Analysis
max time kernel: 120s
max time network: 62s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 18-08-2024 10:11
Static task: static1
Behavioral task: behavioral1
Sample: de2858ef35c83552b8dbd001944a4110N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: de2858ef35c83552b8dbd001944a4110N.exe
Resource: win10v2004-20240802-en
General
Target: de2858ef35c83552b8dbd001944a4110N.exe
Size: 717KB
MD5: de2858ef35c83552b8dbd001944a4110
SHA1: dee07648c9bcecab3c13fe06f288226b30c575ec
SHA256: ba715b42b9b023c81247b5d7c834f3b896fc658c1ffc563f4d3fe3d76e161b1a
SHA512: 40919c8b638bcb395412d4b18dd3e765ad4b2c8150a6d2e5b46dcde0d8d76b8f1cd55fe335a42d929bf4daa374584bd52797d19456c80775cff80f96cd3ce5f1
SSDEEP: 12288:/MHL/AmVt07kw3jl2tBds5IBjxMbJxuz+N1qqQD:EdVql3CBdxqTm+fgD
Malware Config
Signatures
Drops file in Drivers directory 60 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\it-IT | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\wimmount.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US | AE 0124 BE.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\ja-JP | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | de2858ef35c83552b8dbd001944a4110N.exe
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
1976 | winlogon.exe
2416 | AE 0124 BE.exe
2040 | winlogon.exe
2664 | winlogon.exe
Loads dropped DLL 8 IoCs
pid | Process
2244 | de2858ef35c83552b8dbd001944a4110N.exe
2244 | de2858ef35c83552b8dbd001944a4110N.exe
1976 | winlogon.exe
1976 | winlogon.exe
2040 | winlogon.exe
2416 | AE 0124 BE.exe
2416 | AE 0124 BE.exe
2664 | winlogon.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 976 | msiexec.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Nature\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Web\Wallpaper\Scenes\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Cityscape\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Quirky\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Savanna\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Sonata\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Offline Web Pages\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Characters\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Calligraphy\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Afternoon\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Landscape\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Media\Raga\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini | AE 0124 BE.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\G:\Autorun.inf | winlogon.exe
File opened for modification | \??\L:\Autorun.inf | winlogon.exe
File opened for modification | \??\V:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\M:\Autorun.inf | winlogon.exe
File opened for modification | \??\O:\Autorun.inf | winlogon.exe
File opened for modification | \??\R:\Autorun.inf | winlogon.exe
File opened for modification | \??\W:\Autorun.inf | winlogon.exe
File opened for modification | F:\Autorun.inf | winlogon.exe
File opened for modification | \??\K:\Autorun.inf | winlogon.exe
File opened for modification | \??\U:\Autorun.inf | winlogon.exe
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | AE 0124 BE.exe
File opened for modification | \??\I:\Autorun.inf | winlogon.exe
File opened for modification | \??\N:\Autorun.inf | winlogon.exe
File opened for modification | \??\S:\Autorun.inf | winlogon.exe
File opened for modification | C:\Autorun.inf | winlogon.exe
File opened for modification | D:\Autorun.inf | winlogon.exe
File opened for modification | \??\E:\Autorun.inf | winlogon.exe
File opened for modification | \??\Q:\Autorun.inf | winlogon.exe
File opened for modification | \??\H:\Autorun.inf | winlogon.exe
File opened for modification | \??\J:\Autorun.inf | winlogon.exe
File opened for modification | \??\P:\Autorun.inf | winlogon.exe
File opened for modification | \??\T:\Autorun.inf | winlogon.exe
File opened for modification | \??\X:\Autorun.inf | winlogon.exe
File opened for modification | \??\Y:\Autorun.inf | winlogon.exe
File opened for modification | \??\Z:\Autorun.inf | winlogon.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\DriverStore\de-DE\mdmvv.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\getuname.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\hgcpl.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\tzres.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\NlsLexicons001d.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\de-DE\wiaky002.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_neutral_22118b1072f57433\netl1e64.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_neutral_9d0740f32ce81d24\netvwifibus.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa440t.xml | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\fr-FR\netl1e64.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_join.help.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\KBDTH3.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\polstore.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08aa.bcm | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnrc007.inf_amd64_neutral_2df575afa0f7d35f\Amd64 | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\ksxbar.ax.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\pt-PT\DWrite.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Sidebar-Killbits-SDP-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StarterEdition~31bf3856ad364e35~amd64~~6.1.7600.16385.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\it-IT\hidbth.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\ja-JP\prnlx00c.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\eventvwr.msc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\perfos.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\mciwave.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\wsdapi.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\wscui.cpl | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnrc006.inf_amd64_neutral_7e12a60cc98d3f89\Amd64\RIA30106.GPD | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\tsgqec.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\de-DE\getuname.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmhaeu.inf_amd64_neutral_6611a858035bf482\mdmhaeu.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\ricoh.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\volume.inf_amd64_neutral_df8bea40ac96ca21\volsnap.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\Licenses\eval\Starter | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\gpapi.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\tpm.msc | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\oobefldr.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\rpcnsh.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ucmhc.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\prnnr002.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\es-ES\prnep00a.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmke.inf_amd64_neutral_3e4daa83122b1559\mdmke.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\Amd64 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnrc302.inf_amd64_ja-jp_64ee91a0bf7b132c\Amd64\RPCSRES7.INI | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\wininet.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\WsmRes.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\mssprxy.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~tr-TR~7.1.7601.16492.cat | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\msmq-messagingcoreservice-DL.man | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiacn001.inf_amd64_neutral_b7a0b2f53d745b5a\CNHW900.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\en-US\pwrshplugin.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\SFPATXP.inf | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64 | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpzuiw72.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\Winrs.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\IdListen.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\it-IT\offFilt.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\ja-JP\mydocs.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\KYPS250.GDL | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\dvdupgrd.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS1432E3.PPD | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\fr-FR\prflbmsg.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\es-ES\wshom.ocx.mui | AE 0124 BE.exe
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-i..egacyshim.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aff54ec74491070e | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_722b680e4b585656\winrsmgr.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_netfx-system.data.sqlxml_b03f5f7f11d50a3a_6.1.7601.17514_none_141b1b1223b1ada7\System.Data.SqlXml.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_disk.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_fr-fr_c51944c002e3deb3.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-rmcast.resources_31bf3856ad364e35_6.1.7600.16385_it-it_741a4285fd085187\netpgm.inf_loc | AE 0124 BE.exe
File opened for modification | C:\Windows\inf\usbvideo.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-diskraid.resources_31bf3856ad364e35_6.1.7600.16385_de-de_178c950d50c582f0\diskraid.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ds-ce-rll.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_9b0f33ccf5419a80 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_en-us_a678a78b761d8649.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-dpiscaling_31bf3856ad364e35_6.1.7600.16385_none_7a1e2959bc43abd5\DpiScaling.exe | AE 0124 BE.exe
File opened for modification | C:\Windows\Speech\Engines\SR\en-US\l1033.dlm | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-r..plistener.resources_31bf3856ad364e35_6.1.7600.16385_es-es_372c6f37d2459aac | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-a..ore-other.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d40846137721c773.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\diagnostics\system\Device\CL_Utility.ps1 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_prnnr004.inf_31bf3856ad364e35_6.1.7600.16385_none_ba2d2131f8a32d84\Amd64\NR1331E3.PPD | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-n..tcmdtools.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c5cffda3a336649f | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-capisp-dll_31bf3856ad364e35_6.1.7600.16385_none_d1de960a9e99a4f2 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_pt-br_039faf2d05cfba61 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-eventcreate.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a33b8f989e32776a\EventCreate.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_prnca00b.inf_31bf3856ad364e35_6.1.7600.16385_none_dd3ee736dd6ff736\Amd64\CNBJOP98.DLL | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_arrays.help.txt | AE 0124 BE.exe
File opened for modification | C:\Windows\Help\Windows\de-DE\speech.h1s | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-help-wnewue.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e879c43d73507bac | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5d90b64fade2905e\pautoenr.dll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Backup\amd64_microsoft-windows-tabletpc-softkeyboard_31bf3856ad364e35_6.1.7601.17514_none_2fd7b56967fc5c76.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6592e020bec5dc28\prnjobs.vbs | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\x86_microsoft-windows-msident.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_50ed13d9717067a3.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_6.1.7601.17514_de-de_f8fabe8ccc93bd3a\OfflineFilesWmiProvider.mfl | AE 0124 BE.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\a5daafd496ae30928b7ac626037af53c\Microsoft.Windows.Diagnosis.SDEngine.ni.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\PolicyDefinitions\it-IT\WindowsMediaDRM.adml | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Backup\wow64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_666db9f744c2fe32.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_win7-microsoft-wind..oyment-languagepack_31bf3856ad364e35_7.1.7601.16492_ja-jp_9d3657eb6b083763.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\debug\WIA\wiatrace.log | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Windows Hardware Remove.wav | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_mchgr.inf_31bf3856ad364e35_6.1.7601.17514_none_7320af8f6febd179\atlmc.sys | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_acpi.inf_31bf3856ad364e35_6.1.7601.17514_none_80aec972e4a75989.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\msil_microsoft.web.ftpserver.resources_31bf3856ad364e35_6.1.7600.16385_en-us_61c361facf36a739.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\inf\umbus.PNF | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-i..kitengine.resources_31bf3856ad364e35_8.0.7600.16385_it-it_e7719af82d7dbe6c | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\msil_microsoft.web.management.ftp.resources_31bf3856ad364e35_6.1.7600.16385_it-it_540f5dc768390d06.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ae40fd03b898f1b3 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_netfx35linq-arrowheadsubsetlist_v30_31bf3856ad364e35_6.1.7600.16385_none_cbce459f97cb4759 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..l-keyboard-00020409_31bf3856ad364e35_6.1.7600.16385_none_8cffd77460c31edb.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_wiaca00e.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b1daa459aa93d40c.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-deskmon.resources_31bf3856ad364e35_6.1.7600.16385_en-us_157ecd3a5d823e33 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-rpc-ping.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0432d1ae81a88a45 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-c..n-comrepl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a9142181f8e64ace\comrepl.exe.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2287c2f822f0e8d1\WinSyncMetastore.rll.mui | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\amd64_microsoft-windows-t..atibility.resources_31bf3856ad364e35_6.1.7600.16385_en-us_55fe4c4365bdd13d | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-bits-client_31bf3856ad364e35_6.1.7600.16385_none_89da60e64783d42e | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-iologgingdll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_818c4db00510a616 | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pt-br_e3d3caff9933b424.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..input-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_935ee5fc51cf5ff3.manifest | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_e97e2f6c50a1c3c0\comsetup.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\Fonts\seguisb.ttf | AE 0124 BE.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\opera.browser | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_black_rainy.png | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_0e8038f3d049c3bf\WebAdminHelp_Provider.aspx.fr.resx | AE 0124 BE.exe
File opened for modification | C:\Windows\Help\Help\es-ES\Help_SubjectTerm.H1K | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\FileMaps\program_files_x86_windows_sidebar_gadgets_slideshow.gadget_es-es_8dfb19795ab433cb.cdf-ms | AE 0124 BE.exe
File opened for modification | C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-video.resources_31bf3856ad364e35_6.1.7600.16385_es-es_efaba501df89ec44.manifest | AE 0124 BE.exe
File opened for
modification C:\Windows\winsxs\x86_microsoft-windows-taskkill_31bf3856ad364e35_6.1.7600.16385_none_25545528bd642170\taskkill.exe AE 0124 BE.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bb92604e3d64e901\puiapi.dll.mui AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AE 0124 BE.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language de2858ef35c83552b8dbd001944a4110N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process
Token: SeShutdownPrivilege 976 msiexec.exe
Token: SeIncreaseQuotaPrivilege 976 msiexec.exe
Token: SeRestorePrivilege 616 msiexec.exe
Token: SeTakeOwnershipPrivilege 616 msiexec.exe
Token: SeSecurityPrivilege 616 msiexec.exe
Token: SeCreateTokenPrivilege 976 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 976 msiexec.exe
Token: SeLockMemoryPrivilege 976 msiexec.exe
Token: SeIncreaseQuotaPrivilege 976 msiexec.exe
Token: SeMachineAccountPrivilege 976 msiexec.exe
Token: SeTcbPrivilege 976 msiexec.exe
Token: SeSecurityPrivilege 976 msiexec.exe
Token: SeTakeOwnershipPrivilege 976 msiexec.exe
Token: SeLoadDriverPrivilege 976 msiexec.exe
Token: SeSystemProfilePrivilege 976 msiexec.exe
Token: SeSystemtimePrivilege 976 msiexec.exe
Token: SeProfSingleProcessPrivilege 976 msiexec.exe
Token: SeIncBasePriorityPrivilege 976 msiexec.exe
Token: SeCreatePagefilePrivilege 976 msiexec.exe
Token: SeCreatePermanentPrivilege 976 msiexec.exe
Token: SeBackupPrivilege 976 msiexec.exe
Token: SeRestorePrivilege 976 msiexec.exe
Token: SeShutdownPrivilege 976 msiexec.exe
Token: SeDebugPrivilege 976 msiexec.exe
Token: SeAuditPrivilege 976 msiexec.exe
Token: SeSystemEnvironmentPrivilege 976 msiexec.exe
Token: SeChangeNotifyPrivilege 976 msiexec.exe
Token: SeRemoteShutdownPrivilege 976 msiexec.exe
Token: SeUndockPrivilege 976 msiexec.exe
Token: SeSyncAgentPrivilege 976 msiexec.exe
Token: SeEnableDelegationPrivilege 976 msiexec.exe
Token: SeManageVolumePrivilege 976 msiexec.exe
Token: SeImpersonatePrivilege 976 msiexec.exe
Token: SeCreateGlobalPrivilege 976 msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
976 msiexec.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
2244 de2858ef35c83552b8dbd001944a4110N.exe
1976 winlogon.exe
2416 AE 0124 BE.exe
2040 winlogon.exe
2664 winlogon.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target
PID 2244 wrote to memory of 976 2244 de2858ef35c83552b8dbd001944a4110N.exe 30
PID 2244 wrote to memory of 976 2244 de2858ef35c83552b8dbd001944a4110N.exe 30
PID 2244 wrote to memory of 976 2244 de2858ef35c83552b8dbd001944a4110N.exe 30
PID 2244 wrote to memory of 976 2244 de2858ef35c83552b8dbd001944a4110N.exe 30
PID 2244 wrote to memory of 976 2244 de2858ef35c83552b8dbd001944a4110N.exe 30
PID 2244 wrote to memory of 976 2244 de2858ef35c83552b8dbd001944a4110N.exe 30
PID 2244 wrote to memory of 976 2244 de2858ef35c83552b8dbd001944a4110N.exe 30
PID 2244 wrote to memory of 1976 2244 de2858ef35c83552b8dbd001944a4110N.exe 31
PID 2244 wrote to memory of 1976 2244 de2858ef35c83552b8dbd001944a4110N.exe 31
PID 2244 wrote to memory of 1976 2244 de2858ef35c83552b8dbd001944a4110N.exe 31
PID 2244 wrote to memory of 1976 2244 de2858ef35c83552b8dbd001944a4110N.exe 31
PID 1976 wrote to memory of 2416 1976 winlogon.exe 32
PID 1976 wrote to memory of 2416 1976 winlogon.exe 32
PID 1976 wrote to memory of 2416 1976 winlogon.exe 32
PID 1976 wrote to memory of 2416 1976 winlogon.exe 32
PID 1976 wrote to memory of 2040 1976 winlogon.exe 33
PID 1976 wrote to memory of 2040 1976 winlogon.exe 33
PID 1976 wrote to memory of 2040 1976 winlogon.exe 33
PID 1976 wrote to memory of 2040 1976 winlogon.exe 33
PID 2416 wrote to memory of 2664 2416 AE 0124 BE.exe 35
PID 2416 wrote to memory of 2664 2416 AE 0124 BE.exe 35
PID 2416 wrote to memory of 2664 2416 AE 0124 BE.exe 35
PID 2416 wrote to memory of 2664 2416 AE 0124 BE.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\de2858ef35c83552b8dbd001944a4110N.exe  "C:\Users\Admin\AppData\Local\Temp\de2858ef35c83552b8dbd001944a4110N.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2244
  C:\Windows\SysWOW64\msiexec.exe  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:976
  C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1976
    C:\Windows\AE 0124 BE.exe  "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:2416
      C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID:2664
    C:\Windows\SysWOW64\drivers\winlogon.exe  "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:2040
C:\Windows\system32\msiexec.exe  C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID:616
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize 717KB
MD5 8c6fd0a6356482d4dc1cf1626fb4cc43
SHA1 be14941d6f31819364945356c5040fcc9a77853e
SHA256 8faa33bc99d73199a08a9ee7f08ea6cffc3e720066056e46656481322ed728b6
SHA512 d8dbfc2b6cfabea4a15c0b5ec3103a00ca1ded0d0bfab82f60d436b791e870259aef8baca0d45a292764404e90d006958454774e7a72e7f24d8b6c02cbe9fabf
-
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 130KB
MD5 a1f4f4e347219a8a6aa41290d11dab29
SHA1 97ae21420cfb4e2171416c77ada55117e175f894
SHA256 46bca533820fecc770e44ab426451cd70a3868f063a5ff4e6512bacda5aabb31
SHA512 967110a03247ae35b30ffbbf10fc77de8f0c149db8b2f0b14c3c636ff8aa7564ff21eef0490dc2bde4dc5fd1f7dc06cb73b56db9115ab3fbdb1a43d597a4e76b
-
Filesize 21B
MD5 9cceaa243c5d161e1ce41c7dad1903dd
SHA1 e3da72675df53fffa781d4377d1d62116eafb35b
SHA256 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
SHA512 af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b