Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
20/09/2024, 09:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe
Resource
win7-20240903-en
windows7-x64
27 signatures
150 seconds
Behavioral task
behavioral2
Sample
c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
26 signatures
150 seconds
General
-
Target
c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe
-
Size
488KB
-
MD5
616d3d1f176b32bb08a78c670e2a70c0
-
SHA1
7a571f812dee70e4ef4b689a22465c4b98386681
-
SHA256
c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7
-
SHA512
54aabaf45e7ae97e5c97df11487c4e277244819d6bdc908ee658ff233db6923d05312520e23693336261419706a88f118b50fc57734b40f4948b3367b47e2713
-
SSDEEP
12288:V/M+/MP/Mx/M7/Mx/M4/MpBE/Mk/M2/M1:VdK2O2HIBEd7M
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cute.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cute.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" imoet.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cute.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 35 IoCs
pid Process 4252 Tiwi.exe 2284 IExplorer.exe 2928 winlogon.exe 3148 Tiwi.exe 1716 Tiwi.exe 2428 IExplorer.exe 400 IExplorer.exe 4488 Tiwi.exe 4800 winlogon.exe 2232 IExplorer.exe 756 winlogon.exe 4572 imoet.exe 3960 imoet.exe 4380 winlogon.exe 2648 cute.exe 2696 cute.exe 1548 imoet.exe 548 Tiwi.exe 3772 cute.exe 3660 imoet.exe 2436 IExplorer.exe 4524 cute.exe 2704 winlogon.exe 2900 imoet.exe 2496 Tiwi.exe 5112 cute.exe 3500 Tiwi.exe 5068 IExplorer.exe 4400 IExplorer.exe 3916 winlogon.exe 3620 winlogon.exe 4584 imoet.exe 3792 imoet.exe 1920 cute.exe 3504 cute.exe -
Loads dropped DLL 6 IoCs
pid Process 3148 Tiwi.exe 1716 Tiwi.exe 4488 Tiwi.exe 548 Tiwi.exe 2496 Tiwi.exe 3500 Tiwi.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" Tiwi.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\Y: Tiwi.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\N: IExplorer.exe File opened (read-only) \??\B: cute.exe File opened (read-only) \??\G: cute.exe File opened (read-only) \??\V: Tiwi.exe File opened (read-only) \??\Z: imoet.exe File opened (read-only) \??\H: cute.exe File opened (read-only) \??\Y: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\W: imoet.exe File opened (read-only) \??\B: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\G: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\S: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\V: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\R: Tiwi.exe File opened (read-only) \??\Z: Tiwi.exe File opened (read-only) \??\M: IExplorer.exe File opened (read-only) \??\X: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\K: winlogon.exe File opened (read-only) \??\J: imoet.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\G: imoet.exe File opened (read-only) \??\K: cute.exe File opened (read-only) \??\B: winlogon.exe File opened (read-only) \??\H: winlogon.exe File opened (read-only) \??\O: imoet.exe File opened (read-only) \??\P: imoet.exe File opened (read-only) \??\X: cute.exe File opened (read-only) \??\H: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\U: Tiwi.exe File opened (read-only) \??\W: Tiwi.exe File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\S: cute.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\V: imoet.exe File opened (read-only) \??\K: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\E: Tiwi.exe File opened (read-only) \??\S: IExplorer.exe File opened (read-only) \??\J: cute.exe File opened (read-only) \??\K: Tiwi.exe File opened (read-only) \??\M: Tiwi.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\T: imoet.exe File opened (read-only) \??\T: cute.exe File opened (read-only) \??\R: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\E: cute.exe File opened (read-only) \??\E: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\N: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\P: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\I: IExplorer.exe File opened (read-only) \??\H: imoet.exe File opened (read-only) \??\L: imoet.exe File opened (read-only) \??\Z: cute.exe File opened (read-only) \??\U: c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\J: winlogon.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe -
Drops autorun.inf file 1 TTPs 6 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created F:\autorun.inf Tiwi.exe File opened for modification F:\autorun.inf Tiwi.exe File created F:\autorun.inf c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened for modification F:\autorun.inf c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File created C:\autorun.inf c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened for modification C:\autorun.inf c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\tiwi.scr c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe imoet.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr cute.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe imoet.exe File opened for modification C:\Windows\SysWOW64\shell.exe cute.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\shell.exe c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened for modification C:\Windows\SysWOW64\shell.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr Tiwi.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe cute.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\shell.exe c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File created C:\Windows\SysWOW64\IExplorer.exe c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe cute.exe File created C:\Windows\SysWOW64\IExplorer.exe Tiwi.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\tiwi.scr winlogon.exe -
Drops file in Windows directory 26 IoCs
description ioc Process File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe cute.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File created C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe imoet.exe File created C:\Windows\tiwi.exe imoet.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\tiwi.exe Tiwi.exe File opened for modification C:\Windows\tiwi.exe IExplorer.exe File created C:\Windows\tiwi.exe IExplorer.exe File opened for modification C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\tiwi.exe winlogon.exe File created C:\Windows\tiwi.exe cute.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cute.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tiwi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language imoet.exe -
Modifies Control Panel 54 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\ Tiwi.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\ c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1" cute.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\ c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi" Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\ imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s2359 = "Tiwi" imoet.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" cute.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Mouse\ Tiwi.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\s1159 = "Tiwi" cute.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\ c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\ Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\ cute.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Main\ imoet.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" Tiwi.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" imoet.exe Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" cute.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" imoet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Tiwi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command cute.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" imoet.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 4252 Tiwi.exe 4572 imoet.exe 2928 winlogon.exe 2284 IExplorer.exe 2648 cute.exe -
Suspicious use of SetWindowsHookEx 35 IoCs
pid Process 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 4252 Tiwi.exe 2284 IExplorer.exe 2928 winlogon.exe 3148 Tiwi.exe 1716 Tiwi.exe 400 IExplorer.exe 2428 IExplorer.exe 4488 Tiwi.exe 4800 winlogon.exe 756 winlogon.exe 2232 IExplorer.exe 4572 imoet.exe 3960 imoet.exe 4380 winlogon.exe 2648 cute.exe 2696 cute.exe 1548 imoet.exe 548 Tiwi.exe 3772 cute.exe 2436 IExplorer.exe 4524 cute.exe 2704 winlogon.exe 2900 imoet.exe 2496 Tiwi.exe 3500 Tiwi.exe 5112 cute.exe 5068 IExplorer.exe 4400 IExplorer.exe 3916 winlogon.exe 3620 winlogon.exe 4584 imoet.exe 3792 imoet.exe 1920 cute.exe 3504 cute.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3168 wrote to memory of 4252 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 83 PID 3168 wrote to memory of 4252 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 83 PID 3168 wrote to memory of 4252 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 83 PID 3168 wrote to memory of 2284 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 84 PID 3168 wrote to memory of 2284 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 84 PID 3168 wrote to memory of 2284 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 84 PID 3168 wrote to memory of 2928 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 85 PID 3168 wrote to memory of 2928 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 85 PID 3168 wrote to memory of 2928 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 85 PID 3168 wrote to memory of 3148 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 86 PID 3168 wrote to memory of 3148 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 86 PID 3168 wrote to memory of 3148 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 86 PID 4252 wrote to memory of 1716 4252 Tiwi.exe 87 PID 4252 wrote to memory of 1716 4252 Tiwi.exe 87 PID 4252 wrote to memory of 1716 4252 Tiwi.exe 87 PID 3168 wrote to memory of 2428 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 88 PID 3168 wrote to memory of 2428 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 88 PID 3168 wrote to memory of 2428 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 88 PID 4252 wrote to memory of 400 4252 Tiwi.exe 89 PID 4252 wrote to memory of 400 4252 Tiwi.exe 89 PID 4252 wrote to memory of 400 4252 Tiwi.exe 89 PID 2284 wrote to memory of 4488 2284 IExplorer.exe 90 PID 2284 wrote to memory of 4488 2284 IExplorer.exe 90 PID 2284 wrote to memory of 4488 2284 IExplorer.exe 90 PID 4252 wrote to memory of 4800 4252 Tiwi.exe 91 PID 4252 wrote to memory of 4800 4252 Tiwi.exe 91 PID 4252 wrote to memory of 4800 4252 Tiwi.exe 91 PID 2284 wrote to memory of 2232 2284 IExplorer.exe 92 PID 2284 wrote to memory of 2232 2284 IExplorer.exe 92 PID 2284 wrote to memory of 2232 2284 IExplorer.exe 92 PID 3168 wrote to memory of 756 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 93 PID 3168 wrote to memory of 756 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 93 PID 3168 wrote to memory of 756 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 93 PID 3168 wrote to memory of 4572 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 95 PID 3168 wrote to memory of 4572 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 95 PID 3168 wrote to memory of 4572 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 95 PID 4252 wrote to memory of 3960 4252 Tiwi.exe 94 PID 4252 wrote to memory of 3960 4252 Tiwi.exe 94 PID 4252 wrote to memory of 3960 4252 Tiwi.exe 94 PID 2284 wrote to memory of 4380 2284 IExplorer.exe 98 PID 2284 wrote to memory of 4380 2284 IExplorer.exe 98 PID 2284 wrote to memory of 4380 2284 IExplorer.exe 98 PID 4252 wrote to memory of 2648 4252 Tiwi.exe 99 PID 4252 wrote to memory of 2648 4252 Tiwi.exe 99 PID 4252 wrote to memory of 2648 4252 Tiwi.exe 99 PID 3168 wrote to memory of 2696 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 100 PID 3168 wrote to memory of 2696 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 100 PID 3168 wrote to memory of 2696 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 100 PID 2284 wrote to memory of 1548 2284 IExplorer.exe 101 PID 2284 wrote to memory of 1548 2284 IExplorer.exe 101 PID 2284 wrote to memory of 1548 2284 IExplorer.exe 101 PID 2928 wrote to memory of 548 2928 winlogon.exe 102 PID 2928 wrote to memory of 548 2928 winlogon.exe 102 PID 2928 wrote to memory of 548 2928 winlogon.exe 102 PID 2284 wrote to memory of 3772 2284 IExplorer.exe 103 PID 2284 wrote to memory of 3772 2284 IExplorer.exe 103 PID 2284 wrote to memory of 3772 2284 IExplorer.exe 103 PID 3168 wrote to memory of 3660 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 104 PID 3168 wrote to memory of 3660 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 104 PID 3168 wrote to memory of 3660 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 104 PID 2928 wrote to memory of 2436 2928 winlogon.exe 105 PID 2928 wrote to memory of 2436 2928 winlogon.exe 105 PID 2928 wrote to memory of 2436 2928 winlogon.exe 105 PID 3168 wrote to memory of 4524 3168 c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe 108 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cute.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" Tiwi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" imoet.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" cute.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe"C:\Users\Admin\AppData\Local\Temp\c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3168 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4252 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1716
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:400
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4800
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3960
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2648 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3500
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4400
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3620
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3792
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3504
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2284 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4488
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2232
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4380
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1548
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3772
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2928 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:548
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2436
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2704
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2900
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5112
-
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3148
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2428
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:756
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4572 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2496
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5068
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3916
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4584
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1920
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2696
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3660
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4524
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
488KB
MD55a594178b734a995c4efc9e106d7d459
SHA1c83a3419d6eb6b62dd1b4b204984df730e821548
SHA2568950db2b0ea8502e1346991d15c3ad598205986d78cf277e0017553985978f51
SHA5121909b0da6c11ae7f10347bdd9fb34b480ffb103568fcafd01ff3896ee4061fc969de35c4835208af25eea1acdf6d85255883f551fe76e9e4b41da5b8385af9b6
-
Filesize
45KB
MD54ddc454171bc14f8a28d755f6218a612
SHA1feab9a2b5d5c42e11186a040ada6f0e22f7733da
SHA256cee9cbecd7e3024b1ecd34886c04aba2882d14aa77a7ca93e10c39761272ac45
SHA512ac7e0816a2e8af95eb734fa254c15df60878c3f2f3e2185ce4f85bbe2f8f0627c57ff6887937376676d1c76c389f544d9ad21d1b3e24347ba2c1ab10f59079ed
-
Filesize
488KB
MD5685a544755f56f285e83d9764561c825
SHA1ae265b8a879953e4da6f8dcf3f67956689409a4d
SHA256a98efb48d33d68eed42acc88f962cf10fed4cfb31e7b40e476385f8b82d9aba5
SHA51216f13c0274e981bbdb49749d1771d498425b2b3ab1bc70ab6e79bd08dbdec001e15954f6548c7a3192ac625774637ded4bda1be99e3b76f0bd6edcbedcb3bc36
-
Filesize
488KB
MD59e11ea706b99fae10175e64335e86d87
SHA1f3c24f4d91112dfb4df5e3710070b000a8cd14a6
SHA256dc2aa5d21be52ea5c29d4aa48ab6003519ee6787de6c792ee843706d30ddc2c9
SHA5123c9f257e1d283f157aebf2abc69ddda368c01189d71693509863c22ca37d91fe3d3f5738c304fd09f743a434ba9c10f175fc9b05270c17549d3ffbbd8ed3d4db
-
Filesize
488KB
MD518f9708e0ea81d307a340f5a57de2df4
SHA1aabafb1da31044dc5f978e7a401ff6c902cbea0b
SHA256c817d6cf1f3a04131c9a76a1a6d849849c6bb8bcebf57721401b1e33e83aa64e
SHA5125fdd1caedcb08c2f93c2ca9b913e08f625f3e2a45c0938f2717bf823ec40d2abcfd54688b2d781ea9f3333ad8ca3b2c1a851fae54f623b517cde228f6c085cbc
-
Filesize
45KB
MD59d94864d6a14340c88cd143af2323340
SHA1810d1beeb4bb0d61328c34790d788d7aeab58b2d
SHA25685c0ea5dae155d4d8bd1d8599ede473bb0159a47a80bde62c6da0363a523e323
SHA512e2465a1bf26d252c790be3ac40a0f55ae22714d5a6af87177316385f856871008ecad425100f17cf5ae4be43d5037baab321a58519450671aab10ed7f937cc93
-
Filesize
45KB
MD57a469de2f3ef826fd6e95875191159f5
SHA1eb181ef0038cd635009ed47058baa68b2e298cb9
SHA2564edea22f2dd059f334f8f7592fbb90501e71c8cdc5fd47c2d10a1a2cd737da91
SHA51242a02e0dc0a3440b513bb6a437c7a7ebaa45478dd99e30ce7d61baa9bccc11a123e0f12fc021d91ec9e2a62db433b5e9b88c2bafc3fb53d2ebf398435de600d4
-
Filesize
45KB
MD5723a068d9cf246f953cd3ad389edb0a8
SHA163509572806f983ab4c41af3b1d0726a004385ee
SHA2565a94ff7f0b1827a4d96e5824bfbd7ed9654da9b0ebaa031a3eb345462c5432f6
SHA512a0797138594ddb72f5458d7b31920a4ed6573503a326b05031fb7511aca1eff31367aa392d175eb20d7a7ef438a01605fb458cb6016e5fa75ce992fd357b4079
-
Filesize
488KB
MD576e842feb9747791e881d6b2d9a1ff60
SHA1081fbe617ca99dfdd9c77c9b0e3b7b6db7ded119
SHA256715c40720481796bebd73dd6446a570812f2c7a9c715191f7291e8f8bb45bd96
SHA512fecfd390d01fa0a275c3baf7b7c60ade836d6d03cef70d14ddade02ee8eb360f1c6e0bf55a11c7b3657a415253c3ab6aa0e81fd595b9fbd6dd9fe777bae52550
-
Filesize
488KB
MD5616d3d1f176b32bb08a78c670e2a70c0
SHA17a571f812dee70e4ef4b689a22465c4b98386681
SHA256c9f41bc5f366b78b6fc376767ff73628ee6d5fc1f0a9fa9dc5bedcd049ebafd7
SHA51254aabaf45e7ae97e5c97df11487c4e277244819d6bdc908ee658ff233db6923d05312520e23693336261419706a88f118b50fc57734b40f4948b3367b47e2713
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
488KB
MD5e7a2eb38dc7eef8437426c686c28a765
SHA132096c9f7c99aab52f665548293598d777670cc8
SHA2561d769e83e4b7a91e8b95a6bfb83a345dcd472012982e2d7b38c65de5676f73d5
SHA512c710c34819a74f5f41f4bdc1d47161c40d905a86ad0d8c5648f4096ed58b54b891056a7ec4940cca28470055da3e0d9fa5c25dbd15d511d4b14cf383be1d9fb7
-
Filesize
729B
MD58e3c734e8dd87d639fb51500d42694b5
SHA1f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA51206ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize
39B
MD5415c421ba7ae46e77bdee3a681ecc156
SHA1b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62