Analysis
max time kernel: 119s
max time network: 111s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2024, 10:11
Static task: static1
Behavioral task: behavioral1
  Sample: de2858ef35c83552b8dbd001944a4110N.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: de2858ef35c83552b8dbd001944a4110N.exe
  Resource: win10v2004-20240802-en
General
Target: de2858ef35c83552b8dbd001944a4110N.exe
Size: 717KB
MD5: de2858ef35c83552b8dbd001944a4110
SHA1: dee07648c9bcecab3c13fe06f288226b30c575ec
SHA256: ba715b42b9b023c81247b5d7c834f3b896fc658c1ffc563f4d3fe3d76e161b1a
SHA512: 40919c8b638bcb395412d4b18dd3e765ad4b2c8150a6d2e5b46dcde0d8d76b8f1cd55fe335a42d929bf4daa374584bd52797d19456c80775cff80f96cd3ce5f1
SSDEEP: 12288:/MHL/AmVt07kw3jl2tBds5IBjxMbJxuz+N1qqQD:EdVql3CBdxqTm+fgD
Malware Config
Signatures
Drops file in Drivers directory 38 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | AE 0124 BE.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | de2858ef35c83552b8dbd001944a4110N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
2672 | winlogon.exe
1156 | AE 0124 BE.exe
3900 | winlogon.exe
3192 | winlogon.exe
Loads dropped DLL 2 IoCs
pid | Process
1156 | AE 0124 BE.exe
3720 | MsiExec.exe
Drops desktop.ini file(s) 57 IoCs
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 26 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-a..on-authui-component_31bf3856ad364e35_10.0.19041.906_none_bafbd92e6e868958.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\amd64_system.net.websockets_b03f5f7f11d50a3a_4.0.15805.0_none_d53ac54f87ada30d\System.Net.WebSockets.dll AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-n..ty-assistant-client_31bf3856ad364e35_10.0.19041.1_none_c63b1f7ef04d3694.manifest AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-unimodem-core_31bf3856ad364e35_10.0.19041.1_none_54ddeaa1a84c37e0 AE 0124 BE.exe File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..nistrator.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_9a13603e96aa7e55.manifest AE 0124 BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language de2858ef35c83552b8dbd001944a4110N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AE 0124 BE.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Modifies registry class 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ de2858ef35c83552b8dbd001944a4110N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ AE 0124 BE.exe
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings de2858ef35c83552b8dbd001944a4110N.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
4976 msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
2596 de2858ef35c83552b8dbd001944a4110N.exe
2672 winlogon.exe
1156 AE 0124 BE.exe
3900 winlogon.exe
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 2596 wrote to memory of 4976 2596 de2858ef35c83552b8dbd001944a4110N.exe 86
PID 2596 wrote to memory of 4976 2596 de2858ef35c83552b8dbd001944a4110N.exe 86
PID 2596 wrote to memory of 4976 2596 de2858ef35c83552b8dbd001944a4110N.exe 86
PID 2596 wrote to memory of 2672 2596 de2858ef35c83552b8dbd001944a4110N.exe 89
PID 2596 wrote to memory of 2672 2596 de2858ef35c83552b8dbd001944a4110N.exe 89
PID 2596 wrote to memory of 2672 2596 de2858ef35c83552b8dbd001944a4110N.exe 89
PID 2672 wrote to memory of 1156 2672 winlogon.exe 90
PID 2672 wrote to memory of 1156 2672 winlogon.exe 90
PID 2672 wrote to memory of 1156 2672 winlogon.exe 90
PID 3564 wrote to memory of 3720 3564 msiexec.exe 92
PID 3564 wrote to memory of 3720 3564 msiexec.exe 92
PID 3564 wrote to memory of 3720 3564 msiexec.exe 92
PID 1156 wrote to memory of 3900 1156 AE 0124 BE.exe 93
PID 1156 wrote to memory of 3900 1156 AE 0124 BE.exe 93
PID 1156 wrote to memory of 3900 1156 AE 0124 BE.exe 93
PID 2672 wrote to memory of 3192 2672 winlogon.exe 94
PID 2672 wrote to memory of 3192 2672 winlogon.exe 94
PID 2672 wrote to memory of 3192 2672 winlogon.exe 94
Processes
- C:\Users\Admin\AppData\Local\Temp\de2858ef35c83552b8dbd001944a4110N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de2858ef35c83552b8dbd001944a4110N.exe"
  PID: 2596
  - Drops file in Drivers directory
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    PID: 4976
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 2672
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\AE 0124 BE.exe
      Command line: "C:\Windows\AE 0124 BE.exe"
      PID: 1156
      - Drops file in Drivers directory
      - Manipulates Digital Signatures
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\drivers\winlogon.exe
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 3900
        - Drops file in Drivers directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 3192
      - Executes dropped EXE
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3564
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F974E26C10B80C216EF947A05624570D C
    PID: 3720
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads