Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
08/09/2024, 01:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe
Resource
win7-20240903-en
windows7-x64
27 signatures
150 seconds
Behavioral task
behavioral2
Sample
a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
26 signatures
150 seconds
General
-
Target
a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe
-
Size
488KB
-
MD5
3c339154290c87abac049472ef31f8ac
-
SHA1
234d6f88721f2a59d8e815140dcba183a6c3ffe4
-
SHA256
a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58
-
SHA512
7670a978d1635baec4c6de92d44202b8824e6425ec7c7b6ff58cb469089a3464b43e6294c296a8d5c378259a79606763ffc087f6b460bb9513170f4afc892e95
-
SSDEEP
12288:V/MF/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VKK2O2HIBEd7M
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 2876 Tiwi.exe 4852 IExplorer.exe 4196 Tiwi.exe 4492 IExplorer.exe 3968 Tiwi.exe 1144 IExplorer.exe 4788 winlogon.exe 4984 winlogon.exe 768 Tiwi.exe 4560 imoet.exe 3804 imoet.exe 3880 IExplorer.exe 2988 cute.exe 1452 winlogon.exe 5072 Tiwi.exe 1820 cute.exe 656 imoet.exe 724 IExplorer.exe 4032 Tiwi.exe 4752 winlogon.exe 4932 cute.exe 464 winlogon.exe 1852 IExplorer.exe 920 imoet.exe 1536 imoet.exe 4588 winlogon.exe 3648 Tiwi.exe 64 cute.exe 1800 IExplorer.exe 2424 imoet.exe 5088 winlogon.exe 4068 cute.exe 4800 cute.exe 3480 imoet.exe 3616 cute.exe -
Loads dropped DLL 6 IoCs
pid Process 4196 Tiwi.exe 3968 Tiwi.exe 768 Tiwi.exe 5072 Tiwi.exe 4032 Tiwi.exe 3648 Tiwi.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\Y: imoet.exe File opened (read-only) \??\E: Tiwi.exe File opened (read-only) \??\W: IExplorer.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\P: winlogon.exe File opened (read-only) \??\L: imoet.exe File opened (read-only) \??\V: imoet.exe File opened (read-only) \??\Q: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\B: Tiwi.exe File opened (read-only) \??\W: imoet.exe File opened (read-only) \??\L: cute.exe File opened (read-only) \??\Q: Tiwi.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\J: winlogon.exe File opened (read-only) \??\N: winlogon.exe File opened (read-only) \??\J: imoet.exe File opened (read-only) \??\B: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\J: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\T: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\L: winlogon.exe File opened (read-only) \??\I: imoet.exe File opened (read-only) \??\E: cute.exe File opened (read-only) \??\G: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\N: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\W: winlogon.exe File opened (read-only) \??\M: imoet.exe File opened (read-only) \??\T: imoet.exe File opened (read-only) \??\B: imoet.exe File opened (read-only) \??\X: imoet.exe File opened (read-only) \??\X: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\S: Tiwi.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\V: cute.exe File opened (read-only) \??\N: Tiwi.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\M: winlogon.exe File opened (read-only) \??\G: cute.exe File opened (read-only) \??\L: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\P: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\V: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\Z: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\K: Tiwi.exe File opened (read-only) \??\O: Tiwi.exe File opened (read-only) \??\M: cute.exe File opened (read-only) \??\I: a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened (read-only) \??\R: winlogon.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\G: imoet.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\R: imoet.exe File opened (read-only) \??\K: cute.exe File opened (read-only) \??\O: cute.exe File opened (read-only) \??\J: Tiwi.exe File opened (read-only) \??\H: imoet.exe File opened (read-only) \??\N: imoet.exe File opened (read-only) \??\X: cute.exe File opened (read-only) \??\Y: Tiwi.exe File opened (read-only) \??\E: IExplorer.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe -
Drops autorun.inf file 1 TTPs 8 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\autorun.inf a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File created F:\autorun.inf Tiwi.exe File opened for modification F:\autorun.inf Tiwi.exe File created C:\autorun.inf a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened for modification C:\autorun.inf a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File created C:\autorun.inf Tiwi.exe File opened for modification C:\autorun.inf Tiwi.exe File created F:\autorun.inf a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\tiwi.scr a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File created C:\Windows\SysWOW64\IExplorer.exe a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\shell.exe a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File created C:\Windows\SysWOW64\tiwi.scr a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File opened for modification C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\tiwi.exe Tiwi.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe -
Modifies Control Panel 54 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\ winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s2359 = "Tiwi" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\ a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\ a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\SwapMouseButtons = "1" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s1159 = "Tiwi" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\s1159 = "Tiwi" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Mouse\ imoet.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\ a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2876 Tiwi.exe 3804 imoet.exe 4788 winlogon.exe 4852 IExplorer.exe 2988 cute.exe -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 2876 Tiwi.exe 4852 IExplorer.exe 4196 Tiwi.exe 4492 IExplorer.exe 3968 Tiwi.exe 1144 IExplorer.exe 4788 winlogon.exe 4984 winlogon.exe 768 Tiwi.exe 3804 imoet.exe 4560 imoet.exe 3880 IExplorer.exe 2988 cute.exe 1452 winlogon.exe 5072 Tiwi.exe 1820 cute.exe 656 imoet.exe 724 IExplorer.exe 4752 winlogon.exe 4032 Tiwi.exe 4932 cute.exe 464 winlogon.exe 1852 IExplorer.exe 920 imoet.exe 1536 imoet.exe 4588 winlogon.exe 3648 Tiwi.exe 64 cute.exe 1800 IExplorer.exe 2424 imoet.exe 5088 winlogon.exe 4800 cute.exe 4068 cute.exe 3480 imoet.exe 3616 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3840 wrote to memory of 2876 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 86 PID 3840 wrote to memory of 2876 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 86 PID 3840 wrote to memory of 2876 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 86 PID 3840 wrote to memory of 4852 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 88 PID 3840 wrote to memory of 4852 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 88 PID 3840 wrote to memory of 4852 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 88 PID 3840 wrote to memory of 4196 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 89 PID 3840 wrote to memory of 4196 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 89 PID 3840 wrote to memory of 4196 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 89 PID 3840 wrote to memory of 4492 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 90 PID 3840 wrote to memory of 4492 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 90 PID 3840 wrote to memory of 4492 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 90 PID 2876 wrote to memory of 3968 2876 Tiwi.exe 91 PID 2876 wrote to memory of 3968 2876 Tiwi.exe 91 PID 2876 wrote to memory of 3968 2876 Tiwi.exe 91 PID 2876 wrote to memory of 1144 2876 Tiwi.exe 92 PID 2876 wrote to memory of 1144 2876 Tiwi.exe 92 PID 2876 wrote to memory of 1144 2876 Tiwi.exe 92 PID 3840 wrote to memory of 4788 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 93 PID 3840 wrote to memory of 4788 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 93 PID 3840 wrote to memory of 4788 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 93 PID 2876 wrote to memory of 4984 2876 Tiwi.exe 94 PID 2876 wrote to memory of 4984 2876 Tiwi.exe 94 PID 2876 wrote to memory of 4984 2876 Tiwi.exe 94 PID 4852 wrote to memory of 768 4852 IExplorer.exe 95 PID 4852 wrote to memory of 768 4852 IExplorer.exe 95 PID 4852 wrote to memory of 768 4852 IExplorer.exe 95 PID 3840 wrote to memory of 3804 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 96 PID 3840 wrote to memory of 3804 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 96 PID 3840 wrote to memory of 3804 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 96 PID 2876 wrote to memory of 4560 2876 Tiwi.exe 97 PID 2876 wrote to memory of 4560 2876 Tiwi.exe 97 PID 2876 wrote to memory of 4560 2876 Tiwi.exe 97 PID 4852 wrote to memory of 3880 4852 IExplorer.exe 98 PID 4852 wrote to memory of 3880 4852 IExplorer.exe 98 PID 4852 wrote to memory of 3880 4852 IExplorer.exe 98 PID 3840 wrote to memory of 2988 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 99 PID 3840 wrote to memory of 2988 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 99 PID 3840 wrote to memory of 2988 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 99 PID 4852 wrote to memory of 1452 4852 IExplorer.exe 101 PID 4852 wrote to memory of 1452 4852 IExplorer.exe 101 PID 4852 wrote to memory of 1452 4852 IExplorer.exe 101 PID 4788 wrote to memory of 5072 4788 winlogon.exe 102 PID 4788 wrote to memory of 5072 4788 winlogon.exe 102 PID 4788 wrote to memory of 5072 4788 winlogon.exe 102 PID 2876 wrote to memory of 1820 2876 Tiwi.exe 100 PID 2876 wrote to memory of 1820 2876 Tiwi.exe 100 PID 2876 wrote to memory of 1820 2876 Tiwi.exe 100 PID 4852 wrote to memory of 656 4852 IExplorer.exe 103 PID 4852 wrote to memory of 656 4852 IExplorer.exe 103 PID 4852 wrote to memory of 656 4852 IExplorer.exe 103 PID 4788 wrote to memory of 724 4788 winlogon.exe 104 PID 4788 wrote to memory of 724 4788 winlogon.exe 104 PID 4788 wrote to memory of 724 4788 winlogon.exe 104 PID 3804 wrote to memory of 4032 3804 imoet.exe 105 PID 3804 wrote to memory of 4032 3804 imoet.exe 105 PID 3804 wrote to memory of 4032 3804 imoet.exe 105 PID 3840 wrote to memory of 4752 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 106 PID 3840 wrote to memory of 4752 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 106 PID 3840 wrote to memory of 4752 3840 a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe 106 PID 4852 wrote to memory of 4932 4852 IExplorer.exe 107 PID 4852 wrote to memory of 4932 4852 IExplorer.exe 107 PID 4852 wrote to memory of 4932 4852 IExplorer.exe 107 PID 4788 wrote to memory of 464 4788 winlogon.exe 108 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe"C:\Users\Admin\AppData\Local\Temp\a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3840 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2876 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3968
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1144
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4984
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4560
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1820
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4852 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:768
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3880
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1452
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:656
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4932
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4196
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4492
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4788 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5072
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:724
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:464
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1536
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:64
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3804 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4032
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1852
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4588
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2424
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4068
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2988 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3648
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1800
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5088
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3480
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3616
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4752
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:920
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4800
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
488KB
MD52b52539b7d2175d614cc2803cffb2a83
SHA1b2794c6533c02d65bdee86724ac6dc379eec5f83
SHA256f4df8dda5b996ad59aa26262815ed479a44e59783d64b509362f761e00b0d4fd
SHA512856da1f6dfcf720621a0da53d4fa437e6eece3f0d989fdcd91ab85b4171665d273b689cbda9200226559e66d8c2401bdf6a2a8742b75b4b3d4be226efecc9d69
-
Filesize
45KB
MD5ba0f4a031e1d1ccf7fc9ed2cfab0a4ce
SHA1d7cd547fb9ef6aa20c409d0c90c304e3776819f6
SHA256b0f2192d4ca94155c454faed76090413ece53761b25cbf5a2a171053a120556e
SHA5121cf0bec3f49f308df16bb63902938789944f06315f153b38a2ff2475840da4de4080348c3e4e976b69c2b7e6af3355ebc9c9c8ada1ebf593893c54224fbc118b
-
Filesize
488KB
MD58bfc30bbaf21ece0d5905253ee97f643
SHA167a2a72b157a8b28f527dc835536bda33d080f60
SHA25624282823e64f1ce0da9bd6e21cde1580122d49b41e74a76b2d8c6e807305b9de
SHA5129d1ad8b1be2a6773bafa2017b805a37948afff31135c6220085ec24e1cd4a2ea56947dd95442365363f7de42293c4df14f8c1196d55ba42adc37ffacab7932e4
-
Filesize
488KB
MD5cfa37c5d2b7e7eb05677a48e770b04c4
SHA1b9df73c61da9c942e49258d31590deefacb2b543
SHA256ead7bcbf0b2ba8df268f9393dc2a78d4c767114605a5e708de90eb66c93a2824
SHA5128e1b7dff65254acea06dcd1415f8396b165d14c5595cc62125f4dabc3119af41cccc8aa9bd102d70a500fd23955a62650e4113d8d6a9e54b07837d412db0a357
-
Filesize
488KB
MD59470b05463d54259121cbc03cbd96f6f
SHA196943d52a7de6b0b8c964507cab7b7a8b9ed996d
SHA25653b352ecf75b113c7851f95619b40e941fb0c33dfc31788b71bab577122c628c
SHA5128c5ece701a95389550917418d8dea085d1e5b82e05ce07fd9dab51308e828e7353c94bacfa22d4a3681673710b2f85e353ed9606596b043a3bbe8fd603a3fceb
-
Filesize
488KB
MD5143ce25575770a1a98c748907733cb3e
SHA1c88de2e48f79ea9aa38e5a2ea83464e0fd118345
SHA256010740440cf01c79395a667b4f3003b96b8deb760c70f26ff8d1f488604504f8
SHA512ff07639d4b568072cc7706b3fc5319fee3750976f62bf5b80ae66758554b2a50ba7cf61fc76b9d6614e2b9f1623a341265a728537dc61e897e91d2dc6805583e
-
Filesize
488KB
MD52177eab7163e505e53f4c9d88f3dfb24
SHA1465be6383bce18a7f2e436f3dc18e95da7558622
SHA256558bef2340f32bd581e13eb1f5b43480906bd74ccc676f4684381f4e5b771006
SHA51279019befa20602216c3464275849c676efc9fd86eaf0c309014ad37340a854921f396340a22957e7b8215b93d93c23dc30d17f9889c075e2e7cbe6dab4340e3e
-
Filesize
488KB
MD51caedecc0fdbc152c07dd9d03eafdb1f
SHA163006a6ff9fbce59261634d4aed3ab520ba4745a
SHA256b8e9a9b4b22e5e20e5abd69918aa7ea751f2dbcf308549a518daa20fb04813a3
SHA51299f207f8d2884cd51a5bcb8cea96e4424de10860169842e5d6b5721226c792b9566b9edc83adb84d3d7fc81320b9cfa194d36b4e8ff902314dfa70f6c30aa0f4
-
Filesize
45KB
MD58e7423d92b88d9b4c5d6c45780de62e5
SHA172771f2a21065cf2283c4b7bf9b2c6cb3873beeb
SHA2560770b609845300bdc0f49987cea6aabf7359a226afc5ebb0f7bb630af6c2afde
SHA5129269b7e0708288c2a939883000a1591836bb1b7519c14f18d54b318e0548467745ea08f4859e35da319284422817f7bc388239ac77353daacc137559676e6a2c
-
Filesize
45KB
MD567af33f222767bf8fa95699874526ad3
SHA121bf2c7e82369e306d1b29b10098795126527ac1
SHA256cfe561a0d95433cd5db8c7d8a8fef73b4e38e321e0ff3ad50a1e980e2424ad2e
SHA512de265572060173a1e8769abec73282f6af40016e418d9c553548bdc42af6f51896b5a0f5cc5815150e3739f635d25934912a37ac22ee2a1c162d08622948d2b0
-
Filesize
45KB
MD52c786cd756f648c13d16ada9e2b90e9e
SHA1ab068e3aca5982ae68168b6eb356529f67c5c87f
SHA2567c8010940ddb3557686924d9c2411b6f022639416042746cd10b687e31b917c3
SHA5129cf0abde734714f2281559411707c8b3e0071697c9a3d48a387b86415099f4fe87b67969f90b24117aec68555bcbd636e6318ba490250786140f88225d0af3c7
-
Filesize
488KB
MD52404ef8215feb9441d0cf805cc3c74c2
SHA15a621e75bb4486d82aaf34605782e802c06295fc
SHA25614b4f79188ad1e416d9104021d7f6e106b6265fd9c27dcc1a3846f01ba8a5852
SHA512924089bae24dc6ad00d050ea35589717b5ad2f6c8cb23ded70eb969d34d8cc260dd5b0dd9a9f51229d657b1d1a8c554918cadd344cc6d062c73b71896b731162
-
Filesize
488KB
MD5bfd647ab18e80d771646a1ef01e2b954
SHA1451354a3d40cba78ec9fb7c49c27c63fe8ccd500
SHA256973c56b7c09524ce8725fcaafd54a5955ea2c4c09c6765d1fb35863d41100293
SHA512f272e6d9e5b0137d1de6d3b59b95c34b62d5a4504d3adf599a6b26fc28684c34022b1d6fd7de9f68847ee57cc8e2336998da99ff5955e7fff03f74ccff21b5db
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
488KB
MD56043c4478fe0e19e9f2b8b15354f1b33
SHA16cd6f0cfb1694cd91fea731c9db511b3b0939978
SHA256363d526b3ddc23fda60b562490d267ead0f46705fb94e08694b61ed756c35a03
SHA5123497a8d9806e5c4ae10a8d584f423cb557bd95679a7ce79b8cc45902f40bc08f9d64651f56c574b08e5b8dd3133a1ce375e112a31de12f4d0fbf6c568045c68a
-
Filesize
488KB
MD53c339154290c87abac049472ef31f8ac
SHA1234d6f88721f2a59d8e815140dcba183a6c3ffe4
SHA256a83008e79db916cd97b72048ff51f0ccd8d1079391bf05c586640a8927009c58
SHA5127670a978d1635baec4c6de92d44202b8824e6425ec7c7b6ff58cb469089a3464b43e6294c296a8d5c378259a79606763ffc087f6b460bb9513170f4afc892e95
-
Filesize
488KB
MD53d32bb25134f29f1265b5931c8f52946
SHA155b8864fa7694a989dc7ec2d068358e8d21236a7
SHA256f9b6aa494952b5ad0351351c152fe18c5e43eea838c808e4f188b0fe6c4f59d4
SHA512cdc688ae79670eefda595541f8df2dd7f9683ba7da0d36dab5c03ac193144119f0af33c59aa3bf0a8c715a884b7f3734aad1e77a8cbc98ee5e0ee1538d02cf3c
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62