PID 2776 wrote to memory of 1944	2776	Tiwi.exe	41
PID 2776 wrote to memory of 1944	2776	Tiwi.exe	41
PID 2356 wrote to memory of 2428	2356	3d139b69481bd8d8e19a69076e324060N.exe	42
PID 2356 wrote to memory of 2428	2356	3d139b69481bd8d8e19a69076e324060N.exe	42
PID 2356 wrote to memory of 2428	2356	3d139b69481bd8d8e19a69076e324060N.exe	42
PID 2356 wrote to memory of 2428	2356	3d139b69481bd8d8e19a69076e324060N.exe	42
PID 2684 wrote to memory of 2436	2684	IExplorer.exe	43
PID 2684 wrote to memory of 2436	2684	IExplorer.exe	43
PID 2684 wrote to memory of 2436	2684	IExplorer.exe	43
PID 2684 wrote to memory of 2436	2684	IExplorer.exe	43
PID 2776 wrote to memory of 1708	2776	Tiwi.exe	44
PID 2776 wrote to memory of 1708	2776	Tiwi.exe	44
PID 2776 wrote to memory of 1708	2776	Tiwi.exe	44
PID 2776 wrote to memory of 1708	2776	Tiwi.exe	44
PID 288 wrote to memory of 2112	288	imoet.exe	45
PID 288 wrote to memory of 2112	288	imoet.exe	45
PID 288 wrote to memory of 2112	288	imoet.exe	45
PID 288 wrote to memory of 2112	288	imoet.exe	45
PID 2684 wrote to memory of 2156	2684	IExplorer.exe	46
PID 2684 wrote to memory of 2156	2684	IExplorer.exe	46
PID 2684 wrote to memory of 2156	2684	IExplorer.exe	46
PID 2684 wrote to memory of 2156	2684	IExplorer.exe	46

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3d139b69481bd8d8e19a69076e324060N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	3d139b69481bd8d8e19a69076e324060N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe

C:\Users\Admin\AppData\Local\Temp\3d139b69481bd8d8e19a69076e324060N.exe
"C:\Users\Admin\AppData\Local\Temp\3d139b69481bd8d8e19a69076e324060N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2356
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2776
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2020
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1944
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3036
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1204
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1808
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2796
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2844
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2600
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2684
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1128
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2436
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2156
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2772
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2584
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1152
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1524
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2964
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:288
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2112
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2720
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2756
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2912
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1728
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1816
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2428
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2924
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1400
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
488KB

MD5
7211193bffee1df1c05e295be7fca7e6

SHA1
d3e3306b5eb2b53b1fcd22b7827ab8a4561b0a71

SHA256
5205f1dbaee8385ae249e2ce14f077a62cf77f1fee28198cd1a22998276e7e85

SHA512
ee4f08da3df92c503f4779168a5b99a82819965afde233cb4e2bb2a9a0f29c5f69fa07559217afe80a0efb84ce7873bbd33eb1611280a802f3df61e335b65854

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
cd60cc844ef7e3ddb36006c2215c2c29

SHA1
3c587d18dff91a551d19dbd0ce8ab3d935805669

SHA256
7980776d1387c639a74231a5766c96332305e4bdba78c0377f9e1f610c3e3c2a

SHA512
371defbea47a3d90853900d604f25eeab34b6c752b8dd69ea5143d0acfb0d4a806d3d0135eeb265b03443d40e09004a301488b77c106907b7508169e13290c18

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
488KB

MD5
f2ca9dc34a24d284fcf67a403c845a74

SHA1
e5d05b78ffb92217ecee2327499b01c0669438a0

SHA256
9aeeb224902b90ea4ac2cd66aeed3a5e127d9b147f6d92db77d5a97529080e9a

SHA512
b994ce60add1bafa6a9774219a88835b2d6d81833b4ca2568474ad7d97365f082c0be17397e948442d06c830bc2b21eece5152a4c670340cfbc1895255ae8baf

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
728ff4b35593e33192ce29ea452a694c

SHA1
b7c8d1db560407a68f974b80de876c70ec729065

SHA256
b81ea80d54b5cedee73e70c86c441bed884e1b36d65d965801a37fd591e793c0

SHA512
6659f59f52706b4a64c0aab201562ec667783b0cb95f82a7d2c8d6a361211d0fb67b2f867690f8b9a78251550fbfe47ef2e2b98e05cbf977c0ef18bba9f4781b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
49782caf1232e2b53940db1aa07a9d94

SHA1
e5906c68dfdf4766f82af3fb7c06cfc053f0e028

SHA256
65e62f04f90b4af1fa6ba3e0e4801dcda068cbab1c0b948713941b0ad2dfb1d6

SHA512
a829076f8ec1bc011404d0028fe639ac654a4eb52022f5dbd9856d06415f25c524951bf7d9309e8a945f34c800b7d926b6d874434615ee190d3af999c1a7ea60

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
debdb55a67337d6167b856ae138e5eb2

SHA1
0d5056ab4e5d3706d7f0c93f0c480ee8b8f224e7

SHA256
d0f20f4e21b86e5ad452430929b67f5496d4ab14f668d0461ae2115718e4dc57

SHA512
9e84e0d48efbc3e8299596b0357507db7552bd652fddd8378f487e6b7bbcf82151630204e789d22c3d773c8a36dd76184686d157a572d64f3d5566afec1d822d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
70c6c52df955d3eb50d2ae0da427f34f

SHA1
f70ac0fbf55d2263797c9db33f8821a5ca06bc48

SHA256
1d76f01d806d74f5de66543a3a6a108edcacda0668a4fa8fba53b59e8c16b322

SHA512
11629fcd881080d11af415c9c908dbcb3235d7d40756b32909ceb612569dfba83182e0ffae5a31c4f464b61d948582db922865b82664a695214aa1047d36db3e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
768a6e8bcae287058124b97f406cd31c

SHA1
41d0c17863755818a60b9a720c1fe2a60f26517e

SHA256
db52041d3ebc37bfcd55a73cd1832c003b632c56c02c021c022190c5f8fa157c

SHA512
954a6152a3c57301b88efa5d32ba90b913730e387b31c6da8b567cfbcabbc5514f10cf44fe43cf3b2fe51ae83030627bf12998b70eca1c7b3c439e4e0720df66

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
913bf977b733861750e0ff731d5ea7d9

SHA1
8aa11000e1a6a24a57c1571de665a3a3dd6cd498

SHA256
3657d42db8a6bb5f0c0f6c608467ebc84a56a7a81885ef767cb697fd9ea3c762

SHA512
38561349c5241c680838d0f68f2946adcd9491e469da5006430f22888a6467ff8f7bb08f1191e51585db7954a08e3cc99c5af009f3c992428b822f2ecb80aca6

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
536c3488909514704fecabbdc899fee8

SHA1
35ce7b7afdff315cff2e951def17594caa3393c3

SHA256
db55b868acfdd37bf42487b750606ec29661c785a940681d2c34dbc1e81b7d12

SHA512
d8cf8450ab27d929e2b1fbbc49326daef814d3d9c7619bb60758aa02295c59639be4b9914139e7543f378ce967855af51bec08949f677b8daf9ca66e31cccdfb

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
c174d237b6ab287cf7e7190b9e9bf33a

SHA1
75c0ff9588b1358f38185fc99932b39ef240704d

SHA256
834a57572a343f6ff6e3aeeb9b21836691b8351e1527d99356ba102d764424fb

SHA512
62d08fcf1f6889d1d3a88f227945247e0e6f6ba00e34c4543a0aaa23816c558daae5c2a3f1cc7bc702aad86984428b7260f0750e47fe7e27a4484e3724ed2b1a

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
83889d73e94d8b02d3e7b77513b6f190

SHA1
ab5c7acb7a9672a7cf29362e7954a045e82435ce

SHA256
92c970424e063709fa2d0f0056fac60d3dc99d1771c6ed92d1439f187cfc20aa

SHA512
cf57354578d91c806322b38bb825ee604098d1d16e59fff7190a069d369610329588554251d9e4f286e13623bbedc2c664600ef779af95cc3a71c8371cbc883f

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
46c2ef2116a81fccaef93aa5f9f9e69d

SHA1
199c1730e5424fcd6b9e385a4ab800e7139e2fb1

SHA256
d69aeaa10aa5d47d6f560f12bd0b518f2bf93f60bf2fc279c32957b52e65f9d1

SHA512
2f6de471e3223c02b639a5e0c7ef9c584bf5e817aa64d1d8981bf29a11c0cf174285dd96b076d3c13d40e1ea37add3e42101c787046837534d72ee05981420e1

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
ab2990b0bcfd32a91aa141f2a12cef80

SHA1
5ed36836e72ef81305ad8c91b206199aee7495c4

SHA256
f46dd184734d52da3691155279d8fbbb2340571b6798617b926c8fcb2cc1b441

SHA512
ef763fe31779d62a4913e6a97eacd579ed36a7d3651bc88077a993d7b0a68efaafd1072d194c51299839baa5bf1b811d27e34c57c1317dd2eddce26ed22191c5

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
07321e97441e42e00584bd62567d7321

SHA1
2a10d85c7ea0efe325fcbbdc615718879d7a25b6

SHA256
97566e42a2005165178766fbb595f235033e0492e687324ff33762cae20bb715

SHA512
6acdc7f5954b944b51b46741e8328a01f2f2e24493cb24db439f251a55f25b9eed1f9aa98dd9cf9c229b9581837edb0b0689fae677616c3e1048f3bbde95ba1c

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
8130af817e068dacf609296a9505fe1e

SHA1
3c0b73adb73f627f477c791996a2965c9f687c18

SHA256
ad8936d7def44aa2dcddb1bf7c4da7907b1ee83b2f52ac3bafa8e86993d8149d

SHA512
dcbe90cfe001108093a549609cb3676b64b21c342e8976833ba321c952fdb3d2be17c3cafa1494533369342e902e44a0f915dd7a613831a14d6db08e4b549b9e

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
3d139b69481bd8d8e19a69076e324060

SHA1
055411e49b2fbf273c38339547e3bf9a574574de

SHA256
f813b84c9b94d49c2c13cb6243994cc57d653ab7f342ab4adb3075259847ed93

SHA512
19bbbd58a35def0a91f92eb2295e84b3dbc4fd2e568363065de8800483372d9f8f2d295baeff59dbcb9cb17ccc925033f42fc5864afeb91934ecfd32b18bb91a

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
1942265a98b65c0051db57b3d8ea4106

SHA1
542cd1499c29cb4abef5e57cb0bc41aaa43ef325

SHA256
22440e1920ee70e1b76cc24d6dfd9530f24db8533e2e29b82f7d036bf537848d

SHA512
506886a5b07d62ee343add3256d764ea0e82afd719fe88a9f56ee3380c5c2cc8a8031c196f7edc313ce42a1634edec341e21b1de6618fa592cb671490dd6dc50

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
c64677fc7d5cbeb36bd75c59a45d8950

SHA1
519d6d1dede970cfa6e6ae93dccf1c9c1c7d4668

SHA256
ebf67dfe479e5ec2cc7f2ee768d9d9f04ee5493dadf7bcbdd927b132a5814cb9

SHA512
60060a31cd18b864c80f975fd2637398401417542c6623efa341c852fb19c89c812809628e524fda80f8e331c1a8ef43cb0449cfc7a53b92cf76b5ee17ad62b7

Download Submit
C:\Windows\tiwi.exe

Filesize
488KB

MD5
af0ae8a7c3927761018452b0aac6f6c0

SHA1
7417b026855533f384b731b95bb411c44130872d

SHA256
c98161ee42e38b9f99aa871e3e4e64cd124fd8b60c009caa9454a5dc2575daf9

SHA512
e715208b780e491d2814d09129b3ce833edd16823cd9ca36b06cf4f3729b826c31632d58899f54ece9a0118d65df292fc0578e884834400019a7fa8d5292f817

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
7d8dc315f3fb8fb78442c44ca03b1a17

SHA1
f3d71aed66223ce50b6d850d16b554d27c7bd54a

SHA256
2bba626328438bafa741fb205a7cbb8558b257999b95a45f62ccf1ffa1a5363c

SHA512
4808c0ecd93b01233027c77e55810b1a87c02e480c9b0ddd6c2f7d0d7f37ab87ca6e62047ada57115186385b8797253f10bb91e65fccb8b5cf84419c93908480

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
3064c5b9e10bec17a5ca4596fd7da42b

SHA1
8d93b3bd51463ccfbf73b07acc4585cceb1f387d

SHA256
34e51a69fffa35048b39d2aa93391a613b0550cc22dd677e681e42a6a6c515b6

SHA512
d5c045f6a4b999f1a7a0710f9c2759341abec5bd481edd074702a2ee8a35c4dfcfc577349c5e4fb1a26ce14d53a08522f6d47aaa235d443e7eb8fe66942f10c5

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
c04bcfefb77f208bd7c5d96e1c3af940

SHA1
de0af7d75944d421cba590256dd2d5c420cb5c58

SHA256
538b2db1dc67f4f162f8b1c7bac4829443e6d7bcd19b5bd654b0d078f5184f48

SHA512
8cc4d1d174b598d489ac5e6d15659dc8231ecc35d822831129fbc49322cd3e838c7e6fb4f7d08b821814cee22c4b6b40d74a40edbb4a4dba8c8cc200551c470b

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
488KB

MD5
8bd0718d719c28e2d3c06d57b23d29b4

SHA1
50809f2bbc08ef41def49d5c633c8bbd72eb2fd3

SHA256
9703d21e8555050f40cc5d51f90857b101398ffecc5af4637d067fa76cc0b878

SHA512
7c10e4f7f3f82608352b0b379c752463337ee5b02bbfede321409e1ac65cbc06a9b8b2fc054e55cd2abb8b01c344aa5e0fbd5107b1fde43f7b03dbdd3dbad4ed

Download Submit
memory/288-451-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/288-138-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1128-313-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1152-450-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1152-126-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1204-438-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1524-363-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2020-305-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2020-306-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2112-356-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2112-358-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2356-136-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-124-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-99-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-98-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-110-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-439-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-111-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-185-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-137-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2356-125-0x00000000037F0000-0x0000000003DEF000-memory.dmp

Filesize
6.0MB

Download
memory/2436-326-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2436-327-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2684-112-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2684-449-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2708-264-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2708-265-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2708-186-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2716-374-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2776-448-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2776-100-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2816-224-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2816-268-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2816-270-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download