017896522203c35720725c13f9123954d07b298f738b4c76dec0b6b74570f70d

Analysis

max time kernel
120s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2f33e589970c245dac03bbcaf1f1500N.exe
Size

351KB
MD5

f2f33e589970c245dac03bbcaf1f1500
SHA1

f0c27c8b3163a108626c7f34baef121f0980c210
SHA256

017896522203c35720725c13f9123954d07b298f738b4c76dec0b6b74570f70d
SHA512

22f02a80498412854e4618282f60b80b7960f4d3c0756f8393ca89033caf95aa18c506d4edce60d408ddb8aadeff77d2585fe9e5d606389db80036bc8054cb20
SSDEEP

6144:V/OZpl9YZplx/OZpl7/OZplx/OZplQ/OZplU:V/M9qx/M7/Mx/MQ/MU

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	f2f33e589970c245dac03bbcaf1f1500N.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
1232	Tiwi.exe
2732	IExplorer.exe
5116	Tiwi.exe
2712	IExplorer.exe
3396	Tiwi.exe
2244	IExplorer.exe
2940	winlogon.exe
4368	imoet.exe
2320	winlogon.exe
2248	Tiwi.exe
2204	imoet.exe
2900	IExplorer.exe
4692	cute.exe
3972	winlogon.exe
2312	cute.exe
2480	imoet.exe
1824	cute.exe
3436	winlogon.exe
4560	imoet.exe
3756	cute.exe
4420	Tiwi.exe
3116	Tiwi.exe
860	Tiwi.exe
2244	IExplorer.exe
4556	IExplorer.exe
4476	winlogon.exe
1092	IExplorer.exe
2552	winlogon.exe
2916	imoet.exe
3736	imoet.exe
1560	winlogon.exe
1568	cute.exe
2360	cute.exe
1820	imoet.exe
1612	cute.exe

Loads dropped DLL 6 IoCs

pid	Process
5116	Tiwi.exe
3396	Tiwi.exe
2248	Tiwi.exe
4420	Tiwi.exe
3116	Tiwi.exe
860	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\J:	Tiwi.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\W:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\I:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\T:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\P:	imoet.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\L:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\E:	Tiwi.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\Q:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\B:	imoet.exe
File opened (read-only)	\??\J:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\L:	imoet.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\P:	Tiwi.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\O:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\Q:	imoet.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\K:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\Z:	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\T:	winlogon.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened for modification	F:\autorun.inf	f2f33e589970c245dac03bbcaf1f1500N.exe
File created	C:\autorun.inf	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened for modification	C:\autorun.inf	f2f33e589970c245dac03bbcaf1f1500N.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\shell.exe	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	f2f33e589970c245dac03bbcaf1f1500N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\tiwi.scr	f2f33e589970c245dac03bbcaf1f1500N.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\tiwi.exe	f2f33e589970c245dac03bbcaf1f1500N.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	f2f33e589970c245dac03bbcaf1f1500N.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2f33e589970c245dac03bbcaf1f1500N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s1159 = "Tiwi"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\SwapMouseButtons = "1"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s2359 = "Tiwi"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\	cute.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	f2f33e589970c245dac03bbcaf1f1500N.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	f2f33e589970c245dac03bbcaf1f1500N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3120	f2f33e589970c245dac03bbcaf1f1500N.exe
3120	f2f33e589970c245dac03bbcaf1f1500N.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1232	Tiwi.exe
4368	imoet.exe
2940	winlogon.exe
2732	IExplorer.exe
4692	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
3120	f2f33e589970c245dac03bbcaf1f1500N.exe
1232	Tiwi.exe
2732	IExplorer.exe
5116	Tiwi.exe
3396	Tiwi.exe
2712	IExplorer.exe
2940	winlogon.exe
2244	IExplorer.exe
2320	winlogon.exe
4368	imoet.exe
2204	imoet.exe
2248	Tiwi.exe
2900	IExplorer.exe
4692	cute.exe
3972	winlogon.exe
2312	cute.exe
2480	imoet.exe
1824	cute.exe
3436	winlogon.exe
4560	imoet.exe
3756	cute.exe
4420	Tiwi.exe
3116	Tiwi.exe
2244	IExplorer.exe
860	Tiwi.exe
4556	IExplorer.exe
4476	winlogon.exe
2552	winlogon.exe
1092	IExplorer.exe
2916	imoet.exe
3736	imoet.exe
1560	winlogon.exe
1568	cute.exe
2360	cute.exe
1820	imoet.exe
1612	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1232	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	92
PID 3120 wrote to memory of 1232	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	92
PID 3120 wrote to memory of 1232	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	92
PID 3120 wrote to memory of 2732	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	94
PID 3120 wrote to memory of 2732	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	94
PID 3120 wrote to memory of 2732	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	94
PID 3120 wrote to memory of 5116	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	96
PID 3120 wrote to memory of 5116	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	96
PID 3120 wrote to memory of 5116	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	96
PID 3120 wrote to memory of 2712	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	97
PID 3120 wrote to memory of 2712	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	97
PID 3120 wrote to memory of 2712	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	97
PID 1232 wrote to memory of 3396	1232	Tiwi.exe	98
PID 1232 wrote to memory of 3396	1232	Tiwi.exe	98
PID 1232 wrote to memory of 3396	1232	Tiwi.exe	98
PID 1232 wrote to memory of 2244	1232	Tiwi.exe	118
PID 1232 wrote to memory of 2244	1232	Tiwi.exe	118
PID 1232 wrote to memory of 2244	1232	Tiwi.exe	118
PID 3120 wrote to memory of 2940	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	100
PID 3120 wrote to memory of 2940	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	100
PID 3120 wrote to memory of 2940	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	100
PID 3120 wrote to memory of 4368	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	101
PID 3120 wrote to memory of 4368	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	101
PID 3120 wrote to memory of 4368	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	101
PID 1232 wrote to memory of 2320	1232	Tiwi.exe	102
PID 1232 wrote to memory of 2320	1232	Tiwi.exe	102
PID 1232 wrote to memory of 2320	1232	Tiwi.exe	102
PID 2732 wrote to memory of 2248	2732	IExplorer.exe	103
PID 2732 wrote to memory of 2248	2732	IExplorer.exe	103
PID 2732 wrote to memory of 2248	2732	IExplorer.exe	103
PID 1232 wrote to memory of 2204	1232	Tiwi.exe	104
PID 1232 wrote to memory of 2204	1232	Tiwi.exe	104
PID 1232 wrote to memory of 2204	1232	Tiwi.exe	104
PID 2732 wrote to memory of 2900	2732	IExplorer.exe	106
PID 2732 wrote to memory of 2900	2732	IExplorer.exe	106
PID 2732 wrote to memory of 2900	2732	IExplorer.exe	106
PID 1232 wrote to memory of 4692	1232	Tiwi.exe	107
PID 1232 wrote to memory of 4692	1232	Tiwi.exe	107
PID 1232 wrote to memory of 4692	1232	Tiwi.exe	107
PID 2732 wrote to memory of 3972	2732	IExplorer.exe	108
PID 2732 wrote to memory of 3972	2732	IExplorer.exe	108
PID 2732 wrote to memory of 3972	2732	IExplorer.exe	108
PID 3120 wrote to memory of 2312	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	109
PID 3120 wrote to memory of 2312	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	109
PID 3120 wrote to memory of 2312	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	109
PID 2732 wrote to memory of 2480	2732	IExplorer.exe	110
PID 2732 wrote to memory of 2480	2732	IExplorer.exe	110
PID 2732 wrote to memory of 2480	2732	IExplorer.exe	110
PID 2732 wrote to memory of 1824	2732	IExplorer.exe	111
PID 2732 wrote to memory of 1824	2732	IExplorer.exe	111
PID 2732 wrote to memory of 1824	2732	IExplorer.exe	111
PID 3120 wrote to memory of 3436	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	112
PID 3120 wrote to memory of 3436	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	112
PID 3120 wrote to memory of 3436	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	112
PID 3120 wrote to memory of 4560	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	113
PID 3120 wrote to memory of 4560	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	113
PID 3120 wrote to memory of 4560	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	113
PID 3120 wrote to memory of 3756	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	114
PID 3120 wrote to memory of 3756	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	114
PID 3120 wrote to memory of 3756	3120	f2f33e589970c245dac03bbcaf1f1500N.exe	114
PID 2940 wrote to memory of 4420	2940	winlogon.exe	115
PID 2940 wrote to memory of 4420	2940	winlogon.exe	115
PID 2940 wrote to memory of 4420	2940	winlogon.exe	115
PID 4368 wrote to memory of 3116	4368	imoet.exe	116

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f2f33e589970c245dac03bbcaf1f1500N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	f2f33e589970c245dac03bbcaf1f1500N.exe

C:\Users\Admin\AppData\Local\Temp\f2f33e589970c245dac03bbcaf1f1500N.exe
"C:\Users\Admin\AppData\Local\Temp\f2f33e589970c245dac03bbcaf1f1500N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3120
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1232
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3396
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2244
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2320
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2204
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4692
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:860
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1092
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1560
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1820
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1612
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2732
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2248
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2900
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3972
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2480
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1824
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5116
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2712
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2940
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4420
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2244
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4476
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1568
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4368
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3116
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4556
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2360
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2312
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3436
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4560
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
351KB

MD5
311df5543a9e84475bee01a7d6e8f707

SHA1
fbfb4f4513fae57bbe0272e0847b1d167b99195f

SHA256
ee41c58fc89e2b7bc2d245f6570a41c93cfe6625a0807d111aef126e33f51fb2

SHA512
ebb2cbf682d74353f023b694f86a79bbfab0c0650f9d5938494e8f2e529b9f2afeb04c9d3b17fb95ea57811cf12062f8e99b7982106d2c9546d1de15fe889634

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
fda52e5e72e6562b36385db8a3661afc

SHA1
ab56dd4061b3546bb4220f097f2007ebb9f58a40

SHA256
b07d1150c56ed52276cbe027bf725ac9d7af28e62eb8c23e1a817c411f360dae

SHA512
a5b65db3c5f62dd5cdfd73bd1ec3ec6277562e0f647364b69a28ce4aa4dcd43ccb393b326742e76af581c125498cd4ffa9da459f16daea094ca44c36023a0ae9

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
351KB

MD5
ae1ec723084797afac0d9061c9ff872e

SHA1
1bc86be8d1fde0d67a430b384921e0fd8c3b27fe

SHA256
90ccb873409479be15f26c39c2dfa027a7aace4cb1323d79f5fbb67e96a61957

SHA512
949d9976c30d347a1060a28a2df99d02d748269131fef65387f755d08ab23754799848025ec754c06ba1de4dce9aaf2420ec32c7574bea458abab69294c40eb7

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
351KB

MD5
44836b522fab31403939954a3d84d317

SHA1
4464e13f1cba8e425bf447b30b22ac72147c21ed

SHA256
2d02d0c8bb41f44f8ef627e2f922ec12b7d971edcf37b3ee0ac096af66d49742

SHA512
1ceffa81dd6687944c46f0a6485896938dfb7798aec3dbb99a0fbc6b52aee8c05ac59cac6791e94e7775682dd3a6cfeccf0fb37eaf08dd4d1d9df1398b4bfae0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
351KB

MD5
1c4ecf465768c6787ae92d1f11d0ffaf

SHA1
1fa7bde216ae5e74fc6f516cbb0f5c06839672c3

SHA256
0b7fcc6feb3c4d298f3745043ec9e5c30ab5386ddd6e97409a71f7b2c2c0e3f9

SHA512
a0fec1e03d3c338b4b6fb704d685f546a18843402f1dcf52d8d8f2acac98d0af79f7d06b1bfcce71ca483ff4ad2032b12371a70dbfdd9b2c4f16059b2ec2d51f

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
47f9f8989b37d12219808ad40ee8b3e6

SHA1
7b2a982364f4aadc7eac7e5015f9a6a700d63956

SHA256
46a070d03c8706179d9babbac73d40478b5ebe9c45e7ca0d32748aef247c9524

SHA512
c2e2fa094056d4145d9379a94e616156443d09887aab58450abb8161ad98c3967b64c955e008de03aeff262b35233cc9e12efa161bac8177b3c25b265f22b39b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
2e0b4652c5e2ecef2f6d5c5868ddafc6

SHA1
b45d48baa98ef900891e811410c31a956dc90b1b

SHA256
456772ee7628ec8922afbaac806032fa375a0ee301d69f643724f0b54a2235b4

SHA512
b5b8b625e2bcdedd858af3e086fa375b9d4711c21ccf2ed7074065b8a14f1660d6dc926b00ce12eda1476fb812b529658cd7108d51ba3f03d1cccd373b22c808

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
351KB

MD5
ff0eec92bf4464bc85ca7d7dd52d3440

SHA1
68618d6fc3521008d50d2b463fc08da1704217be

SHA256
a3c2deb996ef76f64715b36e99e58690e97914c5baa9d9319273af7daf5b5d4f

SHA512
bc381abf91766d8adbb869c5e6b45f5ce29f715aec665b5b4f30472588a09199be0094caecccdccf1502fd150f3abba68c314a5327da3660f1d9b6c1beac28ac

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
351KB

MD5
b641571cb293a7b859e9429023ba7d67

SHA1
0d73f7380efc8ca923f64e895c52dd878ca95384

SHA256
d0094413f299bf0ea2d544a26fee355f8e8d3f7a937fac01997e1fadca0a9fe9

SHA512
ce96ee78ba51af9b48ba844b77937f962a0ed2d80cfce3c3d1d35cad4e8ab44298470262bfe6c163330be3b56fd1cd1b6b8ffb46e3c048f0fcac683d1303db02

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
351KB

MD5
f2f33e589970c245dac03bbcaf1f1500

SHA1
f0c27c8b3163a108626c7f34baef121f0980c210

SHA256
017896522203c35720725c13f9123954d07b298f738b4c76dec0b6b74570f70d

SHA512
22f02a80498412854e4618282f60b80b7960f4d3c0756f8393ca89033caf95aa18c506d4edce60d408ddb8aadeff77d2585fe9e5d606389db80036bc8054cb20

Download Submit
C:\Windows\tiwi.exe

Filesize
351KB

MD5
e97730c71a8a0de0c07d9e7e6e751042

SHA1
f9f88117df7c34eed5c1c5d5b2b3b50ef10ba5bb

SHA256
c00fa6cea32d475760ce41583e22644bef33e5b226eb95ae9422d8a616ff65ed

SHA512
af67bbde2b648995d83ece565d3d9eb12d54b3ba8f31429cdd91d78268097f3a401c274fb9d021d70619b5afc27c77f3493e26f5a2ede0c22252dd53e83fd089

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/1232-269-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1232-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2204-277-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2204-270-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2244-219-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2244-251-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2248-278-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2312-290-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2312-305-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2320-267-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2320-253-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2712-169-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2712-223-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2732-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2732-279-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2900-289-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2940-422-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2940-231-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3120-379-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3120-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3120-264-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3396-198-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3396-218-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3972-292-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3972-302-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4368-248-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4368-423-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4692-291-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4692-424-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/5116-170-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/5116-147-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download