Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 30/09/2024, 14:59
Static task: static1
Behavioral task: behavioral1
  Sample: 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
  Resource: win10v2004-20240802-en
General
Target: 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Size: 351KB
MD5: 46af153ff1ca8bbd9922ee1cd457aa00
SHA1: c8a5f9ca564f1b95acd5e3b8de8235350b0fbc75
SHA256: 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45ab
SHA512: d60c807faddc883c0d61d403c58006ee38076ee945a9fdd38c4c69f845cdf33533d752a9a7d7f549fb0f08159c5c4c997c6d5885dbed2c82e276e9ff611674b6
SSDEEP: 6144:V/OZpl8YZplx/OZpl7/OZplx/OZplQ/OZplU:V/M8qx/M7/Mx/MQ/MU
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
Winlogon launches every entry of Userinit and the Shell value at each interactive logon, so appending IExplorer.exe to both re-launches the dropped copy whenever a user signs in. The writes land under Wow6432Node because the sample is 32-bit and WOW64 redirects this key; on this x64 image the native winlogon reads the un-redirected key, so the entries as recorded take effect on a 32-bit install but not here. Each of the six processes writes both values.
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, Tiwi.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe, cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, IExplorer.exe, imoet.exe, Tiwi.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
HideFileExt = 1 is the Windows default, so on its own it is a weak signal; it matters here together with the exefile type-name change below, which makes dropped executables pass as folders.
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
ShowSuperHidden = 0 keeps files flagged hidden+system out of Explorer listings even when "show hidden files" is enabled.
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe
Disables RegEdit via registry modification 6 IoCs
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe, imoet.exe, cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, Tiwi.exe, IExplorer.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
DisableCMD = 1 blocks both the interactive command prompt and batch files (a value of 2 would block only the prompt). This path has no Wow6432Node component: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies is shared between the 32- and 64-bit registry views, so the write applies system-wide.
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 35 IoCs
Five dropped executables are each started seven times. The winlogon.exe listed here is the dropped copy under the user profile (see the MSMSGS Run value below), not the system's winlogon.
Process | pid
Tiwi.exe | 2756, 264, 1488, 3016, 1944, 2120, 1816
IExplorer.exe | 2776, 1040, 540, 1772, 2108, 2052, 2536
winlogon.exe | 2916, 1336, 2448, 2264, 2616, 2528, 2020
imoet.exe | 2404, 1536, 2036, 2564, 2208, 1928, 1964
cute.exe | 3060, 2412, 1916, 2708, 2504, 1644, 1920
Loads dropped DLL 53 IoCs
The report records each load as a separate entry; they are totalled per process here.
pid | Process | Load events
2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 16
2756 | Tiwi.exe | 8
2776 | IExplorer.exe | 8
2916 | winlogon.exe | 7
1536 | imoet.exe | 7
3060 | cute.exe | 7
Modifies system executable filetype association 2 TTPs 64 IoCs
Every launch of a .exe, .com, .bat, .pif or .lnk is routed through C:\Windows\system32\shell.exe (dropped into SysWOW64, see below), which receives the original target as "%1"; the stock exefile command is "%1" %*. The exefile default value is changed from "Application" to "File Folder", so Explorer's Type column shows executables as folders. HKLM\SOFTWARE\Classes is shared between the 32- and 64-bit registry views, so this hijack affects both. When cleaning up, restore these commands before removing shell.exe, otherwise nothing in those classes can be launched.
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe, cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, imoet.exe, winlogon.exe, IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe, imoet.exe, winlogon.exe, Tiwi.exe, cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe, IExplorer.exe, winlogon.exe, imoet.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe, imoet.exe, winlogon.exe, Tiwi.exe, IExplorer.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, winlogon.exe, cute.exe, Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, cute.exe, Tiwi.exe, winlogon.exe, imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, Tiwi.exe, imoet.exe, IExplorer.exe, cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe, IExplorer.exe, imoet.exe, cute.exe, winlogon.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, cute.exe, Tiwi.exe, imoet.exe, winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe, winlogon.exe, imoet.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, IExplorer.exe, Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, cute.exe, IExplorer.exe, winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
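The Winlogon, Explorer, policy and file-association writes above are mechanical enough to check by rule. The following Python is an added example, not code from the tria.ge report or from the sample, that scores events shaped like the "Set value" rows of these tables. The events it runs on are constructed from rows above; the two benign rows and their process names (msiexec.exe, setup.exe) are hypothetical and exist only to show that the rules stay quiet on stock data. The open-command rule generalises beyond this sample: any shell\open\command for the five classes that does not begin with "%1" is flagged, whatever program it names.

```python
"""Detection rules for the registry tampering recorded in this report.

Added example, not code from the tria.ge report or from the sample.
Each event is a constructed (path, data, process) triple that mirrors one
"Set value" row of the IoC tables; the SID in the user-hive paths is the
one the report shows.
"""
import re
from typing import List, NamedTuple, Optional


class RegEvent(NamedTuple):
    path: str      # path as tria.ge prints it; a trailing '\' means the key's default value
    data: str      # data written, as text (ints in decimal form)
    process: str   # image name of the writing process


class Finding(NamedTuple):
    rule: str
    severity: str
    process: str
    path: str


# Stock values: Userinit holds only userinit.exe (Windows itself writes a
# trailing comma, which is tolerated), Shell holds only explorer.exe.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"
# Classes whose shell\open\command this sample points at shell.exe.
HIJACKED_CLASSES = ("exefile", "comfile", "batfile", "piffile", "lnkfile")
# Stock open command is "%1" %* : the target itself, then its arguments.
STOCK_OPEN_COMMAND = re.compile(r'^\s*"?%1"?(\s+%\*)?\s*$')
# Explorer settings and policies the sample flips, keyed by the last three
# path components. HideFileExt=1 is the Windows default, hence only "low".
POLICY_RULES = {
    ("explorer", "advanced", "hidefileext"): ("1", "low"),
    ("explorer", "advanced", "showsuperhidden"): ("0", "low"),
    ("policies", "system", "disableregistrytools"): ("1", "medium"),
    ("policies", "system", "disabletaskmgr"): ("1", "medium"),
    ("policies", "system", "disablecmd"): ("1", "medium"),
}


def _components(path: str) -> List[str]:
    """Lower-cased path components, with empty pieces (the trailing '\\') dropped."""
    return [p for p in path.lower().split("\\") if p]


def evaluate(ev: RegEvent) -> Optional[Finding]:
    """Return a Finding if the event matches one of the rules, else None."""
    parts = _components(ev.path)
    if len(parts) < 4:
        return None
    name = parts[-1]
    is_default_value = ev.path.endswith("\\")

    # 1. Winlogon\Userinit: every extra entry is launched at each interactive logon.
    if parts[-2] == "winlogon" and name == "userinit":
        entries = [e.strip().strip('"').lower() for e in ev.data.split(",") if e.strip()]
        if entries != [EXPECTED_USERINIT]:
            return Finding("winlogon_userinit_persistence", "high", ev.process, ev.path)
        return None

    # 2. Winlogon\Shell: anything besides explorer.exe replaces or wraps the desktop shell.
    if parts[-2] == "winlogon" and name == "shell":
        if ev.data.strip().lower() != EXPECTED_SHELL:
            return Finding("winlogon_shell_persistence", "high", ev.process, ev.path)
        return None

    # 3. <class>\shell\open\command: an interposed program sees every launch of that class.
    if parts[-3:] == ["shell", "open", "command"] and parts[-4] in HIJACKED_CLASSES:
        if not STOCK_OPEN_COMMAND.match(ev.data):
            return Finding("file_association_hijack", "high", ev.process, ev.path)
        return None

    # 4. exefile default value is what Explorer shows as the file "Type";
    #    "File Folder" makes executables look like folders.
    if is_default_value and parts[-2:] == ["classes", "exefile"]:
        if ev.data.strip().lower() != "application":
            return Finding("exefile_type_name_spoofed", "medium", ev.process, ev.path)
        return None

    # 5. Explorer\Advanced settings and Policies\System lockouts.
    key = tuple(parts[-3:])
    if key in POLICY_RULES:
        expected, severity = POLICY_RULES[key]
        if ev.data.strip() == expected:
            return Finding("policy_" + name, severity, ev.process, ev.path)
    return None


def scan(events: List[RegEvent]) -> List[Finding]:
    """Evaluate every event and keep the hits, in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample: six rows taken from the report's IoC tables plus two benign
# rows (stock data, hypothetical installer process names) as a false-positive check.
SID = "S-1-5-21-3434294380-2554721341-1919518612-1000"
WINLOGON = "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"
SAMPLE_EVENTS = [
    RegEvent(WINLOGON + "Userinit",
             "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe", "IExplorer.exe"),
    RegEvent(WINLOGON + "Shell", 'Explorer.exe "C:\\Windows\\system32\\IExplorer.exe"', "winlogon.exe"),
    RegEvent("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\",
             '"C:\\Windows\\system32\\shell.exe" "%1" %*', "Tiwi.exe"),
    RegEvent("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\", "File Folder", "cute.exe"),
    RegEvent("\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
             "1", "imoet.exe"),
    RegEvent("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableCMD",
             "1", "cute.exe"),
    # benign: stock data written by hypothetical legitimate processes
    RegEvent("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
             "C:\\Windows\\system32\\userinit.exe,", "msiexec.exe"),
    RegEvent("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\", '"%1" %*', "setup.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.rule:32} {f.process:14} {f.path}")
```

The same three fields are available from Sysmon Event ID 13 (registry value set) as TargetObject, Details and Image. Sysmon writes HKLM\ rather than \REGISTRY\MACHINE\ and names a key's default value with a "(Default)" suffix instead of tria.ge's trailing backslash; the rules only inspect the tail of the path, so map that suffix to a trailing backslash before calling evaluate().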
Adds Run key to start application 2 TTPs 24 IoCs
Two per-user values (tiwi, MSMSGS) and two machine-wide values under the redirected Wow6432Node Run key (System Monitoring, LogonAdmin) start the dropped copies at logon. Explorer processes both Run views on x64, so unlike the Winlogon entries above these do take effect here. The tiwi value as recorded has no extension, whereas the file dropped is C:\Windows\tiwi.exe.
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, Tiwi.exe, IExplorer.exe, cute.exe, imoet.exe, winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | imoet.exe, IExplorer.exe, cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, Tiwi.exe, winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe" | Tiwi.exe, cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, winlogon.exe, IExplorer.exe, imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, Tiwi.exe, IExplorer.exe, imoet.exe, winlogon.exe, cute.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root; they are grouped by process here.
Description | Drive roots opened | Process
File opened (read-only) | \??\B: \??\E: \??\I: \??\K: \??\L: \??\O: \??\P: \??\R: \??\S: \??\T: \??\U: \??\V: \??\Z: | cute.exe
File opened (read-only) | \??\G: \??\H: \??\I: \??\N: \??\O: \??\P: \??\R: \??\S: \??\T: \??\U: \??\Y: \??\Z: | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
File opened (read-only) | \??\B: \??\K: \??\L: \??\N: \??\P: \??\Q: \??\S: \??\T: \??\V: \??\W: \??\Y: | winlogon.exe
File opened (read-only) | \??\E: \??\G: \??\J: \??\K: \??\L: \??\M: \??\N: \??\Q: \??\S: \??\T: \??\U: \??\W: \??\X: | imoet.exe
File opened (read-only) | \??\G: \??\H: \??\I: \??\M: \??\O: \??\P: \??\R: \??\T: \??\W: | IExplorer.exe
File opened (read-only) | \??\B: \??\G: \??\I: \??\K: \??\P: \??\T: | Tiwi.exe
Modifies WinLogon 2 TTPs 18 IoCs
LegalNoticeCaption and LegalNoticeText set the banner shown before the logon screen. The text is Indonesian; roughly: "When the Princess fell asleep, I lit a lantern to keep her warm, and I waited for her to wake. Who knows when she will be able to see the sincerity of my heart.... (like on whose fs, huh??) :P" ("fs" is left as written). These writes sit under the same redirected Wow6432Node Winlogon key as the persistence entries above.
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe, imoet.exe, cute.exe, Tiwi.exe, winlogon.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum" | Tiwi.exe, IExplorer.exe, winlogon.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, imoet.exe, cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P " | imoet.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, cute.exe, Tiwi.exe, IExplorer.exe, winlogon.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Here the file is written to the root of C: and of the second volume F:. On Windows 7 and later, AutoRun honours autorun.inf only on optical media by default, so this route mainly reaches older hosts that mount the infected volume.
Description | IoC | Process
File created | C:\autorun.inf | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
File opened for modification | C:\autorun.inf | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
File created | F:\autorun.inf | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
File opened for modification | F:\autorun.inf | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Drops file in System32 directory 40 IoCs
The sample writes to C:\Windows\system32, which WOW64 redirects to SysWOW64 for a 32-bit process. shell.exe is the target of the file-association hijack above, IExplorer.exe the target of the Winlogon entries, tiwi.scr a copy with a screensaver extension, and msvbvm60.dll the Visual Basic 6 runtime that IExplorer.exe repeatedly re-drops. The 40 entries are grouped by file here.
File | Created by | Opened for modification by
C:\Windows\SysWOW64\IExplorer.exe | cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, imoet.exe, winlogon.exe, IExplorer.exe, Tiwi.exe | imoet.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, IExplorer.exe, winlogon.exe, cute.exe, Tiwi.exe
C:\Windows\SysWOW64\shell.exe | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | winlogon.exe, imoet.exe, cute.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, IExplorer.exe, Tiwi.exe
C:\Windows\SysWOW64\tiwi.scr | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | cute.exe, winlogon.exe, Tiwi.exe, IExplorer.exe, 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe, imoet.exe
C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe (7 entries) | IExplorer.exe (7 entries)
Drops file in Windows directory 26 IoCs
description | ioc | Process
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | cute.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\tiwi.exe | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | imoet.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Tiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cute.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Mouse\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Modifies Internet Explorer settings 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
2756 | Tiwi.exe
1536 | imoet.exe
2916 | winlogon.exe
2776 | IExplorer.exe
3060 | cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
pid | Process
2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
2756 | Tiwi.exe
2776 | IExplorer.exe
1488 | Tiwi.exe
264 | Tiwi.exe
1040 | IExplorer.exe
540 | IExplorer.exe
2916 | winlogon.exe
1336 | winlogon.exe
3016 | Tiwi.exe
1772 | IExplorer.exe
1536 | imoet.exe
2448 | winlogon.exe
2404 | imoet.exe
2036 | imoet.exe
3060 | cute.exe
1944 | Tiwi.exe
2264 | winlogon.exe
2412 | cute.exe
1916 | cute.exe
2120 | Tiwi.exe
2108 | IExplorer.exe
2564 | imoet.exe
2616 | winlogon.exe
2052 | IExplorer.exe
2208 | imoet.exe
2528 | winlogon.exe
1816 | Tiwi.exe
2708 | cute.exe
2504 | cute.exe
2536 | IExplorer.exe
1928 | imoet.exe
1644 | cute.exe
2020 | winlogon.exe
1964 | imoet.exe
1920 | cute.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2956 wrote to memory of 2756 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 28
PID 2956 wrote to memory of 2756 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 28
PID 2956 wrote to memory of 2756 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 28
PID 2956 wrote to memory of 2756 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 28
PID 2956 wrote to memory of 2776 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 29
PID 2956 wrote to memory of 2776 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 29
PID 2956 wrote to memory of 2776 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 29
PID 2956 wrote to memory of 2776 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 29
PID 2956 wrote to memory of 264 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 30
PID 2956 wrote to memory of 264 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 30
PID 2956 wrote to memory of 264 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 30
PID 2956 wrote to memory of 264 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 30
PID 2756 wrote to memory of 1488 | 2756 | Tiwi.exe | 31
PID 2756 wrote to memory of 1488 | 2756 | Tiwi.exe | 31
PID 2756 wrote to memory of 1488 | 2756 | Tiwi.exe | 31
PID 2756 wrote to memory of 1488 | 2756 | Tiwi.exe | 31
PID 2956 wrote to memory of 1040 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 33
PID 2956 wrote to memory of 1040 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 33
PID 2956 wrote to memory of 1040 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 33
PID 2956 wrote to memory of 1040 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 33
PID 2756 wrote to memory of 540 | 2756 | Tiwi.exe | 32
PID 2756 wrote to memory of 540 | 2756 | Tiwi.exe | 32
PID 2756 wrote to memory of 540 | 2756 | Tiwi.exe | 32
PID 2756 wrote to memory of 540 | 2756 | Tiwi.exe | 32
PID 2776 wrote to memory of 3016 | 2776 | IExplorer.exe | 34
PID 2776 wrote to memory of 3016 | 2776 | IExplorer.exe | 34
PID 2776 wrote to memory of 3016 | 2776 | IExplorer.exe | 34
PID 2776 wrote to memory of 3016 | 2776 | IExplorer.exe | 34
PID 2956 wrote to memory of 2916 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 35
PID 2956 wrote to memory of 2916 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 35
PID 2956 wrote to memory of 2916 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 35
PID 2956 wrote to memory of 2916 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 35
PID 2756 wrote to memory of 1336 | 2756 | Tiwi.exe | 36
PID 2756 wrote to memory of 1336 | 2756 | Tiwi.exe | 36
PID 2756 wrote to memory of 1336 | 2756 | Tiwi.exe | 36
PID 2756 wrote to memory of 1336 | 2756 | Tiwi.exe | 36
PID 2776 wrote to memory of 1772 | 2776 | IExplorer.exe | 37
PID 2776 wrote to memory of 1772 | 2776 | IExplorer.exe | 37
PID 2776 wrote to memory of 1772 | 2776 | IExplorer.exe | 37
PID 2776 wrote to memory of 1772 | 2776 | IExplorer.exe | 37
PID 2956 wrote to memory of 1536 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 38
PID 2956 wrote to memory of 1536 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 38
PID 2956 wrote to memory of 1536 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 38
PID 2956 wrote to memory of 1536 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 38
PID 2756 wrote to memory of 2404 | 2756 | Tiwi.exe | 39
PID 2756 wrote to memory of 2404 | 2756 | Tiwi.exe | 39
PID 2756 wrote to memory of 2404 | 2756 | Tiwi.exe | 39
PID 2756 wrote to memory of 2404 | 2756 | Tiwi.exe | 39
PID 2776 wrote to memory of 2448 | 2776 | IExplorer.exe | 40
PID 2776 wrote to memory of 2448 | 2776 | IExplorer.exe | 40
PID 2776 wrote to memory of 2448 | 2776 | IExplorer.exe | 40
PID 2776 wrote to memory of 2448 | 2776 | IExplorer.exe | 40
PID 2776 wrote to memory of 2036 | 2776 | IExplorer.exe | 41
PID 2776 wrote to memory of 2036 | 2776 | IExplorer.exe | 41
PID 2776 wrote to memory of 2036 | 2776 | IExplorer.exe | 41
PID 2776 wrote to memory of 2036 | 2776 | IExplorer.exe | 41
PID 2916 wrote to memory of 1944 | 2916 | winlogon.exe | 42
PID 2916 wrote to memory of 1944 | 2916 | winlogon.exe | 42
PID 2916 wrote to memory of 1944 | 2916 | winlogon.exe | 42
PID 2916 wrote to memory of 1944 | 2916 | winlogon.exe | 42
PID 2956 wrote to memory of 3060 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 45
PID 2956 wrote to memory of 3060 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 45
PID 2956 wrote to memory of 3060 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 45
PID 2956 wrote to memory of 3060 | 2956 | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe | 45
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe (PID 2956), command line: "C:\Users\Admin\AppData\Local\Temp\11646dffb3c31f3dff0feb3a5ebc9f174f21b8757e352a3da6060395181e45abN.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\Tiwi.exe (PID 2756), command line: C:\Windows\Tiwi.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\Tiwi.exe (PID 1488), command line: C:\Windows\Tiwi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (PID 540), command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 1336), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2404), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2412), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe (PID 2776), command line: C:\Windows\system32\IExplorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\Tiwi.exe (PID 3016), command line: C:\Windows\Tiwi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (PID 1772), command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2448), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2036), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 1916), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\Tiwi.exe (PID 264), command line: C:\Windows\Tiwi.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe (PID 1040), command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2916), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\Tiwi.exe (PID 1944), command line: C:\Windows\Tiwi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (PID 2108), command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2616), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2208), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2504), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 1536), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    - C:\Windows\Tiwi.exe (PID 2120), command line: C:\Windows\Tiwi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (PID 2052), command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2528), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 1928), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 1644), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 3060), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    - C:\Windows\Tiwi.exe (PID 1816), command line: C:\Windows\Tiwi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\IExplorer.exe (PID 2536), command line: C:\Windows\system32\IExplorer.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2020), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 1964), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 1920), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2264), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe (PID 2564), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe (PID 2708), command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
  - Event Triggered Execution (1)
    - Change Default File Association (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
  - Event Triggered Execution (1)
    - Change Default File Association (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (9)
Downloads