b9a04095299998dff70917a88ac84ad63d7c2edb786aa2730b81efd719434eb8

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e57e5d01d303e506a2ae30da97014570N.exe
Size

488KB
MD5

e57e5d01d303e506a2ae30da97014570
SHA1

b2335afa47a698e1d2fa3f5b95638d3e8177984d
SHA256

b9a04095299998dff70917a88ac84ad63d7c2edb786aa2730b81efd719434eb8
SHA512

8e74228839ced84ea77bc891bd3a7e258ea94596ecb6ba25211331bcb7d0afd84c20ad243ebb9d058cf8f4f417d6791ac6f4aca953793283e62042fe648460c1
SSDEEP

12288:V/Mz/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VEK2O2HIBEd7M

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
4560	Tiwi.exe
396	IExplorer.exe
2428	winlogon.exe
1796	Tiwi.exe
752	IExplorer.exe
1416	Tiwi.exe
1580	IExplorer.exe
4704	winlogon.exe
1740	winlogon.exe
3300	imoet.exe
640	Tiwi.exe
2916	imoet.exe
1260	cute.exe
4724	cute.exe
4216	IExplorer.exe
1872	Tiwi.exe
4048	IExplorer.exe
4636	winlogon.exe
2468	imoet.exe
404	imoet.exe
2908	cute.exe
3556	Tiwi.exe
4464	Tiwi.exe
2600	IExplorer.exe
2596	winlogon.exe
2928	IExplorer.exe
2016	imoet.exe
1008	winlogon.exe
2576	winlogon.exe
2696	cute.exe
2496	imoet.exe
1156	cute.exe
1392	imoet.exe
3996	cute.exe
3716	cute.exe

Loads dropped DLL 6 IoCs

pid	Process
1796	Tiwi.exe
1416	Tiwi.exe
640	Tiwi.exe
1872	Tiwi.exe
3556	Tiwi.exe
4464	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e57e5d01d303e506a2ae30da97014570N.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\P:	imoet.exe
File opened (read-only)	\??\L:	cute.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\P:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\L:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\T:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\K:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\V:	imoet.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\M:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\P:	Tiwi.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\J:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\S:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\T:	Tiwi.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\J:	Tiwi.exe
File opened (read-only)	\??\I:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\J:	imoet.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\B:	imoet.exe
File opened (read-only)	\??\L:	imoet.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\B:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\O:	e57e5d01d303e506a2ae30da97014570N.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\N:	IExplorer.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	e57e5d01d303e506a2ae30da97014570N.exe
File opened for modification	F:\autorun.inf	e57e5d01d303e506a2ae30da97014570N.exe
File created	C:\autorun.inf	Tiwi.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\tiwi.scr	e57e5d01d303e506a2ae30da97014570N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	e57e5d01d303e506a2ae30da97014570N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	e57e5d01d303e506a2ae30da97014570N.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	e57e5d01d303e506a2ae30da97014570N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	e57e5d01d303e506a2ae30da97014570N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\shell.exe	e57e5d01d303e506a2ae30da97014570N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	e57e5d01d303e506a2ae30da97014570N.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	e57e5d01d303e506a2ae30da97014570N.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e57e5d01d303e506a2ae30da97014570N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\	e57e5d01d303e506a2ae30da97014570N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi"	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	e57e5d01d303e506a2ae30da97014570N.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	e57e5d01d303e506a2ae30da97014570N.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e57e5d01d303e506a2ae30da97014570N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2664	e57e5d01d303e506a2ae30da97014570N.exe
2664	e57e5d01d303e506a2ae30da97014570N.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4560	Tiwi.exe
3300	imoet.exe
2428	winlogon.exe
396	IExplorer.exe
4724	cute.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
2664	e57e5d01d303e506a2ae30da97014570N.exe
4560	Tiwi.exe
396	IExplorer.exe
2428	winlogon.exe
1796	Tiwi.exe
1416	Tiwi.exe
752	IExplorer.exe
1580	IExplorer.exe
4704	winlogon.exe
1740	winlogon.exe
3300	imoet.exe
640	Tiwi.exe
1260	cute.exe
4724	cute.exe
1872	Tiwi.exe
4048	IExplorer.exe
4636	winlogon.exe
2468	imoet.exe
4216	IExplorer.exe
3556	Tiwi.exe
404	imoet.exe
2908	cute.exe
4464	Tiwi.exe
2596	winlogon.exe
2600	IExplorer.exe
2928	IExplorer.exe
2016	imoet.exe
1008	winlogon.exe
2576	winlogon.exe
2696	cute.exe
1156	cute.exe
2496	imoet.exe
1392	imoet.exe
3996	cute.exe
3716	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 4560	2664	e57e5d01d303e506a2ae30da97014570N.exe	85
PID 2664 wrote to memory of 4560	2664	e57e5d01d303e506a2ae30da97014570N.exe	85
PID 2664 wrote to memory of 4560	2664	e57e5d01d303e506a2ae30da97014570N.exe	85
PID 2664 wrote to memory of 396	2664	e57e5d01d303e506a2ae30da97014570N.exe	88
PID 2664 wrote to memory of 396	2664	e57e5d01d303e506a2ae30da97014570N.exe	88
PID 2664 wrote to memory of 396	2664	e57e5d01d303e506a2ae30da97014570N.exe	88
PID 2664 wrote to memory of 2428	2664	e57e5d01d303e506a2ae30da97014570N.exe	89
PID 2664 wrote to memory of 2428	2664	e57e5d01d303e506a2ae30da97014570N.exe	89
PID 2664 wrote to memory of 2428	2664	e57e5d01d303e506a2ae30da97014570N.exe	89
PID 2664 wrote to memory of 1796	2664	e57e5d01d303e506a2ae30da97014570N.exe	90
PID 2664 wrote to memory of 1796	2664	e57e5d01d303e506a2ae30da97014570N.exe	90
PID 2664 wrote to memory of 1796	2664	e57e5d01d303e506a2ae30da97014570N.exe	90
PID 2664 wrote to memory of 752	2664	e57e5d01d303e506a2ae30da97014570N.exe	91
PID 2664 wrote to memory of 752	2664	e57e5d01d303e506a2ae30da97014570N.exe	91
PID 2664 wrote to memory of 752	2664	e57e5d01d303e506a2ae30da97014570N.exe	91
PID 4560 wrote to memory of 1416	4560	Tiwi.exe	92
PID 4560 wrote to memory of 1416	4560	Tiwi.exe	92
PID 4560 wrote to memory of 1416	4560	Tiwi.exe	92
PID 4560 wrote to memory of 1580	4560	Tiwi.exe	93
PID 4560 wrote to memory of 1580	4560	Tiwi.exe	93
PID 4560 wrote to memory of 1580	4560	Tiwi.exe	93
PID 2664 wrote to memory of 4704	2664	e57e5d01d303e506a2ae30da97014570N.exe	94
PID 2664 wrote to memory of 4704	2664	e57e5d01d303e506a2ae30da97014570N.exe	94
PID 2664 wrote to memory of 4704	2664	e57e5d01d303e506a2ae30da97014570N.exe	94
PID 4560 wrote to memory of 1740	4560	Tiwi.exe	95
PID 4560 wrote to memory of 1740	4560	Tiwi.exe	95
PID 4560 wrote to memory of 1740	4560	Tiwi.exe	95
PID 2664 wrote to memory of 3300	2664	e57e5d01d303e506a2ae30da97014570N.exe	96
PID 2664 wrote to memory of 3300	2664	e57e5d01d303e506a2ae30da97014570N.exe	96
PID 2664 wrote to memory of 3300	2664	e57e5d01d303e506a2ae30da97014570N.exe	96
PID 396 wrote to memory of 640	396	IExplorer.exe	97
PID 396 wrote to memory of 640	396	IExplorer.exe	97
PID 396 wrote to memory of 640	396	IExplorer.exe	97
PID 4560 wrote to memory of 2916	4560	Tiwi.exe	98
PID 4560 wrote to memory of 2916	4560	Tiwi.exe	98
PID 4560 wrote to memory of 2916	4560	Tiwi.exe	98
PID 4560 wrote to memory of 1260	4560	Tiwi.exe	99
PID 4560 wrote to memory of 1260	4560	Tiwi.exe	99
PID 4560 wrote to memory of 1260	4560	Tiwi.exe	99
PID 2664 wrote to memory of 4724	2664	e57e5d01d303e506a2ae30da97014570N.exe	100
PID 2664 wrote to memory of 4724	2664	e57e5d01d303e506a2ae30da97014570N.exe	100
PID 2664 wrote to memory of 4724	2664	e57e5d01d303e506a2ae30da97014570N.exe	100
PID 396 wrote to memory of 4216	396	IExplorer.exe	101
PID 396 wrote to memory of 4216	396	IExplorer.exe	101
PID 396 wrote to memory of 4216	396	IExplorer.exe	101
PID 2428 wrote to memory of 1872	2428	winlogon.exe	102
PID 2428 wrote to memory of 1872	2428	winlogon.exe	102
PID 2428 wrote to memory of 1872	2428	winlogon.exe	102
PID 2428 wrote to memory of 4048	2428	winlogon.exe	103
PID 2428 wrote to memory of 4048	2428	winlogon.exe	103
PID 2428 wrote to memory of 4048	2428	winlogon.exe	103
PID 2428 wrote to memory of 4636	2428	winlogon.exe	104
PID 2428 wrote to memory of 4636	2428	winlogon.exe	104
PID 2428 wrote to memory of 4636	2428	winlogon.exe	104
PID 2428 wrote to memory of 2468	2428	winlogon.exe	105
PID 2428 wrote to memory of 2468	2428	winlogon.exe	105
PID 2428 wrote to memory of 2468	2428	winlogon.exe	105
PID 2664 wrote to memory of 404	2664	e57e5d01d303e506a2ae30da97014570N.exe	106
PID 2664 wrote to memory of 404	2664	e57e5d01d303e506a2ae30da97014570N.exe	106
PID 2664 wrote to memory of 404	2664	e57e5d01d303e506a2ae30da97014570N.exe	106
PID 2428 wrote to memory of 2908	2428	winlogon.exe	107
PID 2428 wrote to memory of 2908	2428	winlogon.exe	107
PID 2428 wrote to memory of 2908	2428	winlogon.exe	107
PID 3300 wrote to memory of 3556	3300	imoet.exe	108

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	e57e5d01d303e506a2ae30da97014570N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e57e5d01d303e506a2ae30da97014570N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe

C:\Users\Admin\AppData\Local\Temp\e57e5d01d303e506a2ae30da97014570N.exe
"C:\Users\Admin\AppData\Local\Temp\e57e5d01d303e506a2ae30da97014570N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2664
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4560
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1416
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1580
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1740
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1260
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:396
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:640
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4216
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2016
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2428
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1872
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4048
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4636
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2468
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2908
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1796
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:752
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4704
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3300
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3556
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2600
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1008
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2496
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3996
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4724
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4464
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2928
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2576
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1392
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3716
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:404
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

Filesize
488KB

MD5
fc58101f93e70358dab38a88b94538be

SHA1
dbfeeb488291c33394264178347e5edd31e82b82

SHA256
6fec3171425c8e0d07d0496fbad08c3dbbe32aa01aba558d818648231c42d200

SHA512
a8889560c1c544f10f93d72d6d7cd9a4a458114a74b508384f2564b0c9efbe4a0fd6413025d635f1d346f53d7b1144db622de8aad50c677d91c1de5dd784690a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
003a7cd70747705cd9b520fed28e688b

SHA1
328300d0e999c05fa3da77c531176a8768b332d1

SHA256
f7c4d347ae62750f82e5d0c309e0800a70ce08518de3142db633c89ed06f2601

SHA512
41a24d5a5287b11529ed0fefe747a724f64d32670d69670bac90fc6ff1e3ed8aa156e64710f3cdfc04902ec4387209afafc6b44e87aa599f6845a86ca9c01fc7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
488KB

MD5
e199ecd7454b9a3b7c31e3df87ed58dc

SHA1
11a97f039762ac25f73c28bc30de2db309ff5f77

SHA256
85d9d17af8912b2976803921b4aac4bce02e7cf6aafd0d30c63dd9d665086ad8

SHA512
f4ae306825c9e6efdec035c716ac54c3713835ad404b26f073dcc5f1d3c19bf58f6eb1e99c681a8ba64998a9fc4ccff7e540ce222e70a34cf2cef9503b424992

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
488KB

MD5
62802b7923ee4b91bc06f8ab024433de

SHA1
a7e84094fee94a79afcbf2272a51eb3465c97168

SHA256
b54ceac633270feeb6df31dc3207408a588d68075586329182da0983fb3b1bca

SHA512
de540993076bd850a5e29372255717a40caff46ababb012a31ee04de04686acf991f5755322f50ef62182291c322f48b59e410b4de8813503fc4d737ca005e68

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
488KB

MD5
97007437915db84cf2ce96b3227d0c07

SHA1
85d973cb84af9b0dbf15525570fca66a85a6babf

SHA256
dd73acb015f7b25dfa5dab3d3b75b48484eb42aca08b8753be7224308f151885

SHA512
1f7814501c4adce7aba14511b61d616e0e47d0116200b9a9fc1ba012c1c597284a5a6a3d1ec890dd4168668e074b49e53208cd6255cc383dd141a4d0a5e0da91

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
57ff6d5fe85e6a4f82239daa68c0a26e

SHA1
76680d0210e6a0cf13fe53c531ad0d7fdc664190

SHA256
2149ad5a4f7e0130dc405eb28c47cbde5bd09c39422b2ee0a302858c8118653f

SHA512
5cafead9283f4acd7904655ea48402c0ff99267ae7a68360330c2efd1dc264e7aa7c8fd69a1f5f2d0f7c567be55a5a32c330f025345aa325a271c8bc4f7cea40

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
8def2536bc710ec7d819355ce214a978

SHA1
3d1313bbaef92cf4c8c2162375df9951ec1fb5c7

SHA256
abfeb030fad5ef34a57bc4887b7ea61e58e63335f419f7403e8f9166e5e59819

SHA512
2142d874f48059b5e2779a3621e74caf23b15a7dc1b0f0cbe6a238ce2a03a48c88ce37c47fbd40fcb05a775a1d772434647e0a9911ae5eda3d3ec0bee9fd1922

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
7c047cba6403566cd484183e9e6f110c

SHA1
a459af07bd3347a35d933d65e309262730d3920e

SHA256
c2fa4becbb1d471010d480d560f2c5238846d1bda913acc4553fec1f02096c73

SHA512
941e17314873d7f3055ec076dde1ba25b67f5619e06fdee55802c4add93fb0a8b7d841c31bcada69c4a4bb9360e07e00c2d4c566b3b3ec9a41b0e8f28e881d9f

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
79393fcb8a52150da2d21a920c5c6120

SHA1
ded0a1b36fb5bc6eb3783ca91e5fd4b18af35c8e

SHA256
d94cedfef0a3f8e022ed93ee8e3ad2cb24df2e5874b31dbc524faa8b82611946

SHA512
d65ce3e72f065e7b444d8477326ae8ee84eb1e356c1ab0bcadf9514b421155c9b8a75bbae6e55987087f599b6d049774587a54a1b1e424487e327cb1c072c2e9

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
4f9d6147b084cabd1cd4a6f46811d3e0

SHA1
5aee449f2d3aa42d83712eeec3ce3ce725e97e30

SHA256
a681e5a18091816c56c4cc7adf21fadca211febf972b047533930e7098ceab9e

SHA512
52c651ce4a5b9030d3eb9f7993cdc7de4b17ff54119957fc318b36a390492ddc41bf62dae9a2f96cd442a6680f6e542d20ea6abf5a5ad93c1337fa6ddb38ea54

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
488KB

MD5
43ad5e39e38e55e9445f4f704637ef50

SHA1
9a6d269fa08c5d787113d76835555fc40bf78b63

SHA256
a412b693c7313f4902a6fd21eee88999dd1587d5061161e32db6e27865c60700

SHA512
0034eeeff5b8e3610e9fc03eeed7975ada14b5ee0f7a7305face79889b5675e96a8d2b9ce9567a9f822ab695939971af4c9d3c9b47a1f52284bf36e7dc9e1808

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
488KB

MD5
b9d73c5ff037bb121fb3edc87e809af9

SHA1
36c7659dafff64009652e752587a7bc833799274

SHA256
92b6342368b057a47b3485bf0be5b2df3af0f4981ef30bcbd611750fa642f9aa

SHA512
08588b45cf77d0639c9bc4af58ee7a520cfdce325d2fdddfbac4e5793f4cc493ffcfe47f8f2692e8818ad4246e825c8401de6c33754b1a20111b05f2c9092d10

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
1c41e2aa392b2fa68a43da422075c5e5

SHA1
31ca3c0897ec6b85ff569b9875af1a4cbcd7e2d1

SHA256
a4777c1153d40725459774fc6cb0484a69fb6788e1d2be554e48edeed596d844

SHA512
aad34670e41bc002638fa85250e5f56c5a123fd2c8784a5e67873c0143893928794d48dcfb6a8da75c92af6de5d14f311a8f968699e71775e46fb334500570c9

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
7ce76ea382fc97ed200c0f43f4b6d34f

SHA1
9257b592e1ea8c89d0ec7c3a5d0ee91703a033ad

SHA256
28ffdc73c51cfc7b3a81e98c7b73de9fc14b21ab60bdb18bcac0616ac943a182

SHA512
98eb47c66dbc0d5f03b95f80b4a58a08c1102e457edb63a76cbf6e913c25e4eb2d335c53ed8987616fbd02c5210c0cc1810747d878588e2b130922515a907d19

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
488KB

MD5
e57e5d01d303e506a2ae30da97014570

SHA1
b2335afa47a698e1d2fa3f5b95638d3e8177984d

SHA256
b9a04095299998dff70917a88ac84ad63d7c2edb786aa2730b81efd719434eb8

SHA512
8e74228839ced84ea77bc891bd3a7e258ea94596ecb6ba25211331bcb7d0afd84c20ad243ebb9d058cf8f4f417d6791ac6f4aca953793283e62042fe648460c1

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
c7a3e539bcddc5aee61f9b5ae7e8d858

SHA1
f7eab908ae4ad1bbc89d4fb8ff5606ea655becf7

SHA256
8e56a1b71f05aad4eae4db4477bf6bd38c0b7c9bdaafba212593acd42e91b4f3

SHA512
007c7b19ffcb042ebf91c39b644f400621ca713706060a8da944a6b5ac7b16227bf33c5903510ba46ece5b8aa4cfa035bfc8907abdd8e5d6154936b47a3642a6

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
488KB

MD5
e262a2e10808c14a668085b0527737c3

SHA1
f24d0d9e86c7c417178b007be2eccf570893872d

SHA256
232cb25f68c6769ab07e67f6fea07d39c3a4b26f1070b842893417d16853f262

SHA512
58644cee59089c0559ae7461c8c54874d0ca84e61a2e7abdc5cd3c1422149ddf685f4775b632642b1f7664ec05e065768f342e1ec64f5b76d9b1d6cbb6b872e5

Download Submit
C:\Windows\tiwi.exe

Filesize
488KB

MD5
d60f6cdfbab29ed4e7bfd4711699a2af

SHA1
9041e5c1ead5b4b66dc7429811ebefc4b0dd8dd3

SHA256
6d410d3dd3cc993119950043ec1da20c4ec3fc3956e48744bc1e7871139e6d92

SHA512
02d957f08dd6296def2ebf79ea66730825ecf9feeb6277e694144eefe9449b832f943e20673885b324c816df1220c4073ee30314ea480dfad24a344ad93c9ff9

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
4f5ec8b80cc27d096ec7deaa9e1e13fc

SHA1
baed37281b2efc48e718eeb142ca2836b6af694a

SHA256
e4b4d5c38bdc3dce9cebae9c28d779d689a9ee095385be3a24c91196e1a2c685

SHA512
e246de4a5e6253cf0293bf96c80cd0719021a3eda920971313d12c306d7abae05f23fbcc6342db325cc401f3c555a12839165dbd4c36b2dc8342f64efd9566ab

Download Submit
C:\tiwi.exe

Filesize
488KB

MD5
d4d97f258704c5d6d3f0ae0efb80c91d

SHA1
ebe812547e96777f4ece1b3dbca3be04ddc24b77

SHA256
35150b14afab90a580e08a447517b56d907aeabd042e25fe303fc31bce56a321

SHA512
803e37fea1e8f0b83ecae409c7b39e34c745c72d2a6330237c740f2fa50ab7fcfaa419943889dc1080df6fb3eeb51c96efc03701fbe9f5581df6dd118f72a8f9

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/396-280-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/396-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/640-296-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/640-278-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/752-215-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1260-302-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1260-292-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1416-209-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1416-192-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1580-231-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1580-211-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1740-234-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1740-273-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1796-153-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2428-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2428-290-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2664-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2664-249-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2664-394-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2916-281-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2916-287-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3300-250-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3300-401-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4216-367-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4560-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4560-277-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4704-238-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4704-217-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4724-295-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4724-402-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download