Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 15/09/2024, 00:42
Behavioral task: behavioral1
Sample: a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Resource: win7-20240704-en
Behavioral task: behavioral2
Sample: a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Resource: win10v2004-20240802-en
General
Target: a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Size: 57KB
MD5: 260cbbb284f543073f34adfc4c9bbb28
SHA1: d37d110c9b9fe06235ffda5a28b9b9fcb5e32685
SHA256: a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f
SHA512: e5b843c6ce3da053ec97b59d34c044427e7c1bf5ae461cb2a862f04468c323fa8480d0f2cad1c8dbce91f4068c87389addbb95878771860dd3b8214a4a38904f
SSDEEP: 768:Nh5sxVPFXfgaDjof4ZgHqLNhldu8pGTUTY26TsGrn5wFbUzMsPzB577Xwekfp:NHsxFJfgaDjofVKn1pGwTJOlw1Urvwl
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 30 IoCs
pid | Process
2652 | Tiwi.exe
2668 | IExplorer.exe
792 | winlogon.exe
1132 | imoet.exe
2592 | cute.exe
2972 | Tiwi.exe
1004 | Tiwi.exe
1932 | IExplorer.exe
1776 | IExplorer.exe
1340 | Tiwi.exe
2016 | winlogon.exe
556 | IExplorer.exe
1800 | imoet.exe
1028 | Tiwi.exe
1544 | winlogon.exe
560 | imoet.exe
744 | cute.exe
2952 | IExplorer.exe
2892 | Tiwi.exe
2012 | cute.exe
2960 | IExplorer.exe
2056 | winlogon.exe
2772 | winlogon.exe
2132 | imoet.exe
2600 | imoet.exe
2492 | cute.exe
728 | cute.exe
1592 | winlogon.exe
1652 | imoet.exe
1260 | cute.exe
Loads dropped DLL 45 IoCs
Modifies system executable filetype association 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | IExplorer.exe
File created | F:\autorun.inf | IExplorer.exe
File opened for modification | F:\autorun.inf | IExplorer.exe
File created | C:\autorun.inf | IExplorer.exe
Drops file in System32 directory 38 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
File created | C:\Windows\SysWOW64\tiwi.scr | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
Drops file in Windows directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
File created | C:\Windows\tiwi.exe | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | IExplorer.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
1132 | imoet.exe
2652 | Tiwi.exe
792 | winlogon.exe
2668 | IExplorer.exe
2592 | cute.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
2652 | Tiwi.exe
2668 | IExplorer.exe
792 | winlogon.exe
1132 | imoet.exe
2592 | cute.exe
2972 | Tiwi.exe
1004 | Tiwi.exe
1340 | Tiwi.exe
1776 | IExplorer.exe
2016 | winlogon.exe
556 | IExplorer.exe
1800 | imoet.exe
1544 | winlogon.exe
1028 | Tiwi.exe
560 | imoet.exe
744 | cute.exe
2892 | Tiwi.exe
2952 | IExplorer.exe
2012 | cute.exe
2960 | IExplorer.exe
2056 | winlogon.exe
2772 | winlogon.exe
2132 | imoet.exe
2492 | cute.exe
2600 | imoet.exe
728 | cute.exe
1932 | IExplorer.exe
1592 | winlogon.exe
1652 | imoet.exe
1260 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1952 wrote to memory of 2652 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 30
PID 1952 wrote to memory of 2652 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 30
PID 1952 wrote to memory of 2652 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 30
PID 1952 wrote to memory of 2652 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 30
PID 1952 wrote to memory of 2668 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 31
PID 1952 wrote to memory of 2668 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 31
PID 1952 wrote to memory of 2668 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 31
PID 1952 wrote to memory of 2668 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 31
PID 1952 wrote to memory of 792 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 32
PID 1952 wrote to memory of 792 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 32
PID 1952 wrote to memory of 792 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 32
PID 1952 wrote to memory of 792 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 32
PID 1952 wrote to memory of 1132 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 33
PID 1952 wrote to memory of 1132 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 33
PID 1952 wrote to memory of 1132 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 33
PID 1952 wrote to memory of 1132 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 33
PID 1952 wrote to memory of 2592 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 34
PID 1952 wrote to memory of 2592 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 34
PID 1952 wrote to memory of 2592 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 34
PID 1952 wrote to memory of 2592 | 1952 | a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe | 34
PID 2652 wrote to memory of 2972 | 2652 | Tiwi.exe | 35
PID 2652 wrote to memory of 2972 | 2652 | Tiwi.exe | 35
PID 2652 wrote to memory of 2972 | 2652 | Tiwi.exe | 35
PID 2652 wrote to memory of 2972 | 2652 | Tiwi.exe | 35
PID 2668 wrote to memory of 1004 | 2668 | IExplorer.exe | 36
PID 2668 wrote to memory of 1004 | 2668 | IExplorer.exe | 36
PID 2668 wrote to memory of 1004 | 2668 | IExplorer.exe | 36
PID 2668 wrote to memory of 1004 | 2668 | IExplorer.exe | 36
PID 2652 wrote to memory of 1932 | 2652 | Tiwi.exe | 37
PID 2652 wrote to memory of 1932 | 2652 | Tiwi.exe | 37
PID 2652 wrote to memory of 1932 | 2652 | Tiwi.exe | 37
PID 2652 wrote to memory of 1932 | 2652 | Tiwi.exe | 37
PID 2668 wrote to memory of 1776 | 2668 | IExplorer.exe | 38
PID 2668 wrote to memory of 1776 | 2668 | IExplorer.exe | 38
PID 2668 wrote to memory of 1776 | 2668 | IExplorer.exe | 38
PID 2668 wrote to memory of 1776 | 2668 | IExplorer.exe | 38
PID 792 wrote to memory of 1340 | 792 | winlogon.exe | 39
PID 792 wrote to memory of 1340 | 792 | winlogon.exe | 39
PID 792 wrote to memory of 1340 | 792 | winlogon.exe | 39
PID 792 wrote to memory of 1340 | 792 | winlogon.exe | 39
PID 2668 wrote to memory of 2016 | 2668 | IExplorer.exe | 41
PID 2668 wrote to memory of 2016 | 2668 | IExplorer.exe | 41
PID 2668 wrote to memory of 2016 | 2668 | IExplorer.exe | 41
PID 2668 wrote to memory of 2016 | 2668 | IExplorer.exe | 41
PID 792 wrote to memory of 556 | 792 | winlogon.exe | 40
PID 792 wrote to memory of 556 | 792 | winlogon.exe | 40
PID 792 wrote to memory of 556 | 792 | winlogon.exe | 40
PID 792 wrote to memory of 556 | 792 | winlogon.exe | 40
PID 2668 wrote to memory of 1800 | 2668 | IExplorer.exe | 42
PID 2668 wrote to memory of 1800 | 2668 | IExplorer.exe | 42
PID 2668 wrote to memory of 1800 | 2668 | IExplorer.exe | 42
PID 2668 wrote to memory of 1800 | 2668 | IExplorer.exe | 42
PID 1132 wrote to memory of 1028 | 1132 | imoet.exe | 43
PID 1132 wrote to memory of 1028 | 1132 | imoet.exe | 43
PID 1132 wrote to memory of 1028 | 1132 | imoet.exe | 43
PID 1132 wrote to memory of 1028 | 1132 | imoet.exe | 43
PID 2668 wrote to memory of 744 | 2668 | IExplorer.exe | 44
PID 2668 wrote to memory of 744 | 2668 | IExplorer.exe | 44
PID 2668 wrote to memory of 744 | 2668 | IExplorer.exe | 44
PID 2668 wrote to memory of 744 | 2668 | IExplorer.exe | 44
PID 792 wrote to memory of 1544 | 792 | winlogon.exe | 45
PID 792 wrote to memory of 1544 | 792 | winlogon.exe | 45
PID 792 wrote to memory of 1544 | 792 | winlogon.exe | 45
PID 792 wrote to memory of 1544 | 792 | winlogon.exe | 45
System policy modification 1 TTPs 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1952
C:\Windows\Tiwi.exe (depth 2)
Command line: C:\Windows\Tiwi.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2652
C:\Windows\Tiwi.exe (depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2972
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1932
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1592
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1652
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1260
C:\Windows\SysWOW64\IExplorer.exe (depth 2)
Command line: C:\Windows\system32\IExplorer.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2668
C:\Windows\Tiwi.exe (depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1004
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1776
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2016
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1800
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 744
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 792
C:\Windows\Tiwi.exe (depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1340
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 556
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1544
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 560
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2012
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1132
C:\Windows\Tiwi.exe (depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1028
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2952
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2056
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2132
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2492
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID: 2592
C:\Windows\Tiwi.exe (depth 3)
Command line: C:\Windows\Tiwi.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2892
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2960
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2772
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2600
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 728
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
- Filesize 45KB
  MD5 592cd88cf4f3cdff56991bbbc66f9397
  SHA1 2113a9a4c998629bae12f9702a795de665e5455d
  SHA256 7142269a0c7e6d46be151cdc6abf03f7f875842179e9f17f85c9c57e033d013e
  SHA512 2d25c5a2a5ab26318c24fad52627f6af47f145d08accfdf847e118187a6a05bf126ed479a9901941c171be168071a915afa8189b6535acf18b650a7835b12198
- Filesize 45KB
  MD5 7dfe2f41ed985f669a2ce0d99108f69b
  SHA1 90e4f47882e368143a8f0ffc4b17b866a8057fa6
  SHA256 176f3e15995b15fd3a87363585e1725456b720de31c194ade5af6bcec2735386
  SHA512 333e40f0f3ef7f8f6b5d4dd83025c631b6c01763436defbd96abdeb43f090de40c16ac5c80ce830984eb9133151e023ee2ee1a24ff7a4a0cb72af4ba741e5610
- Filesize 45KB
  MD5 2f065312a4404452bb11b2db94a62050
  SHA1 25b6b18608da1c037c53e48ffc1c4c1b94600fca
  SHA256 f7196cfe0be2ea2fb5c304df07d5d2099ac56bbcc0ab0fb52a92891e42978377
  SHA512 181d429fa8c4e1472194a6f1d905a78657f9004f8d3a212df955b68df5582be8c3bcfabc9b3f09d89e9ee1eab9d38d589cc26e0d971ec882e60edf48a11f3c87
- Filesize 45KB
  MD5 71e4d7ac6aa02c168280d2fe11b1e16d
  SHA1 6212e9b03354a4a6fb399cf50f18bf7d1d39e320
  SHA256 87aa33e42b96776379132c100a4a8ec236e49c364863e509ed7741b2ef07b4c6
  SHA512 5c0035f2f75f0b5c0185324c0fd0695148db9e18026945f06bbebbfeac753728caeaf1a847026d210e1744a9814c517668fdf168708c158483a26fe6c688bd6a
- Filesize 57KB
  MD5 1fe05a42e51d417d4466c21b92d6da50
  SHA1 f4a8845966cb9553dba2f1c366523cd817a6b196
  SHA256 88210333b370d8838aa74bada6a6ee344baba2b3c09d8bfdb742ca3f8c38eb1a
  SHA512 417e63b5f7a2dae72b105e0ed9022b189ede4bc397b6a720396429fc2bcf37053e1c318bcbcff6768a98f8c873c023eb5259153bf63bb46963a5b032622ea345
- Filesize 57KB
  MD5 5af81a7c37f176381262a6d38d480405
  SHA1 c2748ef6d07060a356163088b277576b67e2730b
  SHA256 143056d117e36ab594a820ad6cc2ba751e6e82294cbb95a64f1941c2944eed10
  SHA512 21eed70bddee88af12863ddf409fe5fdaf4b150fa3f6a3f372cc9b9d34aa141b40849fd8d348f0da282737dbfe2e82c4f45d86dfa9fd2d0660b7fa3df42083dc
- Filesize 57KB
  MD5 f4df4a7b0b59eb4cf90ccc5ae54abe42
  SHA1 b3c00480187844897bcdec428dc2c2a80bd5d3c8
  SHA256 a40dfb952eedf1fd632f60414090e1fa083204ebb9c95e218ec45a24790e847b
  SHA512 c5454fde74f09b20daa3e4a3472bb2273356e9377402e8dfc57d9c3e749fed5e2175c8a7588f9ff6fd49bca90f718e71811794b5137ac54bdad5418fbe7fbfac
- Filesize 1.3MB
  MD5 5343a19c618bc515ceb1695586c6c137
  SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize 57KB
  MD5 fc23e893dab61a62076aa54a623c0b7b
  SHA1 5042ea1508580decb75ee044978248f2b15aa59e
  SHA256 f076a22eda2140fe386d7e437a0cbdbe60b908dbe495988dc4e17436b2f6b7a6
  SHA512 748f2254bfb8825500ffc5d546061fca0c504aaf8e766cf3e65eeaa1e690241ebbc8ee3a262f2c6dc967ea1b9ee8372728ad1a20dbbb46e533070b1c1ecd05bc
- Filesize 57KB
  MD5 5c49dae09e70a5deae593c428fd141ab
  SHA1 0c4554f5459f5b79432abdd68a6f166fc2c6df09
  SHA256 a0216819d13c84b6c9cbf0e6e963d9571203ec8082bf03c864d1a252cb1c6f76
  SHA512 6a329b3da90adfd8c36e9dc2f8a6d018ae3f86e4d331e77cd5c7da6b301d94db54d69c173ae71c0a387cb8fd83551d80e339d1fd52fd2c5fae590db11db71a32
- Filesize 57KB
  MD5 9f86a47a926e66b9800c5ce34183f412
  SHA1 c6be0d760a3639f0d7e7c9ba7bf500bb67b44ddd
  SHA256 efdc7cda579fa3144c9e3c17a63120bd7603b512e4fb738d02fb1ca620a2bd29
  SHA512 2e9d3153cfa37572c0f649171f8336a6a098114f8ad736d5cc6483651ed82ab6ea6f3651d6a4b7ef7e005bd3d4beb4f382986c2b30998a814c5fa8646efaf03d
- Filesize 57KB
  MD5 b3afff27e4c0997223597cd5f9f217f6
  SHA1 5350a9d918226bfb4314832ea53fb853544f609b
  SHA256 920eb3f09b9dee544bc065d220e00b5b92385a13c58c6e79487602d8bf25e2a5
  SHA512 5fbde4b2ac2dc3193ff065b51d77da70b8d8eb0389177d38aad2ed7023cdeaf69268140856035b612a78e71ecc472ef95fb4fba0cfd6de9547f0c32e5cabfaaa
- Filesize 57KB
  MD5 260cbbb284f543073f34adfc4c9bbb28
  SHA1 d37d110c9b9fe06235ffda5a28b9b9fcb5e32685
  SHA256 a9f92f478f7e8911cd263130c4e97e4a719050cd0030f07ca27650dab31d699f
  SHA512 e5b843c6ce3da053ec97b59d34c044427e7c1bf5ae461cb2a862f04468c323fa8480d0f2cad1c8dbce91f4068c87389addbb95878771860dd3b8214a4a38904f
- Filesize 57KB
  MD5 07086a0b22c078c161e0e389da44d2eb
  SHA1 9f712c8e820872f9c6734492f9d2d3afbb3efeff
  SHA256 2a181811bd8460a574def4f6c45aff070745667dd3501b91279607e42db7331b
  SHA512 001f9eb9171f78b42c193ef2406fc8a3bc61004fd3c0a52382755f22cdcd1b11e3afda833528f7e356ac0c40d97d53dbd231b49bf484a65328fd580c136f536c
- Filesize 57KB
  MD5 7f60d3f66b90ef5d1ba51ef6c3698266
  SHA1 145794ee808162b6394212ecc40c4028b2f9a0b6
  SHA256 dc8ea8c46b4ef859c29516411293a109e9444ceb7de1812d3741d63ebd3b01a5
  SHA512 457a32865cbad7af63f147974a6037846b194de6a828c5a3262d66eb08fd3a797d77bb1630df0f8689ac6d6b34326bb8ae1c5d215bd01cdf409c965441bd2773
- Filesize 57KB
  MD5 7eef049005f58b6a5dfc55d86c753609
  SHA1 73d6147077cfa5d81b752b7d6709ff6298a281c6
  SHA256 42f2036c731d012836a098871822e280186a8a6f09f52eb234ea81fb675540f7
  SHA512 7f461820b6d88b98f97504cf361680e17822ea9a7b9db1cd848cecce18aca34d91d07adac11f074b275965055822991593bfdde5fe231c0a9bfaf60b30564c9f
- Filesize 729B
  MD5 8e3c734e8dd87d639fb51500d42694b5
  SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
  SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
  SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
- Filesize 57KB
  MD5 b322b3ca0f1727dba840c6dcfa97bdb0
  SHA1 0b2d93f1a06ecf7950230bfa48a1e685fc2a5cf5
  SHA256 b9bf4b2a647aa632216aaf6fcd0a0fee011ef4409d5ec4ae983fb31cbcf35643
  SHA512 95c83d294ecb93d1789460e7a5e5415f1114d139f8843b2fe8d5b351b48e1b74785bc7c6647f51c7e22165de25e7b9a5a874831ef71061b55f48221aa5105646
- Filesize 57KB
  MD5 bbec0b54a8e6323d862d41a1c711a385
  SHA1 57b7d0025a1f52052cb177b76bad3c2487050c24
  SHA256 5d3b54bd62309062e8c4682c60230508bdf25ac8a3439f0dc7f8ea4237da01da
  SHA512 7ac4be6298ed551e830aead725986cf68091e765adf7c13293b6c1a553fddc8c760e5080957b515a7394d9dbad4624d3a641b26216737ea730c6a84208dfc2fc
- Filesize 39B
  MD5 415c421ba7ae46e77bdee3a681ecc156
  SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
  SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
  SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
- Filesize 57KB
  MD5 f1556174ae3327bbd2fed13a57bbd514
  SHA1 46411bc7d22daf15c60d5ef33e6108dbe715105e
  SHA256 4a2afa8421092a1c17433d38bf8a3ad379b73d82c2f0b908d4d05333e78fc0ca
  SHA512 9cd03eeb2eb32cd714f90db443dc10706ca81325d16c3678049dd5a692c43a4db0199bf3face89c41744880d53e47128a39f34fb2b937b4a25f0c26d15f2ff49
- Filesize 57KB
  MD5 cd1e4930e2ff497f5c90a377d8eeb644
  SHA1 00ea1f8f39b28172f9befa2c2e6bc5863d947ad2
  SHA256 7074314b60a74787166ee1cd1c917651d92693d42e0114a66977201be1ea676f
  SHA512 0548db59bd28e5fc509ffd7da90ce2ef70c09e2c8b9820c9749d28b776bebf997c4e25a3698578dae27aa7b53237caf75e02e2179e4c1b5bdbf8f516ee79a66b
- Filesize 57KB
  MD5 2b77c95480f1e87472e63acc2f24c1a2
  SHA1 a9dfddf679c42f760efd01a1bf71e6104c459d8f
  SHA256 221b0800278352e9dabe625d90c31957efce7b2c381423207adcf11dfce71a8a
  SHA512 beb0a3898feed6e44afe1224b59a4e80b880ac507cdda10b8ab5dd65935435a2004831e9487443dc7e8fbff086504a9f1859cea47446a28fd45872c4234653c1