d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Size

351KB
MD5

922afba2c13ac4ec4b6950a6c2a8ae40
SHA1

756ccfea585548171272455591dd3229ee4b6484
SHA256

d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286
SHA512

91eca843aa58bbe9d851011751614a730fe3e41e164d9da230d06d59ad3045b1e519bdad0a10ba8669d2ce913204993003e74d75096a75ec8b7d0d050b975e75
SSDEEP

6144:V/OZplJcYZplx/OZpl7/OZplx/OZplQ/OZplU:V/Miqx/M7/Mx/MQ/MU

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
816	Tiwi.exe
4420	IExplorer.exe
2520	winlogon.exe
2332	Tiwi.exe
2576	Tiwi.exe
3380	IExplorer.exe
3916	IExplorer.exe
1516	winlogon.exe
4728	winlogon.exe
2804	Tiwi.exe
4560	Tiwi.exe
3140	imoet.exe
3504	IExplorer.exe
2240	imoet.exe
2988	IExplorer.exe
2248	winlogon.exe
2416	cute.exe
5052	winlogon.exe
1288	cute.exe
3048	Tiwi.exe
4920	imoet.exe
2916	imoet.exe
4924	cute.exe
4528	cute.exe
772	imoet.exe
5104	IExplorer.exe
3476	cute.exe
2788	winlogon.exe
4776	Tiwi.exe
5080	imoet.exe
3188	IExplorer.exe
5096	cute.exe
472	winlogon.exe
1952	imoet.exe
4696	cute.exe

Loads dropped DLL 6 IoCs

pid	Process
2332	Tiwi.exe
2576	Tiwi.exe
2804	Tiwi.exe
4560	Tiwi.exe
3048	Tiwi.exe
4776	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\T:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\X:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\O:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\L:	cute.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\J:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\K:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\M:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\I:	imoet.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\B:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\P:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\U:	imoet.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\V:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\Q:	Tiwi.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\L:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\U:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\G:	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened for modification	F:\autorun.inf	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe
File created	C:\autorun.inf	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened for modification	C:\autorun.inf	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File created	C:\autorun.inf	Tiwi.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File created	C:\Windows\SysWOW64\tiwi.scr	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File created	C:\Windows\tiwi.exe	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imoet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tiwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
816	Tiwi.exe
3140	imoet.exe
2520	winlogon.exe
4420	IExplorer.exe
2416	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
816	Tiwi.exe
4420	IExplorer.exe
2520	winlogon.exe
2332	Tiwi.exe
2576	Tiwi.exe
3380	IExplorer.exe
3916	IExplorer.exe
1516	winlogon.exe
4728	winlogon.exe
2804	Tiwi.exe
4560	Tiwi.exe
3140	imoet.exe
3504	IExplorer.exe
2988	IExplorer.exe
2240	imoet.exe
2248	winlogon.exe
2416	cute.exe
5052	winlogon.exe
1288	cute.exe
4920	imoet.exe
2916	imoet.exe
4924	cute.exe
4528	cute.exe
772	imoet.exe
3048	Tiwi.exe
5104	IExplorer.exe
3476	cute.exe
2788	winlogon.exe
4776	Tiwi.exe
5080	imoet.exe
3188	IExplorer.exe
5096	cute.exe
472	winlogon.exe
1952	imoet.exe
4696	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 816	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	82
PID 456 wrote to memory of 816	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	82
PID 456 wrote to memory of 816	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	82
PID 456 wrote to memory of 4420	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	83
PID 456 wrote to memory of 4420	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	83
PID 456 wrote to memory of 4420	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	83
PID 456 wrote to memory of 2520	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	84
PID 456 wrote to memory of 2520	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	84
PID 456 wrote to memory of 2520	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	84
PID 456 wrote to memory of 2332	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	85
PID 456 wrote to memory of 2332	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	85
PID 456 wrote to memory of 2332	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	85
PID 816 wrote to memory of 2576	816	Tiwi.exe	86
PID 816 wrote to memory of 2576	816	Tiwi.exe	86
PID 816 wrote to memory of 2576	816	Tiwi.exe	86
PID 456 wrote to memory of 3380	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	87
PID 456 wrote to memory of 3380	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	87
PID 456 wrote to memory of 3380	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	87
PID 816 wrote to memory of 3916	816	Tiwi.exe	88
PID 816 wrote to memory of 3916	816	Tiwi.exe	88
PID 816 wrote to memory of 3916	816	Tiwi.exe	88
PID 456 wrote to memory of 1516	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	89
PID 456 wrote to memory of 1516	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	89
PID 456 wrote to memory of 1516	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	89
PID 816 wrote to memory of 4728	816	Tiwi.exe	90
PID 816 wrote to memory of 4728	816	Tiwi.exe	90
PID 816 wrote to memory of 4728	816	Tiwi.exe	90
PID 4420 wrote to memory of 2804	4420	IExplorer.exe	92
PID 4420 wrote to memory of 2804	4420	IExplorer.exe	92
PID 4420 wrote to memory of 2804	4420	IExplorer.exe	92
PID 2520 wrote to memory of 4560	2520	winlogon.exe	91
PID 2520 wrote to memory of 4560	2520	winlogon.exe	91
PID 2520 wrote to memory of 4560	2520	winlogon.exe	91
PID 456 wrote to memory of 3140	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	93
PID 456 wrote to memory of 3140	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	93
PID 456 wrote to memory of 3140	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	93
PID 4420 wrote to memory of 3504	4420	IExplorer.exe	94
PID 4420 wrote to memory of 3504	4420	IExplorer.exe	94
PID 4420 wrote to memory of 3504	4420	IExplorer.exe	94
PID 816 wrote to memory of 2240	816	Tiwi.exe	95
PID 816 wrote to memory of 2240	816	Tiwi.exe	95
PID 816 wrote to memory of 2240	816	Tiwi.exe	95
PID 2520 wrote to memory of 2988	2520	winlogon.exe	96
PID 2520 wrote to memory of 2988	2520	winlogon.exe	96
PID 2520 wrote to memory of 2988	2520	winlogon.exe	96
PID 4420 wrote to memory of 2248	4420	IExplorer.exe	97
PID 4420 wrote to memory of 2248	4420	IExplorer.exe	97
PID 4420 wrote to memory of 2248	4420	IExplorer.exe	97
PID 456 wrote to memory of 2416	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	98
PID 456 wrote to memory of 2416	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	98
PID 456 wrote to memory of 2416	456	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe	98
PID 2520 wrote to memory of 5052	2520	winlogon.exe	101
PID 2520 wrote to memory of 5052	2520	winlogon.exe	101
PID 2520 wrote to memory of 5052	2520	winlogon.exe	101
PID 816 wrote to memory of 1288	816	Tiwi.exe	102
PID 816 wrote to memory of 1288	816	Tiwi.exe	102
PID 816 wrote to memory of 1288	816	Tiwi.exe	102
PID 3140 wrote to memory of 3048	3140	imoet.exe	103
PID 3140 wrote to memory of 3048	3140	imoet.exe	103
PID 3140 wrote to memory of 3048	3140	imoet.exe	103
PID 4420 wrote to memory of 4920	4420	IExplorer.exe	104
PID 4420 wrote to memory of 4920	4420	IExplorer.exe	104
PID 4420 wrote to memory of 4920	4420	IExplorer.exe	104
PID 2520 wrote to memory of 2916	2520	winlogon.exe	105

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe
"C:\Users\Admin\AppData\Local\Temp\d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:456
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:816
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2576
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3916
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4728
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2240
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1288
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4420
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3504
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2248
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4920
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4924
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2520
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4560
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5052
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4528
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2332
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3380
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1516
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3140
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3048
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5104
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2788
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5080
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5096
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2416
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4776
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3188
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:472
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1952
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:772
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
c5609398fca5b9ae20b6b7afc219068b

SHA1
c9aa5c341ad07d768114b7add7e784d6f20186fd

SHA256
eec2d0fc410b9576e3276b1176f1f0403bcb7099d29f1d91f460c5e0dad7ba8a

SHA512
1c39ac49d7d5eb07cb1ca2899e0366801018240aed550b05aed04af0f4a9511e53a5120cb87a44e7163e8af22f9d1c8e050491a9d198cc1f56e5abfee4ee136d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
351KB

MD5
4b0b644618fea85dbb003afd112fe20c

SHA1
99daeff4c1c68284044edd6ae2e4359a3ea68192

SHA256
239f1bad2cbc2b33b77ffcf9318c70345d07c7bff2070e07caa81e498f44dfd1

SHA512
8948f40fb35277b60bc65116269ddafc07f373f963f8d9cbe7b3b1f2782268dac287101f0331a830f1ca2174c62f1088e3ffb2b8380cae516a279e23c4fd2e90

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
351KB

MD5
2b1afa7bb2853b7812aeef1744bed404

SHA1
28c84632e7304128e44369f83df4557c647fc0d9

SHA256
de046aff1afd0b86d395dafd26bf8b67c1ede6f214a49d5cbfc2bcfd7b28857e

SHA512
c870eb17448449e457c54506b9a6f9340ba94ca05e59acdc3fc17e13973e2f2a1212d18f66397dc425fa667c7df231b02c9233bdb388cd122f0ab0049ff5e6de

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
351KB

MD5
4b30d2537fd2661fc6aad95afa1f7fdb

SHA1
419fc513111f7fff281964acae095bcad148e1fd

SHA256
c199f09a2d6c38171b1af48fcec5c70a38a3bc8e8b178dec6ca95f3ff3dda7c0

SHA512
b15c338348dde9512876d7c8f062bb1d87d9567fada839e538e3e1b3ffc5101f85428463c85751c13a8149b2b166edab83c837c915795e7bc51f3141c9440f7a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
351KB

MD5
a1f8a2bc57d88ed20d2d67417250b1c7

SHA1
641aaf404ebb6c4253235f9e436b9b32505371a9

SHA256
38c7a696388fa6f264fcbfd0157626d46ece03fc2b56c12eda87a4f66614a88a

SHA512
d703367b88ae1287407db1fd1c5d8cae2147f391968dce00e0315a7a62a16fb3b614ff0627898a93bd68ce6a18657e35fb89a9b34aa69d41ed9be955dc7f2f70

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
351KB

MD5
e1b9d6bb3529c2ba10073b89e869da19

SHA1
6e504dd6bd0e40f58f3f5d9a21f579383cf7a459

SHA256
47b33f9bd75d1ee1dcd6c8bc92e5a7fea83773c84e44342a5f2b84eba57d6e97

SHA512
a2055c93f21f8b4e6401aab1b5863667bf89ddf079b99f22d779a7453e47742c2458501b459441a75f8bdd3bc71bdf6f427e77df4289f9aa91f416869d37777f

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
85d4c360e8933cd79df979132459e31c

SHA1
d68b406ccaee60e1c199c2cbf6c8f38549ab1f3c

SHA256
4759664399c72bcf2add65c62e85c7dcfdd1829fbe21d9a47196be6621228acc

SHA512
6b3d815a3afaf17a504edc7f5753a8a75f91c132068df473c0570df288aca546441896e87f1c7d06bca6ea8fa2640211d5b2c3b5108edd4db933647ec3b77d33

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
e23e2c47da77a69a97969004abfec52d

SHA1
38c3a38db066ff760e1f27e76613599e5172d2da

SHA256
af43a7e992d5caf542a9e2653066a6c20b047658c73d9c5b17ccd0dd81a0a7ec

SHA512
8d35673b70d1c161e60a0fec7898c1e2a9670b0b9fcaad0a33415a8ee9111d25f70bfe40db85db1a1abde26d0dc8f7c4f734635e93de9bbe920799fc2839f133

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
351KB

MD5
6b0de84f209005d529f1542bbcc6ad0d

SHA1
783ef57011a07448015d3b40e43037ce095b76f1

SHA256
0667da7225ff34faf098b4e1010bddba47339b79723ba3f0ada54e37dde351b0

SHA512
fe1832751ca31183bc2fe8d3a288fcd0ffc03e7c366a7177950d2b875bba75e956f147957c65420c7b0aef914db3103f3befc4df1f0d2d1d709c0aff73a7efe1

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
351KB

MD5
50b6c0bb022c490e7f0ef1a695f40712

SHA1
502032bf9e744ff21d067f176169fc13ebc39a43

SHA256
62e4a06c014e2924455e4513a8250acd21ddaba21fccbabba8c03e22f6689b40

SHA512
513b70a963124cffd86b74c9da2332fb58a7cff92bf8420e0d4db3f6d427ae793561962e042dd451cca0cce6f5d8f31489dc1702a240b2b012f5b84e666c0de2

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
351KB

MD5
76e9748233489bd931df5aee82337963

SHA1
9f24e3e49996ecff315f280060f3ca14415072bc

SHA256
8b17a41bb7b82f90ab23d158c9e06ad2e5ba304fe98d449cbbdd2513892387b0

SHA512
5db08ffc6074fb0783606fffb4894f50b2389f149b06cc7ecf0c327afc1f135a8e662be99e0e9da1987e2d4878fdb0e03ec653c0d9b0a2593f9c36a4a369ad84

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
351KB

MD5
922afba2c13ac4ec4b6950a6c2a8ae40

SHA1
756ccfea585548171272455591dd3229ee4b6484

SHA256
d711855d37fe17f72c5b34301aafff01e5f8c73c31b1bff59317cde0ec901286

SHA512
91eca843aa58bbe9d851011751614a730fe3e41e164d9da230d06d59ad3045b1e519bdad0a10ba8669d2ce913204993003e74d75096a75ec8b7d0d050b975e75

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
351KB

MD5
8aa89c58204fe26f767cf569cc3b8a1f

SHA1
2adc2468760b1c69d7c551418e4b757f13023825

SHA256
a4f2ecf26f7221c9882682fcf976b39ead935c997ffa3be226f83a1937d06486

SHA512
261322c433eeb4f1a4eed24c79da8f18336e4036f221415a22d685a56f0f7016c4b71ee40c9090e8f116642f38c888da8853dc1d2b8a6ac83d6050477831afd9

Download Submit
C:\Windows\Tiwi.exe

Filesize
351KB

MD5
5f6378f8991abd0982ce412b98bc3c56

SHA1
9b15f789bcf842a2cedd3748d8ef7360c7ec2c93

SHA256
4d794ba4236fa8b04c129e8e3d70ee9112b6bf09297e2fcdfbd130ae09c61239

SHA512
6c079312f041be3b60e133b8ffac4f15d60a195c70bba527a78c6844550a8996b7164b0b71bb5cdcf4b8e9465822b4a4aa766c1de66fd2b610f58f91705026c1

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
351KB

MD5
4cbaaf789a5c4dac35b8ff76fbc6216d

SHA1
7e1606dc24a55aee6cfb456746b976d6f9f1ec32

SHA256
052475b7ff6f262ec2adfa49a4aedfd918b2bf0fb86d215e6d2b00a09b20fbe6

SHA512
9faa2891efd1410221399730991fe1d18a9ab01821485f3ee36720b85c571cfe9fbc951e39ab7f979e5c9efe98d49071c92391ea169a8c3e73bfbf04f427c8e3

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/456-406-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/456-281-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/456-0-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/816-96-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/816-285-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1516-232-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/1516-282-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2240-304-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2240-323-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2332-193-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2332-148-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2520-297-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2520-110-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2576-191-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2576-198-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2804-284-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2804-295-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2988-322-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/2988-309-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3140-298-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3140-429-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3380-227-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3380-194-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3504-300-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3504-321-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/3916-235-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4420-292-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4420-102-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4560-305-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4560-286-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4728-237-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download
memory/4728-293-0x00000000003E0000-0x00000000009DF000-memory.dmp

Filesize
6.0MB

Download