Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/09/2024, 06:44
Behavioral task: behavioral1
Sample: ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Resource: win10v2004-20240802-en
General
Target: ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Size: 57KB
MD5: e2121c3a3e684c4242b4e3ebf6fcc8f0
SHA1: 0f2e6a4fce8d6e9caeb1bb388cfa2ec9f5cbfc64
SHA256: ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1b
SHA512: b0f099355fbc2a5db2792c666d925473d959dda36c4197a32ac20974da1ebba701b6053213945b6cd25069d18e1e1796d2befc9ce51cafe1fa367b880eeaed55
SSDEEP: 768:Nh5sxVPFXfgaDjof4ZgHqLNhldu8pGTUTY26TsGrn5wFbUzMsPzB5UNXwekfp:NHsxFJfgaDjofVKn1pGwTJOlw1UrOwl
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | cute.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Tiwi.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Tiwi.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (30 IoCs)
pid | Process
3020 | Tiwi.exe
2440 | IExplorer.exe
1672 | winlogon.exe
2100 | imoet.exe
2328 | cute.exe
2412 | Tiwi.exe
1992 | IExplorer.exe
1384 | Tiwi.exe
2160 | winlogon.exe
1388 | imoet.exe
1040 | Tiwi.exe
2096 | cute.exe
2252 | Tiwi.exe
2732 | IExplorer.exe
2844 | Tiwi.exe
2756 | IExplorer.exe
2604 | winlogon.exe
2116 | IExplorer.exe
2788 | IExplorer.exe
1720 | winlogon.exe
768 | imoet.exe
3040 | winlogon.exe
2200 | imoet.exe
1872 | imoet.exe
776 | winlogon.exe
1936 | cute.exe
756 | imoet.exe
2828 | cute.exe
1268 | cute.exe
1260 | cute.exe
Loads dropped DLL (45 IoCs)
pid | Process
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
3020 | Tiwi.exe
3020 | Tiwi.exe
3020 | Tiwi.exe
3020 | Tiwi.exe
3020 | Tiwi.exe
3020 | Tiwi.exe
3020 | Tiwi.exe
3020 | Tiwi.exe
2440 | IExplorer.exe
1672 | winlogon.exe
1672 | winlogon.exe
2440 | IExplorer.exe
2100 | imoet.exe
2100 | imoet.exe
2328 | cute.exe
2328 | cute.exe
1672 | winlogon.exe
2100 | imoet.exe
2100 | imoet.exe
2440 | IExplorer.exe
2440 | IExplorer.exe
1672 | winlogon.exe
1672 | winlogon.exe
2440 | IExplorer.exe
2440 | IExplorer.exe
2328 | cute.exe
2328 | cute.exe
2100 | imoet.exe
2440 | IExplorer.exe
2440 | IExplorer.exe
2328 | cute.exe
2328 | cute.exe
2100 | imoet.exe
1672 | winlogon.exe
1672 | winlogon.exe
2100 | imoet.exe
2328 | cute.exe
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | Tiwi.exe
File opened (read-only) | \??\L: | IExplorer.exe
File opened (read-only) | \??\S: | imoet.exe
File opened (read-only) | \??\Q: | cute.exe
File opened (read-only) | \??\O: | IExplorer.exe
File opened (read-only) | \??\T: | IExplorer.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\W: | imoet.exe
File opened (read-only) | \??\H: | Tiwi.exe
File opened (read-only) | \??\Z: | winlogon.exe
File opened (read-only) | \??\E: | cute.exe
File opened (read-only) | \??\K: | cute.exe
File opened (read-only) | \??\M: | cute.exe
File opened (read-only) | \??\N: | Tiwi.exe
File opened (read-only) | \??\W: | Tiwi.exe
File opened (read-only) | \??\S: | winlogon.exe
File opened (read-only) | \??\G: | imoet.exe
File opened (read-only) | \??\H: | cute.exe
File opened (read-only) | \??\U: | imoet.exe
File opened (read-only) | \??\B: | Tiwi.exe
File opened (read-only) | \??\Y: | winlogon.exe
File opened (read-only) | \??\Z: | imoet.exe
File opened (read-only) | \??\G: | cute.exe
File opened (read-only) | \??\T: | cute.exe
File opened (read-only) | \??\K: | Tiwi.exe
File opened (read-only) | \??\U: | Tiwi.exe
File opened (read-only) | \??\Y: | Tiwi.exe
File opened (read-only) | \??\E: | IExplorer.exe
File opened (read-only) | \??\Q: | winlogon.exe
File opened (read-only) | \??\H: | imoet.exe
File opened (read-only) | \??\J: | imoet.exe
File opened (read-only) | \??\P: | IExplorer.exe
File opened (read-only) | \??\X: | IExplorer.exe
File opened (read-only) | \??\B: | winlogon.exe
File opened (read-only) | \??\L: | imoet.exe
File opened (read-only) | \??\X: | imoet.exe
File opened (read-only) | \??\P: | imoet.exe
File opened (read-only) | \??\J: | cute.exe
File opened (read-only) | \??\W: | cute.exe
File opened (read-only) | \??\Q: | Tiwi.exe
File opened (read-only) | \??\J: | winlogon.exe
File opened (read-only) | \??\P: | Tiwi.exe
File opened (read-only) | \??\Q: | imoet.exe
File opened (read-only) | \??\U: | cute.exe
File opened (read-only) | \??\B: | IExplorer.exe
File opened (read-only) | \??\W: | IExplorer.exe
File opened (read-only) | \??\Y: | IExplorer.exe
File opened (read-only) | \??\V: | imoet.exe
File opened (read-only) | \??\L: | cute.exe
File opened (read-only) | \??\Z: | Tiwi.exe
File opened (read-only) | \??\X: | winlogon.exe
File opened (read-only) | \??\Y: | cute.exe
File opened (read-only) | \??\S: | Tiwi.exe
File opened (read-only) | \??\I: | imoet.exe
File opened (read-only) | \??\B: | cute.exe
File opened (read-only) | \??\M: | Tiwi.exe
File opened (read-only) | \??\Q: | IExplorer.exe
File opened (read-only) | \??\M: | winlogon.exe
File opened (read-only) | \??\P: | winlogon.exe
File opened (read-only) | \??\P: | cute.exe
File opened (read-only) | \??\R: | cute.exe
File opened (read-only) | \??\G: | IExplorer.exe
File opened (read-only) | \??\T: | winlogon.exe
File opened (read-only) | \??\Z: | cute.exe
Modifies WinLogon (2 TTPs, 18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | Tiwi.exe
File created | F:\autorun.inf | Tiwi.exe
File opened for modification | F:\autorun.inf | Tiwi.exe
File created | C:\autorun.inf | Tiwi.exe
Drops file in System32 directory (38 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | cute.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | imoet.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | cute.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | cute.exe
File created | C:\Windows\SysWOW64\tiwi.scr | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | Tiwi.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\tiwi.scr | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | Tiwi.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | imoet.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | imoet.exe
resource | yara_rule
behavioral1/memory/2680-0-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/files/0x0007000000015f38-7.dat | upx
behavioral1/files/0x0007000000015df1-99.dat | upx
behavioral1/memory/3020-100-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/files/0x0007000000016d22-103.dat | upx
behavioral1/memory/2440-110-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1672-122-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/files/0x0006000000016d68-121.dat | upx
behavioral1/memory/2100-135-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2680-134-0x0000000000440000-0x0000000000473000-memory.dmp | upx
behavioral1/files/0x0006000000016d6f-133.dat | upx
behavioral1/memory/2680-131-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/files/0x0006000000016d73-138.dat | upx
behavioral1/memory/2680-140-0x0000000000440000-0x0000000000473000-memory.dmp | upx
behavioral1/memory/2440-148-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2328-147-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/3020-146-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2680-152-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2412-187-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1672-198-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1992-197-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2412-195-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/files/0x0009000000015f4e-204.dat | upx
behavioral1/files/0x0007000000015f38-201.dat | upx
behavioral1/files/0x0007000000015e4f-200.dat | upx
behavioral1/memory/2100-231-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1388-275-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2160-271-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1384-317-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1388-318-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2096-329-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/3020-327-0x00000000026B0000-0x00000000026E3000-memory.dmp | upx
behavioral1/memory/1384-325-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1040-371-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2756-389-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1720-411-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/768-417-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2788-423-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2328-441-0x0000000001E80000-0x0000000001EB3000-memory.dmp | upx
behavioral1/memory/2200-428-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1872-447-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2828-467-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1936-465-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/756-463-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2200-449-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2828-450-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/776-439-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/3040-430-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1672-413-0x0000000002600000-0x0000000002633000-memory.dmp | upx
behavioral1/memory/2116-399-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2844-396-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2732-381-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/768-435-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2100-416-0x00000000030A0000-0x00000000030D3000-memory.dmp | upx
behavioral1/memory/1720-409-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2440-401-0x00000000025D0000-0x0000000002603000-memory.dmp | upx
behavioral1/memory/2252-382-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2328-368-0x0000000001E80000-0x0000000001EB3000-memory.dmp | upx
behavioral1/memory/2160-267-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2328-264-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1992-233-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/1672-472-0x0000000002600000-0x0000000002633000-memory.dmp | upx
behavioral1/memory/3020-473-0x0000000000400000-0x0000000000433000-memory.dmp | upx
behavioral1/memory/2328-477-0x0000000000400000-0x0000000000433000-memory.dmp | upx
Drops file in Windows directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\International\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Mouse\ | cute.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
3020 | Tiwi.exe
2100 | imoet.exe
1672 | winlogon.exe
2440 | IExplorer.exe
2328 | cute.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe
3020 | Tiwi.exe
2440 | IExplorer.exe
1672 | winlogon.exe
2100 | imoet.exe
2328 | cute.exe
2412 | Tiwi.exe
1992 | IExplorer.exe
2160 | winlogon.exe
1388 | imoet.exe
1384 | Tiwi.exe
1040 | Tiwi.exe
2096 | cute.exe
2252 | Tiwi.exe
2732 | IExplorer.exe
2844 | Tiwi.exe
2756 | IExplorer.exe
2116 | IExplorer.exe
1720 | winlogon.exe
2604 | winlogon.exe
2788 | IExplorer.exe
3040 | winlogon.exe
768 | imoet.exe
776 | winlogon.exe
1872 | imoet.exe
2200 | imoet.exe
756 | imoet.exe
1936 | cute.exe
2828 | cute.exe
1268 | cute.exe
1260 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2680 wrote to memory of 3020 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 30
PID 2680 wrote to memory of 3020 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 30
PID 2680 wrote to memory of 3020 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 30
PID 2680 wrote to memory of 3020 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 30
PID 2680 wrote to memory of 2440 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 31
PID 2680 wrote to memory of 2440 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 31
PID 2680 wrote to memory of 2440 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 31
PID 2680 wrote to memory of 2440 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 31
PID 2680 wrote to memory of 1672 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 32
PID 2680 wrote to memory of 1672 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 32
PID 2680 wrote to memory of 1672 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 32
PID 2680 wrote to memory of 1672 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 32
PID 2680 wrote to memory of 2100 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 33
PID 2680 wrote to memory of 2100 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 33
PID 2680 wrote to memory of 2100 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 33
PID 2680 wrote to memory of 2100 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 33
PID 2680 wrote to memory of 2328 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 34
PID 2680 wrote to memory of 2328 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 34
PID 2680 wrote to memory of 2328 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 34
PID 2680 wrote to memory of 2328 | 2680 | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe | 34
PID 3020 wrote to memory of 2412 | 3020 | Tiwi.exe | 35
PID 3020 wrote to memory of 2412 | 3020 | Tiwi.exe | 35
PID 3020 wrote to memory of 2412 | 3020 | Tiwi.exe | 35
PID 3020 wrote to memory of 2412 | 3020 | Tiwi.exe | 35
PID 3020 wrote to memory of 1992 | 3020 | Tiwi.exe | 36
PID 3020 wrote to memory of 1992 | 3020 | Tiwi.exe | 36
PID 3020 wrote to memory of 1992 | 3020 | Tiwi.exe | 36
PID 3020 wrote to memory of 1992 | 3020 | Tiwi.exe | 36
PID 2440 wrote to memory of 1384 | 2440 | IExplorer.exe | 37
PID 2440 wrote to memory of 1384 | 2440 | IExplorer.exe | 37
PID 2440 wrote to memory of 1384 | 2440 | IExplorer.exe | 37
PID 2440 wrote to memory of 1384 | 2440 | IExplorer.exe | 37
PID 1672 wrote to memory of 1040 | 1672 | winlogon.exe | 39
PID 1672 wrote to memory of 1040 | 1672 | winlogon.exe | 39
PID 1672 wrote to memory of 1040 | 1672 | winlogon.exe | 39
PID 1672 wrote to memory of 1040 | 1672 | winlogon.exe | 39
PID 3020 wrote to memory of 2160 | 3020 | Tiwi.exe | 38
PID 3020 wrote to memory of 2160 | 3020 | Tiwi.exe | 38
PID 3020 wrote to memory of 2160 | 3020 | Tiwi.exe | 38
PID 3020 wrote to memory of 2160 | 3020 | Tiwi.exe | 38
PID 3020 wrote to memory of 1388 | 3020 | Tiwi.exe | 40
PID 3020 wrote to memory of 1388 | 3020 | Tiwi.exe | 40
PID 3020 wrote to memory of 1388 | 3020 | Tiwi.exe | 40
PID 3020 wrote to memory of 1388 | 3020 | Tiwi.exe | 40
PID 3020 wrote to memory of 2096 | 3020 | Tiwi.exe | 42
PID 3020 wrote to memory of 2096 | 3020 | Tiwi.exe | 42
PID 3020 wrote to memory of 2096 | 3020 | Tiwi.exe | 42
PID 3020 wrote to memory of 2096 | 3020 | Tiwi.exe | 42
PID 2100 wrote to memory of 2252 | 2100 | imoet.exe | 41
PID 2100 wrote to memory of 2252 | 2100 | imoet.exe | 41
PID 2100 wrote to memory of 2252 | 2100 | imoet.exe | 41
PID 2100 wrote to memory of 2252 | 2100 | imoet.exe | 41
PID 1672 wrote to memory of 2732 | 1672 | winlogon.exe | 44
PID 1672 wrote to memory of 2732 | 1672 | winlogon.exe | 44
PID 1672 wrote to memory of 2732 | 1672 | winlogon.exe | 44
PID 1672 wrote to memory of 2732 | 1672 | winlogon.exe | 44
PID 2328 wrote to memory of 2844 | 2328 | cute.exe | 45
PID 2328 wrote to memory of 2844 | 2328 | cute.exe | 45
PID 2328 wrote to memory of 2844 | 2328 | cute.exe | 45
PID 2328 wrote to memory of 2844 | 2328 | cute.exe | 45
PID 2440 wrote to memory of 2116 | 2440 | IExplorer.exe | 43
PID 2440 wrote to memory of 2116 | 2440 | IExplorer.exe | 43
PID 2440 wrote to memory of 2116 | 2440 | IExplorer.exe | 43
PID 2440 wrote to memory of 2116 | 2440 | IExplorer.exe | 43
System policy modification 1 TTPs 12 IoCs
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe  (PID 2680)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1bN.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\Tiwi.exe  (PID 3020)
        Command line: C:\Windows\Tiwi.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\Tiwi.exe  (PID 2412)
            Command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe  (PID 1992)
            Command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe  (PID 2160)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe  (PID 1388)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe  (PID 2096)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe  (PID 2440)
        Command line: C:\Windows\system32\IExplorer.exe
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\Tiwi.exe  (PID 1384)
            Command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe  (PID 2116)
            Command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe  (PID 1720)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe  (PID 768)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe  (PID 1936)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe  (PID 1672)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\Tiwi.exe  (PID 1040)
            Command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe  (PID 2732)
            Command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe  (PID 2604)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe  (PID 2200)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe  (PID 2828)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe  (PID 2100)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\Tiwi.exe  (PID 2252)
            Command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe  (PID 2756)
            Command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe  (PID 3040)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe  (PID 1872)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe  (PID 1268)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe  (PID 2328)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\Tiwi.exe  (PID 2844)
            Command line: C:\Windows\Tiwi.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe  (PID 2788)
            Command line: C:\Windows\system32\IExplorer.exe
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe  (PID 776)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe  (PID 756)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe  (PID 1260)
            Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
-
Filesize 57KB
MD5 3fab5ba6c6bd9770412eea9cbf6ce0b7
SHA1 d95ccf9a3025d9ecd0b90839b31115c548c12903
SHA256 c2d85eda0fe77ece16034cdab412039d84ba733a3cd641e54ff360f3ea90f84a
SHA512 ee14770caeae9872438928d9ce5b24a93e4e5ef9b20da027a97005ac9afe5ebac7f84a26bbf7a2bb8c9dcb7c0d2b34ff538464fb0a63b2912e5418d24143e477
-
Filesize 57KB
MD5 e0af0aab4e112008cb2bceff46661b53
SHA1 dae247ed4c4bc2ff0e00a8523c6d93098cb389b0
SHA256 297b4c8a0735b6fd5848ea653245c2a5850f1871ac1fcf159aab1121aceaf105
SHA512 442d6cafe92b9ef000dd1318c1865495974e8634309635281f59fbfdae55b67bf04ac0070e40dee787d8f1f9dc03ae58df28ef6d55bab302dc54d7b38a673a8a
-
Filesize 45KB
MD5 d24d34390dbac5c8752bc6bc414635e2
SHA1 8558a64e0dca938cd6faf45df51906f2543e3952
SHA256 7ec70c61db4119d58beb4e6bda226105d0e1ad2dd6cc72fd0d093b0e18b94107
SHA512 eb38479927b7346becf324a42161517dd1ff0a3a521eb33d1495ac1cc6e9baa7b7656594e1362fad7f620a6e0220868cef3e574eae13fba8a11b789d070830a9
-
Filesize 45KB
MD5 df332f2cc017f1b2f9b14ea7b1d0f83b
SHA1 78d11df025df02dcf07fd6bb55f949d0c9a9e33d
SHA256 a3e3f2f5a60b43cb03c556a1d401bd752ea3635753089463984575c2683f197f
SHA512 a4e3a6a5d5c04a0b6673a1ea318ca79feab77062640602e1ed261858c9db2c60c1d3a86866a9680195509686421952217819b1473cf6da5a8d71f4346170fa25
-
Filesize 45KB
MD5 eeeed2fad6010463ca9abb2255fe0edc
SHA1 39d81fafcb3dec6dd10a60d3685f0c3957cf2240
SHA256 ba70d9703a68987caa93a8e7f071e78440098b91bd0f2c0bf56092c1ccee6dea
SHA512 fcf83cfc8bb6b7ac8a932ec9e0f836bb9ca3b7d15ea8257f59dd93d5994f0b916d832319bdcc2ec43fe6cbc933a06707241b4fca8807f95ac632cedb45dbeb3f
-
Filesize 45KB
MD5 af468c9382d3a4ee8767ebd2d3e482be
SHA1 bb9bb9dc1e266eee8cffcbc9ab4689c2fbb2110c
SHA256 8a939ba4ae7eaf9ff06397694d25886315ba3dcef768ad406b4e925815da02a7
SHA512 c0becb1bb2657e68570c6e4976c624c0731e10bf7ed486ed29af4aef4a17ed786dc5dbabacffeba9fa953639794e84cc50c20f9460ff13342bf72d0122197057
-
Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 57KB
MD5 cf4a348a79e05e02191a1303580f3ce5
SHA1 eb86f59686f508bd4439270525285c08e0880db5
SHA256 33fbd7e697e22c37b5c5239509753f0374599ec31546c2ad9a5dc4b7a90f8c2f
SHA512 c46acb9e59ce6c45b97aee80fb199b1c578d03f535e2da15f4a2cdcf70bfbaeaa400512c4588d06fd3d74461dc3788853bcbb0e3fdc2dbf499bee86b214f81c7
-
Filesize 57KB
MD5 e2121c3a3e684c4242b4e3ebf6fcc8f0
SHA1 0f2e6a4fce8d6e9caeb1bb388cfa2ec9f5cbfc64
SHA256 ac6ab7789626d1af8b4aa23355e1429983f052f0dceccca6b65e202310a35e1b
SHA512 b0f099355fbc2a5db2792c666d925473d959dda36c4197a32ac20974da1ebba701b6053213945b6cd25069d18e1e1796d2befc9ce51cafe1fa367b880eeaed55
-
Filesize 57KB
MD5 1632576ae5792b2043d4fab327030691
SHA1 85f833bfed29d39256d00cabb1afb3e4ec30dee4
SHA256 62dddad5113c9fd3e03a07ab9e7df953c5ede5efe1491329c6ae60ead04dd51d
SHA512 36b9505e39a3f775490a2cb9e12c2d9a9443f48e60795731c6469818f31b5daa0d14c9c8b639c5afda0ab604a6b21d3e9e1e8586df320322ff4f694ce76ec88e
-
Filesize 57KB
MD5 966a2d78ad561ce52c518d78e5ed1627
SHA1 ae117186a12c768b829c5fafdfbe523ef753f650
SHA256 9ae16a7eb48fcc2cbf35ca28ff47c0e15d92635f3eb91883c5e8d8265d019b32
SHA512 5378b3491eb505741500e666afeef02fe56b002a8786de8575d2df2a16835ce3fd5ca8630c9b6e4446fbb34c97548360424ba814eca99a73ef7f5bb4ef478da2
-
Filesize 729B
MD5 8e3c734e8dd87d639fb51500d42694b5
SHA1 f76371d31eed9663e9a4fd7cb95f54dcfc51f87f
SHA256 574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad
SHA512 06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853
-
Filesize 57KB
MD5 40150f271dad0ddc8182fe99b86a76a1
SHA1 02f4848ddc5641c5bd3d3b3fcd6f5b23e07c0ead
SHA256 5807f424d31fde5458ff568ad25f13f9cdd88ed3b94a56077065bc3d7418d911
SHA512 326b4264e7e81003a47dba941478acc06317a1915ee9fe406fc32dae985872a797ad808f484d0f2480d7b6da9bb95b4a09a1ffcb921eb918dec3af0cc253a318
-
Filesize 39B
MD5 415c421ba7ae46e77bdee3a681ecc156
SHA1 b0db5782b7688716d6fc83f7e650ffe1143201b7
SHA256 e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e
SHA512 dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62
-
Filesize 57KB
MD5 75db7f4b49634fd8a6e8b8652ba9a925
SHA1 6ea61d149439acbf421a1dd867f97e8594b10e06
SHA256 9f01b94c5f51775ad6df6870d23ad7125c5fff3941a7c9cbc1a1e9ea33dc9473
SHA512 8b57526efbd2932043bb2c4a164ca62adf70ba79b591443e35498ee5382fb1205b60de6c74d59e7cfb3010ee92890acb272195338c8a9eb6ab7d83f6b55bbc80
-
Filesize 57KB
MD5 8e13abc262c9125a36c068838bd4ef2a
SHA1 ed50a07ae86851d7f8fa5ece28a9610c49c428dd
SHA256 1c9c92c3292fb9125a31b2ed2d27f4dcb70003c82eb09bc25567ec19783f735c
SHA512 de5ccf99c3e6564729ad46ef36a348ae91fa89ebc58aa8ddbde1549cf82665b3ba3d2565682c190340280aa6f70c6ba5136c0fb339a4b673ce98f591211fbca7